
MITRE ATT&CK Mapping

This page maps the KQL queries in this repository to the MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques built from real-world observations. Each table below lists the technique ID, the technique (or sub-technique) title and the query that covers it; a query that covers more than one technique appears under every tactic it applies to.

Only queries that can be mapped to an Enterprise ATT&CK technique are listed. The Reconnaissance and Resource Development tactics are out of scope.

Statistics

| Tactic | Entry Count |
| --- | --- |
| Initial Access | 13 |
| Execution | 7 |
| Persistence | 11 |
| Privilege Escalation | 5 |
| Defense Evasion | 19 |
| Credential Access | 7 |
| Discovery | 22 |
| Lateral Movement | 1 |
| Collection | 2 |
| Command and Control | 7 |
| Exfiltration | 0 |
| Impact | 6 |
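The entry counts above are maintained by hand, so they drift whenever a table is edited. As an added consistency check (not part of this repository's queries or tooling), the Python script below parses a page laid out like this one, recounts the rows in each tactic table, compares them with the Statistics table, flags technique IDs that do not have the `TNNNN` or `TNNNN.NNN` form, and lists queries mapped under more than one technique. The markdown excerpt it runs on is constructed for the example, with one malformed ID and one wrong count planted so the checks fire; the `## ` headings and pipe-table layout are assumptions, not taken from the repository source.

```python
import re
from collections import OrderedDict, defaultdict

# Enterprise technique IDs: T + 4 digits, optional .NNN sub-technique suffix.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Tactics in the order this page lists them (Reconnaissance and
# Resource Development are out of scope on the page).
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Constructed excerpt in the page's layout (assumed '## ' headings + pipe tables).
# T1566.01 is deliberately malformed and the Exfiltration count is deliberately
# wrong so the checks below have something to report.
SAMPLE_PAGE = """\
## Statistics

| Tactic | Entry Count |
| --- | --- |
| Initial Access | 3 |
| Execution | 1 |
| Defense Evasion | 1 |
| Exfiltration | 1 |

## Initial Access

| Technique ID | Title | Query |
| --- | --- | --- |
| T1078.004 | Valid Accounts: Cloud Accounts | New Authentication App Detected |
| T1190 | Exploit Public-Facing Application | Internet Facing Devices With Available Exploits |
| T1566.01 | Phishing: Spearphishing Attachment | Executable Email Attachment Received |

## Execution

| Technique ID | Title | Query |
| --- | --- | --- |
| T1047 | Windows Management Instrumentation | WMIC Remote Command Execution |

## Defense Evasion

| Technique ID | Title | Query |
| --- | --- | --- |
| T1218 | System Binary Proxy Execution | WMIC Remote Command Execution |

## Exfiltration

to be implemented
"""


def parse_tables(markdown):
    """Map each '## ' heading to the data rows of the pipe table under it.
    Header and '---' separator rows are dropped; a section with no table
    (e.g. a 'to be implemented' placeholder) maps to an empty list."""
    sections, current = OrderedDict(), None
    for line in markdown.splitlines():
        if line.startswith("## "):
            current = line[3:].strip()
            sections[current] = []
        elif current is not None and line.startswith("|"):
            cells = [c.strip() for c in line.strip().strip("|").split("|")]
            is_separator = set("".join(cells)) <= set("-: ")
            is_header = cells[0] in ("Tactic", "Technique ID")
            if not (is_separator or is_header):
                sections[current].append(cells)
    return sections


def check_mapping(markdown):
    """Return counts per tactic, Statistics mismatches (tactic, claimed, actual),
    rows with malformed IDs (tactic, id, query) and queries listed under more
    than one technique (query -> [(tactic, id), ...])."""
    sections = parse_tables(markdown)
    claimed = {row[0]: int(row[1]) for row in sections.get("Statistics", [])}
    counts, mismatches, bad_ids = {}, [], []
    placements = defaultdict(list)
    for tactic in TACTICS:
        rows = sections.get(tactic, [])
        counts[tactic] = len(rows)
        if tactic in claimed and claimed[tactic] != len(rows):
            mismatches.append((tactic, claimed[tactic], len(rows)))
        for row in rows:
            tech_id, query = row[0], row[-1]
            if not TECHNIQUE_ID.match(tech_id):
                bad_ids.append((tactic, tech_id, query))
            placements[query].append((tactic, tech_id))
    multi_mapped = {q: p for q, p in placements.items() if len(p) > 1}
    return {"counts": counts, "mismatches": mismatches,
            "bad_ids": bad_ids, "multi_mapped": multi_mapped}


if __name__ == "__main__":
    result = check_mapping(SAMPLE_PAGE)
    for key in ("mismatches", "bad_ids", "multi_mapped"):
        print(f"{key}: {result[key]}")
```

Run it against the repository's own markdown instead of `SAMPLE_PAGE` (for example from a pre-commit hook) and fail the commit when `mismatches` or `bad_ids` is non-empty; `multi_mapped` is informational, since a single query legitimately covering two techniques (WMIC under both T1047 and T1218, for instance) is expected on this page.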

Initial Access

| Technique ID | Title | Query |
| --- | --- | --- |
| T1078.004 | Valid Accounts: Cloud Accounts | New Authentication App Detected |
| T1078.004 | Valid Accounts: Cloud Accounts | Conditional Access Application Failures |
| T1078.004 | Valid Accounts: Cloud Accounts | Conditional Access User Failures |
| T1190 | Exploit Public-Facing Application | Internet Facing Devices With Available Exploits |
| T1190 | Exploit Public-Facing Application | New Active CISA Known Exploited Vulnerability Detected |
| T1566 | Phishing | Typosquatted Email Received |
| T1566 | Phishing | Malicious Email Delivered In Mailbox |
| T1566.001 | Phishing: Spearphishing Attachment | Executable Email Attachment Received |
| T1566.001 | Phishing: Spearphishing Attachment | Macro Attachment Opened From Rare Sender |
| T1566.001 | Phishing: Spearphishing Attachment | ASR Executable Content Triggered |
| T1566.001 | Phishing: Spearphishing Attachment | Hunt: AsyncRAT OneNote Delivery |
| T1566.002 | Phishing: Spearphishing Link | Email Safe Links Trigger |
| T1566.002 | Phishing: Spearphishing Link | Potential Phishing Campaign |

Execution

| Technique ID | Title | Query |
| --- | --- | --- |
| T1047 | Windows Management Instrumentation | WMIC Remote Command Execution |
| T1047 | Windows Management Instrumentation | WMIC Antivirus Discovery |
| T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell Launching Scripts From WindowsApps Directory (FIN7) |
| T1059.001 | Command and Scripting Interpreter: PowerShell | AMSI Script Detection |
| T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell Invoke-WebRequest |
| T1204.002 | User Execution: Malicious File | File Containing Malware Detected |
| T1204.002 | User Execution: Malicious File | Malware File Detected Office 365 |

Persistence

| Technique ID | Title | Query |
| --- | --- | --- |
| T1078.004 | Valid Accounts: Cloud Accounts | Cloud Persistence Activity By User At Risk |
| T1098 | Account Manipulation | Password Change After Successful Brute Force |
| T1136.001 | Create Account: Local Account | Local Account Creation |
| T1136.001 | Create Account: Local Account | Local Administrator Account Creations |
| T1136.002 | Create Account: Domain Account | Commandline User Addition |
| T1136.003 | Create Account: Cloud Account | Cloud Persistence Activity By User At Risk |
| T1137 | Office Application Startup | ASR Executable Office Content |
| T1505.003 | Server Software Component: Web Shell | WebShell Detection |
| T1543 | Create or Modify System Process | Azure ARC Related Persistence Detection |
| T1556 | Modify Authentication Process | Deletion Conditional Access Policy |
| T1556 | Modify Authentication Process | Change Conditional Access Policy |

Privilege Escalation

| Technique ID | Title | Query |
| --- | --- | --- |
| T1078.002 | Valid Accounts: Domain Accounts | User Added To Sensitive Group |
| T1078.002 | Valid Accounts: Domain Accounts | Multiple Sensitive Group Additions From Commandline |
| T1098 | Account Manipulation | *.All Graph Permissions Added |
| T1134.002 | Access Token Manipulation: Create Process with Token | Runas With Saved Credentials |
| T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Users Added To Sudoers Group |

Defense Evasion

| Technique ID | Title | Query |
| --- | --- | --- |
| T1027 | Obfuscated Files or Information | PowerShell Encoded Commands Executed By Device |
| T1027 | Obfuscated Files or Information | All Encoded PowerShell Executions |
| T1027 | Obfuscated Files or Information | Encoded PowerShell with WebRequest |
| T1027 | Obfuscated Files or Information | Encoded PowerShell Discovery Requests |
| T1027.010 | Obfuscated Files or Information: Command Obfuscation | PowerShell Encoded Command |
| T1070 | Indicator Removal | Custom Detection Deletion |
| T1070.001 | Indicator Removal: Clear Windows Event Logs | Security Log Cleared |
| T1070.001 | Indicator Removal: Clear Windows Event Logs | Wevtutil Clear Windows Event Logs |
| T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | Suspicious Network Connection From MSBuild |
| T1134.002 | Access Token Manipulation: Create Process with Token | Runas With Saved Credentials |
| T1218 | System Binary Proxy Execution | WMIC Remote Command Execution |
| T1218.010 | System Binary Proxy Execution: Regsvr32 | Regsvr32 Started As Office Child |
| T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | Hunt For Rare ISO Files |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Abusing PowerShell To Disable Defender Components |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Scattered Spider Defense Evasion via Conditional Access Policies Detection |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Defender For Endpoint Offboarding Package Downloaded |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Large Number Of Analytics Rules Deleted |
| T1562.010 | Impair Defenses: Downgrade Attack | Potential Kerberos Encryption Downgrade |
| T1578.002 | Modify Cloud Compute Infrastructure: Create Cloud Instance | Large Number Of VMs Started |

Credential Access

| Technique ID | Title | Query |
| --- | --- | --- |
| T1003.003 | OS Credential Dumping: NTDS | NTDS.DIT File Modifications |
| T1110 | Brute Force | Password Change After Successful Brute Force |
| T1110 | Brute Force | Multiple Accounts Locked |
| T1552 | Unsecured Credentials | Commandline With Cleartext Password |
| T1557 | Adversary-in-the-Middle | STORM-0539 URL Paths Email |
| T1557 | Adversary-in-the-Middle | Potential Adversary in The Middle Phishing |
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Potential Kerberos Encryption Downgrade |

Discovery

| Technique ID | Title | Query |
| --- | --- | --- |
| T1018 | Remote System Discovery | Anomalous SMB Sessions Created |
| T1040 | Network Sniffing | Windows Network Sniffing |
| T1046 | Network Service Discovery | Database Discovery |
| T1069 | Permission Groups Discovery | Net(1).exe Discovery Activities |
| T1069 | Permission Groups Discovery | Net(1).exe Discovery Activities Detected |
| T1069.001 | Permission Groups Discovery: Local Groups | Local Group Discovery |
| T1069.003 | Permission Groups Discovery: Cloud Groups | Azure AD Download All Users |
| T1069.003 | Permission Groups Discovery: Cloud Groups | Cloud Discovery By User At Risk |
| T1069.003 | Permission Groups Discovery: Cloud Groups | AzureHound |
| T1087 | Account Discovery | Net(1).exe Discovery Activities |
| T1087 | Account Discovery | Net(1).exe Discovery Activities Detected |
| T1087.002 | Account Discovery: Domain Account | Anomalous LDAP Traffic |
| T1087.004 | Account Discovery: Cloud Account | Azure AD Download All Users |
| T1087.004 | Account Discovery: Cloud Account | Encoded PowerShell Discovery Requests |
| T1087.004 | Account Discovery: Cloud Account | AzureHound |
| T1201 | Password Policy Discovery | Net(1).exe Discovery Activities |
| T1201 | Password Policy Discovery | Net(1).exe Discovery Activities Detected |
| T1482 | Domain Trust Discovery | Security Events - Nltest Discovery Activities |
| T1482 | Domain Trust Discovery | MDE - Nltest Discovery Activities |
| T1518.001 | Software Discovery: Security Software Discovery | WMIC Antivirus Discovery |
| T1518.001 | Software Discovery: Security Software Discovery | Defender Discovery Activities |
| T1615 | Group Policy Discovery | Anomalous Group Policy Discovery |

Lateral Movement

| Technique ID | Title | Query |
| --- | --- | --- |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | SMB File Copy |

Collection

| Technique ID | Title | Query |
| --- | --- | --- |
| T1114 | Email Collection | Big Yellow Taxi - SignIn Based |
| T1530 | Data from Cloud Storage | OneDrive Sync From Rare IP |

Command and Control

| Technique ID | Title | Query |
| --- | --- | --- |
| T1071.001 | Application Layer Protocol: Web Protocols | Behavior - TelegramC2 |
| T1090 | Proxy | Anonymous Proxy Events Cloud App |
| T1105 | Ingress Tool Transfer | Certutil Remote Download |
| T1219 | Remote Access Software | AnyDesk Remote Connections |
| T1219 | Remote Access Software | Detect Known RAT RMM Process Patterns |
| T1219 | Remote Access Software | NetSupport Running From Unexpected Directory (FIN7) |
| T1219 | Remote Access Software | Remote Monitoring and Management Tool With Connections |

Exfiltration

To be implemented: no queries are mapped to this tactic yet.

Impact

| Technique ID | Title | Query |
| --- | --- | --- |
| T1485 | Data Destruction | (Mass) Cloud Resource Deletion |
| T1486 | Data Encrypted for Impact | ASR Ransomware |
| T1486 | Data Encrypted for Impact | Ransomware Double Extension |
| T1486 | Data Encrypted for Impact | Known Ransomware Extension Found |
| T1489 | Service Stop | Kill SQL Processes |
| T1490 | Inhibit System Recovery | Shadow Copy Deletion |