Repository of custom-made Microsoft Defender hunting queries that have proven useful for detecting interesting activity (malware and red-team tooling). I will update it little by little.
- Potential DLL Order Hijacking
- Suspicious DLL loaded in the address space of Rundll32
- Exfiltration with rclone, MEGAsync, StealBit
- Persistence via AnyDesk, Atera, Splashtop
- Connections from rundll32.exe with no command line
- Ngrok connections