This page maps the KQL queries in this repository to the MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques built from real-world observations.
Only queries that can be mapped to an ATT&CK technique are listed; the Reconnaissance and Resource Development tactics are out of scope. One table per tactic follows, in the order of the summary below, and a query that detects more than one technique appears under each of them.

Tactic | Entry Count |
---|---|
Initial Access | 13 |
Execution | 7 |
Persistence | 11 |
Privilege Escalation | 5 |
Defense Evasion | 19 |
Credential Access | 7 |
Discovery | 22 |
Lateral Movement | 1 |
Collection | 2 |
Command and Control | 7 |
Exfiltration | 1 |
Impact | 6 |

**Initial Access**

Technique ID | Title | Query |
---|---|---|
T1078.004 | Valid Accounts: Cloud Accounts | New Authentication AppDetected |
T1078.004 | Valid Accounts: Cloud Accounts | Conditional Access Application Failures |
T1078.004 | Valid Accounts: Cloud Accounts | Conditional Access User Failures |
T1190 | Exploit Public-Facing Application | Internet Facing Devices With Available Exploits |
T1190 | Exploit Public-Facing Application | New Active CISA Known Exploited Vulnerability Detected |
T1566 | Phishing | Typosquatted Email Received |
T1566 | Phishing | Malicious Email Delivered In Mailbox |
T1566.001 | Phishing: Spearphishing Attachment | Executable Email Attachment Recieved |
T1566.001 | Phishing: Spearphishing Attachment | Macro Attachment Opened From Rare Sender |
T1566.001 | Phishing: Spearphishing Attachment | ASR Executable Content Triggered |
T1566.001 | Phishing: Spearphishing Attachment | Hunt: AsyncRAT OneNote Delivery |
T1566.002 | Phishing: Spearphishing Link | Email Safe Links Trigger |
T1566.002 | Phishing: Spearphishing Link | Potential Phishing Campaign |

**Execution**

Technique ID | Title | Query |
---|---|---|
T1047 | Windows Management Instrumentation | WMIC Remote Command Execution |
T1047 | Windows Management Instrumentation | WMIC Antivirus Discovery |
T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell Launching Scripts From WindowsApps Directory (FIN7) |
T1059.001 | Command and Scripting Interpreter: PowerShell | AMSI Script Detection |
T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell Invoke-Webrequest |
T1204.002 | User Execution: Malicious File | File Containing Malware Detected |
T1204.002 | User Execution: Malicious File | Malware File Detected Office 365 |

**Persistence**

Technique ID | Title | Query |
---|---|---|
T1098 | Account Manipulation | Password Change After Succesful Brute Force |
T1136.001 | Create Account: Local Account | Local Account Creation |
T1136.001 | Create Account: Local Account | Local Administrator Account Creations |
T1136.003 | Create Account: Cloud Account | Cloud Persistence Activity By User AtRisk |
T1136.002 | Create Account: Domain Account | Commandline User Addition |
T1078.004 | Valid Accounts: Cloud Accounts | Cloud Persistence Activity By User AtRisk |
T1137 | Office Application Startup | ASR Executable Office Content |
T1505.003 | Server Software Component: Web Shell | WebShell Detection |
T1543 | Create or Modify System Process | Azure ARC Related Persistence Detection |
T1556 | Modify Authentication Process | Deletion Conditional Access Policy |
T1556 | Modify Authentication Process | Change Conditional Access Policy |

**Privilege Escalation**

Technique ID | Title | Query |
---|---|---|
T1078.002 | Valid Accounts: Domain Accounts | User Added To Sensitive Group |
T1078.002 | Valid Accounts: Domain Accounts | Multiple Sentitive Group Additions From Commandline |
T1098 | Account Manipulation | *.All Graph Permissions Added |
T1134.002 | Access Token Manipulation: Create Process with Token | Runas With Saved Credentials |
T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Users Added To Sudoers Group |

**Defense Evasion**

Technique ID | Title | Query |
---|---|---|
T1027 | Obfuscated Files or Information | PowerShell Encoded Commands Executed By Device |
T1027 | Obfuscated Files or Information | All encoded Powershell Executions |
T1027 | Obfuscated Files or Information | Encoded PowerShell with WebRequest |
T1027 | Obfuscated Files or Information | Encoded Powershell Discovery Requests |
T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | Suspicious network connection from MSBuild |
T1027.010 | Obfuscated Files or Information: Command Obfuscation | PowerShell Encoded Command |
T1070 | Indicator Removal | Custom Detection Deletion |
T1070.001 | Indicator Removal: Clear Windows Event Logs | Security Log Cleared |
T1070.001 | Indicator Removal: Clear Windows Event Logs | Wevutil Clear Windows Event Logs |
T1134.002 | Access Token Manipulation: Create Process with Token | Runas With Saved Credentials |
T1218 | System Binary Proxy Execution | WMIC Remote Command Execution |
T1218.010 | System Binary Proxy Execution: Regsvr32 | Regsvr32 Started as Office Child |
T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | Hunt for rare ISO files |
T1562.001 | Impair Defenses: Disable or Modify Tools | Abusing PowerShell to disable Defender components |
T1562.001 | Impair Defenses: Disable or Modify Tools | Scattered Spider Defense Evasion via Conditional Access Policies Detection |
T1562.001 | Impair Defenses: Disable or Modify Tools | Defender For Endpoint Offboarding Package Downloaded |
T1562.001 | Impair Defenses: Disable or Modify Tools | Large Number Of Analytics Rules Deleted |
T1562.010 | Impair Defenses: Downgrade Attack | Potential Kerberos Encryption Downgrade |
T1578.002 | Modify Cloud Compute Infrastructure: Create Cloud Instance | Large Number Of VMs Started |
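As an added illustration of how one entry in this table ties a query back to its technique (this is not one of the repository's own queries), the following KQL for Microsoft Defender for Endpoint advanced hunting catches the log-clearing behaviour behind T1070.001 and tags each hit with its tactic and technique ID, the same way the mapped queries can be tagged when deployed as custom detections. It assumes the standard `DeviceProcessEvents` schema; the 30-day window, the `ClearedLog`/`Severity`/`MitreTactic`/`MitreTechnique` column names and the command lines quoted in the comments are my choices, not taken from the page.

```kql
// Added example, not one of the repository's queries.
// T1070.001 Indicator Removal: Clear Windows Event Logs (tactic: Defense Evasion).
// Catches the native tool ("wevtutil cl Security", "wevtutil clear-log System /quiet")
// and the PowerShell equivalent ("Clear-EventLog -LogName Security").
// Assumes the standard DeviceProcessEvents table of Defender for Endpoint.
let lookback = 30d;   // assumed hunting window, tune to your retention
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where (FileName =~ "wevtutil.exe"
         and ProcessCommandLine matches regex @"(?i)\s(cl|clear-log)\s")
     or (FileName in~ ("powershell.exe", "pwsh.exe")
         and ProcessCommandLine has "Clear-EventLog")
// Recover which log was wiped: first from the wevtutil form, then from -LogName.
| extend ClearedLog = coalesce(
      extract(@"(?i)(?:\scl|clear-log)\s+""?([A-Za-z0-9\-/]+)", 1, ProcessCommandLine),
      extract(@"(?i)-LogName\s+""?([A-Za-z0-9\-/]+)", 1, ProcessCommandLine))
// Security and System are the logs an intruder clears to hide logons and service installs.
| extend Severity = iff(ClearedLog in~ ("Security", "System"), "High", "Medium")
// ATT&CK tagging, as used by the mapping on this page.
| extend MitreTactic = "Defense Evasion", MitreTechnique = "T1070.001"
| project Timestamp, DeviceName, AccountName, FileName, ClearedLog, Severity,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
          MitreTactic, MitreTechnique
| order by Timestamp desc
```

The `InitiatingProcessFileName` and `InitiatingProcessCommandLine` columns are kept on purpose: a clear issued by a remote shell, a scheduled task or a script host is the interesting case, while a clear launched from an administrator's console during a known maintenance window is the usual benign hit to tune out. The Security log additionally writes event ID 1102 when it is cleared, which is the signal the separate "Security Log Cleared" query in this table is built on.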

**Credential Access**

Technique ID | Title | Query |
---|---|---|
T1003.003 | OS Credential Dumping: NTDS | NTDS.DIT File Modifications |
T1110 | Brute Force | Password Change After Succesful Brute Force |
T1110 | Brute Force | Multiple Accounts Locked |
T1552 | Unsecured Credentials | Commandline with cleartext password |
T1557 | Adversary-in-the-Middle | STORM-0539 URL Paths Email |
T1557 | Adversary-in-the-Middle | Potential Adversary in The Middle Phishing |
T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Potential Kerberos Encryption Downgrade |

**Discovery**

Technique ID | Title | Query |
---|---|---|
T1018 | Remote System Discovery | Anomalous SMB Sessions Created |
T1040 | Network Sniffing | Windows Network Sniffing |
T1046 | Network Service Discovery | Database Discovery |
T1069 | Permission Groups Discovery | Net(1).exe Discovery Activities |
T1069 | Permission Groups Discovery | Net(1).exe Discovery Activities Detected |
T1069.001 | Permission Groups Discovery: Local Groups | Local Group Discovery |
T1069.003 | Permission Groups Discovery: Cloud Groups | Azure AD Download All Users |
T1069.003 | Permission Groups Discovery: Cloud Groups | Cloud Discovery By User At Risk |
T1069.003 | Permission Groups Discovery: Cloud Groups | AzureHound |
T1087 | Account Discovery | Net(1).exe Discovery Activities |
T1087 | Account Discovery | Net(1).exe Discovery Activities Detected |
T1087.002 | Account Discovery: Domain Account | Anomalous LDAP Traffic |
T1087.004 | Account Discovery: Cloud Account | Azure AD Download All Users |
T1087.004 | Account Discovery: Cloud Account | Encoded Powershell Discovery Requests |
T1087.004 | Account Discovery: Cloud Account | AzureHound |
T1518.001 | Software Discovery: Security Software Discovery | WMIC Antivirus Discovery |
T1518.001 | Software Discovery: Security Software Discovery | Defender Discovery Activities |
T1201 | Password Policy Discovery | Net(1).exe Discovery Activities |
T1201 | Password Policy Discovery | Net(1).exe Discovery Activities Detected |
T1482 | Domain Trust Discovery | Security Events - Nltest Discovery Activities |
T1482 | Domain Trust Discovery | MDE - Nltest Discovery Activities |
T1615 | Group Policy Discovery | Anomalous Group Policy Discovery |

**Lateral Movement**

Technique ID | Title | Query |
---|---|---|
T1021.002 | Remote Services: SMB/Windows Admin Shares | SMB File Copy |

**Collection**

Technique ID | Title | Query |
---|---|---|
T1114 | Email Collection | Big Yellow Taxi - SignIn Based |
T1530 | Data from Cloud Storage | OneDrive Sync From Rare IP |

**Command and Control**

Technique ID | Title | Query |
---|---|---|
T1071.001 | Application Layer Protocol: Web Protocols | Behavior - TelegramC2 |
T1090 | Proxy | Anonymous Proxy Events Cloud App |
T1105 | Ingress Tool Transfer | Certutil Remote Download |
T1219 | Remote Access Software | AnyDesk Remote Connections |
T1219 | Remote Access Software | Detect Known RAT RMM Process Patterns |
T1219 | Remote Access Software | NetSupport running from unexpected directory (FIN7) |
T1219 | Remote Access Software | Remote Monitoring and Management Tool with connections |

**Exfiltration**

To be implemented; no queries are mapped to this tactic yet.

**Impact**

Technique ID | Title | Query |
---|---|---|
T1485 | Data Destruction | (Mass) Cloud Resource Deletion |
T1486 | Data Encrypted for Impact | ASR Ransomware |
T1486 | Data Encrypted for Impact | Ransomware Double Extention |
T1486 | Data Encrypted for Impact | Known Ransomware Extension Found |
T1489 | Service Stop | Kill SQL Processes |
T1490 | Inhibit System Recovery | Shadow Copy Deletion |