Entra ID Authentication Anomalies: Advanced Hunting for Privilege Abuse and Defense Evasion

Adds three-query pack detecting legacy auth bypass, guest account abuse, and post-reset privileged operations. Read More →

Entra ID Account Takeover: Three-Query Hunting Pack for Post-Compromise Detection

Adds hunting pack targeting device code phishing, service principal persistence, and bulk password resets by privileged actors. Read More →

BadUSB HID Injection Detection: New Hunt for PowerShell via Windows Run Dialog

Adds hunting query to detect hardware keystroke injectors spawning PowerShell through explorer.exe with evasion patterns. Read More →

Microsoft Entra ID OAuth Consent Query: Fixing Zero-Result Bug in High-Risk Permission Detection

Corrects broken hunting query that returned no results due to incorrect property name filter. Read More →

Hunting Query: Ephemeral Code Signing Certificates for Malware-Signing-as-a-Service Detection

New hunting query identifies short-lived code signing certificates (≤14 days) on non-developer endpoints to detect Fox Tempest MSaaS operations. Read More →

Hunting Query: Rootkit Network Evasion Detection via Firewall-EDR Telemetry Delta

New hunting query detects kernel-level rootkits bypassing EDR network telemetry by comparing perimeter firewall logs against Microsoft Defender for Endpoint data streams. Read More →

Defender for Endpoint: Cryptographic Identity Baselining Hunting Query for Process Network Anomalies

New hunting query detects first-time network connections by processes using cryptographic signer baselining to defeat DLL sideloading and BYOTA attacks. Read More →

Entra ID Attack Chain Correlation: Three New Hunting Queries for Sequential Compromise Patterns

Three hunting queries detect multi-event attack chains in Entra ID—privileged role grants followed by SP credential additions and MFA disabling followed by sign-ins from unknown IPs. Read More →

Phishing Detection: Raw IP URLs in Delivered Email

New hunting query identifies delivered emails using raw IPv4 addresses as URL domains to detect phishing campaigns bypassing domain reputation systems. Read More →

Entra ID Hunting Pack: Defense Weakening and Privilege Abuse Detection

Three hunting queries targeting silent defense weakening techniques and off-hours privilege escalation in Entra ID environments. Read More →

LSASS Credential Dumping: Resilient Behavioral Detection Pack Added

Three new hunting queries detect LSASS memory dumping using behavioral physics rather than brittle timing or tool names. Read More →

Entra ID Workload Identity and Privileged Role Hunting Pack: Three New Detection Queries

New hunting pack targeting workload identity abuse and privileged role assignment anomalies with coverage gaps for service principal credential theft and PIM bypass techniques. Read More →

ETW-Resistant .NET Fileless Injection Detection via Kernel-Level CLR Loading

New hunting query detects fileless .NET execution even when attackers patch ETW by monitoring kernel-level .NET runtime DLL loading in native processes and untrusted paths. Read More →

Microsoft Defender XDR: New Hunting Query for Delegate Mailbox Phish Reporting Analysis

New hunting query helps identify the actual user who reported a phishing message when recipients and actors differ in delegate or shared mailbox scenarios. Read More →

Entra ID Cross-Source Hunting Pack: Post-Compromise Pattern Detection

Three new hunting queries correlate AuditLogs and SigninLogs to surface post-compromise identity patterns using baseline-driven anomaly detection. Read More →

AWS Content Quality Overhaul: Standardized Detection Rules and Improved Entity Mappings

Comprehensive quality improvements to 61 AWS Analytic Rules and 35 Hunting Queries with standardized naming conventions, normalized MITRE technique mappings, and updated entity field references from legacy AccountCustomEntity to UserIdentityUserName. Read More →

Microsoft Entra ID Table Rename: Hunting Queries Updated for Current Schema

12 hunting queries updated to use EntraIdSignInEvents and EntraIdSpnSignInEvents tables, replacing deprecated AADSignInEventsBeta and AADSpnSignInEventsBeta references. Read More →

Entra ID Attack Chain Detection: 5 New Hunting Queries Target Application Layer Persistence

Five hunting queries expose OAuth consent abuse, privileged escalation, and Conditional Access evasion used in Midnight Blizzard and Storm-0558 campaigns. Read More →

Microsoft Entra ID: Service Principal Credential Manipulation by Rare Actors

Identifies service principal credential additions by actors not observed performing these operations in the previous 90 days, targeting persistence techniques. Read More →

Microsoft Entra ID: Hunting Query for Password Spraying Detection via IP Failure Bursts

Correlates failed sign-ins across multiple identities followed by successful authentication from the same IP within 15 minutes, targeting password spraying patterns. Read More →