Severity
HIGH
CVSS
7.5
Priority
0.809
Executive Summary
A threat actor is running an active campaign that impersonates Anthropic's Claude AI, CrowdStrike, SentinelOne, and Trellix to trick Windows users into installing a new backdoor called Beagle. The malware uses a legitimate G Data security binary to load malicious code, evading many traditional defenses, and connects to attacker-controlled infrastructure on Alibaba Cloud for remote access. Organizations whose employees download security or AI tools from unverified sources are directly exposed; a successful infection gives attackers persistent, remote control of the affected system.
Plain & Simple
Here’s what you need to know.
No jargon. Just the basics.
Are you affected?
Probably, if you downloaded a Claude AI app or security tool from a website in early 2026; the real Claude AI does not have a standalone Windows app.
What got out
Suspected: full remote access to your computer by attackers
Suspected: any files or passwords stored on your computer
Suspected: your computer may still be under attacker control
Do this now
1 Search your computer for a file called NOVupdate.exe; if you find it, do not open it, and contact a tech professional.
2 If you downloaded a Claude AI or security tool installer from a website recently, run a full scan with your antivirus software.
3 If your antivirus finds anything, disconnect your computer from the internet and ask for professional help before using it again.
Watch for these
Your computer running slowly or doing things on its own for no clear reason.
Unexpected emails or messages sent from your accounts that you did not write.
Anyone contacting you claiming to be from Anthropic, CrowdStrike, or a security company asking for access.
Should you worry?
If you did not download a Claude AI app or security tool installer from a website, you are very unlikely to be affected. If you did download something like that, take it seriously; this malware gives attackers real control of your computer.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
Actor Attribution
HIGH
Unknown — PlugX-linked actor (unattributed; operational overlap with historical PlugX campaigns noted)
TTP Sophistication
HIGH
13 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Windows systems; users targeted via typosquatted Anthropic Claude AI site; G Data NOVupdate.exe abused for DLL sideloading; Alibaba Cloud infrastructure used for C2; CrowdStrike, SentinelOne, and Trellix brands impersonated in delivery lures
Are You Exposed?
Heightened risk: your industry is targeted by this actor (unattributed; operational overlap with historical PlugX campaigns noted).
Assess exposure: you run Windows systems, have G Data software (NOVupdate.exe) deployed, or use products from CrowdStrike, SentinelOne, Trellix, or Anthropic, whose brands are impersonated in the delivery lures.
Review detection coverage: 13 attack techniques identified; check your coverage for these TTPs.
Reduced risk: your EDR/XDR detects the listed IOCs and TTPs.
Prepared: you have incident response procedures for this threat type.
Assessment estimated from severity rating and threat indicators.
Business Context
A successful Beagle infection hands attackers persistent, remote control of the affected Windows system — enabling data theft, lateral movement, and potential ransomware staging from a single employee download. The campaign impersonates security vendors including CrowdStrike, SentinelOne, and Trellix, meaning employees with elevated security tool access are plausible targets, increasing the blast radius of any single compromise. Organizations face operational disruption from incident response, potential data loss, and reputational damage if a breach tied to an AI-tool lure becomes public.
You Are Affected If
Employees use Windows systems and have permission to download and install software from the internet without IT approval
Your organization uses or evaluates AI tools and employees may search for Claude AI or similar products independently
You have not deployed application allowlisting or execution controls that would block unsigned or unrecognized binaries
Your security stack does not alert on DLL sideloading events (T1574.002) or in-memory code injection (T1055)
Your DNS or proxy controls do not block newly registered or typosquatted domains
Board Talking Points
Attackers are impersonating well-known security vendors and AI tools to install malware that gives them full remote control of employee Windows computers.
Security teams should immediately block the known malicious file (NOVupdate.exe) and restrict employee software downloads to IT-approved sources within the next 48 hours.
Without action, a single employee installing what appears to be a legitimate security or AI tool could give attackers persistent access to internal systems and data.
Technical Analysis
Beagle is a previously undocumented Windows backdoor delivered through a multi-stage infection chain.
Initial access occurs via typosquatted sites impersonating Anthropic Claude AI, CrowdStrike, SentinelOne, and Trellix, with at least four delivery variants observed since February 2026.
The MSI installer drops and executes DonutLoader, which performs in-memory process injection (T1055) to load a malicious DLL (avk.dll) sideloaded through NOVupdate.exe, a legitimate signed binary from G Data security software (T1574.002, CWE-426).
The downloader retrieves code without integrity verification (CWE-494), and the final payload constitutes embedded malicious code (CWE-506). Beagle provides full remote access: file upload/download (T1105), Windows command shell execution (T1059.003), and C2 communication over both TCP/443 with AES encryption (T1573.001, T1071.001) and UDP/8080 (T1095). Persistence is established via registry run keys or the startup folder (T1547.001). C2 infrastructure is hosted on Alibaba Cloud. Operational similarities to historical PlugX tooling have been noted by researchers; definitive actor attribution has not been established. No CVE assigned. Relevant CWEs: CWE-426, CWE-494, CWE-506. Sources: BleepingComputer, Security Affairs (T3).
Action Checklist
Triage Priority:
IMMEDIATE
Escalate to IR leadership, legal, and CISO immediately if any evidence of lateral movement (Security Event ID 4624 Logon Type 3 on other hosts originating from the infected host), credential access (Event ID 4648, LSASS access in Sysmon Event ID 10), or data staging/exfiltration to Alibaba Cloud C2 is confirmed during the infection dwell window, as these conditions elevate the incident from initial access to a potential breach requiring regulatory notification assessment.
1. Containment: Block execution of NOVupdate.exe across the environment via application control policy (e.g., AppLocker, Windows Defender Application Control). NOVupdate.exe is a high-confidence IOC for this campaign when found outside a managed, IT-provisioned G Data installation. Isolate any system where it is found.
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SI-3 (Malicious Code Protection)
NIST CM-7 (Least Functionality) — restrict execution to approved binaries only
CIS 2.3 (Address Unauthorized Software)
CIS 4.4 (Implement and Manage a Firewall on Servers)
Compensating Control
Without enterprise AppLocker/WDAC management, deploy a Sysmon configuration (SwiftOnSecurity baseline) with a rule to alert on NOVupdate.exe process creation: EventType 'ProcessCreate' where Image ends with 'NOVupdate.exe'. Immediately run: Get-Process | Where-Object {$_.Name -eq 'NOVupdate'} | Stop-Process -Force across all reachable endpoints via PowerShell remoting. Cut the binary's outbound network access at the host firewall (a program rule matches on path, not hash, and does not prevent execution, so it only contains C2 traffic) using: New-NetFirewallRule -DisplayName 'Block_Beagle_NOVupdate' -Direction Outbound -Action Block -Program 'C:\Path\NOVupdate.exe'. Use osquery to sweep: SELECT * FROM processes WHERE name = 'NOVupdate.exe'; across the fleet.
Preserve Evidence
Before isolating, capture: (1) a full memory dump of the NOVupdate.exe process using ProcDump — 'procdump.exe -ma NOVupdate.exe novupdate_memdump.dmp' — to preserve the injected Beagle payload in memory before it is lost on reboot; (2) open network connections from the process via 'netstat -anob | findstr NOVupdate' to identify the active Alibaba Cloud C2 IP and port; (3) the loaded DLL list for the process — specifically confirm the presence of avk.dll loaded from an anomalous path outside C:\Program Files\G Data\; (4) the parent process tree from Sysmon Event ID 1 or Windows Event ID 4688 to identify which MSI installer spawned NOVupdate.exe; (5) filesystem timestamps (Created, Modified, Accessed) on NOVupdate.exe and avk.dll using 'Get-Item NOVupdate.exe, avk.dll | Select-Object Name, CreationTime, LastWriteTime, LastAccessTime'.
2. Detection: Hunt for NOVupdate.exe in process creation logs (Windows Event ID 4688 or Sysmon Event ID 1). Search EDR telemetry for avk.dll loaded by any process other than a verified G Data installation. Check DNS and proxy logs for connections to Alibaba Cloud IP ranges on TCP/443 and UDP/8080 from endpoints that are not cloud workloads. Review download logs for MSI files retrieved from domains typosquatting 'claude', 'anthropic', 'crowdstrike', 'sentinelone', or 'trellix'.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
MITRE ATT&CK T1574.002 (DLL Side-Loading) — detection pivot for avk.dll loaded by NOVupdate.exe outside G Data install path
MITRE ATT&CK T1566.002 (Spearphishing Link) — typosquatted download delivery vector
Compensating Control
Without a SIEM, run this PowerShell query against the Windows Security event log: Get-WinEvent -FilterHashtable @{LogName='Security';Id=4688} | Where-Object {$_.Message -match 'NOVupdate\.exe'}. For DLL sideloading detection without EDR, use Sysmon Event ID 7 (ImageLoaded) with a filter on the ImageLoaded path containing 'avk.dll' AND the process image NOT matching 'C:\Program Files\G Data\'. For DNS hunting without a proxy solution, parse the Windows DNS client event log (Microsoft-Windows-DNS-Client/Operational) for query names that mention a brand but do not end in the vendor's own domain, using the case-insensitive regex: ^(?!(?:.*\.)?(?:anthropic\.com|claude\.ai|crowdstrike\.com|sentinelone\.com|trellix\.com)$).*(claude|anthropic|crowdstrike|sentinelone|trellix) (the negative lookahead excludes the legitimate domains and their subdomains, so only lookalikes match). Download and apply the community Sigma rule for PlugX-linked sideloading (search the Sigma HQ repo for 'dll_sideloading_abused_tools') to parse collected Sysmon logs with sigma-cli.
Preserve Evidence
Collect before triaging: (1) Windows Event ID 4688 or Sysmon Event ID 1 records for NOVupdate.exe showing full command line and parent process — command-line logging must be enabled via Group Policy (Audit Process Creation + include command line); (2) Sysmon Event ID 7 records showing avk.dll loaded outside 'C:\Program Files\G Data\' — this is the forensic fingerprint of sideloading vs. legitimate G Data use; (3) DNS query logs filtered for typosquatted domains containing 'claude', 'anthropic', 'crowdstrike', 'sentinelone', or 'trellix' with non-canonical TLDs or subdomain prefixes; (4) proxy or web filter logs for HTTP GET/POST to Alibaba Cloud ASN (AS37963, AS45102) on TCP/443 or UDP/8080 from non-cloud endpoints; (5) browser download history and Windows Zone.Identifier alternate data streams on MSI files to confirm download origin URL — run: Get-Item *.msi -Stream Zone.Identifier | Get-Content.
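The two detection pivots of this step, worked through in Python as an added example (not code from the original advisory or from any vendor): it flags Sysmon Event ID 7 records where avk.dll is loaded by or from a path outside C:\Program Files\G Data\, and DNS query names that mention one of the impersonated brands but resolve under a domain the vendor does not own. The Sysmon records, the DNS log line format ("timestamp host qname"), host names and every domain ending in .example are constructed for the demonstration.

```python
"""Added example (not part of the original advisory): offline hunt over
constructed Sysmon Event ID 7 records and DNS query log lines for the two
pivots described in step 2 (avk.dll sideloaded outside the G Data install
path, and lookups of brand typosquats). All sample data below is constructed."""
import ntpath
import re

# Install root of the legitimate G Data product (path named in the advisory).
GDATA_ROOT = "c:\\program files\\g data\\"

# Brands impersonated in the campaign and the domains they legitimately use.
BRANDS = ("claude", "anthropic", "crowdstrike", "sentinelone", "trellix")
LEGIT_DOMAINS = {"claude.ai", "anthropic.com", "crowdstrike.com",
                 "sentinelone.com", "trellix.com"}


def is_avk_sideload(event):
    """Flag a Sysmon Event ID 7 (ImageLoaded) record when avk.dll is loaded and
    either the DLL or the loading process lives outside the G Data install path."""
    if event.get("EventID") != 7:
        return False
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "avk.dll":
        return False
    image = event.get("Image", "").lower()
    return not (loaded.lower().startswith(GDATA_ROOT) and image.startswith(GDATA_ROOT))


def registrable_domain(qname):
    """Last two labels of a query name. Assumes a two-label registrable domain
    (no public-suffix handling such as co.uk), which suffices for this hunt."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_brand_typosquat(qname):
    """True when a query name mentions a brand but sits under a domain the
    vendor does not own. Subdomains of the legitimate domains are allowed."""
    q = qname.rstrip(".").lower()
    if not any(brand in q for brand in BRANDS):
        return False
    return registrable_domain(q) not in LEGIT_DOMAINS


# Constructed log line format: "<timestamp> <host> <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<qname>\S+)$")


def hunt(sysmon_events, dns_lines):
    """Return findings as (kind, host, detail) tuples."""
    findings = []
    for ev in sysmon_events:
        if is_avk_sideload(ev):
            findings.append(("sideload", ev["Computer"],
                             f"{ev['Image']} loaded {ev['ImageLoaded']}"))
    for line in dns_lines:
        m = DNS_LINE.match(line.strip())
        if m and is_brand_typosquat(m["qname"]):
            findings.append(("typosquat", m["host"], m["qname"]))
    return findings


# Constructed samples: one legitimate G Data load, one sideload from a
# user-writable temp directory, one unrelated DLL load.
SAMPLE_SYSMON = [
    {"EventID": 7, "Computer": "ws01",
     "Image": "C:\\Program Files\\G Data\\AVK\\NOVupdate.exe",
     "ImageLoaded": "C:\\Program Files\\G Data\\AVK\\avk.dll"},
    {"EventID": 7, "Computer": "ws02",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ClaudeSetup\\NOVupdate.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\ClaudeSetup\\avk.dll"},
    {"EventID": 7, "Computer": "ws03",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]
# Constructed DNS query log lines (the .example names are placeholders).
SAMPLE_DNS = [
    "2026-03-02T10:14:55Z ws02 claude-ai-download.example",
    "2026-03-02T10:15:01Z ws02 cdn.claude.ai",
    "2026-03-02T10:16:40Z ws05 www.crowdstrike.com",
    "2026-03-02T10:17:03Z ws05 crowdstrike-falcon-setup.example",
    "2026-03-02T10:18:12Z ws07 updates.example.net",
]

if __name__ == "__main__":
    for kind, host, detail in hunt(SAMPLE_SYSMON, SAMPLE_DNS):
        print(f"[{kind}] {host}: {detail}")
```

The sideload check deliberately looks at both the DLL path and the loading process path: a renamed copy of NOVupdate.exe is still caught by the DLL location, and an avk.dll dropped next to a copied binary is caught by the process location. The typosquat check is a heuristic (substring match plus a naive registrable-domain split) and is meant as a hunting filter, not a blocklist.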
3. Eradication: On confirmed infected systems, terminate and remove NOVupdate.exe and avk.dll. Remove associated MSI installer artifacts. Purge registry run keys or startup folder entries added by the malware (T1547.001). Block identified C2 domains and IPs at the perimeter firewall and DNS resolver. No vendor patch applies; this is a campaign-based threat, not a software vulnerability.
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation) — applied here as artifact removal, not software patching
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-7 (Least Functionality)
CIS 2.3 (Address Unauthorized Software)
MITRE ATT&CK T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) — specific persistence mechanism to remove
Compensating Control
Without EDR for guided remediation: (1) terminate the process — Stop-Process -Name NOVupdate -Force; (2) remove files — Remove-Item -Force 'C:\[install path]\NOVupdate.exe', 'C:\[install path]\avk.dll', and MSI artifacts in %TEMP% and %LOCALAPPDATA%\Temp; (3) audit registry persistence — reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run and reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run for any entry pointing to NOVupdate.exe or referencing the sideload path, then delete: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v [BeagleEntry] /f; (4) check the startup folder — Get-ChildItem 'C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'; (5) block C2 at Windows Firewall — New-NetFirewallRule -DisplayName 'Block_Beagle_C2' -Direction Outbound -Action Block -RemoteAddress [Alibaba C2 IPs] -Protocol TCP -RemotePort 443 (add a matching UDP rule for port 8080).
Preserve Evidence
Before removing artifacts, preserve: (1) full forensic image or at minimum a targeted collection of NOVupdate.exe and avk.dll with SHA-256 hashes documented — use: Get-FileHash -Algorithm SHA256 NOVupdate.exe; (2) export all Run key contents before deletion — reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\IR\RunKeys_HKCU.reg and same for HKLM; (3) capture contents of Startup folder — copy all LNK and executable files to IR evidence share before removal; (4) export Windows Event Log Security and Sysmon logs to offline storage before touching the system; (5) document all C2 IP and domain indicators from active netstat and DNS cache — ipconfig /displaydns > C:\IR\dns_cache.txt — to support perimeter block accuracy.
4. Recovery: After removing artifacts, verify no additional persistence mechanisms remain using an EDR full scan and a manual review of HKCU/HKLM Run keys and startup folders. Monitor outbound connections from the previously infected host for 72 hours. Re-image if confidence in full eradication is low. Validate that no lateral movement or credential access occurred during the window of infection.
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST CP-10 (System Recovery and Reconstitution)
CIS 5.1 (Establish and Maintain an Inventory of Accounts) — validate no accounts created or modified during infection window
MITRE ATT&CK T1003 (OS Credential Dumping) — validate no credential access tools executed during Beagle dwell time
MITRE ATT&CK T1021 (Remote Services) — validate no lateral movement from infected host
Compensating Control
Without EDR for post-eradication validation: (1) run Autoruns (Sysinternals) with 'Check VirusTotal' enabled to scan all persistence points including Run keys, scheduled tasks, services, and startup folders; (2) check for scheduled tasks created during the infection window — Get-ScheduledTask | Where-Object {$_.Date -gt [infection_start_timestamp]}; (3) for lateral movement validation, review Windows Security Event ID 4624 (Logon) with Logon Type 3 on other systems where the Source Network Address is the infected host (the infected host's own 4624 Type 3 events record inbound logons, not its outbound ones), alongside 4648 (Explicit Credential Logon) on the infected host itself, using: Get-WinEvent -ComputerName [target_host] -FilterHashtable @{LogName='Security';Id=4624;StartTime=[infection_start]} | Where-Object {$_.Message -match 'Logon Type:\s+3\b' -and $_.Message -match '[infected_host_ip]'}; (4) deploy Wireshark or tcpdump on the recovered host's network segment for 72 hours filtering on Alibaba Cloud ASN egress traffic.
Preserve Evidence
Before closing out recovery: (1) collect Windows Security Event ID 4648 (explicit credential use) and 4768/4769 (Kerberos TGT/TGS requests) from the infected host during the dwell window to assess if Beagle facilitated credential theft for lateral movement; (2) review Security Event ID 4624 logon events from other hosts showing origination from the infected system's IP/hostname during infection window; (3) export Scheduled Tasks XML — Export-ScheduledTask — for any task created during infection timeframe; (4) collect a final Autoruns snapshot post-remediation as documented evidence of clean state; (5) capture a post-remediation netstat baseline — netstat -anob > C:\IR\post_remediation_netstat.txt — timestamped, to serve as the clean-state reference for the 72-hour monitoring window.
5. Post-Incident: This campaign exploited the absence of controls around unsigned software downloads (CWE-494) and unmanaged DLL loading (CWE-426). Evaluate whether software download policies restrict employees to approved sources. Implement or audit application allowlisting. Add brand-impersonation monitoring for your own vendors (CrowdStrike, SentinelOne, Trellix) to your threat intelligence feed. Update security awareness training to include AI tool impersonation as a current lure type.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling) — update playbook to include DLL sideloading via abused security vendor binaries
NIST IR-8 (Incident Response Plan) — revise to address brand-impersonation delivery vectors
NIST SI-7 (Software, Firmware, and Information Integrity) — enforce code signing verification for all downloaded executables
NIST SA-22 (Unsupported System Components) — policy basis for restricting unapproved software sources
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — establish recurring hunt for sideloading patterns
CIS 2.1 (Establish and Maintain a Software Inventory) — unauthorized NOVupdate.exe would be caught by inventory gap analysis
CIS 2.2 (Ensure Authorized Software is Currently Supported)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — extend to include campaign-based threats, not just CVEs
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Without a commercial TI feed: (1) subscribe to CISA's Known Exploited Vulnerabilities feed and free threat intel sharing via ISAC relevant to your sector; (2) create a free dnstwist (open source) scheduled scan against your own vendor brand names (crowdstrike, sentinelone, trellix, anthropic, claude) to detect newly registered typosquatted domains — run: dnstwist --registered crowdstrike.com weekly via cron; (3) create a YARA rule targeting the NOVupdate.exe + avk.dll sideloading pattern and deploy via ClamAV on email gateway and shared drives; (4) build a Sigma rule for Sysmon Event ID 7 where ImageLoaded matches 'avk.dll' and process is not in the G Data install path, and run it as a scheduled hunt against archived Sysmon logs using sigma-cli; (5) add a mandatory acknowledgment step to the software download SOP requiring employees to verify URLs against a pinned approved-sources list before downloading any security or AI tooling.
Preserve Evidence
For lessons learned documentation: (1) timeline reconstruction showing first MSI download event (browser history or proxy log) through to C2 beacon establishment — this establishes dwell time and scope for the post-incident report; (2) the Zone.Identifier ADS contents from the original MSI file confirming the typosquatted download URL; (3) the full list of C2 indicators (Alibaba Cloud IPs and domains) observed in DNS/proxy logs — these become permanent block entries and TI feed submissions; (4) Sysmon Event ID 7 records showing avk.dll sideloading as the definitive forensic proof of the DLL hijack technique for the after-action report; (5) any Security Event ID 4688 or Sysmon Event ID 1 records of unusual child processes spawned by NOVupdate.exe to characterize full Beagle backdoor capability observed in this environment.
Recovery Guidance
After artifact removal, monitor the previously infected host's outbound network traffic for a minimum of 72 hours specifically filtering for connections to Alibaba Cloud ASN ranges (AS37963, AS45102) on TCP/443 and UDP/8080, as Beagle's PlugX-linked infrastructure may use multiple fallback C2 channels not identified in initial IOC sets. Validate integrity of any security tools (EDR agents, AV clients) installed on the infected host, as the campaign impersonated CrowdStrike, SentinelOne, and Trellix and the backdoor may have tampered with or replaced legitimate security software. Re-image any system where confidence in full eradication is below high, particularly if the system held privileged credentials or had access to sensitive data during the infection window.
Key Forensic Artifacts
NOVupdate.exe and avk.dll on disk: hash both files (SHA-256) and compare against known-good G Data binary hashes; presence of avk.dll outside 'C:\Program Files\G Data\AVK\' is definitive evidence of DLL sideloading (CWE-426) specific to this campaign
MSI installer file with Zone.Identifier alternate data stream intact: the ADS HostUrl field will contain the typosquatted domain used for delivery (e.g., a domain impersonating claude.ai, crowdstrike.com, sentinelone.com, or trellix.com), providing direct attribution to the Beagle campaign delivery vector
Windows DNS client event log (Microsoft-Windows-DNS-Client/Operational) and proxy logs: queries to Alibaba Cloud-hosted C2 domains on TCP/443 and UDP/8080 are the network-layer fingerprint of Beagle's command-and-control pattern, directly linked to the PlugX-associated infrastructure used in this campaign
Registry export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM equivalent, plus Startup folder contents: Beagle establishes persistence via T1547.001 and these keys/folders will contain the specific entry pointing to NOVupdate.exe or a renamed variant, timestamped to the infection window
Sysmon Event ID 7 (ImageLoaded) logs showing avk.dll loaded by NOVupdate.exe: this is the highest-fidelity forensic artifact for DLL sideloading confirmation and distinguishes a Beagle-campaign infection from any legitimate G Data AVK installation, which would show the same DLL loaded only by G Data's own signed processes
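Two of the artifacts above are plain text that an analyst usually reads by hand: the Zone.Identifier alternate data stream of a downloaded MSI and a .reg export of the Run key. The Python below is an added example (not from the original advisory) that parses both from constructed sample content, reports the HostUrl origin and whether it is a domain the impersonated vendors own, and grades Run entries as a campaign hit (references NOVupdate.exe or avk.dll) or as review-worthy (launched from a user-writable directory). The stream contents, the registry export, the user name and the .example domain are constructed.

```python
"""Added example (not part of the original advisory): parses the
Zone.Identifier ADS of a downloaded file and a .reg export of the HKCU Run
key, both from constructed sample text, and flags the Beagle indicators the
advisory describes for these artifacts."""
import configparser
import re
from urllib.parse import urlparse

# Domains the impersonated vendors legitimately use (from the advisory).
LEGIT_DOMAINS = {"claude.ai", "anthropic.com", "crowdstrike.com",
                 "sentinelone.com", "trellix.com"}
ZONE_INTERNET = 3  # URLZONE_INTERNET in the Windows security-zone numbering
# Campaign file names, and user-writable locations a Run entry should not launch from.
CAMPAIGN_FILES = ("novupdate.exe", "avk.dll")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def parse_zone_identifier(stream_text):
    """Return (zone_id, referrer_url, host_url); missing fields come back as None.
    The stream is INI-formatted with a [ZoneTransfer] section."""
    cp = configparser.ConfigParser()
    cp.read_string(stream_text)
    zt = cp["ZoneTransfer"]
    zone = zt.get("ZoneId")
    return (int(zone) if zone is not None else None,
            zt.get("ReferrerUrl"), zt.get("HostUrl"))


def download_origin(stream_text):
    """(host, is_vendor_domain) for the server that delivered the file, using a
    naive two-label registrable-domain split; host is None without a HostUrl."""
    _zone, _referrer, host_url = parse_zone_identifier(stream_text)
    if not host_url:
        return None, False
    host = (urlparse(host_url).hostname or "").lower()
    registrable = ".".join(host.split(".")[-2:])
    return host, registrable in LEGIT_DOMAINS


# One REG_SZ line of a .reg export: "name"="data", with \\ and \" escapes.
REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def unescape_reg_string(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_key_export(reg_text):
    """Yield (key_path, value_name, data) for every REG_SZ value in the export.
    On disk a reg export is UTF-16LE with a BOM; open it with encoding='utf-16'."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if m and key:
            yield key, unescape_reg_string(m["name"]), unescape_reg_string(m["data"])


def suspicious_run_entries(reg_text):
    """Grade Run entries: 'campaign' when they reference the campaign binaries,
    'review' when they launch from a user-writable path (a common but not
    conclusive sign; legitimate per-user installers live there too)."""
    hits = []
    for _key, name, data in parse_run_key_export(reg_text):
        low = data.lower()
        if any(f in low for f in CAMPAIGN_FILES):
            hits.append(("campaign", name, data))
        elif any(d in low for d in USER_WRITABLE):
            hits.append(("review", name, data))
    return hits


# Constructed Zone.Identifier stream of a downloaded installer.
SAMPLE_ZONE_ID = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://claude-ai-download.example/
HostUrl=https://claude-ai-download.example/ClaudeSetup.msi
"""
# Constructed .reg export of the HKCU Run key (user and entry names invented).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"GDataUpdate"="C:\\Users\\alice\\AppData\\Local\\Temp\\ClaudeSetup\\NOVupdate.exe"
"VendorTool"="C:\\Program Files\\VendorTool\\tool.exe"
'''

if __name__ == "__main__":
    zone, _ref, host_url = parse_zone_identifier(SAMPLE_ZONE_ID)
    print("zone:", zone, "internet" if zone == ZONE_INTERNET else "other", "host_url:", host_url)
    print("origin:", download_origin(SAMPLE_ZONE_ID))
    for grade, name, data in suspicious_run_entries(SAMPLE_REG):
        print(f"[{grade}] {name} -> {data}")
```

A real ADS is read on Windows with Get-Content -Stream Zone.Identifier (as in step 2) and then fed to parse_zone_identifier; the "review" grade exists so that a legitimate per-user application in AppData is surfaced for a look rather than silently treated as the campaign's persistence entry.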
Detection Guidance
Primary IOC: presence of NOVupdate.exe on any system not running a managed, IT-provisioned G Data installation.
Secondary IOCs: avk.dll loaded outside a verified G Data process tree; MSI installers downloaded from domains containing 'claude,' 'anthropic,' or typosquats of major security vendor names.
Behavioral indicators: DonutLoader-style in-memory injection events in EDR (unsigned shellcode executed from memory); outbound connections on UDP/8080 to Alibaba Cloud IP space from endpoint systems; encrypted C2 beaconing on TCP/443 with irregular intervals from recently installed processes.
Sysmon rules: alert on ImageLoad events where ImageLoaded matches avk.dll and the parent process is not a verified G Data binary path. MITRE coverage gaps to check: T1574.002 (DLL sideloading), T1055 (process injection), T1095 (non-application layer C2). C2 IPs and domains should be obtained from current threat intelligence feeds (BleepingComputer, Security Affairs, and OSINT sources tracking Alibaba Cloud abuse).
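The behavioral indicator "beaconing on TCP/443 with irregular intervals from recently installed processes" can be scored without a commercial tool. The Python below is an added example (not from the original advisory or any vendor) that groups constructed outbound connection records by host, process, remote IP and port, keeps only TCP/443 and UDP/8080 from processes that are not in a noisy-browser list, and flags groups whose inter-arrival times have low relative variability (a jittered beacon) or whose remote IP falls in a threat-intelligence range. The record format, host names and timestamps are constructed, and TI_C2_PREFIXES is a placeholder (the TEST-NET-3 documentation range) standing in for ranges taken from current threat intelligence.

```python
"""Added example (not part of the original advisory): beacon scoring over
constructed outbound connection records. The TI prefix set is a placeholder
for ranges obtained from current threat intelligence, not real C2 data."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Placeholder for C2-hosting ranges from TI feeds: 203.0.113.0/24 is a documentation range.
TI_C2_PREFIXES = {"203.0.113."}
# Processes whose HTTPS traffic is expected to be chatty (same list as the Sentinel rule above).
NOISY_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe",
                   "outlook.exe", "svchost.exe"}
C2_PORTS = {("tcp", 443), ("udp", 8080)}   # channels named in the advisory
MIN_CONNECTIONS = 8
MAX_JITTER = 0.4   # coefficient of variation of inter-arrival times; jittered beacons stay below this


def parse_record(line):
    """Constructed record format: '<iso-ts> <host> <process> <proto> <remote_ip> <port>'."""
    ts, host, proc, proto, rip, port = line.split()
    return datetime.fromisoformat(ts), host, proc.lower(), proto.lower(), rip, int(port)


def beacon_candidates(lines):
    """Return one finding per (host, process, remote) group that looks like a beacon."""
    groups = defaultdict(list)
    for line in lines:
        ts, host, proc, proto, rip, port = parse_record(line)
        if (proto, port) not in C2_PORTS or proc in NOISY_PROCESSES:
            continue
        groups[(host, proc, rip, proto, port)].append(ts)

    findings = []
    for (host, proc, rip, proto, port), stamps in groups.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg          # low CV = regular cadence despite jitter
        on_ti = any(rip.startswith(p) for p in TI_C2_PREFIXES)
        if cv <= MAX_JITTER or on_ti:
            findings.append({"host": host, "process": proc,
                             "remote": f"{rip}:{port}/{proto}",
                             "connections": len(stamps),
                             "mean_gap_s": round(avg, 1),
                             "jitter_cv": round(cv, 2),
                             "ti_match": on_ti})
    return findings


def _make_lines(start, host, proc, proto, rip, port, gaps):
    """Build constructed records from a start time and a list of gaps in seconds."""
    t = start
    lines = [f"{t.isoformat()} {host} {proc} {proto} {rip} {port}"]
    for g in gaps:
        t += timedelta(seconds=g)
        lines.append(f"{t.isoformat()} {host} {proc} {proto} {rip} {port}")
    return lines


START = datetime(2026, 3, 2, 10, 0, 0, tzinfo=timezone.utc)
# Constructed samples: a ~60 s jittered beacon from the sideloaded binary, a bursty
# but irregular updater that should not fire, and browser traffic that is ignored.
SAMPLE_LINES = (
    _make_lines(START, "ws02", "NOVupdate.exe", "tcp", "203.0.113.10", 443,
                [55, 63, 58, 66, 60, 54, 62, 59, 61])
    + _make_lines(START, "ws05", "updater.exe", "tcp", "198.51.100.7", 443,
                  [2, 1, 600, 3, 1, 1200, 2, 1, 5])
    + _make_lines(START, "ws05", "chrome.exe", "tcp", "198.51.100.9", 443, [1] * 20)
)

if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_LINES):
        print(finding)
```

The thresholds are starting points to tune against your own baseline: MIN_CONNECTIONS keeps one-off downloads out, and MAX_JITTER trades recall for noise (a beacon with heavy randomised sleep needs a higher value, at the cost of more false positives from scheduled legitimate check-ins). The TI match is kept as an independent trigger so that a confirmed C2 address is reported even when too few connections have been seen to judge cadence.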
Indicators of Compromise (5)
2 domains, 1 URL, 2 hashes. Specific values were not confirmed in the available T3 sources; the entries below are descriptive.
DOMAIN (confidence MEDIUM): Typosquatted Anthropic/Claude AI domains (specific domains not confirmed in available T3 sources). Context: initial delivery sites impersonating the Anthropic Claude AI brand; deliver the malicious MSI installer.
DOMAIN (confidence MEDIUM): Typosquatted CrowdStrike, SentinelOne, Trellix domains (specific domains not confirmed in available T3 sources). Context: secondary delivery lures observed since February 2026; same infection chain.
URL (confidence MEDIUM): Alibaba Cloud-hosted C2 infrastructure (specific IPs/URLs not confirmed in available T3 sources). Context: Beagle backdoor C2 communications over TCP/443 (AES-encrypted) and UDP/8080.
HASH (confidence HIGH): NOVupdate.exe (specific file hash not confirmed in available T3 sources; flag any instance outside a verified G Data deployment). Context: legitimate signed G Data binary abused for DLL sideloading; high-confidence IOC when found outside a managed G Data installation.
HASH (confidence HIGH): avk.dll (specific file hash not confirmed in available T3 sources). Context: malicious DLL sideloaded via NOVupdate.exe; delivers the Beagle backdoor.
Platform Playbooks (Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security)
IOC Detection Queries (1)
1 URL indicator (KQL):
// Threat: Beagle Backdoor Campaign Uses Fake Claude AI Site with DLL Sideloading and PlugX
let malicious_urls = dynamic(["Alibaba Cloud-hosted C2 infrastructure (specific IPs/URLs not confirmed in available T3 sources)"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (9)
Sentinel rule: Persistence via registry / startup
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Winlogon\\", "\\Services\\")
| where RegistryValueData has_any (".exe", ".dll", ".bat", ".ps1", ".vbs", "cmd", "powershell", "http")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Process injection / hollowing
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "WriteToLsassProcessMemory", "NtAllocateVirtualMemoryApiCall", "NtMapViewOfSectionRemoteApiCall")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, ActionType
| sort by Timestamp desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Suspicious file execution from downloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
| where FileName endswith_any (".exe", ".scr", ".bat", ".ps1", ".vbs", ".js", ".hta", ".msi")
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Suspicious file download
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileOriginUrl != ""
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe")
| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Sentinel rule: Encoded command execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Falcon API IOC Import Payload (2 indicators)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
{
"type": "domain",
"value": "Typosquatted Anthropic/Claude AI domains (specific domains not confirmed in available T3 sources)",
"source": "SCC Threat Intel",
"description": "Initial delivery sites impersonating Anthropic Claude AI brand; deliver malicious MSI installer",
"severity": "medium",
"action": "detect",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-08-09T00:00:00Z"
},
{
"type": "domain",
"value": "Typosquatted CrowdStrike, SentinelOne, Trellix domains (specific domains not confirmed in available T3 sources)",
"source": "SCC Threat Intel",
"description": "Secondary delivery lures observed since February 2026; same infection chain",
"severity": "medium",
"action": "detect",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-08-09T00:00:00Z"
}
]
Route 53 DNS — Malicious Domain Resolution
fields @timestamp, qname, srcaddr, rcode
| filter qname in ["Typosquatted Anthropic/Claude AI domains (specific domains not confirmed in available T3 sources)", "Typosquatted CrowdStrike, SentinelOne, Trellix domains (specific domains not confirmed in available T3 sources)"]
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
MITRE ATT&CK: T1547.001, T1574.002, T1095, T1071.001, T1055, T1566 (+7 more)
NIST SP 800-53: AC-6, SC-7, SI-3, SI-4, AT-2, CA-7 (+4 more)
MITRE ATT&CK Mapping
T1547.001: Registry Run Keys / Startup Folder (persistence)
T1095: Non-Application Layer Protocol (command-and-control)
T1055: Process Injection (defense-evasion)
T1566: Phishing (initial-access)
T1105: Ingress Tool Transfer (command-and-control)
T1027: Obfuscated Files or Information (defense-evasion)
T1036.005: Match Legitimate Resource Name or Location (defense-evasion)
T1573.001: Symmetric Cryptography (command-and-control)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.