Severity: HIGH | CVSS: 7.5 | Priority: 0.769
Executive Summary
Threat actors are impersonating IT helpdesk staff over Microsoft Teams external chat, then using Microsoft's own Quick Assist remote access tool to take control of employee workstations. Once inside, attackers install hidden backdoors disguised as legitimate software (Autodesk, Adobe Acrobat), exfiltrate data using Rclone, and cover their tracks using built-in Windows tools. Any organization using Microsoft Teams with external communications enabled is exposed, and successful compromise can result in full network access, data theft, and ransomware deployment.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (prioritize for investigation)
Actor Attribution: HIGH; unattributed, with structural overlap with Black Basta Teams abuse campaigns
TTP Sophistication: HIGH; 22 MITRE ATT&CK techniques identified
Detection Difficulty: HIGH; multiple evasion techniques observed
Target Scope: INFO; Microsoft Teams (External Chat), Quick Assist, Windows Remote Management (WinRM), Rclone, Autodesk, Adobe Acrobat/Reader, Windows Error Reporting
Are You Exposed?
⚠ An unattributed actor with structural overlap to Black Basta Teams abuse campaigns targets organizations like yours → Heightened risk
⚠ You use Microsoft Teams with external chat enabled → Assess exposure
⚠ 22 attack techniques identified; review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
A successful compromise gives attackers full interactive control of an employee's workstation, including access to credentials, internal systems, and sensitive business data, without triggering traditional security alerts. Because the attack uses Microsoft's own tools and signed software, standard endpoint defenses are unlikely to block it. The end result can be large-scale data theft or ransomware deployment, with associated costs including regulatory fines, operational downtime, and customer notification obligations.
You Are Affected If
Your organization uses Microsoft Teams with external access enabled (the default configuration permits chat with every external Teams domain and, unless changed, with personal consumer Teams accounts, which is the account type used for unsolicited helpdesk contact)
Quick Assist is available and not blocked on employee workstations
Your employees are not trained to recognize or reject unsolicited helpdesk contact via Teams external chat
Rclone is not blocked by endpoint protection or application control policy
Signed third-party executables (Autodesk, Adobe) can be installed by standard users without IT approval
Board Talking Points
Attackers are posing as our IT helpdesk on Microsoft Teams and convincing employees to hand over remote control of their computers — no technical vulnerability is involved, only deception.
Security and IT leadership should immediately restrict Microsoft Teams external messaging and disable Quick Assist for employees who do not require it, within the next 48 hours.
Organizations that take no action remain fully exposed to data theft and ransomware through a channel most employees consider trustworthy.
Technical Analysis
This campaign, documented by Microsoft in two security blog posts dated 2026-03-03 and 2026-03-16, chains nine stages to achieve enterprise compromise without traditional exploit code.
Attack vector: Microsoft Teams external chat (T1566.003, Spearphishing via Service) used to initiate contact and establish a false helpdesk identity.
The attacker convinces the target to launch Quick Assist (T1219), granting an interactive remote session on the user's desktop.
Post-access, the attacker lives off the land: WinRM (T1021.006) for lateral movement, and cmd.exe and PowerShell (T1059.003, T1059.001) for execution. Persistence is established via registry run keys (T1547.001) and via signed installers masquerading as Autodesk or Adobe Acrobat/Reader software (T1036.005); the T1574.002 mapping indicates DLL side-loading through those signed binaries. Windows Error Reporting is abused for defense evasion (T1562, T1562.001). Final-stage exfiltration uses Rclone to cloud storage endpoints (T1567, T1567.002).
CWEs tagged in the source: CWE-427 (uncontrolled search path), CWE-1021 (improper frame restrictions), CWE-693 (protection mechanism failure), CWE-426 (untrusted search path). No CVE is assigned and no patch resolves this campaign; it abuses legitimate, intended functionality. Structural overlap is noted with Black Basta Teams abuse campaigns; attribution remains unconfirmed.
Action Checklist IR ENRICHED
Triage Priority:
IMMEDIATE
Escalate to executive leadership, legal counsel, and potentially law enforcement if Rclone exfiltration is confirmed to cloud storage endpoints (indicating data theft of PII, PHI, or IP), if unauthorized accounts were created in Active Directory or Azure AD, or if compromise scope extends beyond a single endpoint — any of these conditions may trigger breach notification obligations under GDPR, HIPAA, or state-level data protection laws.
1
Step 1: Containment — Restrict or disable Microsoft Teams external access immediately for user populations that do not require it. In Teams Admin Center (Users > External access), replace open federation with an allowlist of specific external domains and turn off communication with personal (consumer) Teams accounts, the account type unsolicited helpdesk chats come from. Block Quick Assist where it is not operationally required. There is no dedicated Group Policy setting for Quick Assist: on Windows 11 it is a Store (packaged) app, so deny it with an AppLocker packaged-app rule or WDAC, or uninstall and deprovision the package (Remove-AppxPackage / Remove-AppxProvisionedPackage); on Windows 10 block the inbox %SystemRoot%\System32\quickassist.exe by path or hash. Re-check after feature updates and Store updates, since the package can be reinstalled, and monitor for unexpected re-enablement. (Cite: NIST AC-4 — Information Flow Enforcement; NIST AC-17 — Remote Access; NIST AC-20 — Use Of External Systems; CIS 2.3 — Address Unauthorized Software; D3-UAP — User Account Permissions)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST CM-7 (Least Functionality)
NIST SC-7 (Boundary Protection)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 4.5 (Implement and Manage a Firewall on End-User Devices)
Compensating Control
Without enterprise MDM, push the block through Group Policy as an AppLocker policy rather than Software Restriction Policies: SRP is deprecated and never evaluates packaged (Appx) apps, so it cannot stop the Store build of Quick Assist. Under Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker, add a Packaged app DENY rule for publisher CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US with package name MicrosoftCorporationII.QuickAssist (keep the default allow-all packaged-app rule, otherwise every other Store app is blocked too), plus an Executable DENY path rule for %SystemRoot%\System32\quickassist.exe on Windows 10 hosts; the Application Identity service must be running for enforcement. The Teams external-access controls are also exposed in PowerShell for scripting or when the admin portal is unavailable: Connect-MicrosoftTeams; Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false, and -AllowFederatedUsers $false if all federation must stop. One analyst executes the GPO, one validates enforcement on a sample endpoint within 30 minutes (gpresult /h plus a Quick Assist launch attempt, which should be refused with Event ID 8022 in Applications and Services Logs > Microsoft > Windows > AppLocker > Packaged app-Execution).
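A scripted form of the two containment actions above, added here as an example; it is not code from Microsoft's blog posts or from this page's sources. It assumes the MicrosoftTeams PowerShell module for the tenant side and AppLocker on the endpoint (Windows Enterprise/Education, or Pro managed through Intune), the partner domain list is a placeholder, and the Quick Assist publisher and package names follow Microsoft's published AppLocker guidance for the Store app.

```powershell
#Requires -RunAsAdministrator
# Added example: Teams external-access allowlist + AppLocker deny rule for Quick Assist.
# Assumptions: MicrosoftTeams module installed; AppLocker usable on the endpoint; the
# domain list passed in is a placeholder for your real partner domains.

function Set-TeamsExternalAccessAllowlist {
    param([Parameter(Mandatory)][string[]]$AllowedDomains)   # e.g. 'partner.example' (placeholder)
    Import-Module MicrosoftTeams -ErrorAction Stop
    Connect-MicrosoftTeams | Out-Null
    # Same switches as Teams Admin Center > Users > External access. Personal (consumer) Teams
    # accounts are the account type behind unsolicited helpdesk chats, so they are cut off entirely.
    $settings = @{
        AllowTeamsConsumer        = $false            # no chat with personal Teams accounts
        AllowTeamsConsumerInbound = $false            # and no unsolicited inbound from them
        AllowPublicUsers          = $false            # legacy Skype consumer accounts
        AllowFederatedUsers       = $true             # federation stays on ...
        AllowedDomainsAsAList     = $AllowedDomains   # ... but only to the named domains
    }
    Set-CsTenantFederationConfiguration @settings
    Get-CsTenantFederationConfiguration |
        Select-Object AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowFederatedUsers, AllowedDomains
}

function New-QuickAssistDenyPolicy {
    param([string]$Path = "$env:TEMP\deny-quickassist.xml")
    # SRP never evaluates packaged (MSIX/Appx) apps, which is what the Store build of Quick Assist
    # is, so this is an AppLocker "Packaged app" rule. A packaged-app collection in Enabled mode
    # blocks everything it does not allow, hence the allow-all rule beside the deny (deny wins).
    # The Windows 10 inbox quickassist.exe is a classic EXE: add a path deny for
    # %SYSTEM32%\quickassist.exe to your existing Exe collection instead of enabling Exe
    # enforcement from a containment script.
    $pub = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$(New-Guid)" Name="Deny Quick Assist" Description="Teams helpdesk-impersonation containment" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$pub" ProductName="MicrosoftCorporationII.QuickAssist" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$(New-Guid)" Name="Allow all other signed packaged apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    $xml | Set-Content -Path $Path -Encoding UTF8
    $Path
}

function Enable-QuickAssistDeny {
    $policy = New-QuickAssistDenyPolicy
    # -Merge keeps the AppLocker rules the host already has instead of replacing them.
    Set-AppLockerPolicy -XmlPolicy $policy -Merge
    # AppLocker only enforces while the Application Identity service runs; on recent builds the
    # service is protected, so sc.exe (not Set-Service) is needed to change its start type.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    gpupdate.exe /force | Out-Null
    # Verification: the installed package must evaluate to Denied before the ticket is closed.
    Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
        Get-AppLockerFileInformation |
        Test-AppLockerPolicy -XmlPolicy $policy -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage (tenant admin, then on a pilot endpoint):
#   Set-TeamsExternalAccessAllowlist -AllowedDomains 'partner.example'
#   Enable-QuickAssistDeny
```

Run the tenant function once and the endpoint function on a pilot host first; the Test-AppLockerPolicy output at the end is the evidence the validating analyst needs, and a PolicyDecision other than Denied means the package name or publisher string does not match what is installed.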
Preserve Evidence
Before restricting Teams external access, export the full Teams External Access configuration audit trail via Microsoft Purview Unified Audit Log (UAL) — search for operation 'TeamsSessionStarted' and 'MeetingDetail' filtered to ExternalParticipant fields. Capture the list of all active Quick Assist session handles from the Windows Event Log: Applications and Services Logs > Microsoft > Windows > RemoteAssistance-Gui > Operational, Event ID 101 (session initiated) and 102 (session accepted). Screenshot or export Teams Admin Center External Access configuration before any policy changes to document pre-incident state.
2
Step 2: Detection — Query Unified Audit Logs and Microsoft Teams audit logs for external-initiated chat sessions from non-corporate or consumer Microsoft accounts contacting internal users. Hunt for shells and installers (cmd.exe, powershell.exe, msiexec.exe) started on a host while a QuickAssist.exe process was alive on it. Commands typed by the remote helper run through the victim's own desktop session, so they appear as children of explorer.exe rather than of QuickAssist.exe; a strict parent-child rule misses them, and the Quick Assist process lifetime is the reliable pivot. Search EDR telemetry for rclone.exe execution with copy, sync or move arguments to cloud storage endpoints. Review Windows Event ID 4688 for wsmprovhost.exe (WinRM provider host) activity initiated from unexpected sources. Flag signed executables claiming Autodesk or Adobe identity installed outside standard software deployment paths. (Cite: NIST AU-2 — Event Logging; NIST AU-6 — Audit Record Review, Analysis, And Reporting; NIST AU-12 — Audit Record Generation; CIS 8.2 — Collect Audit Logs; D3-SFA — System File Analysis; D3-LAM — Local Account Monitoring)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Without EDR, deploy Sysmon with the SwiftOnSecurity config (github.com/SwiftOnSecurity/sysmon-config) and hunt using these queries: (1) Sysmon Event ID 1 (Process Create): find hosts with an Image ending in QuickAssist.exe, then every Event ID 1 for cmd.exe, powershell.exe or msiexec.exe on that host between the Quick Assist start and its Event ID 5 (Process Terminate), regardless of parent process; (2) Sysmon Event ID 3 (Network Connect): Image contains 'rclone.exe' AND DestinationPort in (443, 80) to non-corporate IPs; (3) Windows Security Event ID 4688 with CommandLine containing 'wsmprovhost' or 'winrm' (command-line auditing must be enabled for 4688 to carry the command line). For Teams UAL without a SIEM, from the ExchangeOnlineManagement module: Connect-ExchangeOnline; Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType MicrosoftTeams -Operations 'MessageCreatedHasLink','MessageSent' -ResultSize 5000 | Where-Object {$_.AuditData -like '*external*'} | Export-Csv teams_external_audit.csv (use -SessionCommand ReturnLargeSet to page past 5000 records). Use the SigmaHQ 'Rclone Execution' process-creation rule converted to PowerShell for Event Log querying.
Preserve Evidence
Capture before analysis: (1) Microsoft Purview UAL export for RecordType=MicrosoftTeams covering the suspected compromise window, filtering on external participants and sender domains ending in outlook.com, hotmail.com, live.com or gmail.com (consumer accounts used by the threat actor); (2) Sysmon or Security Event ID 4688 logs from all endpoints showing QuickAssist.exe execution and every process started during its lifetime; (3) Prefetch files (%SystemRoot%\Prefetch\RCLONE.EXE-*.pf and QUICKASSIST.EXE-*.pf) to establish first-execution timestamps; (4) the per-user Program Compatibility Assistant store, HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store (inside NTUSER.DAT, not HKLM), together with Amcache.hve and the SYSTEM hive's ShimCache, for evidence of rclone.exe execution even if event logs were cleared; (5) WinRM operational log at Applications and Services Logs > Microsoft > Windows > WinRM > Operational for remote session establishment events.
3
Step 3: Eradication — There is no patch; the attack abuses legitimate Microsoft functionality. Block rclone.exe by hash or filename via endpoint protection policy. Remove any unauthorized RMM tools, scheduled tasks, or registry run keys added outside approved deployment channels. Revoke Quick Assist sessions in progress and audit remote session logs. Re-image systems where unauthorized remote access is confirmed. Audit software inventory and remove any installer or binary not present in the authorized software inventory. (Cite: NIST AC-17 — Remote Access; CIS 2.1 — Establish and Maintain a Software Inventory; CIS 2.3 — Address Unauthorized Software; CIS 4.6 — Securely Manage Enterprise Assets and Software; D3-SFA — System File Analysis; D3-FMBV — File Magic Byte Verification)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication and Recovery
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-3 (Malicious Code Protection)
NIST CM-7 (Least Functionality)
CIS 2.3 (Address Unauthorized Software)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Without enterprise endpoint protection, use these manual eradication steps: (1) Block Rclone with an AppLocker or WDAC deny rule, not a Defender exclusion (Add-MpPreference -ExclusionPath exempts a path from scanning, the opposite of what you want). AppLocker: Get-AppLockerFileInformation -Path .\rclone.exe | New-AppLockerPolicy -RuleType Hash -User Everyone -Xml, change Action="Allow" to "Deny" in the output, then Set-AppLockerPolicy -XmlPolicy <file> -Merge. WDAC: New-CIPolicyRule -DriverFilePath .\rclone.exe -Level Hash -Deny, fold the rule into a policy with New-CIPolicy and deploy in audit mode first. Take the hash from the binary recovered from the IR image rather than from VirusTotal, and expect the attacker to swap builds: a hash rule catches the copy you found, not the next one, so pair it with a detection on rclone's version metadata and command-line shape. (2) Query all scheduled tasks across affected hosts: Get-ScheduledTask | Where-Object {$_.TaskPath -notlike '\Microsoft\*'} | Select TaskName,TaskPath,@{N='Action';E={$_.Actions.Execute}} | Export-Csv schtasks_audit.csv and review for entries pointing to temp directories, AppData, or ProgramData; (3) Query unauthorized registry run keys: Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run','HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and diff against your baseline; (4) Terminate active Quick Assist sessions: Get-Process -Name QuickAssist | Stop-Process -Force on affected endpoints, then isolate the host from the network, since the helper has already seen whatever the user was logged into.
Preserve Evidence
Before re-imaging, collect a full forensic triage package: (1) Memory image using WinPmem (free) to capture any in-memory backdoor artifacts from the Autodesk- or Adobe-disguised malware dropped via Quick Assist; (2) Full copy of %LocalAppData%\Temp, %ProgramData%, and any non-standard install directories where attackers dropped disguised installers; these will contain the malicious MSI or EXE files carrying Autodesk/Adobe signer identities; (3) Registry hive export (SYSTEM, SOFTWARE, NTUSER.DAT) from affected endpoints to preserve Run key persistence mechanisms; (4) All scheduled task XML definitions from C:\Windows\System32\Tasks\ before clearing; (5) Windows Event Logs (Security, System, Application, Sysmon) exported as .evtx files before the re-image destroys them.
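An autostart triage script for the eradication step above, added here as an example and not taken from the page's sources or from Microsoft. It assumes you run it elevated on the live host (or a mounted image with hives loaded), and the "user-writable path" regex and the Autodesk/Adobe signer check are heuristics drawn from this campaign's indicators, not a general-purpose allowlist.

```powershell
# Added example: enumerate run keys, non-Microsoft scheduled tasks and services, and flag
# entries whose binary lives in a user-writable path, is unsigned, or carries an
# Autodesk/Adobe signer name while sitting outside Program Files (the campaign's backdoor shape).
# Assumptions: elevated session; heuristics below are a starting point, not a spec.

$UserWritable   = '\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\'
$ClaimedVendors = 'Autodesk|Adobe'

function Get-ExecutableFromCommand {
    # Pulls the binary out of a command line such as  "C:\x\y.exe" /silent  or  C:\x\y.exe arg.
    # Unquoted paths containing spaces (C:\Program Files\...) are ambiguous by design on Windows;
    # such entries resolve to a missing binary and are flagged for manual review.
    param([string]$Command)
    if (-not $Command) { return $null }
    $m = [regex]::Match($Command, '^\s*(?:"([^"]+)"|(\S+))')
    $path = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    [Environment]::ExpandEnvironmentVariables($path)
}

function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$Command)
    $exe = Get-ExecutableFromCommand $Command
    $reasons = @(); $signer = $null; $status = 'n/a'
    if ($exe -and $exe -match $UserWritable) { $reasons += 'user-writable path' }
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $status = [string]$sig.Status
        $signer = $sig.SignerCertificate.Subject
        if ($status -ne 'Valid') { $reasons += "signature $status" }
        # Vendor name in the signer plus a non-standard install path is the campaign's tell.
        if ($signer -match $ClaimedVendors -and $exe -notmatch '^[A-Za-z]:\\Program Files') {
            $reasons += 'vendor-signed outside Program Files'
        }
    } elseif ($exe) { $reasons += 'binary missing (deleted, or unquoted path with spaces)' }
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Path = $exe
                       Signer = $signer; Status = $status; Reasons = ($reasons -join '; ') }
}

function Get-SuspiciousAutostart {
    param([switch]$All)   # return every entry, not only flagged ones
    $out = @()
    # Run/RunOnce in HKLM, the 32-bit view, and every loaded user hive (HKU, not just HKCU).
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
    if (-not (Test-Path HKU:)) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
    foreach ($hive in (Get-ChildItem HKU: -ErrorAction SilentlyContinue)) {
        if ($hive.PSChildName -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
        $runKeys += "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $runKeys += "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath/PSParentPath/... provider noise
            $out += Test-AutostartEntry -Source $k -Name $p.Name -Command ([string]$p.Value)
        }
    }
    # Scheduled tasks outside the Microsoft tree, resolved to the action they execute.
    foreach ($t in (Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' })) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions have no Execute
            $out += Test-AutostartEntry -Source "Task $($t.TaskPath)" -Name $t.TaskName -Command "$($a.Execute) $($a.Arguments)"
        }
    }
    # Services: PathName is the service binary, optionally with arguments.
    foreach ($s in (Get-CimInstance -ClassName Win32_Service)) {
        $out += Test-AutostartEntry -Source 'Service' -Name $s.Name -Command $s.PathName
    }
    if ($All) { $out } else { $out | Where-Object { $_.Reasons } }
}

# Usage:  Get-SuspiciousAutostart | Format-Table Source, Name, Path, Signer, Reasons -Wrap
```

Export the full listing with -All on a known-good image once and diff against it later; on a compromised host, every row with a Reasons value is a candidate for the eradication list, and the Signer column is what separates a genuine Autodesk or Adobe install under Program Files from the campaign's disguised backdoor under AppData.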
4
Step 4: Recovery — Validate registry run key baselines (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and equivalent user-level keys) against known-good snapshots. Confirm no unauthorized accounts were created (Event ID 4720) or elevated (Event ID 4672, 4728) using account inventory records. Monitor cloud storage audit logs for continued rclone-originated uploads. Restore affected endpoints from clean images where forensic integrity is uncertain. Retain all audit records collected during the incident to support after-action review. (Cite: NIST AC-2 — Account Management; NIST AU-9 — Protection Of Audit Information; NIST AU-11 — Audit Record Retention; CIS 5.1 — Establish and Maintain an Inventory of Accounts; D3-LAM — Local Account Monitoring; D3-SICA — System Init Config Analysis)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST CP-10 (System Recovery and Reconstitution)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST AU-11 (Audit Record Retention)
CIS 5.1 (Establish and Maintain an Inventory of Accounts)
CIS 5.3 (Disable Dormant Accounts)
Compensating Control
Without a SIEM for continuous monitoring, implement these manual recovery validation steps: (1) Account audit: Get-WinEvent -FilterHashtable @{LogName='Security';Id=4720,4672,4728,4732,4756;StartTime=$compromiseStart} | Select TimeCreated,Id,Message | Export-Csv account_changes.csv and review for any accounts created or elevated during the compromise window (4732 covers local groups such as Administrators, which is what a single-workstation compromise usually produces); (2) Registry baseline diff: if no prior snapshot exists, compare against the CIS Benchmarks baseline for Windows run keys and remove any entries pointing to non-standard paths (AppData, Temp, ProgramData); (3) For cloud exfiltration monitoring without a CASB, enable the Microsoft Defender for Cloud Apps 30-day trial or query Entra ID (Azure AD) sign-in logs for OAuth app authorizations granted to Rclone or unknown cloud storage apps: Get-MgAuditLogSignIn -Filter "appDisplayName eq 'rclone'"; (4) Re-image validation: after restore, run sfc /scannow and compare the installed software inventory against the pre-incident baseline by reading the Uninstall registry keys, Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*','HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select DisplayName,DisplayVersion,Publisher | Sort DisplayName, rather than Win32_Product, which triggers a consistency check and repair of every MSI package each time it is queried.
Preserve Evidence
Before declaring recovery complete, verify: (1) Windows Security Event ID 4720 (account created), 4722 (account enabled), 4728/4732/4756 (member added to a global, local or universal security group), and 4672 (special privileges assigned) for the entire compromise window; attackers in this campaign have created backdoor local accounts for persistence; (2) Cloud storage provider audit logs (OneDrive, SharePoint, or any CASB-monitored SaaS) for Rclone user-agent strings or OAuth tokens issued to unknown applications; (3) WinRM audit logs (Applications and Services Logs > Microsoft > Windows > WinRM > Operational) confirming no active remote sessions persist post-eradication; (4) Autoruns output (Sysinternals Autoruns run as SYSTEM, exported to CSV) from recovered endpoints to confirm no persistence mechanisms survive the cleanup.
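A recovery-validation script for the account audit and inventory comparison above, added as an example that is not part of the page's sources. It assumes the Security log still covers the compromise window and that a baseline inventory was exported from a known-good image with the same function; the event field names come from the standard Security event XML.

```powershell
# Added example: account changes bounded to the compromise window, and a software inventory
# from the Uninstall registry keys (Win32_Product is avoided: querying it reconfigures every
# MSI package). Assumptions: Security log retained for the window; times are local time.

function Get-AccountChangeEvents {
    param([Parameter(Mandatory)][datetime]$Start, [datetime]$End = (Get-Date))
    # 4720 created, 4722 enabled, 4724 password reset by another principal,
    # 4728/4732/4756 member added to a global/local/universal security group.
    $ids = 4720, 4722, 4724, 4728, 4732, 4756
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Actor  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                # Group events carry the member in MemberName; account events in TargetUserName.
                Target = $(if ($d.MemberName) { $d.MemberName } else { "$($d.TargetDomainName)\$($d.TargetUserName)" })
                Group  = $(if ($_.Id -in 4728, 4732, 4756) { $d.TargetUserName } else { $null })
            }
        }
}

function Get-InstalledSoftwareInventory {
    # What Programs and Features shows: per-machine (64- and 32-bit views) and per-user.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = [string]$_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate      # yyyyMMdd when the installer recorded it
                Location    = $_.InstallLocation
                Scope       = $(if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'user' } else { 'machine' })
            }
        } | Sort-Object Name -Unique
}

function Compare-SoftwareInventory {
    # Entries present now but absent from a pre-incident export of Get-InstalledSoftwareInventory.
    param([Parameter(Mandatory)][string]$BaselineCsv)
    $baseline = Import-Csv -Path $BaselineCsv
    Compare-Object -ReferenceObject $baseline -DifferenceObject (Get-InstalledSoftwareInventory) -Property Name, Version |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Name, Version
}

# Usage:
#   Get-AccountChangeEvents -Start '2026-03-03' | Format-Table -AutoSize
#   Get-InstalledSoftwareInventory | Export-Csv baseline.csv -NoTypeInformation   # on a known-good image
#   Compare-SoftwareInventory -BaselineCsv baseline.csv                            # on the recovered host
```

Anything Compare-SoftwareInventory returns on a freshly restored host is either an approved post-restore install or a sign the image was not clean; anything Get-AccountChangeEvents returns whose Actor is the compromised user (or a local account you do not recognise) goes straight into the eradication list.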
5
Step 5: Post-Incident — Conduct user awareness training specific to Teams-based helpdesk impersonation: legitimate internal IT teams do not initiate contact via Teams external chat. Implement a verified IT support contact process using a known internal Teams channel or ticketing system. Enforce application allowlisting to prevent unauthorized installer execution, ensuring only authorized software is designated in the software inventory. Require MFA for all administrative access and for remote network access to reduce risk if credentials are exposed in future campaigns. Review and tighten Teams external access policies as a standing control documented in policy, not a one-time response. (Cite: NIST AC-1 — Policy And Procedures; NIST AC-6 — Least Privilege; NIST AU-2 — Event Logging; CIS 2.1 — Establish and Maintain a Software Inventory; CIS 6.4 — Require MFA for Remote Network Access; CIS 6.5 — Require MFA for Administrative Access; D3-MFA — Multi-factor Authentication; D3-CH — Credential Hardening)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-2 (Incident Response Training)
NIST IR-8 (Incident Response Plan)
NIST AT-2 (Literacy Training and Awareness)
NIST CM-7 (Least Functionality)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
CIS 4.6 (Securely Manage Enterprise Assets and Software)
Compensating Control
Without a dedicated security awareness platform, create a one-page Teams-specific phishing recognition guide covering: (1) how to identify external-badge indicators on Teams messages (the 'External' tag displayed on contacts outside your tenant); (2) a simulated helpdesk impersonation tabletop exercise using a free consumer Microsoft account to demonstrate how convincingly attackers can spoof IT staff display names; (3) a pinned message in all-staff Teams channels with a screenshot showing what a legitimate internal IT contact looks like versus an external impersonator; (4) for application allowlisting without a commercial tool, deploy Windows Defender Application Control (WDAC) using the Microsoft-recommended block rules policy (available on all supported editions of Windows 10 and 11, not only Enterprise): start in audit mode, review Event ID 3076 (audit) and 3077 (blocked) in Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational, then enforce after a two-week baseline.
Preserve Evidence
For the post-incident lessons learned report (NIST 800-61r3 §4.1), preserve: (1) Complete Teams external chat history for all identified victim users, exported via Microsoft Purview Content Search filtered to the compromise timeframe, as the primary evidence of social engineering script and impersonation TTPs; (2) The full timeline of Quick Assist session IDs from RemoteAssistance-Gui Operational logs mapped to Active Directory user accounts to document which employees were targeted vs. compromised; (3) Rclone command-line arguments captured from process creation logs (Sysmon Event ID 1 or Security Event ID 4688) documenting destination cloud storage endpoints — this identifies what data was exfiltrated and to which attacker-controlled storage; (4) Any dropped installer files with spoofed Autodesk or Adobe signatures recovered from %AppData% or %Temp% for malware analysis and hash-based IOC development.
Recovery Guidance
After re-imaging confirmed compromised endpoints, maintain elevated monitoring of Teams external communication logs and WinRM activity for a minimum of 30 days, as this campaign's use of legitimate Microsoft tooling (Quick Assist, WinRM) means re-compromise attempts may not trigger standard malware alerts. Validate that all Rclone-associated OAuth tokens or cloud storage authorizations have been revoked in your identity provider, and cross-reference Azure AD audit logs for any persistent app permissions granted during the compromise window. Treat any endpoint where Quick Assist was actively used by an external party as fully compromised and re-image rather than attempting remediation in place, given the attacker had interactive desktop control and the ability to stage additional persistence mechanisms beyond what forensics may recover.
Key Forensic Artifacts
Microsoft Purview Unified Audit Log (UAL) — RecordType=MicrosoftTeams operations filtered for external sender domains (outlook.com, hotmail.com, live.com) contacting internal users: this is the primary artifact establishing the social engineering entry vector and attacker-controlled Microsoft account identifiers
Windows Event Log: Applications and Services Logs > Microsoft > Windows > RemoteAssistance-Gui > Operational — Event IDs 101/102 recording Quick Assist session initiation and acceptance, including timestamps and session handles that correlate to the attacker's interactive access window
Prefetch files at %SystemRoot%\Prefetch\RCLONE.EXE-*.pf and QUICKASSIST.EXE-*.pf establish execution timestamps for both tools independently of potentially tampered Event Logs (each file records up to eight run times on Windows 8 and later, plus a run count), and the RCLONE.EXE prefetch lists the files and directories the process touched during its first seconds of execution, which can reveal staged exfiltration source folders
File system artifacts in %LocalAppData%\Temp, %ProgramData%, and non-standard install paths for MSI or EXE files carrying Autodesk or Adobe Acrobat signer identities; these dropped backdoors are the persistent access mechanism and will have creation timestamps aligning to the Quick Assist session window
Windows Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the per-user HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (inside NTUSER.DAT), which hold persistence keys written by the backdoor installers during the Quick Assist session; also check HKLM\SYSTEM\CurrentControlSet\Services for any new services registered by attacker-deployed tooling disguised as Autodesk or Adobe components
Detection Guidance
Primary detection surfaces are endpoint process telemetry, Windows event logs, and Microsoft Teams Unified Audit Logs.
All log sources must be enabled and collected per NIST AU-2 (Event Logging) and CIS 8.2 (Collect Audit Logs).
Audit records must capture actor, event type, timestamp, and outcome per NIST AU-3 (Content Of Audit Records).
Allocate sufficient storage to retain these logs for post-incident review per NIST AU-4 (Audit Storage Capacity) and NIST AU-11 (Audit Record Retention). Conduct regular review and analysis of collected records per NIST AU-6 (Audit Record Review, Analysis, And Reporting).
Key behavioral indicators to alert on:
1. cmd.exe, powershell.exe, or msiexec.exe starting on a host while a QuickAssist.exe process is alive on it — flag immediately. Do not key the rule on QuickAssist.exe being the parent: the remote helper's keystrokes go through the victim's desktop session, so the shells spawn from explorer.exe (or from whatever the helper clicked), and parent-child lineage will look benign. Correlate on host and time window instead. Maps to T1219 and T1059.003. Apply D3-SFA (System File Analysis) to monitor for this execution pattern.
2. wsmprovhost.exe (WinRM provider host) executing without a known, approved administrative workflow — alert on any instance not correlated with a change ticket or authorized session. Maps to T1021.006 . Monitor under NIST AU-2 event logging scope.
3. rclone.exe present on any endpoint outside the authorized software inventory. Any execution of rclone.exe, especially with copy or sync arguments pointing to cloud storage endpoints, must trigger an alert. Apply CIS 2.3 (Address Unauthorized Software) controls to block or alert on unauthorized binaries. Maps to T1567 and T1567.002 .
4. Signed executables with Autodesk or Adobe metadata installed to user-writable directories (AppData, Temp) rather than Program Files. Apply D3-FMBV (File Magic Byte Verification) to validate file type integrity and D3-SFA to monitor for unauthorized executable placement. Maps to T1036 and T1036.005 .
5. wermgr.exe or werfault.exe (Windows Error Reporting) spawning unexpected child processes. This indicates abuse of WER for execution or defense evasion. Monitor under NIST AU-12 (Audit Record Generation) process creation logging scope.
6. In Microsoft Teams Unified Audit Logs, filter for external chat messages directed at internal users from non-corporate domains, particularly consumer Microsoft accounts. Maps to T1566.003 (Spearphishing via Service) and T1598. This log source must be enabled and reviewed per NIST AU-6.
SIEM query pattern (generic, adapt to your platform): alert on (host has a running quickassist.exe AND new_process IN [cmd.exe, powershell.exe, msiexec.exe] during that process's lifetime, regardless of parent) OR (process_name=rclone.exe) OR (process_name IN [wermgr.exe, werfault.exe] AND child_process NOT IN approved baseline).
Apply D3-LAM (Local Account Monitoring) to detect unauthorized account creation (Event ID 4720) or privilege escalation (Event IDs 4672, 4728) following remote session establishment. Apply D3-SICA (System Init Config Analysis) to detect persistence mechanisms added to registry run keys or startup locations (T1547.001 ). Protect audit log integrity against attacker-driven log clearing (T1562 , T1562.001 ) per NIST AU-9 (Protection Of Audit Information), which requires alerting on unauthorized access, modification, or deletion of audit records.
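The session-window correlation that Step 2 of the checklist and indicator 1 above both describe, as an added example that is not part of the original page or Microsoft's posts. It reads Sysmon process create and terminate events (IDs 1 and 5) from a live log or an exported .evtx, and the watch list of binaries is an assumption drawn from this campaign's TTPs; extend it for your environment.

```powershell
# Added example: correlate Sysmon process activity with the lifetime of a Quick Assist process.
# Commands an attacker types through Quick Assist run under the victim's shell (explorer.exe),
# not as children of QuickAssist.exe, so the session window, not parent lineage, is the pivot.
# Assumptions: Sysmon logs Event ID 1 (create) and 5 (terminate); log read live or from .evtx.

function Get-SysmonProcessEvent {
    param([string]$EvtxPath)
    $filter = @{ Id = 1, 5 }
    if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Microsoft-Windows-Sysmon/Operational' }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id          = $_.Id
            Host        = $_.MachineName
            # Sysmon writes UtcTime as "yyyy-MM-dd HH:mm:ss.fff"; parse it culture-independently.
            Time        = [datetime]::SpecifyKind([datetime]::ParseExact($data.UtcTime, 'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture), 'Utc')
            ProcessGuid = $data.ProcessGuid
            Image       = $data.Image
            ParentImage = $data.ParentImage
            CommandLine = $data.CommandLine
            User        = $data.User
        }
    }
}

function Find-QuickAssistSessionActivity {
    param(
        [string]$EvtxPath,
        # Binaries worth a look while a helper has the desktop: shells, installers, the WinRM
        # host, persistence utilities and the exfiltration tool named in the campaign.
        [string[]]$Watch = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'msiexec.exe', 'wsmprovhost.exe',
                             'reg.exe', 'schtasks.exe', 'sc.exe', 'rclone.exe')
    )
    $events  = @(Get-SysmonProcessEvent -EvtxPath $EvtxPath)
    $endedAt = @{}
    foreach ($e in $events) { if ($e.Id -eq 5) { $endedAt[$e.ProcessGuid] = $e.Time } }
    # Matches the Windows 10 inbox quickassist.exe and the Store build QuickAssist.exe (-match is case-insensitive).
    $sessions = $events | Where-Object { $_.Id -eq 1 -and $_.Image -match '\\quickassist\.exe$' }
    foreach ($qa in $sessions) {
        # No matching Event ID 5 means the session was still open when the log was collected.
        $end = if ($endedAt.ContainsKey($qa.ProcessGuid)) { $endedAt[$qa.ProcessGuid] } else { [datetime]::MaxValue }
        foreach ($p in $events) {
            if ($p.Id -ne 1 -or $p.Time -lt $qa.Time -or $p.Time -gt $end) { continue }
            $name = [IO.Path]::GetFileName($p.Image).ToLowerInvariant()
            if ($Watch -notcontains $name) { continue }
            $tag = if ($name -eq 'rclone.exe') { 'EXFIL-TOOL' }
                   elseif ($name -eq 'wsmprovhost.exe') { 'WINRM' }
                   elseif ($name -in 'reg.exe', 'schtasks.exe', 'sc.exe') { 'PERSISTENCE?' }
                   else { 'SHELL/INSTALLER' }
            [pscustomobject]@{
                Host         = $p.Host
                SessionStart = $qa.Time
                SessionUser  = $qa.User
                Time         = $p.Time
                Image        = $name
                Parent       = [IO.Path]::GetFileName($p.ParentImage)   # typically explorer.exe, not QuickAssist.exe
                CommandLine  = $p.CommandLine
                Tag          = $tag
            }
        }
    }
}

# Usage against an exported log:
#   Find-QuickAssistSessionActivity -EvtxPath C:\IR\host01-sysmon.evtx | Format-Table -AutoSize
```

Without Sysmon the same logic runs over Security Event ID 4688/4689 (process creation and exit) provided command-line auditing is enabled, but the Sysmon ProcessGuid makes the start/stop pairing unambiguous where 4688's reused PIDs do not. Every row tagged EXFIL-TOOL or WINRM during a session window is an incident, not a hunt lead.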
Indicators of Compromise (2)
URL (confidence LOW): rclone cloud storage sync endpoints (generic; specific destination URLs not disclosed in source material). Context: Rclone used for final-stage data exfiltration; specific cloud provider endpoints not confirmed in available sources.
Hash (confidence LOW): not available; specific file hashes for the masquerading installers were not disclosed in publicly available source material. Context: signed malware impersonating Autodesk and Adobe Acrobat/Reader installers; hashes not released in the March 2026 Microsoft blog posts.
IOC Detection Queries (1)
// Threat: Microsoft Teams Helpdesk Impersonation: Nine-Stage Social Engineering Chain Abus
// No destination URLs were disclosed, so pivot on the tool instead of the endpoint: any
// network connection initiated by rclone.exe, or by a renamed copy whose version resource
// (if the build carries one) still says rclone, on a host where Rclone is not inventoried.
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "rclone.exe"
    or InitiatingProcessVersionInfoOriginalFileName =~ "rclone.exe"
    or InitiatingProcessVersionInfoProductName has "rclone"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (9)
Sentinel rule: Persistence via registry / startup
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Winlogon\\", "\\Services\\")
| where RegistryValueData has_any (".exe", ".dll", ".bat", ".ps1", ".vbs", "cmd", "powershell", "http")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Lateral movement via RDP / SMB / WinRM
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (3389, 5985, 5986, 445, 135)
| where LocalIP != RemoteIP
| summarize ConnectionCount = count(), TargetDevices = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName
| where ConnectionCount > 10 or TargetDevices > 3
| sort by TargetDevices desc
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
        and not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS"))
    // campaign-specific (T1036.005): Autodesk/Adobe-branded binaries running from user-writable locations
    or (ProcessVersionInfoCompanyName has_any ("Autodesk", "Adobe")
        and FolderPath has_any ("\\AppData\\", "\\Temp\\", "\\ProgramData\\", "\\Users\\Public\\", "\\Downloads\\"))
| project Timestamp, DeviceName, FileName, FolderPath, ProcessVersionInfoCompanyName, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Suspicious file download
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileOriginUrl != ""
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe")
| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Sentinel rule: Security tool tampering
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
"Set-MpPreference", "DisableRealtimeMonitoring",
"net stop", "sc stop", "sc delete", "taskkill /f",
"Add-MpPreference -ExclusionPath"
)
| where ProcessCommandLine has_any ("defender", "sense", "security", "antivirus", "firewall", "crowdstrike", "sentinel")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious file execution from downloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
| where FileName matches regex @"(?i)\.(exe|scr|bat|ps1|vbs|js|hta|msi)$"   // KQL has no endswith_any
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
MITRE ATT&CK Mapping
T1219 Remote Access Tools (command-and-control)
T1547.001 Registry Run Keys / Startup Folder (persistence)
T1021.006 Windows Remote Management (lateral-movement)
T1567 Exfiltration Over Web Service (exfiltration)
T1566 Phishing (initial-access)
T1036 Masquerading (defense-evasion)
T1083 File and Directory Discovery (discovery)
T1598 Phishing for Information (reconnaissance)
T1078 Valid Accounts (defense-evasion)
T1105 Ingress Tool Transfer (command-and-control)
T1562 Impair Defenses (defense-evasion)
T1018 Remote System Discovery (discovery)
T1562.001 Disable or Modify Tools (defense-evasion)
T1036.005 Match Legitimate Resource Name or Location (defense-evasion)
T1204 User Execution (execution)
T1534 Internal Spearphishing (lateral-movement)
T1567.002 Exfiltration to Cloud Storage (exfiltration)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.