
Commit 06e233c

committed
feat: add Cloud Storage Exfiltration Domain Hits rule, fix ScreenConnect sort
Adds an Exfiltration-category rule that hits on event.dns.request / url.address against 50 cloud-storage and anonymous file-sharing domains sourced from the lolexfil tools.json "cloud storage" set (Backblaze, Dropbox, MEGA, pCloud, MediaFire, 4shared, fex.net, Bublup, gofile, anonfiles, bashupload, temp.sh, transfer.sh, catbox.moe, share.riseup.net, oshi.at, send.exploit.in, myftp.*, etc.). Popular cloud-platform domains (Google, Amazon, Microsoft) are excluded to keep the rule actionable. Also fixes the Newly Observed ScreenConnect Host Server rule: the final "| sort -_FirstSeenMs" ran after "| columns" projected the output, which dropped _FirstSeenMs from scope and silently no-oped the sort. Moves the sort step ahead of the columns projection.
1 parent 9e8b34b commit 06e233c

1 file changed

Lines changed: 6 additions & 1 deletion


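--- a/s1_powerquery_hunting.json
+++ b/s1_powerquery_hunting.json
@@ -152,7 +152,7 @@
 {
 "category": "Command & Control",
 "name": "Newly Observed ScreenConnect Host Server",
-"query": "(src.process.name = \"ScreenConnect.ClientService.exe\" OR src.process.publisher contains:anycase \"ConnectWise\") AND src.process.cmdline contains:anycase \"&h=\"\n| let screenconnectServer = src.process.cmdline.extract_matches('[?&]h=([^&\"]+)').get(0)\n| filter screenconnectServer != null\n| filter NOT (screenconnectServer contains:anycase \".screenconnect.com\" OR screenconnectServer contains:anycase \".connectwisecontrol.com\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), EndpointCount=estimate_distinct(endpoint.name), UniqueHosts=array_agg_distinct(endpoint.name), UniqueUsers=array_agg_distinct(src.process.user), UniqueParents=array_agg_distinct(src.process.parent.name), UniqueCmdlines=array_agg_distinct(src.process.cmdline) by screenconnectServer\n| filter EndpointCount == 1\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllHosts = UniqueHosts.to_string(', '), AllUsers = UniqueUsers.to_string(', '), AllParents = UniqueParents.to_string(', '), AllCmdlines = UniqueCmdlines.to_string(' | ')\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, screenconnectServer, EndpointCount, AllHosts, AllUsers, AllParents, AllCmdlines, Count\n| sort -_FirstSeenMs\n| limit 100000"
+"query": "(src.process.name = \"ScreenConnect.ClientService.exe\" OR src.process.publisher contains:anycase \"ConnectWise\") AND src.process.cmdline contains:anycase \"&h=\"\n| let screenconnectServer = src.process.cmdline.extract_matches('[?&]h=([^&\"]+)').get(0)\n| filter screenconnectServer != null\n| filter NOT (screenconnectServer contains:anycase \".screenconnect.com\" OR screenconnectServer contains:anycase \".connectwisecontrol.com\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), EndpointCount=estimate_distinct(endpoint.name), UniqueHosts=array_agg_distinct(endpoint.name), UniqueUsers=array_agg_distinct(src.process.user), UniqueParents=array_agg_distinct(src.process.parent.name), UniqueCmdlines=array_agg_distinct(src.process.cmdline) by screenconnectServer\n| filter EndpointCount == 1\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllHosts = UniqueHosts.to_string(', '), AllUsers = UniqueUsers.to_string(', '), AllParents = UniqueParents.to_string(', '), AllCmdlines = UniqueCmdlines.to_string(' | ')\n| sort -_FirstSeenMs\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, screenconnectServer, EndpointCount, AllHosts, AllUsers, AllParents, AllCmdlines, Count\n| limit 100000"
 },
 {
 "category": "Execution & TTPs",
@@ -488,5 +488,10 @@
 "category": "macOS",
 "name": "macOS LOOBins - Living Off the Orchard (High Confidence)",
 "query": "endpoint.os = \"osx\" AND ((src.process.name = \"security\" AND src.process.cmdline contains:anycase \"dump-keychain\") OR (src.process.name = \"security\" AND src.process.cmdline contains:anycase \"find-generic-password\" AND src.process.cmdline contains:anycase \"Chrome Safe Storage\") OR (src.process.name = \"osascript\" AND src.process.cmdline contains:anycase \"display dialog\" AND src.process.cmdline contains:anycase (\"password\",\"keychain\",\"credential\",\"login\",\"authentif\")) OR (src.process.name = \"sqlite3\" AND src.process.cmdline contains:anycase (\"cookies.sqlite\",\"moz_cookies\",\"Login Data\")) OR (src.process.name = \"log\" AND src.process.cmdline contains:anycase \"eyJ\") OR (#cmdline contains \"com.apple.quarantine\" AND #cmdline contains \"-d\") OR (src.process.name = \"spctl\" AND src.process.cmdline contains:anycase \"--master-disable\") OR (src.process.name = \"log\" AND src.process.cmdline contains:anycase \"erase\" AND src.process.cmdline contains:anycase \"--all\") OR (src.process.name = \"csrutil\" AND src.process.cmdline contains:anycase \"disable\") OR (src.process.name = \"sfltool\" AND src.process.cmdline contains:anycase \"resetbtm\") OR (src.process.name = \"ssh-keygen\" AND src.process.cmdline contains:anycase \".dylib\") OR (src.process.name = \"tclsh\" AND src.process.cmdline contains:anycase \".dylib\") OR (src.process.cmdline contains:anycase \"LoginHook\") OR (src.process.name = \"sysadminctl\" AND src.process.cmdline contains:anycase (\"-addUser\",\"-resetPasswordFor\",\"-smbGuestAccess\",\"-afpGuestAccess\")) OR (src.process.name = \"networksetup\" AND src.process.cmdline contains:anycase (\"-setwebproxy\",\"-setsecurewebproxy\",\"-setautoproxyurl\")) OR (src.process.name = \"systemsetup\" AND src.process.cmdline contains:anycase (\"-setremotelogin\",\"-setremoteappleevents\")))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', ')\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, Count\n| sort -Count\n| limit 100000"
+},
+{
+"category": "Exfiltration",
+"name": "Cloud Storage Exfiltration Domain Hits",
+"query": "event.dns.request contains:anycase (\"api.backblazeb2.com\", \"backblazeb2.com\", \"api.dropboxapi.com\", \"content.dropboxapi.com\", \"dropboxapi.com\", \"dropbox.com\", \"g.api.mega.co.nz\", \"upload.mega.co.nz\", \"userstorage.mega.co.nz\", \"static.mega.co.nz\", \"api.mega.co.nz\", \"mega.co.nz\", \"mega.nz\", \"mega.io\", \"api.pcloud.com\", \"pcloud.com\", \"mediafire.com\", \"4shared.com\", \"api.4shared.com\", \"fex.net\", \"api.fex.net\", \"bublup.com\", \"api.bublup.com\", \"gofile.io\", \"store1.gofile.io\", \"store2.gofile.io\", \"api.gofile.io\", \"anonfiles.com\", \"api.anonfiles.com\", \"bashupload.com\", \"temp.sh\", \"transfer.sh\", \"tempsend.com\", \"sendspace.com\", \"file.io\", \"catbox.moe\", \"files.catbox.moe\", \"dropmefiles.com\", \"easyupload.io\", \"ufile.io\", \"qaz.im\", \"privat.lab\", \"share.riseup.net\", \"transfert-my-files.com\", \"oshi.at\", \"send.exploit.in\", \"bayfiles.com\", \"filetransfer.io\", \"myftp.biz\", \"myftp.org\") or url.address contains:anycase (\"api.backblazeb2.com\", \"backblazeb2.com\", \"api.dropboxapi.com\", \"content.dropboxapi.com\", \"dropboxapi.com\", \"dropbox.com\", \"g.api.mega.co.nz\", \"upload.mega.co.nz\", \"userstorage.mega.co.nz\", \"static.mega.co.nz\", \"api.mega.co.nz\", \"mega.co.nz\", \"mega.nz\", \"mega.io\", \"api.pcloud.com\", \"pcloud.com\", \"mediafire.com\", \"4shared.com\", \"api.4shared.com\", \"fex.net\", \"api.fex.net\", \"bublup.com\", \"api.bublup.com\", \"gofile.io\", \"store1.gofile.io\", \"store2.gofile.io\", \"api.gofile.io\", \"anonfiles.com\", \"api.anonfiles.com\", \"bashupload.com\", \"temp.sh\", \"transfer.sh\", \"tempsend.com\", \"sendspace.com\", \"file.io\", \"catbox.moe\", \"files.catbox.moe\", \"dropmefiles.com\", \"easyupload.io\", \"ufile.io\", \"qaz.im\", \"privat.lab\", \"share.riseup.net\", \"transfert-my-files.com\", \"oshi.at\", \"send.exploit.in\", \"bayfiles.com\", \"filetransfer.io\", \"myftp.biz\", \"myftp.org\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, event.dns.request, url.address\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', ')\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, event.dns.request, url.address, Count\n| sort -Count\n| limit 100000"
 }
 ]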
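Review bot: The new "Cloud Storage Exfiltration Domain Hits" query in the second hunk matches every domain as an unanchored substring via `contains:anycase`, so short entries such as `"file.io"`, `"temp.sh"`, `"mega.io"` and `"qaz.im"` will also fire on any unrelated hostname or URL that merely embeds them (anything ending in `...file.io` or containing `...omega.io`), which will erode the "actionable" goal stated in the commit message; the broader entries also already subsume their own subdomains under substring matching (`"backblazeb2.com"` covers `"api.backblazeb2.com"`, `"mega.co.nz"` covers the five `*.mega.co.nz` entries), so the list could be trimmed to registrable domains once the match is anchored at a label boundary or switched to an exact-match form if the query language provides one. Because the same 50-entry list is pasted twice, once for `event.dns.request` and once for `url.address`, the two copies are likely to drift on future edits; keeping the list in one place (or at least a comment in the commit/rule naming the lolexfil "cloud storage" set it was copied from) would make re-syncing safer. The lowercase `or` joining the two clauses also differs from the uppercase `OR`/`AND` used in every other query visible in this diff; `... \"myftp.org\") OR url.address contains:anycase (...` keeps the style consistent.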
