This page includes the mapping of KQL queries to the MITRE ATT&CK framework. The framework is a knowledge base of adversary tactics and techniques based on real-world observations.
This section only includes references to queries that can be mapped in the MITRE ATT&CK Framework. Reconnaissance and Resource Development are out of scope.
Tactic | Entry Count |
---|---|
Initial Access | 11 |
Execution | 4 |
Persistence | 9 |
Privilege Escalation | 4 |
Defense Evasion | 14 |
Credential Access | 5 |
Discovery | 18 |
Lateral Movement | 1 |
Collection | 1 |
Command and Control | 5 |
Exfiltration | 1 |
Impact | 4 |
Technique ID | Title | Query |
---|---|---|
T1078.004 | Valid Accounts: Cloud Accounts | New Authentication AppDetected |
T1078.004 | Valid Accounts: Cloud Accounts | Conditional Access Application Failures |
T1078.004 | Valid Accounts: Cloud Accounts | Conditional Access User Failures |
T1190 | Exploit Public-Facing Application | Internet Facing Devices With Available Exploits |
T1190 | Exploit Public-Facing Application | New Active CISA Known Exploited Vulnerability Detected |
T1566.001 | Phishing: Spearphishing Attachment | Executable Email Attachment Recieved |
T1566.001 | Phishing: Spearphishing Attachment | Macro Attachment Opened From Rare Sender |
T1566.001 | Phishing: Spearphishing Attachment | ASR Executable Content Triggered |
T1566.001 | Phishing: Spearphishing Attachment | Hunt: AsyncRAT OneNote Delivery |
T1566.002 | Phishing: Spearphishing Link | Email Safe Links Trigger |
T1566.002 | Phishing: Spearphishing Link | Potential Phishing Campaign |
Technique ID | Title | Query |
---|---|---|
T1047 | Windows Management Instrumentation | WMIC Remote Command Execution |
T1047 | Windows Management Instrumentation | WMIC Antivirus Discovery |
T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell Launching Scripts From WindowsApps Directory (FIN7) |
T1059.001 | Command and Scripting Interpreter: PowerShell | AMSI Script Detection |
Technique ID | Title | Query |
---|---|---|
T1098 | Account Manipulation | Password Change After Succesful Brute Force |
T1136.001 | Create Account: Local Account | Local Account Creation |
T1136.001 | Create Account: Local Account | Local Administrator Account Creations |
T1136.003 | Create Account: Cloud Account | Cloud Persistence Activity By User AtRisk |
T1078.004 | Valid Accounts: Cloud Accounts | Cloud Persistence Activity By User AtRisk |
T1137 | Office Application Startup | ASR Executable Office Content |
T1505.003 | Server Software Component: Web Shell | WebShell Detection |
T1556 | Modify Authentication Process | Deletion Conditional Access Policy |
T1556 | Modify Authentication Process | Change Conditional Access Policy |
Technique ID | Title | Query |
---|---|---|
T1078.002 | Valid Accounts: Domain Accounts | User Added To Sensitive Group |
T1098 | Account Manipulation | *.All Graph Permissions Added |
T1134.002 | Access Token Manipulation: Create Process with Token | Runas With Saved Credentials |
T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Users Added To Sudoers Group |
Technique ID | Title | Query |
---|---|---|
T1027 | Obfuscated Files or Information | PowerShell Encoded Commands Executed By Device |
T1027 | Obfuscated Files or Information | All encoded Powershell Executions |
T1027 | Obfuscated Files or Information | Encoded PowerShell with WebRequest |
T1027 | Obfuscated Files or Information | Encoded Powershell Discovery Requests |
T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | Suspicious network connection from MSBuild |
T1027.010 | Obfuscated Files or Information: Command Obfuscation | PowerShell Encoded Command |
T1070.001 | Indicator Removal: Clear Windows Event Logs | Security Log Cleared |
T1070.001 | Indicator Removal: Clear Windows Event Logs | Wevutil Clear Windows Event Logs |
T1134.002 | Access Token Manipulation: Create Process with Token | Runas With Saved Credentials |
T1218 | System Binary Proxy Execution | WMIC Remote Command Execution |
T1218.010 | System Binary Proxy Execution: Regsvr32 | Regsvr32 Started as Office Child |
T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | Hunt for rare ISO files |
T1562.001 | Impair Defenses: Disable or Modify Tools | Abusing PowerShell to disable Defender components |
T1562.010 | Impair Defenses: Downgrade Attack | Potential Kerberos Encryption Downgrade |
Technique ID | Title | Query |
---|---|---|
T1110 | Brute Force | Password Change After Succesful Brute Force |
T1552 | Unsecured Credentials | Commandline with cleartext password |
T1557 | Adversary-in-the-Middle | STORM-0539 URL Paths Email |
T1557 | Adversary-in-the-Middle | Potential Adversary in The Middle Phishing |
T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Potential Kerberos Encryption Downgrade |
Technique ID | Title | Query |
---|---|---|
T1018 | Remote System Discovery | Anomalous SMB Sessions Created |
T1040 | Network Sniffing | Windows Network Sniffing |
T1046 | Network Service Discovery | Database Discovery |
T1069 | Permission Groups Discovery | Net(1).exe Discovery Activities |
T1069 | Permission Groups Discovery | Net(1).exe Discovery Activities Detected |
T1069.001 | Permission Groups Discovery: Local Groups | Local Group Discovery |
T1069.003 | Permission Groups Discovery: Cloud Groups | Azure AD Download All Users |
T1069.003 | Permission Groups Discovery: Cloud Groups | Cloud Discovery By User At Risk |
T1087 | Account Discovery | Net(1).exe Discovery Activities |
T1087 | Account Discovery | Net(1).exe Discovery Activities Detected |
T1087.002 | Account Discovery: Domain Account | Anomalous LDAP Traffic |
T1087.004 | Account Discovery: Cloud Account | Azure AD Download All Users |
T1087.004 | Account Discovery: Cloud Account | Encoded Powershell Discovery Requests |
T1518.001 | Software Discovery: Security Software Discovery | WMIC Antivirus Discovery |
T1518.001 | Software Discovery: Security Software Discovery | Defender Discovery Activities |
T1201 | Password Policy Discovery | Net(1).exe Discovery Activities |
T1201 | Password Policy Discovery | Net(1).exe Discovery Activities Detected |
T1615 | Group Policy Discovery | Anomalous Group Policy Discovery |
Technique ID | Title | Query |
---|---|---|
T1021.002 | Remote Services: SMB/Windows Admin Shares | SMB File Copy |
to be implemented
Technique ID | Title | Query |
---|---|---|
T1071.001 | Application Layer Protocol: Web Protocols | Behavior - TelegramC2 |
T1090 | Proxy | Anonymous Proxy Events Cloud App |
T1219 | Remote Access Software | AnyDesk Remote Connections |
T1219 | Remote Access Software | Detect Known RAT RMM Process Patterns |
T1219 | Remote Access Software | NetSupport running from unexpected directory (FIN7) |
to be implemented
Technique ID | Title | Query |
---|---|---|
T1486 | Data Encrypted for Impact | ASR Ransomware |
T1486 | Data Encrypted for Impact | Ransomware Double Extention |
T1489 | Service Stop | Kill SQL Processes |
T1490 | Inhibit System Recovery | Shadow Copy Deletion |