Detection rules › Kusto Query Language

VTI - High Severity SHA1 Collision Detection

Source
upstream

This rule alerts when the SHA1 of a file seen in a DeviceFileEvents event matches a VTI high-severity SHA1 IoC. "Collision" here means an exact hash-value match against the IoC list, not a cryptographic SHA1 collision.
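The source-and-join logic described above, written out as a KQL query. This is an added illustration, not the catalog's own rule body. The IoC table is constructed inline: the two hashes are the SHA1 of empty input and of the string "abc", standing in for real VTI IoCs, and in production the list would come from a watchlist or an external data source instead. The isnotempty filter and the tolower normalization are assumptions about how the feed and the telemetry behave, not something the page states.

```kql
// Constructed stand-in for the VTI high-severity SHA1 feed (assumption).
// Sample values only: SHA1("") and SHA1("abc"), not real indicators.
let vti_high_sha1 = datatable(IocSHA1:string, Severity:string, Source:string)[
    "da39a3ee5e6b4b0d3255bfef95601890afd80709", "high", "VTI",
    "a9993e364706816aba3e25717850c26c9cd0d89d", "high", "VTI"
];
// Stage 1: source. Restrict to recent file activity that actually carries a hash;
// DeviceFileEvents can report an empty SHA1, and an empty string must never match.
DeviceFileEvents
| where Timestamp > ago(1h)
| where isnotempty(SHA1)
// Hash comparison is case-sensitive in a join; normalize both sides (assumption
// that feeds may deliver upper-case hex).
| extend SHA1 = tolower(SHA1)
// Stage 2: join. Inner join keeps only events whose hash is in the IoC list.
| join kind=inner (
    vti_high_sha1
    | where Severity == "high"
    | extend SHA1 = tolower(IocSHA1)
) on SHA1
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA1,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, Severity, Source
| order by Timestamp desc
```

Running this with the constructed table produces a hit only for a file whose SHA1 is one of the two sample values, so it is safe to paste into an Advanced Hunting console to check the join shape before wiring in the real feed.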

MITRE ATT&CK coverage

Tactic       Technique
Execution    T1204 User Execution

Event coverage

Provider                    Event ID   Title
Sysmon                      11         FileCreate
Security-Auditing           4663       An attempt was made to access an object.
Defender-DeviceFileEvents   9002000    File activity (any)

Stages and Predicates

Stage 1: source

DeviceFileEvents

Stage 2: join