Steven Lim (@0x534c)'s Twitter Profile
Steven Lim

@0x534c

#Cybersecurity #Sentinel #DefenderXDR #KQL #KQLWizard

ID: 42794499

https://github.com/SlimKQL/Hunting-Queries-Detection-Rules

Joined: 27-05-2009 02:33:40

133 Tweets

1.1K Followers

865 Following

🪱Lateral Movement Analysis KQL

Automatic Attack Disruption: A KQL query designed to provide statistics on the number of hosts and ports that the rogue quarantine device has connected to, supporting lateral movement investigation.

detections.ai/rules/162280b5…

Blind Eagle infrastructure exclusively leverages VBS files as its initial attack vector, relies heavily on free Dynamic DNS (DDNS) services, and deploys read RATs as a second-stage malware.

trustwave.com/en-us/resource…

KQL:
detections.ai/rules/75867a1f…

SlimKQL Community Group

Hi all, I have migrated all my 338 KQLs from the GitHub Repo to Detections.ai SlimKQL Community Group. If you would like to get updates on my latest KQL detections, please do "FOLLOW" this community group. Thank you!

Steven 😄

Mail Bomb Mayhem? KQL to the Rescue.

Spotted a mail bomb attack originating from 30+ sender IPs. Leveraged KQL to trace the source and identify the ISPs involved. Visibility matters.🛡️

detections.ai/rules/e6a47fe9…

A KQL behavioural detection of the new #DEVMAN ransomware. Link: detections.ai/rules/8aa75ded… #Cybersecurity #DefenderXDR

Storm 1811 SE Attack Detection

1: Email Bombing
2: Microsoft Teams Impersonation
3: Remote Access via Quick Assist
4: Deploy Black Basta ransomware

detections.ai/rules/8d713b74…

🚀 detections.ai launched ~1.5 weeks ago and already hit:
👥 3K+ members
🛡️ 182+ detections (KQL, Sigma, YARA, Splunk, Elastic...)

That’s ~18 detections/day! 🔥
Join the global defender community & contribute!

🔗 Use invite code: Slim2025

#DefenderUnite

🕵️‍♂️ New Detection Drop

"You enumerate. I correlate. You exfil. I alert." 🔥

Just shipped a Sentinel KQL detection for NauthNRPC — a stealthy RPC-based AD recon tool.
github.com/sud0Ru/NauthNR…

🔍 Built to catch the quiet ones before they get loud.
detections.ai/rules/f2769974…

Hunting Exposed JDWP

🚨 New from Wiz: Attackers are actively exploiting exposed Java Debug Wire Protocol (JDWP) ports in the wild. Misconfigured dev-mode deployments are giving threat actors RCE on cloud workloads.
wiz.io/blog/exposed-j…

KQL Code:
detections.ai/rules/d4a19448…

🚨 Scattered Spider is back—and bolder. Check Point reveals 500+ phishing domains mimicking legit portals (e.g. victimname-okta[.]com) targeting aviation, tech, and more. No sector is safe. 🕷️✈️

blog.checkpoint.com/research/expos…

🕷️The Hunt for Spidy Phishing Domains🎣

The "KQL" to sniff out the web across your MDE & MDO telemetry 🤣

blog.checkpoint.com/research/expos…

KQL:
detections.ai/rules/1fb925e9…

🚨 2.3M users compromised.

18 Chrome & Edge extensions—once trusted, verified, even featured—turned into malware via silent updates. No phishing. No clicks. Just stealthy version bumps.

blog.koi.security/google-and-mic…

KQL Code:
detections.ai/rules/39c4afce…

🚨New web spun alert!

🕷️ The domain auth-sso[.]com just popped up yesterday and it’s giving off major Scattered Spider vibes. Defender stay vigilant!🫡

#Cybersecurity #ThreatIntel #Checkpoint #ScatteredSpider

🚨 New table alert for #AdvancedHunting in #DefenderXDR: GraphApiAuditEvents (Preview)

Track Microsoft Entra ID API calls to Graph API—see who accessed what, when, and how. Perfect for auditing Graph API usage & spotting anomalies.🫡

learn.microsoft.com/en-us/defender…

🔥World First DefenderXDR Graph API Threat Detection🫡

Monitoring Copilot Data Exfiltration via Graph API
detections.ai/share/rule/uv6…