MalChain Detections GitHub

Detection Library

Every technique ships with a runnable Microsoft Defender / Sentinel KQL query; 30 techniques with file or memory artifacts also ship a validated YARA rule. Choose a phase to view its rules, or jump straight from the coverage matrix.

52 KQL queries

Advanced Hunting across DeviceProcess, File, Registry, Network, Logon & Identity tables.

30 YARA rules

All compile cleanly; behavioural/network-only techniques are KQL-only by design.

1:1 mapping

Every rule ties to a single MalChain technique ID. Click a row to open it.

Coverage matrix

Every technique has a KQL query; 30 also have a YARA rule. Select any row to open its rule below.

TechniqueNameKQLYARA
ING-01Removable Media & File TransferKQLYARA
ING-02Malvertising & Drive-By DownloadsKQLYARA
ING-03Supply Chain CompromiseKQLYARA
ING-04Credential AbuseKQL
ING-05Malicious or Compromised USB DevicesKQLYARA
ING-06Watering Hole AttacksKQLYARA
ING-07External Remote ServicesKQL
ACT-01User-Executed FilesKQLYARA
ACT-02Script-Based ExecutionKQLYARA
ACT-03Service-Based ExecutionKQL
ACT-04DLL Side-Loading or HijackingKQLYARA
ACT-05WMI-Based ExecutionKQL
ACT-06Browser Extension ExecutionKQLYARA
ACT-07Boot / Firmware ExecutionKQL
ANC-01Startup & Logon ExecutionKQL
ANC-02Scheduled & Triggered ExecutionKQL
ANC-03Service & Daemon PersistenceKQL
ANC-04Registry-Based PersistenceKQL
ANC-05Browser-Based PersistenceKQL
ANC-06WMI & Event Subscription PersistenceKQLYARA
ANC-07Fileless & In-Memory PersistenceKQLYARA
ANC-08Boot & Pre-OS PersistenceKQL
CON-01Obfuscation & PackingKQLYARA
CON-02Fileless Malware ExecutionKQLYARA
CON-03Security Tool TamperingKQLYARA
CON-04Masquerading & ImpersonationKQLYARA
CON-05Environment & Sandbox EvasionKQLYARA
CON-06Process InjectionKQLYARA
CON-07Polymorphism & MetamorphismKQLYARA
CON-08Log & Artifact ManipulationKQLYARA
CON-09Living-off-the-Land for EvasionKQLYARA
CON-10Anti-Forensics & CleanupKQLYARA
EXP-01Living-off-the-Land Lateral MovementKQL
EXP-02Credential Reuse & RelayKQL
EXP-03Pass-the-Hash / Pass-the-TicketKQLYARA
EXP-04Remote Service & Protocol AbuseKQL
EXP-05Network Share PropagationKQL
EXP-06Worm-like Self-PropagationKQLYARA
EXP-07Privilege Escalation Across HostsKQL
EXP-08Identity & Trust Relationship AbuseKQLYARA
EXP-09Directory Services TargetingKQLYARA
EXP-10Cloud & Hybrid Lateral MovementKQL
EXT-01HTTP / HTTPS Data ExfiltrationKQL
EXT-02DNS TunnelingKQLYARA
EXT-03Cloud Storage AbuseKQL
EXT-04Messaging and Social Platform ChannelsKQLYARA
EXT-05FTP / SFTP / FTPS TransferKQL
EXT-06Tor / Proxy / VPN Anonymization ChannelsKQLYARA
EXT-07Encrypted Command-and-Control ChannelsKQLYARA
EXT-08Removable Media Data ExtractionKQL
EXT-09Steganographic Data TransferKQLYARA
EXT-10Multi-Channel Redundant ExfiltrationKQL

Rules by phase

IngressING

How malware enters systems. 7 techniques · copy any rule below.

ING-01Removable Media & File TransferTechnique →
kql
// Removable Media: execution or executable drop from removable drives
DeviceFileEvents
| where Timestamp > ago(14d)
| where InitiatingProcessAccountName != "system"
| where FolderPath matches regex @"^[D-Z]:\\" and (FileName endswith ".exe" or FileName endswith ".lnk" or FileName endswith ".scr" or FileName == "autorun.inf")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, SHA256
| join kind=leftouter (
    DeviceProcessEvents | where FolderPath matches regex @"^[D-Z]:\\"
    | project DeviceName, ExecFolder=FolderPath, ProcessCommandLine
) on DeviceName
yara
rule MC_ING_01_Removable_Media_Autorun
{
    meta:
        author = "MalChain"
        technique = "MC-ING-01 Removable Media & File Transfer"
        description = "Autorun.inf abusing removable media to auto-launch a payload"
    strings:
        $a = "[autorun]" ascii nocase
        $b = "open=" ascii nocase
        $c = "shellexecute=" ascii nocase
        $d = "shell\\open\\command" ascii nocase
        $exe = ".exe" ascii nocase
    condition:
        $a and 1 of ($b,$c,$d) and $exe
}
ING-02Malvertising & Drive-By DownloadsTechnique →
kql
// Malvertising / Drive-by: browser spawning script interpreters or writing executables
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","firefox.exe","iexplore.exe","brave.exe")
| where FileName in~ ("powershell.exe","pwsh.exe","cmd.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
yara
rule MC_ING_02_Malvertising_HTA_Dropper
{
    meta:
        author = "MalChain"
        technique = "MC-ING-02 Malvertising & Drive-By Downloads"
        description = "HTA/JS drive-by dropper invoking script hosts or downloads"
    strings:
        $hta = "<hta:application" ascii nocase
        $ws  = "WScript.Shell" ascii nocase
        $ado = "ADODB.Stream" ascii nocase
        $xhr = "MSXML2.XMLHTTP" ascii nocase
        $ps  = "powershell" ascii nocase
    condition:
        ($hta or $ws) and 2 of ($ado,$xhr,$ps)
}
ING-03Supply Chain CompromiseTechnique →
kql
// Supply Chain: unexpected child process from a signed updater / installer
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName has_any ("update","installer","setup","msiexec.exe")
| where FileName in~ ("powershell.exe","cmd.exe","wscript.exe","cscript.exe","rundll32.exe","regsvr32.exe","bitsadmin.exe","curl.exe","certutil.exe")
| where ProcessCommandLine has_any ("http://","https://","-enc","DownloadString","Invoke-WebRequest")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
yara
rule MC_ING_03_Supply_Chain_Installer_Backdoor
{
    meta:
        author = "MalChain"
        technique = "MC-ING-03 Supply Chain Compromise"
        description = "Installer/updater carrying embedded shell or download logic"
    strings:
        $u1 = "cmd.exe /c" ascii nocase
        $u2 = "powershell -" ascii nocase
        $u3 = "DownloadString" ascii nocase
        $u4 = "certutil -urlcache" ascii nocase
        $msi = "Windows Installer" ascii nocase
    condition:
        $msi and 2 of ($u1,$u2,$u3,$u4)
}
ING-04Credential AbuseTechnique →
kql
// Credential Abuse: successful sign-ins from anomalous locations / impossible travel (identity)
IdentityLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonSuccess"
| summarize Countries=dcount(tostring(parse_json(AdditionalFields).Country)), Locations=make_set(tostring(parse_json(AdditionalFields).Country)) by AccountUpn, bin(Timestamp, 1h)
| where Countries > 1
| project Timestamp, AccountUpn, Countries, Locations
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
ING-05Malicious or Compromised USB DevicesTechnique →
kql
// Malicious USB: new PnP HID / storage device followed by rapid process execution
DeviceEvents
| where Timestamp > ago(14d)
| where ActionType in ("PnpDeviceConnected","UsbDriveMounted")
| project ConnectTime=Timestamp, DeviceName, AdditionalFields
| join kind=inner (
    DeviceProcessEvents
    | where FileName in~ ("cmd.exe","powershell.exe","wscript.exe","mshta.exe")
    | project ExecTime=Timestamp, DeviceName, FileName, ProcessCommandLine
) on DeviceName
| where ExecTime between (ConnectTime .. (ConnectTime + 2m))
yara
rule MC_ING_05_BadUSB_HID_Payload
{
    meta:
        author = "MalChain"
        technique = "MC-ING-05 Malicious or Compromised USB Devices"
        description = "Rubber Ducky / BadUSB keystroke-injection script artifacts"
    strings:
        $d1 = "DELAY " ascii
        $d2 = "STRING " ascii
        $d3 = "GUI r" ascii
        $d4 = "ENTER" ascii
        $d5 = "duckyscript" ascii nocase
    condition:
        $d5 or (3 of ($d1,$d2,$d3,$d4))
}
ING-06Watering Hole AttacksTechnique →
kql
// Watering Hole: navigation to a compromised site then payload retrieval
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","firefox.exe")
| where RemoteUrl has_any (".hta",".jar",".ps1",".js",".vbs",".scr")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName
yara
rule MC_ING_06_Watering_Hole_Injected_Script
{
    meta:
        author = "MalChain"
        technique = "MC-ING-06 Watering Hole Attacks"
        description = "Obfuscated JS injected into web content for selective delivery"
    strings:
        $s1 = "eval(" ascii
        $s2 = "String.fromCharCode(" ascii
        $s3 = "unescape(" ascii
        $s4 = "document.write(" ascii
        $s5 = "atob(" ascii
    condition:
        3 of them
}
ING-07External Remote ServicesTechnique →
kql
// External Remote Services: external RDP/VPN success followed by admin tool use
DeviceLogonEvents
| where Timestamp > ago(7d)
| where LogonType in ("RemoteInteractive","Network") and ActionType == "LogonSuccess"
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, AccountName, RemoteIP, LogonType
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.

ActivationACT

Running malicious code. 7 techniques · copy any rule below.

ACT-01User-Executed FilesTechnique →
kql
// User-Executed Files: process launched from Downloads/Temp by a user session
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any (@"\Downloads\", @"\Temp\", @"\AppData\Local\Temp\", @"\Users\Public\")
| where InitiatingProcessFileName in~ ("explorer.exe","outlook.exe","winrar.exe","7zFM.exe")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, ProcessCommandLine, SHA256
yara
rule MC_ACT_01_Office_Macro_Executor
{
    meta:
        author = "MalChain"
        technique = "MC-ACT-01 User-Executed Files"
        description = "Office document with auto-exec VBA spawning a shell"
    strings:
        $a1 = "AutoOpen" ascii nocase
        $a2 = "Document_Open" ascii nocase
        $a3 = "Auto_Open" ascii nocase
        $s1 = "Shell(" ascii nocase
        $s2 = "WScript.Shell" ascii nocase
        $s3 = "CreateObject" ascii nocase
    condition:
        1 of ($a*) and 1 of ($s*)
}
ACT-02Script-Based ExecutionTechnique →
kql
// Script-Based Execution: encoded / obfuscated interpreter command lines
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe")
| where ProcessCommandLine has_any ("-enc","-e ","FromBase64String","IEX","Invoke-Expression","-nop","-w hidden","bypass","DownloadString")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
yara
rule MC_ACT_02_Obfuscated_Script
{
    meta:
        author = "MalChain"
        technique = "MC-ACT-02 Script-Based Execution"
        description = "Base64/encoded PowerShell or script-based in-memory execution"
    strings:
        $p1 = "FromBase64String" ascii nocase
        $p2 = "-enc" ascii nocase
        $p3 = "IEX" ascii
        $p4 = "Invoke-Expression" ascii nocase
        $p5 = "-w hidden" ascii nocase
        $p6 = "-nop" ascii nocase
    condition:
        2 of them
}
ACT-03Service-Based ExecutionTechnique →
kql
// Service-Based Execution: new service created for code execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "sc.exe" and ProcessCommandLine has "create"
    or (InitiatingProcessFileName =~ "services.exe" and FileName in~ ("cmd.exe","powershell.exe"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
ACT-04DLL Side-Loading or HijackingTechnique →
kql
// DLL Side-Loading: signed app loading an unsigned DLL from its own directory
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFolderPath !startswith "C:\\Windows"
| where FolderPath =~ InitiatingProcessFolderPath
| where isempty(Signer) or SignatureStatus != "Valid"
| where FileName endswith ".dll"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath, SignatureStatus
yara
rule MC_ACT_04_DLL_SideLoad_Proxy
{
    meta:
        author = "MalChain"
        technique = "MC-ACT-04 DLL Side-Loading or Hijacking"
        description = "Proxy DLL exporting forwarders plus payload staging APIs"
    strings:
        $e1 = "LoadLibraryA" ascii
        $e2 = "GetProcAddress" ascii
        $f1 = ".dll" ascii nocase
        $a1 = "VirtualProtect" ascii
        $a2 = "CreateThread" ascii
    condition:
        uint16(0) == 0x5A4D and $e1 and $e2 and $f1 and 1 of ($a*)
}
ACT-05WMI-Based ExecutionTechnique →
kql
// WMI-Based Execution: wmiprvse spawning interpreters (remote/lateral exec)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName in~ ("powershell.exe","cmd.exe","wscript.exe","mshta.exe","rundll32.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
ACT-06Browser Extension ExecutionTechnique →
kql
// Browser Extension Execution: new/modified extension manifest with broad permissions
DeviceFileEvents
| where Timestamp > ago(14d)
| where FolderPath has_any (@"\Extensions\", @"\Extension Settings\")
| where FileName in~ ("manifest.json","background.js","content.js")
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, SHA256
yara
rule MC_ACT_06_Malicious_Browser_Extension
{
    meta:
        author = "MalChain"
        technique = "MC-ACT-06 Browser Extension Execution"
        description = "Extension manifest requesting broad permissions + remote code"
    strings:
        $m = "manifest_version" ascii
        $p1 = "\"<all_urls>\"" ascii
        $p2 = "webRequest" ascii
        $p3 = "tabs" ascii
        $c1 = "eval(" ascii
        $c2 = "chrome.runtime.onMessage" ascii
    condition:
        $m and 1 of ($p*) and 1 of ($c*)
}
ACT-07Boot / Firmware ExecutionTechnique →
kql
// Boot / Firmware Execution: bootloader / BCD tampering utilities
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("bcdedit.exe","bootcfg.exe","mountvol.exe") and ProcessCommandLine has_any ("set","/set","testsigning","nointegritychecks")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.

AnchoringANC

Maintaining presence. 8 techniques · copy any rule below.

ANC-01Startup & Logon ExecutionTechnique →
kql
// Startup & Logon: Run key or Startup-folder persistence created
union
(DeviceRegistryEvents
 | where ActionType in ("RegistryValueSet","RegistryKeyCreated")
 | where RegistryKey has_any (@"\CurrentVersion\Run", @"\CurrentVersion\RunOnce", @"\Winlogon")
 | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName),
(DeviceFileEvents
 | where FolderPath has @"\Start Menu\Programs\Startup\"
 | project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName)
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
ANC-02Scheduled & Triggered ExecutionTechnique →
kql
// Scheduled & Triggered: task created via schtasks/PowerShell with suspicious action
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ "schtasks.exe" and ProcessCommandLine has "/create")
    or (FileName in~ ("powershell.exe","pwsh.exe") and ProcessCommandLine has "Register-ScheduledTask")
| where ProcessCommandLine has_any ("powershell","cmd","mshta","rundll32","http","AppData","Temp")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
ANC-03Service & Daemon PersistenceTechnique →
kql
// Service & Daemon Persistence: auto-start service pointing to user-writable path
DeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey has @"\Services\" and RegistryValueName == "ImagePath"
| where RegistryValueData has_any (@"\Users\", @"\Temp\", @"\AppData\", @"\ProgramData\", "powershell", "cmd /c")
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessFileName
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
ANC-04Registry-Based PersistenceTechnique →
kql
// Registry-Based Persistence: less-common autostart locations
DeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey has_any (@"\Image File Execution Options", @"\AppInit_DLLs", @"\Userinit", @"\Shell", @"\CurrentVersion\Policies\Explorer\Run")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
ANC-05Browser-Based PersistenceTechnique →
kql
// Browser-Based Persistence: registry-forced extension load / DebuggerPath
DeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey has_any (@"\ExtensionInstallForcelist", @"\Chrome\NativeMessagingHosts", @"\Edge\NativeMessagingHosts")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
ANC-06WMI & Event Subscription PersistenceTechnique →
kql
// WMI Event Subscription Persistence: permanent consumer/binding creation
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has_any ("__EventFilter","CommandLineEventConsumer","ActiveScriptEventConsumer","__FilterToConsumerBinding","root\subscription")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
yara
rule MC_ANC_06_WMI_Event_Consumer
{
    meta:
        author = "MalChain"
        technique = "MC-ANC-06 WMI & Event Subscription Persistence"
        description = "Script creating permanent WMI event subscription persistence"
    strings:
        $a = "__EventFilter" ascii nocase
        $b = "CommandLineEventConsumer" ascii nocase
        $c = "ActiveScriptEventConsumer" ascii nocase
        $d = "__FilterToConsumerBinding" ascii nocase
        $e = "root\\subscription" ascii nocase
    condition:
        2 of them
}
ANC-07Fileless & In-Memory PersistenceTechnique →
kql
// Fileless & In-Memory Persistence: registry blob storing encoded payload
DeviceRegistryEvents
| where Timestamp > ago(14d)
| where strlen(RegistryValueData) > 2048
| where RegistryValueData matches regex @"[A-Za-z0-9+/]{500,}={0,2}"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, DataLen=strlen(RegistryValueData), InitiatingProcessFileName
yara
rule MC_ANC_07_Fileless_Registry_Payload_Loader
{
    meta:
        author = "MalChain"
        technique = "MC-ANC-07 Fileless & In-Memory Persistence"
        description = "Loader reading an encoded payload from the registry into memory"
    strings:
        $r1 = "Get-ItemProperty" ascii nocase
        $r2 = "RegOpenKeyEx" ascii
        $b1 = "FromBase64String" ascii nocase
        $m1 = "VirtualAlloc" ascii
        $m2 = "[Reflection.Assembly]::Load" ascii nocase
    condition:
        (1 of ($r*)) and $b1 and (1 of ($m*))
}
ANC-08Boot & Pre-OS PersistenceTechnique →
kql
// Boot & Pre-OS Persistence: bootkit / raw disk write tooling
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("bcdedit.exe","bootim.exe","reagentc.exe") and ProcessCommandLine has_any ("set","disable","/set")
    or ProcessCommandLine has_any (@"\.\PhysicalDrive0", "\Device\Harddisk0")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.

ConcealmentCON

Avoiding detection. 10 techniques · copy any rule below.

CON-01Obfuscation & PackingTechnique →
kql
// Obfuscation & Packing: newly written PE with very high entropy sections
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any (@"\Temp\", @"\AppData\", @"\ProgramData\", @"\Users\Public\")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
// Pivot SHA256 into a sandbox/entropy source; alert on packer indicators (UPX/MPRESS/Themida)
yara
rule MC_CON_01_Packed_Executable
{
    meta:
        author = "MalChain"
        technique = "MC-CON-01 Obfuscation & Packing"
        description = "Common runtime packer section names in a PE"
    strings:
        $upx0 = "UPX0" ascii
        $upx1 = "UPX1" ascii
        $mpress = ".MPRESS1" ascii
        $aspack = ".aspack" ascii
        $themida = "Themida" ascii nocase
        $petite = ".petite" ascii
    condition:
        uint16(0) == 0x5A4D and 1 of them
}
CON-02Fileless Malware ExecutionTechnique →
kql
// Fileless Execution: interpreter with no file, downloading & running in memory
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe","pwsh.exe")
| where ProcessCommandLine has_any ("IEX","Invoke-Expression","DownloadString","Reflection.Assembly","[Convert]::FromBase64String","VirtualAlloc")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
yara
rule MC_CON_02_Fileless_Reflective_Loader
{
    meta:
        author = "MalChain"
        technique = "MC-CON-02 Fileless Malware Execution"
        description = "In-memory reflective loading / shellcode allocation primitives"
    strings:
        $a1 = "VirtualAlloc" ascii
        $a2 = "VirtualAllocEx" ascii
        $a3 = "RtlMoveMemory" ascii
        $a4 = "CreateThread" ascii
        $a5 = "[Reflection.Assembly]::Load" ascii nocase
        $a6 = "ReflectiveLoader" ascii
    condition:
        3 of them
}
CON-03Security Tool TamperingTechnique →
kql
// Security Tool Tampering: defender / EDR service or exclusion manipulation
union
(DeviceProcessEvents
 | where ProcessCommandLine has_any ("Set-MpPreference","DisableRealtimeMonitoring","Add-MpPreference -ExclusionPath","sc stop","net stop") and ProcessCommandLine has_any ("defender","sense","windefend","MsMpEng","exclusion")
 | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine),
(DeviceRegistryEvents
 | where RegistryKey has @"\Windows Defender" and RegistryValueName in ("DisableAntiSpyware","DisableRealtimeMonitoring")
 | project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessFileName)
yara
rule MC_CON_03_Security_Tool_Tampering
{
    meta:
        author = "MalChain"
        technique = "MC-CON-03 Security Tool Tampering"
        description = "Commands disabling AV/EDR or adding exclusions"
    strings:
        $a = "Set-MpPreference" ascii nocase
        $b = "DisableRealtimeMonitoring" ascii nocase
        $c = "Add-MpPreference -ExclusionPath" ascii nocase
        $d = "sc stop WinDefend" ascii nocase
        $e = "DisableAntiSpyware" ascii nocase
    condition:
        1 of them
}
CON-04Masquerading & ImpersonationTechnique →
kql
// Masquerading: system-named binary running from a non-system path
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe","lsass.exe","services.exe","csrss.exe","winlogon.exe","explorer.exe")
| where FolderPath !startswith "C:\\Windows"
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, SHA256
yara
rule MC_CON_04_Masquerade_System_Name
{
    meta:
        author = "MalChain"
        technique = "MC-CON-04 Masquerading & Impersonation"
        description = "PE claiming a core Windows original filename but lacking MS company"
    strings:
        $n1 = "svchost.exe" wide ascii nocase
        $n2 = "lsass.exe" wide ascii nocase
        $n3 = "services.exe" wide ascii nocase
        $ms = "Microsoft Corporation" wide ascii
    condition:
        uint16(0) == 0x5A4D and 1 of ($n*) and not $ms
}
CON-05Environment & Sandbox EvasionTechnique →
kql
// Sandbox / Environment Evasion: reconnaissance of VM & analysis artifacts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("vmware","vbox","virtualbox","qemu","sbiedll","wireshark","procmon","Win32_ComputerSystem","NumberOfCores")
| where FileName in~ ("wmic.exe","powershell.exe","reg.exe","cmd.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
yara
rule MC_CON_05_Sandbox_Evasion_Strings
{
    meta:
        author = "MalChain"
        technique = "MC-CON-05 Environment & Sandbox Evasion"
        description = "Anti-VM / anti-analysis artifact strings"
    strings:
        $v1 = "VBoxGuest" ascii nocase
        $v2 = "vmware" ascii nocase
        $v3 = "vmtoolsd" ascii nocase
        $v4 = "SbieDll.dll" ascii nocase
        $v5 = "QEMU" ascii
        $v6 = "IsDebuggerPresent" ascii
        $v7 = "CheckRemoteDebuggerPresent" ascii
    condition:
        3 of them
}
CON-06Process InjectionTechnique →
kql
// Process Injection: cross-process handle open + remote thread indicators
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("CreateRemoteThreadApiCall","WriteToLsassProcessMemory","QueueUserApcRemoteApiCall","SetThreadContextRemoteApiCall")
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName, FileName, AdditionalFields
yara
rule MC_CON_06_Process_Injection_Primitives
{
    meta:
        author = "MalChain"
        technique = "MC-CON-06 Process Injection"
        description = "Classic remote-injection / process-hollowing API set"
    strings:
        $a1 = "OpenProcess" ascii
        $a2 = "VirtualAllocEx" ascii
        $a3 = "WriteProcessMemory" ascii
        $a4 = "CreateRemoteThread" ascii
        $a5 = "NtUnmapViewOfSection" ascii
        $a6 = "SetThreadContext" ascii
        $a7 = "QueueUserAPC" ascii
    condition:
        uint16(0) == 0x5A4D and 3 of them
}
CON-07Polymorphism & MetamorphismTechnique →
kql
// Polymorphism/Metamorphism: many distinct hashes, same filename across fleet
DeviceFileEvents
| where Timestamp > ago(14d)
| where ActionType == "FileCreated"
| summarize DistinctHashes=dcount(SHA256), Hosts=dcount(DeviceName) by FileName
| where DistinctHashes > 10 and Hosts > 3
| project FileName, DistinctHashes, Hosts
yara
rule MC_CON_07_Polymorphic_Loader
{
    meta:
        author = "MalChain"
        technique = "MC-CON-07 Polymorphism & Metamorphism"
        description = "Self-modifying / runtime-decrypting loader primitives"
    strings:
        $a1 = "VirtualProtect" ascii
        $a2 = "WriteProcessMemory" ascii
        $x1 = { 33 ?? 88 ?? ?? 40 }        // xor/store/inc decrypt-loop shape
        $x2 = { 80 34 ?? ?? 40 3B }        // xor byte ptr [reg+key]; inc; cmp
    condition:
        uint16(0) == 0x5A4D and 1 of ($a*) and 1 of ($x*)
}
CON-08Log & Artifact ManipulationTechnique →
kql
// Log & Artifact Manipulation: event-log clearing
union
(DeviceProcessEvents
 | where (FileName =~ "wevtutil.exe" and ProcessCommandLine has_any ("cl ","clear-log"))
     or (FileName in~ ("powershell.exe","pwsh.exe") and ProcessCommandLine has "Clear-EventLog")
 | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine),
(DeviceEvents | where ActionType == "SecurityLogCleared" | project Timestamp, DeviceName, ActionType, InitiatingProcessFileName)
yara
rule MC_CON_08_Log_Manipulation
{
    meta:
        author = "MalChain"
        technique = "MC-CON-08 Log & Artifact Manipulation"
        description = "Event log clearing / tampering commands"
    strings:
        $a = "wevtutil cl" ascii nocase
        $b = "Clear-EventLog" ascii nocase
        $c = "wevtutil clear-log" ascii nocase
        $d = "Remove-EventLog" ascii nocase
    condition:
        1 of them
}
CON-09Living-off-the-Land for EvasionTechnique →
kql
// Living-off-the-Land for Evasion: proxy execution via trusted binaries
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("regsvr32.exe","rundll32.exe","mshta.exe","installutil.exe","msbuild.exe","certutil.exe","regasm.exe","regsvcs.exe")
| where ProcessCommandLine has_any ("http","scrobj","javascript:","-decode","-urlcache","/i:","AppData","Temp")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
yara
rule MC_CON_09_LOLBin_Proxy_Execution
{
    meta:
        author = "MalChain"
        technique = "MC-CON-09 Living-off-the-Land for Evasion"
        description = "LOLBin proxy-execution command patterns"
    strings:
        $a = "regsvr32" ascii nocase
        $s = "scrobj.dll" ascii nocase
        $b = "mshta" ascii nocase
        $j = "javascript:" ascii nocase
        $c = "certutil" ascii nocase
        $u = "-urlcache" ascii nocase
    condition:
        ($a and $s) or ($b and $j) or ($c and $u)
}
CON-10Anti-Forensics & CleanupTechnique →
kql
// Anti-Forensics: shadow copy deletion & timestomping
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("vssadmin delete shadows","wmic shadowcopy delete","Delete-VssShadow","fsutil usn deletejournal","bcdedit /set {default} recoveryenabled no","wbadmin delete catalog")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
yara
rule MC_CON_10_AntiForensics_Cleanup
{
    meta:
        author = "MalChain"
        technique = "MC-CON-10 Anti-Forensics & Cleanup"
        description = "Shadow copy deletion / recovery disabling / journal wipe"
    strings:
        $a = "vssadmin delete shadows" ascii nocase
        $b = "wmic shadowcopy delete" ascii nocase
        $c = "wbadmin delete catalog" ascii nocase
        $d = "fsutil usn deletejournal" ascii nocase
        $e = "recoveryenabled no" ascii nocase
    condition:
        1 of them
}

ExpansionEXP

Spreading within networks. 10 techniques · copy any rule below.

EXP-01Living-off-the-Land Lateral MovementTechnique →
kql
// LotL Lateral Movement: remote exec tools launched to another host
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("psexec.exe","psexesvc.exe","wmic.exe","winrs.exe") or (FileName in~ ("powershell.exe","pwsh.exe") and ProcessCommandLine has_any ("Invoke-Command","New-PSSession","-ComputerName","Enter-PSSession"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
EXP-02Credential Reuse & RelayTechnique →
kql
// Credential Reuse & Relay: same account authenticating to many hosts quickly
DeviceLogonEvents
| where Timestamp > ago(1d)
| where ActionType == "LogonSuccess" and LogonType in ("Network","RemoteInteractive")
| summarize Hosts=dcount(DeviceName), HostSet=make_set(DeviceName,20) by AccountName, bin(Timestamp, 15m)
| where Hosts >= 5
| project Timestamp, AccountName, Hosts, HostSet
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
EXP-03Pass-the-Hash / Pass-the-TicketTechnique →
kql
// Pass-the-Hash / Pass-the-Ticket: NTLM/Kerberos logon anomalies from lsass access
DeviceLogonEvents
| where Timestamp > ago(3d)
| where LogonType == "Network" and ActionType == "LogonSuccess"
| where isempty(RemoteIP) == false
| join kind=inner (DeviceEvents | where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe" | project DeviceName, Timestamp) on DeviceName
| project Timestamp, DeviceName, AccountName, RemoteIP, LogonType
yara
rule MC_EXP_03_Credential_Ticket_Tooling
{
    meta:
        author = "MalChain"
        technique = "MC-EXP-03 Pass-the-Hash / Pass-the-Ticket"
        description = "Mimikatz/Rubeus PtH/PtT command artifacts"
    strings:
        $a = "sekurlsa::pth" ascii nocase
        $b = "sekurlsa::logonpasswords" ascii nocase
        $c = "kerberos::ptt" ascii nocase
        $d = "asktgt" ascii nocase
        $e = "Rubeus" ascii
    condition:
        1 of them
}
EXP-04Remote Service & Protocol AbuseTechnique →
kql
// Remote Service & Protocol Abuse: remote service creation over the network
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "sc.exe" and ProcessCommandLine has_any (@"\\", "\\") and ProcessCommandLine has "create"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
EXP-05Network Share PropagationTechnique →
kql
// Network Share Propagation: writes of executables to admin/hidden shares
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath matches regex @"\\\\[^\\]+\\(ADMIN\$|C\$|IPC\$)"
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".bat"
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, SHA256
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
EXP-06Worm-like Self-PropagationTechnique →
kql
// Worm-like Self-Propagation: one process writing identical binary to many hosts/shares
DeviceFileEvents
| where Timestamp > ago(2d)
| where ActionType == "FileCreated" and (FileName endswith ".exe" or FileName endswith ".dll")
| summarize Targets=dcount(DeviceName), Paths=dcount(FolderPath) by SHA256, InitiatingProcessFileName
| where Targets > 5 or Paths > 20
| project SHA256, InitiatingProcessFileName, Targets, Paths
yara
rule MC_EXP_06_Worm_SelfPropagation
{
    meta:
        author = "MalChain"
        technique = "MC-EXP-06 Worm-like Self-Propagation"
        description = "Self-copy to network shares / removable drives via enumeration"
    strings:
        $a1 = "WNetAddConnection2" ascii
        $a2 = "GetLogicalDrives" ascii
        $a3 = "CopyFile" ascii
        $s1 = "\\ADMIN$" ascii nocase
        $s2 = "\\C$" ascii nocase
        $s3 = "autorun.inf" ascii nocase
    condition:
        uint16(0) == 0x5A4D and 1 of ($a*) and 1 of ($s*)
}
EXP-07Privilege Escalation Across HostsTechnique →
kql
// Privilege Escalation Across Hosts: token/UAC bypass & elevation tooling
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("SeDebugPrivilege","fodhelper.exe","eventvwr.exe","computerdefaults.exe","sdclt.exe","Invoke-TokenManipulation","getsystem")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
EXP-08Identity & Trust Relationship AbuseTechnique →
kql
// Identity & Trust Relationship Abuse: golden/silver ticket & delegation abuse recon
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("kerberos::golden","kerberos::ptt","Add-KrbtgtKey","asktgt","s4u","/impersonateuser","Rubeus")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
yara
rule MC_EXP_08_Kerberos_Trust_Abuse
{
    meta:
        author = "MalChain"
        technique = "MC-EXP-08 Identity & Trust Relationship Abuse"
        description = "Golden/silver ticket and delegation abuse artifacts"
    strings:
        $a = "kerberos::golden" ascii nocase
        $b = "kerberos::silver" ascii nocase
        $c = "/krbtgt" ascii nocase
        $d = "s4u" ascii nocase
        $e = "/impersonateuser" ascii nocase
    condition:
        1 of them
}
EXP-09Directory Services TargetingTechnique →
kql
// Directory Services Targeting: DCSync / mass LDAP enumeration
union
(DeviceProcessEvents
 | where ProcessCommandLine has_any ("lsadump::dcsync","dcsync","GetNCChanges","Get-ADReplAccount")
 | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine),
(IdentityDirectoryEvents
 | where ActionType == "Directory Services replication"
 | project Timestamp, DeviceName=TargetDeviceName, AccountName=AccountUpn, ActionType)
yara
rule MC_EXP_09_DCSync_Directory_Attack
{
    meta:
        author = "MalChain"
        technique = "MC-EXP-09 Directory Services Targeting"
        description = "DCSync / directory replication abuse artifacts"
    strings:
        $a = "lsadump::dcsync" ascii nocase
        $b = "GetNCChanges" ascii
        $c = "DsGetNCChanges" ascii
        $d = "Get-ADReplAccount" ascii nocase
    condition:
        1 of them
}
EXP-10Cloud & Hybrid Lateral MovementTechnique →
kql
// Cloud & Hybrid Lateral Movement: on-prem host reaching cloud IMDS / token endpoints
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("169.254.169.254","login.microsoftonline.com","sts.amazonaws.com","metadata.google.internal")
| where InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe","curl.exe","python.exe","cmd.exe")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.

ExtractionEXT

Stealing data. 10 techniques · copy any rule below.

EXT-01HTTP / HTTPS Data ExfiltrationTechnique →
kql
// HTTP/HTTPS Exfil: large outbound upload to rare external host
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
| summarize SentBytes=sum(tolong(coalesce(SentBytes,0))) by DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, bin(Timestamp,1h)
| where SentBytes > 50000000
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, SentBytes, InitiatingProcessFileName
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
EXT-02DNS TunnelingTechnique →
kql
// DNS Tunneling: long / high-entropy subdomains and high query volume
DeviceNetworkEvents
| where Timestamp > ago(3d)
| where ActionType == "DnsQueryResponse" or isnotempty(RemoteUrl)
| extend Sub = tostring(split(RemoteUrl, ".")[0])
| where strlen(Sub) > 30
| summarize Queries=count(), MaxLen=max(strlen(Sub)) by DeviceName, Domain=strcat(tostring(split(RemoteUrl,".")[-2]),".",tostring(split(RemoteUrl,".")[-1])), bin(Timestamp,1h)
| where Queries > 100
| project Timestamp, DeviceName, Domain, Queries, MaxLen
yara
rule MC_EXT_02_DNS_Tunnel_Tooling
{
    meta:
        author = "MalChain"
        technique = "MC-EXT-02 DNS Tunneling"
        description = "Known DNS-tunnel tool markers / DNS TXT exfil routines"
    strings:
        $a = "iodine" ascii nocase
        $b = "dnscat" ascii nocase
        $c = "dns2tcp" ascii nocase
        $t = "DNS_TYPE_TXT" ascii
        $q = "DnsQuery_A" ascii
    condition:
        1 of ($a,$b,$c) or ($t and $q)
}
EXT-03Cloud Storage AbuseTechnique →
kql
// Cloud Storage Abuse: upload utilities / SDKs contacting cloud storage
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("s3.amazonaws.com","blob.core.windows.net","storage.googleapis.com","dropboxapi.com","drive.google.com","mega.nz")
| where InitiatingProcessFileName in~ ("powershell.exe","curl.exe","rclone.exe","python.exe","cmd.exe","aws.exe")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
EXT-04Messaging and Social Platform ChannelsTechnique →
kql
// Messaging/Social Channels: exfil via Telegram/Discord/webhook APIs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("api.telegram.org","discord.com/api/webhooks","discordapp.com/api/webhooks","hooks.slack.com","pastebin.com")
| where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","teams.exe","slack.exe","discord.exe")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
yara
rule MC_EXT_04_Messaging_Channel_Exfil
{
    meta:
        author = "MalChain"
        technique = "MC-EXT-04 Messaging and Social Platform Channels"
        description = "Hardcoded Telegram/Discord webhook exfil endpoints"
    strings:
        $a = "api.telegram.org/bot" ascii nocase
        $b = "discord.com/api/webhooks" ascii nocase
        $c = "discordapp.com/api/webhooks" ascii nocase
        $d = "hooks.slack.com/services" ascii nocase
    condition:
        1 of them
}
EXT-05FTP / SFTP / FTPS TransferTechnique →
kql
// FTP/SFTP/FTPS Transfer: command-line FTP clients to external hosts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("ftp.exe","winscp.com","winscp.exe","pscp.exe","psftp.exe","curl.exe") and ProcessCommandLine has_any ("ftp://","sftp://","ftps://","-put","put ")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
EXT-06Tor / Proxy / VPN Anonymization ChannelsTechnique →
kql
// Tor / Proxy / VPN Anonymization: connections to Tor / anonymizer infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (".onion","torproject.org") or InitiatingProcessFileName in~ ("tor.exe","obfs4proxy.exe","psiphon.exe")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName
yara
rule MC_EXT_06_Tor_Anonymizer_Artifacts
{
    meta:
        author = "MalChain"
        technique = "MC-EXT-06 Tor / Proxy / VPN Anonymization Channels"
        description = "Embedded Tor / onion routing artifacts"
    strings:
        $a = ".onion" ascii nocase
        $b = "tor.exe" ascii nocase
        $c = "obfs4proxy" ascii nocase
        $d = "SOCKS5" ascii
        $e = "torrc" ascii nocase
    condition:
        2 of them
}
EXT-07Encrypted Command-and-Control ChannelsTechnique →
kql
// Encrypted C2: periodic beaconing (regular interval, small jitter) to one host
DeviceNetworkEvents
| where Timestamp > ago(2d) and RemoteIPType == "Public" and ActionType == "ConnectionSuccess"
| summarize Beacons=count(), Intervals=make_list(Timestamp,200) by DeviceName, RemoteIP, InitiatingProcessFileName
| where Beacons > 50
| project DeviceName, RemoteIP, InitiatingProcessFileName, Beacons
// Post-process Intervals for low standard-deviation to confirm beaconing
yara
rule MC_EXT_07_Encrypted_C2_Config
{
    meta:
        author = "MalChain"
        technique = "MC-EXT-07 Encrypted Command-and-Control Channels"
        description = "Beacon/C2 config primitives and known malleable markers"
    strings:
        $a = "User-Agent:" ascii
        $b = "WinHttpConnect" ascii
        $c = "InternetOpenA" ascii
        $bk = "beacon.dll" ascii nocase
        $mz = "ReflectiveLoader" ascii
    condition:
        uint16(0) == 0x5A4D and ($bk or $mz or (2 of ($a,$b,$c)))
}
EXT-08Removable Media Data ExtractionTechnique →
kql
// Removable Media Data Extraction: bulk copy of documents to removable drive
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated" and FolderPath matches regex @"^[D-Z]:\\"
| where FileName has_any (".docx",".xlsx",".pdf",".pst",".zip",".7z",".sql",".csv")
| summarize Files=count(), Bytes=sum(tolong(coalesce(FileSize,0))) by DeviceName, InitiatingProcessAccountName, bin(Timestamp,10m)
| where Files > 25
| project Timestamp, DeviceName, InitiatingProcessAccountName, Files, Bytes
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.
EXT-09Steganographic Data TransferTechnique →
kql
// Steganographic Data Transfer: stego tooling / image files with appended data
DeviceProcessEvents
| where Timestamp > ago(14d)
| where FileName in~ ("steghide.exe","openstego.exe","outguess.exe","zsteg.exe") or ProcessCommandLine has_any ("steghide","Add-Content -Encoding Byte","copy /b image","Invoke-PSImage")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
yara
rule MC_EXT_09_Steganography_Tooling
{
    meta:
        author = "MalChain"
        technique = "MC-EXT-09 Steganographic Data Transfer"
        description = "Steganography tools / PS image-embedding routines"
    strings:
        $a = "steghide" ascii nocase
        $b = "OpenStego" ascii nocase
        $c = "Invoke-PSImage" ascii nocase
        $d = "outguess" ascii nocase
    condition:
        1 of ($a,$b,$c,$d)
}
EXT-10Multi-Channel Redundant ExfiltrationTechnique →
kql
// Multi-Channel Redundant Exfil: one process using several distinct egress channels
DeviceNetworkEvents
| where Timestamp > ago(1d) and RemoteIPType == "Public"
| summarize Channels=dcount(RemoteUrl), Protocols=make_set(RemotePort,10) by DeviceName, InitiatingProcessFileName, bin(Timestamp,30m)
| where Channels > 15
| project Timestamp, DeviceName, InitiatingProcessFileName, Channels, Protocols
YARA not applicable to this behavioural / network-only technique — use the KQL rule above.