Update Dexplugin.yaml #199
Added 15 New DEX emerging threat detections.
@microsoft-github-policy-service agree company="Microsoft"
Pull Request Overview
This PR updates the Dexplugin.yaml file to add 15 new DEX emerging threat detection rules. Key changes include the addition of multiple detection queries for various threat activities, updates to rule descriptions, and adjustments to query formatting.
Comments suppressed due to low confidence (1)
Plugins/Community Based Plugins/Microsoft Security Experts/Microsoft Defender Experts Plugin/Dexplugin.yaml:46
- [nitpick] The description uses inconsistent casing for 'ROADtx'; consider changing 'roadtx' to 'ROADtx' to match the DisplayName.
Description: Detects known filenames and command line activity associated with ROADrecon and roadtx tools.
…rosoft Defender Experts Plugin/Dexplugin.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
KwachSean left a comment
Detailed Breakdown
- Formatting Fixes and Minor Edits
  - Added a YAML document separator (---) at the top.
  - Minor whitespace and formatting adjustments for code consistency.
  - Corrected description: Changed "ROADrecon and ROADtx tools" to "ROADrecon and roadtx tools" (lowercased 'roadtx').
  - Changed single quotes to double quotes in several KQL query templates for consistency.
- Improved Query Formatting
  - Adjusted query blocks for skills like DEX-QakbotReconnaissanceActivities, changing single quotes to double quotes and aligning logical structure for improved clarity and consistency.
- Added New Detection Skills (Major Additions)
  - Microsoft Teams and RMM/Phishing Detections
    - DEX-TeamsActivityAfterSuspiciousRMM: Detects Teams chat activity after suspicious Remote Monitoring and Management (RMM) tool usage. Cross-references device process events with Teams chat creation involving foreign tenants.
    - DEX-TeamsPhishingviaUrlClickEvents: Correlates suspicious device alerts with URL click events in Microsoft Teams.
    - DEX-TeamsAdversary-in-The-Middle(AiTM): Correlates risky sign-in attempts with Teams phishing from external tenants to identify adversary-in-the-middle scenarios.
  - LOLBINs, Exfiltration, and Persistence
    - DEX-SuspiciousFileDownloadsviaLOLBINs: Detects use of LOLBINs (e.g., curl.exe, powershell.exe, certutil.exe, bitsadmin.exe) for suspicious file downloads from public IPs.
    - DEX-CSVDEDownloadandADEnumeration: Detects the download and execution of Csvde.exe (Active Directory data export tool) via curl, followed by enumeration commands, within a short time window.
    - DEX-DataCompressionandExfiltration: Detects use of 7-Zip to extract files with a password, followed by possible data exfiltration via network connections.
    - DEX-PersistenceThroughStartupOperations: Detects persistence mechanisms via:
      - Registry keys (ASEP, Run, etc.)
      - Startup folder file creation/modification
      - Scheduled task creation
  - Browser, DPAPI, and Infostealer Detections
    - DEX-BrowserRemoteDebugging: Detects AutoIT scripts launching Chromium-based browsers in remote debugging mode.
    - DEX-DPAPI-AutoIT: Detects DPAPI (Data Protection API) decryption actions initiated by AutoIT scripts, specifically for Chrome/Edge.
    - DEX-DPAPI-LOLBAS: Detects DPAPI decryption via LOLBAS binaries (e.g., RegAsm.exe, MSBuild.exe).
    - DEX-SensitiveBrowserAccessAutoIT: Identifies AutoIT scripts accessing sensitive browser files (cookies, password databases, etc.).
    - DEX-SensitiveBrowserAccessLOLBAS: Identifies LOLBAS binaries accessing sensitive browser files.
    - DEX-Node.jsInfostealerActivity: Detects Node.js-based infostealers accessing Windows DPAPI-protected credentials, run via PowerShell parent process.
    - DEX-SuspiciousInlineJavaScriptExecution: Identifies suspicious inline JavaScript execution patterns with Node.js.
    - DEX-SuspiciousJSCFile: Identifies execution of suspicious .jsc (JavaScript compiled) files via Node.js.
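As an added example (not the plugin's own query and not code from this PR), one way the process-to-network correlation behind the DEX-SuspiciousFileDownloadsviaLOLBINs skill described in the review above can be expressed in KQL against the Defender XDR advanced hunting schema. The table and column names are the public schema; the download indicator terms and the two-minute correlation window are assumptions chosen for illustration.

```kql
// Added example, not the plugin's own query. Assumes the Defender XDR advanced
// hunting schema (DeviceProcessEvents, DeviceNetworkEvents); the download terms
// and the 2-minute correlation window are assumptions, not values from the PR.
let lookback = 7d;
let lolbins = dynamic(["curl.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe"]);
// Command-line terms that commonly indicate a download when seen with these binaries.
let download_terms = dynamic(["http", "https", "urlcache", "transfer", "DownloadFile",
                              "DownloadString", "Invoke-WebRequest", "iwr", "wget"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ (lolbins)
| where ProcessCommandLine has_any (download_terms)
| project DeviceId, DeviceName, AccountName, ProcessId, ProcTime = Timestamp,
          FileName, ProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    // Only outbound connections to public address space, as the skill description states.
    | where RemoteIPType == "Public"
    | where InitiatingProcessFileName in~ (lolbins)
    | project DeviceId, InitiatingProcessId, NetTime = Timestamp,
              RemoteIP, RemotePort, RemoteUrl
) on DeviceId
// Tie the connection to the specific process instance: same PID, shortly after launch.
// PIDs are reused, so the time window matters as much as the PID match.
| where InitiatingProcessId == ProcessId
| where NetTime between (ProcTime .. (ProcTime + 2m))
| project DeviceName, AccountName, ProcTime, FileName, ProcessCommandLine,
          RemoteIP, RemotePort, RemoteUrl
| order by ProcTime desc
```

Tuning the term list and the window against an environment's own baseline of curl and certutil usage is what keeps this from paging on legitimate software deployment traffic.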