FalconFriday free content: custom detections for Microsoft Defender XDR and Sentinel.

Solution: FalconFriday


Attribute | Value
Publisher | FalconForce
Support Tier | Partner
Support Link | https://www.falconforce.nl/en/
Categories | domains
Version | 3.0.1
Author | FalconForce - info@falconforce.nl
First Published | 2021-10-18
Last Updated | 2026-03-09
Solution Folder | FalconFriday
Marketplace | Azure Marketplace · Popularity: ⚪ Very Low (0%)

FalconFriday is a blog post series by FalconForce that provides the community with free detection content for attacks FalconForce has observed or executed in the wild.

Data Connectors

This solution does not include data connectors. The tables its rules query must already be populated by connectors from other solutions: the Microsoft Defender XDR connector for the Device* tables, the Microsoft Entra ID connector for SigninLogs and AADNonInteractiveUserSignInLogs, and the Windows Security Events via AMA and Common Event Format (CEF) via AMA connectors for SecurityEvent and CommonSecurityLog. A rule whose table is not being ingested will never fire.

Its content consists of analytic rules only; it ships no workbooks, hunting queries, or playbooks.

Tables Used

This solution queries 11 tables from its content items:

Table | Used By Content
AADNonInteractiveUserSignInLogs | Analytics
CommonSecurityLog | Analytics
DeviceEvents | Analytics
DeviceFileEvents | Analytics
DeviceImageLoadEvents | Analytics
DeviceLogonEvents | Analytics
DeviceNetworkEvents | Analytics
DeviceProcessEvents | Analytics
DeviceRegistryEvents | Analytics
SecurityEvent | Analytics
SigninLogs | Analytics
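Because the solution brings no connectors of its own, a practitioner will want to confirm that each of the 11 tables above is actually receiving data in the target workspace before enabling the rules. The following KQL is an added pre-deployment check, not part of the FalconFriday solution or FalconForce's content; the table names are taken from this page, and the one-day look-back window is an assumption.

```kql
// Added example (not FalconFriday content): report row counts for every table the
// solution's analytic rules query, so empty or missing tables are visible up front.
// Table list from this page; the 1-day look-back is an assumed value.
let Expected = datatable(TableName:string)[
    "AADNonInteractiveUserSignInLogs", "CommonSecurityLog", "DeviceEvents",
    "DeviceFileEvents", "DeviceImageLoadEvents", "DeviceLogonEvents",
    "DeviceNetworkEvents", "DeviceProcessEvents", "DeviceRegistryEvents",
    "SecurityEvent", "SigninLogs"
];
// isfuzzy=true keeps the query running even when a table does not exist in the workspace.
let Observed = union withsource=TableName isfuzzy=true
    AADNonInteractiveUserSignInLogs, CommonSecurityLog, DeviceEvents,
    DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents,
    DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents,
    SecurityEvent, SigninLogs
| where TimeGenerated > ago(1d)
| summarize Rows = count(), LastSeen = max(TimeGenerated) by TableName;
// Left-join so tables with no rows (or that do not exist) still appear, with Rows = 0.
Expected
| join kind=leftouter Observed on TableName
| project TableName, Rows = coalesce(Rows, 0), LastSeen
| order by Rows asc
```

Any table listed with Rows = 0 maps back to the rules in the Analytic Rules table below that depend on it; those rules should be left disabled until the corresponding connector is in place.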

Content Items

This solution includes 30 content items:

Content Type | Count
Analytic Rules | 30

Analytic Rules

Name | Severity | Tactics | Tables Used
ASR Bypassing Writing Executable Content | Medium | DefenseEvasion | DeviceFileEvents
Access Token Manipulation - Create Process with Token | Medium | PrivilegeEscalation, DefenseEvasion | DeviceLogonEvents, DeviceProcessEvents
Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains | Medium | CommandAndControl | CommonSecurityLog
Certified Pre-Owned - TGTs requested with certificate authentication | Medium | DefenseEvasion | SecurityEvent
Certified Pre-Owned - backup of CA private key - rule 1 | Medium | DefenseEvasion | SecurityEvent
Certified Pre-Owned - backup of CA private key - rule 2 | Medium | DefenseEvasion | SecurityEvent
Component Object Model Hijacking - Vault7 trick | Medium | Persistence, PrivilegeEscalation | DeviceRegistryEvents
DCOM Lateral Movement | Medium | LateralMovement | DeviceNetworkEvents, DeviceProcessEvents
Detect .NET runtime being loaded in JScript for code execution | Medium | Execution | DeviceImageLoadEvents
Detecting UAC bypass - ChangePK and SLUI registry tampering | Medium | Impact | DeviceProcessEvents
Detecting UAC bypass - elevated COM interface | Medium | Impact | DeviceProcessEvents
Detecting UAC bypass - modify Windows Store settings | Medium | Impact | DeviceProcessEvents
Disable or Modify Windows Defender | Medium | DefenseEvasion | DeviceProcessEvents
Excessive share permissions | Medium | Collection, Discovery | SecurityEvent
Expired access credentials being used in Azure | Medium | CredentialAccess | SigninLogs
Hijack Execution Flow - DLL Side-Loading | Medium | Persistence, PrivilegeEscalation, DefenseEvasion | DeviceFileEvents, DeviceImageLoadEvents
Ingress Tool Transfer - Certutil | Low | CommandAndControl, DefenseEvasion | DeviceFileEvents, DeviceProcessEvents
Match Legitimate Name or Location - 2 | Medium | DefenseEvasion | DeviceProcessEvents
Microsoft Entra ID Rare UserAgent App Sign-in | Medium | DefenseEvasion | AADNonInteractiveUserSignInLogs, SigninLogs
Microsoft Entra ID UserAgent OS Missmatch | Medium | DefenseEvasion | AADNonInteractiveUserSignInLogs, SigninLogs
Office ASR rule triggered from browser spawned office process. | Medium | InitialAccess | DeviceEvents
Oracle suspicious command execution | Medium | LateralMovement, PrivilegeEscalation | DeviceProcessEvents
Password Spraying | Medium | CredentialAccess | DeviceLogonEvents
Remote Desktop Protocol - SharpRDP | Medium | LateralMovement | DeviceLogonEvents, DeviceProcessEvents
Rename System Utilities | Medium | DefenseEvasion | DeviceProcessEvents
SMB/Windows Admin Shares | Medium | LateralMovement | DeviceNetworkEvents, DeviceProcessEvents
Suspicious Process Injection from Office application | Medium | Execution | DeviceEvents
Suspicious named pipes | Medium | Execution, DefenseEvasion | DeviceEvents
Suspicious parentprocess relationship - Office child processes. | Medium | InitialAccess | DeviceProcessEvents
Trusted Developer Utilities Proxy Execution | Medium | DefenseEvasion | DeviceProcessEvents

Rule names are reproduced as they appear in the solution, including their original spelling and punctuation.

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.0 | 24-06-2024 | Updated text for the rebranding of Azure Active Directory to Microsoft Entra ID, and added the missing AMA data connector reference to the analytic rules.
