Updated command and control rules

Author: aring87

detections/sentinel/browser/browser-extension-install-from-temp-or-user-profile.yml

@@ -1,47 +1,46 @@
-title: Browser Extension Install from Temp or User Profile
+title: Browser Extension Files Created by Non-Browser Process
 id: SENT-BROW-0001
 status: experimental
-description: Detects possible browser extension installation or staging from temporary or user-writable locations, aligned to Red Canary reporting on browser-extension threats and browser-centric compromise.
+description: Detects suspicious creation of browser extension files or folders in browser profile extension directories by non-browser processes, which may indicate unauthorized extension staging or installation.
 author: Adam Ring
 date: 2026-03-20
 modified: 2026-03-20
 logsource:
   product: windows
-  service: file_creation
+  category: file_event
 platform: microsoft_sentinel
 query_language: kql
 query: |
   DeviceFileEvents
-  | where FolderPath has "\\User Data\\Default\\Extensions\\"
-     or FolderPath has "\\User Data\\Profile "
-  | where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","brave.exe","firefox.exe","explorer.exe","msiexec.exe")
-  | where FolderPath has_any ("\\Downloads\\","\\Temp\\","\\AppData\\Local\\","\\AppData\\Roaming\\")
-  | project Timestamp,DeviceName,InitiatingProcessAccountName,InitiatingProcessFileName,FileName,FolderPath
+  | where FolderPath has_any ("\\Chrome\\User Data\\Default\\Extensions\\","\\Chrome\\User Data\\Profile ","\\Edge\\User Data\\Default\\Extensions\\","\\Edge\\User Data\\Profile ","\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Extensions\\")
+  | where FileName in~ ("manifest.json") or FolderPath matches regex @"\\Extensions\\[a-z]{32}\\"
+  | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","brave.exe","firefox.exe")
+  | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, SHA1, ReportId
 severity: medium
 risk_score: 60
 tactics:
   - Persistence
-  - Credential Access
 techniques:
   - T1176
 kill_chain_phases:
   - Persistence
 data_sources:
   - DeviceFileEvents
 falsepositives:
-  - Legitimate browser extension installs by users
-  - Managed extension deployment
+  - Legitimate enterprise software deploying approved extensions
+  - Browser migration or profile restore activity
+  - Developer testing of unpacked extensions
 triage:
-  - Review the extension path, extension ID, and whether the browser is enterprise-managed
-  - Validate whether the extension is on the approved list
-  - Check for recent browser updates, compromised extension reports, or suspicious outbound requests
+  - Review the extension path, manifest, and extension ID
+  - Determine whether the extension is approved or enterprise-managed
+  - Review the initiating process and command line for archive extraction, scripting, or installer behavior
+  - Check for related browser credential theft, suspicious outbound traffic, or new persistence nearby
 validation:
-  - Install a benign test extension in a lab and compare path patterns
+  - Install a benign test extension and compare normal browser-created file patterns versus non-browser initiated writes
 lifecycle: experimental
 owner: Detection Engineering
 tags:
   - attack.persistence
-  - attack.credential-access
   - attack.t1176
   - browser-extension
   - chrome

detections/sentinel/collection/Clipboard-Data-Collection.yml

@@ -1,22 +1,24 @@
-title: Clipboard Data Collection
+title: Suspicious Clipboard Read or Clipboard Utility Execution
 id: SENT-COLL-0001
 status: experimental
-description: Detects PowerShell or command-line usage that reads or manipulates clipboard contents, which may indicate collection of copied data or credentials.
+description: Detects suspicious clipboard read activity or clipboard utility execution that may indicate collection of copied data, secrets, or credentials.
 author: Adam Ring
 date: 2026-03-06
-modified: 2026-03-06
+modified: 2026-03-26
 platform: microsoft_sentinel
 query_language: kql
 logsource:
   product: windows
   category: process_creation
 query: |
   DeviceProcessEvents
-  | where FileName in~ ("powershell.exe","pwsh.exe","cmd.exe")
-  | where ProcessCommandLine has_any ("Get-Clipboard","Set-Clipboard","clip.exe")
-  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
+  | where FileName in~ ("powershell.exe","pwsh.exe","cmd.exe","clip.exe")
+  | where ProcessCommandLine has_any ("Get-Clipboard","[Windows.Forms.Clipboard]::GetText","GetText()","clip.exe")
+  | where ProcessCommandLine !has "Set-Clipboard"
+  | where InitiatingProcessFileName !in~ ("Code.exe","devenv.exe","powershell_ise.exe")
+  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA1, ReportId
 severity: medium
-risk_score: 60
+risk_score: 55
 tactics:
   - Collection
 techniques:
@@ -26,18 +28,19 @@ kill_chain_phases:
 data_sources:
   - DeviceProcessEvents
 falsepositives:
-  - Benign clipboard scripting or user automation
-  - Support workflows that sanitize clipboard content
+  - Legitimate administrator or developer clipboard scripting
+  - Automation workflows that intentionally read clipboard contents
+  - User troubleshooting or local productivity scripts
 triage:
-  - Review why clipboard access was needed on the host
-  - Determine whether the user was performing routine admin work
-  - Check for concurrent archiving or exfiltration activity
+  - Review whether the account normally uses PowerShell or command-line clipboard access
+  - Check whether clipboard reads occurred near archive creation, browser credential access, or outbound transfers
+  - Review the initiating process and surrounding process tree for scripting, LOLBins, or user-writable execution paths
 validation:
-  - Run Get-Clipboard in a lab PowerShell session
+  - Run Get-Clipboard in a lab PowerShell session and compare with normal admin activity
 lifecycle: experimental
 owner: Detection Engineering
 tags:
   - attack.collection
   - attack.t1115
   - sentinel
-  - collection
+  - collection

detections/sentinel/collection/data-from-local-system.yml

@@ -1,31 +1,53 @@
-title: Data Collection from Local System
-id: dodea-sig-018-data-collection-from-local-system
+title: Suspicious Access to Sensitive Local User Documents
+id: SENT-COLL-0005
 status: experimental
-description: Detects enumeration or access to sensitive files on the local system
+description: Detects processes accessing potentially sensitive document types in common user data paths, which may indicate collection or staging from the local system.
 author: Adam Ring
-date: 2025-07-31 00:00:00+00:00
-tags:
-  - attack.collection
-  - attack.t1005
-  - ckc.actions-on-objectives
+date: 2026-03-26
+modified: 2026-03-26
+platform: microsoft_sentinel
+query_language: kql
 logsource:
   product: windows
-  category: process_creation
-detection:
-  selection:
-    query: >-
-      DeviceFileEvents | where FolderPath has_any ("C:\Users\", "Desktop",
-      "Documents")
-
-      | where FileName endswith ".docx" or FileName endswith ".pdf" or FileName endswith ".xls" or FileName endswith ".csv"
-
-      | project TimeGenerated, DeviceName, FileName, FolderPath, ActionType
-  condition: selection
-falsepositives:
-  - None known
-level: medium
+  category: file_event
+query: |
+  DeviceFileEvents
+  | where ActionType in~ ("FileCreated","FileModified","FileRead","FileAccessed")
+  | where FolderPath has_any ("\\Users\\","\\Desktop\\","\\Documents\\","\\Downloads\\")
+  | where FileName endswith ".docx"
+      or FileName endswith ".pdf"
+      or FileName endswith ".xls"
+      or FileName endswith ".xlsx"
+      or FileName endswith ".csv"
+      or FileName endswith ".pptx"
+      or FileName endswith ".txt"
+  | where InitiatingProcessFileName !in~ ("explorer.exe","SearchIndexer.exe","OneDrive.exe","MsMpEng.exe")
+  | summarize FileCount=count(), DistinctPaths=dcount(FolderPath), Files=make_set(FileName,20) by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, bin(Timestamp, 15m)
+  | where FileCount >= 25 and DistinctPaths >= 3
+severity: medium
+risk_score: 57
 tactics:
-  - collection
+  - Collection
 techniques:
-  - t1005
+  - T1005
+kill_chain_phases:
+  - Collection
+data_sources:
+  - DeviceFileEvents
+falsepositives:
+  - Backup, indexing, sync, or anti-malware activity
+  - Bulk document processing by IT or approved business tooling
+  - User-driven search, migration, or archival workflows
+triage:
+  - Identify the process and account accessing the files
+  - Determine whether the host or user normally performs bulk document access
+  - Review for nearby archive creation, cloud upload, email exfiltration, or removable media usage
+validation:
+  - Use a benign script in a lab to access many files across user folders and tune thresholds against normal activity
 lifecycle: experimental
+owner: Detection Engineering
+tags:
+  - attack.collection
+  - attack.t1005
+  - sentinel
+  - collection

detections/sentinel/collection/graph-mail-access-burst.yml

@@ -0,0 +1,48 @@
+title: Microsoft Graph Mail Access Burst
+id: SENT-COLL-0004
+status: experimental
+description: Detects bursts of Microsoft Graph mail search or mail access activity that may indicate post-compromise mailbox collection or reconnaissance.
+author: Adam Ring
+date: 2026-03-20
+modified: 2026-03-26
+logsource:
+  product: m365
+  service: cloud_app
+platform: microsoft_sentinel
+query_language: kql
+query: |
+  CloudAppEvents
+  | where Application == "Microsoft Graph"
+  | where ActionType has_any ("SearchQueryPerformed","MailItemsAccessed","MessageBind")
+  | extend User = tostring(coalesce(AccountUpn, AccountDisplayName, AccountObjectId))
+  | extend ClientIP = tostring(IPAddress)
+  | summarize ActionCount=count(), Actions=make_set(ActionType,10), IPs=make_set(ClientIP,10) by bin(TimeGenerated, 30m), User, Application
+  | where ActionCount >= 20
+severity: medium
+risk_score: 70
+tactics:
+  - Collection
+techniques:
+  - T1114
+kill_chain_phases:
+  - Collection
+data_sources:
+  - CloudAppEvents
+falsepositives:
+  - Migration tools
+  - eDiscovery, journaling, or approved admin search workflows
+  - Application integrations that legitimately access mail at scale
+triage:
+  - Validate whether the user or application normally performs high-volume Graph mail access
+  - Check for nearby device code sign-ins, consent grants, OAuth abuse, or risky sign-in activity
+  - Determine whether the activity targeted high-value mailboxes or was followed by mail export, forwarding, or download behavior
+validation:
+  - Tune thresholds against known mail clients, admin workflows, and approved tenant applications
+lifecycle: experimental
+owner: Detection Engineering
+tags:
+  - attack.collection
+  - attack.t1114
+  - graph
+  - mailbox
+  - sentinel

detections/sentinel/collection/graph-mail-search-keyword-burst.yml

@@ -1,19 +1,20 @@
-title: Mass File Enumeration in User Data Paths
+title: Mass File Access in User Data Paths by Uncommon Process
 id: SENT-COLL-0002
 status: experimental
-description: Detects processes enumerating many files in user data paths, which can indicate staging for collection.
+description: Detects high-volume access to files in user data paths by uncommon processes, which can indicate collection or staging activity.
 author: Adam Ring
 date: 2026-03-06
-modified: 2026-03-06
+modified: 2026-03-26
 platform: microsoft_sentinel
 query_language: kql
 logsource:
   product: windows
   category: file_event
 query: |
   DeviceFileEvents
-  | where FolderPath has_any ("\Users\","\Desktop\","\Documents\","\Downloads\")
-  | summarize FileTouches=count(), Paths=dcount(FolderPath) by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, bin(Timestamp, 15m)
+  | where FolderPath has_any ("\\Users\\","\\Desktop\\","\\Documents\\","\\Downloads\\")
+  | where InitiatingProcessFileName !in~ ("explorer.exe","SearchIndexer.exe","OneDrive.exe","MsMpEng.exe","svchost.exe")
+  | summarize FileTouches=count(), Paths=dcount(FolderPath), SamplePaths=make_set(FolderPath,20) by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, bin(Timestamp, 15m)
   | where FileTouches >= 200 and Paths >= 3
 severity: medium
 risk_score: 58
@@ -27,17 +28,20 @@ kill_chain_phases:
 data_sources:
   - DeviceFileEvents
 falsepositives:
-  - Backup, indexing, or anti-malware scanning
-  - Bulk file management by IT administrators
+  - Backup, indexing, sync, or anti-malware scanning
+  - Bulk file handling by administrators or approved enterprise tooling
+  - Software inventory or migration utilities
 triage:
-  - Identify the process touching large numbers of files
-  - Determine whether normal tooling explains the volume
-  - Review for compression or outbound transfer soon after
+  - Identify the process touching large numbers of files and whether it is normal for the host
+  - Review the command line, signer, path, and parent process for suspicious execution context
+  - Check whether archive creation, cloud upload, email transfer, or removable media usage followed soon after
 validation:
-  - Use a benign script to recurse through user folders in a lab
+  - Use a benign script to recurse through user folders in a lab and tune thresholds against normal platform noise
 lifecycle: experimental
 owner: Detection Engineering
 tags:
   - attack.collection
+  - attack.t1005
+  - attack.t1039
   - sentinel
-  - collection
+  - collection