Skip to content

Latest commit

 

History

History
160 lines (137 loc) · 13.6 KB

File metadata and controls

160 lines (137 loc) · 13.6 KB

MITRE ATT&CK Mapping

This page includes the mapping of KQL queries to the MITRE ATT&CK framework. The framework is a knowledge base of adversary tactics and techniques based on real-world observations.

This section only includes references to queries that can be mapped in the MITRE ATT&CK Framework. Reconnaissance and Resource Development are out of scope.

Statistics

Tactic Entry Count
Initial Access 11
Execution 5
Persistence 11
Privilege Escalation 5
Defense Evasion 15
Credential Access 7
Discovery 20
Lateral Movement 1
Collection 1
Command and Control 6
Exfiltration 1
Impact 4

Initial Access

Technique ID Title Query
T1078.004 Valid Accounts: Cloud Accounts New Authentication AppDetected
T1078.004 Valid Accounts: Cloud Accounts Conditional Access Application Failures
T1078.004 Valid Accounts: Cloud Accounts Conditional Access User Failures
T1190 Exploit Public-Facing Application Internet Facing Devices With Available Exploits
T1190 Exploit Public-Facing Application New Active CISA Known Exploited Vulnerability Detected
T1566.001 Phishing: Spearphishing Attachment Executable Email Attachment Recieved
T1566.001 Phishing: Spearphishing Attachment Macro Attachment Opened From Rare Sender
T1566.001 Phishing: Spearphishing Attachment ASR Executable Content Triggered
T1566.001 Phishing: Spearphishing Attachment Hunt: AsyncRAT OneNote Delivery
T1566.002 Phishing: Spearphishing Link Email Safe Links Trigger
T1566.002 Phishing: Spearphishing Link Potential Phishing Campaign

Execution

Technique ID Title Query
T1047 Windows Management Instrumentation WMIC Remote Command Execution
T1047 Windows Management Instrumentation WMIC Antivirus Discovery
T1059.001 Command and Scripting Interpreter: PowerShell PowerShell Launching Scripts From WindowsApps Directory (FIN7)
T1059.001 Command and Scripting Interpreter: PowerShell AMSI Script Detection
T1059.001 Command and Scripting Interpreter: PowerShell PowerShell Invoke-Webrequest

Persistence

Technique ID Title Query
T1098 Account Manipulation Password Change After Succesful Brute Force
T1136.001 Create Account: Local Account Local Account Creation
T1136.001 Create Account: Local Account Local Administrator Account Creations
T1136.003 Create Account: Cloud Account Cloud Persistence Activity By User AtRisk
T1136.002 Create Account: Domain Account Commandline User Addition
T1078.004 Valid Accounts: Cloud Accounts Cloud Persistence Activity By User AtRisk
T1137 Office Application Startup ASR Executable Office Content
T1505.003 Server Software Component: Web Shell WebShell Detection
T1543 Create or Modify System Process Azure ARC Related Persistence Detection
T1556 Modify Authentication Process Deletion Conditional Access Policy
T1556 Modify Authentication Process Change Conditional Access Policy

Privilege Escalation

Technique ID Title Query
T1078.002 Valid Accounts: Domain Accounts User Added To Sensitive Group
T1078.002 Valid Accounts: Domain Accounts Multiple Sentitive Group Additions From Commandline
T1098 Account Manipulation *.All Graph Permissions Added
T1134.002 Access Token Manipulation: Create Process with Token Runas With Saved Credentials
T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching Users Added To Sudoers Group

Defense Evasion

Technique ID Title Query
T1027 Obfuscated Files or Information PowerShell Encoded Commands Executed By Device
T1027 Obfuscated Files or Information All encoded Powershell Executions
T1027 Obfuscated Files or Information Encoded PowerShell with WebRequest
T1027 Obfuscated Files or Information Encoded Powershell Discovery Requests
T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild Suspicious network connection from MSBuild
T1027.010 Obfuscated Files or Information: Command Obfuscation PowerShell Encoded Command
T1070.001 Indicator Removal: Clear Windows Event Logs Security Log Cleared
T1070.001 Indicator Removal: Clear Windows Event Logs Wevutil Clear Windows Event Logs
T1134.002 Access Token Manipulation: Create Process with Token Runas With Saved Credentials
T1218 System Binary Proxy Execution WMIC Remote Command Execution
T1218.010 System Binary Proxy Execution: Regsvr32 Regsvr32 Started as Office Child
T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass Hunt for rare ISO files
T1562.001 Impair Defenses: Disable or Modify Tools Abusing PowerShell to disable Defender components
T1562.001 Impair Defenses: Disable or Modify Tools Scattered Spider Defense Evasion via Conditional Access Policies Detection
T1562.010 Impair Defenses: Downgrade Attack Potential Kerberos Encryption Downgrade

Credential Access

Technique ID Title Query
T1003 OS Credential Dumping: NTDS NTDS.DIT File Modifications
T1110 Brute Force Password Change After Succesful Brute Force
T1110 Brute Force Multiple Accounts Locked
T1552 Unsecured Credentials Commandline with cleartext password
T1557 Adversary-in-the-Middle STORM-0539 URL Paths Email
T1557 Adversary-in-the-Middle Potential Adversary in The Middle Phishing
T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting Potential Kerberos Encryption Downgrade

Discovery

Technique ID Title Query
T1018 Remote System Discovery Anomalous SMB Sessions Created
T1040 Network Sniffing Windows Network Sniffing
T1046 Network Service Discovery Database Discovery
T1069 Permission Groups Discovery Net(1).exe Discovery Activities
T1069 Permission Groups Discovery Net(1).exe Discovery Activities Detected
T1069.001 Permission Groups Discovery: Local Groups Local Group Discovery
T1069.003 Permission Groups Discovery: Cloud Groups Azure AD Download All Users
T1069.003 Permission Groups Discovery: Cloud Groups Cloud Discovery By User At Risk
T1069.003 Permission Groups Discovery: Cloud Groups AzureHound
T1087 Account Discovery Net(1).exe Discovery Activities
T1087 Account Discovery Net(1).exe Discovery Activities Detected
T1087.002 Account Discovery: Domain Account Anomalous LDAP Traffic
T1087.004 Account Discovery: Cloud Account Azure AD Download All Users
T1087.004 Account Discovery: Cloud Account Encoded Powershell Discovery Requests
T1087.004 Account Discovery: Cloud Account AzureHound
T1518.001 Software Discovery: Security Software Discovery WMIC Antivirus Discovery
T1518.001 Software Discovery: Security Software Discovery Defender Discovery Activities
T1201 Password Policy Discovery Net(1).exe Discovery Activities
T1201 Password Policy Discovery Net(1).exe Discovery Activities Detected
T1615 Group Policy Discovery Anomalous Group Policy Discovery

Lateral Movement

Technique ID Title Query
T1021.002 Remote Services: SMB/Windows Admin Shares SMB File Copy

Collection

to be implemented

Command and Control

Technique ID Title Query
T1071.001 Application Layer Protocol: Web Protocols Behavior - TelegramC2
T1090 Proxy Anonymous Proxy Events Cloud App
T1105 Ingress Tool Transfer Certutil Remote Download
T1219 Remote Access Software AnyDesk Remote Connections
T1219 Remote Access Software Detect Known RAT RMM Process Patterns
T1219 Remote Access Software NetSupport running from unexpected directory (FIN7)

Exfiltration

to be implemented

Impact

Technique ID Title Query
T1486 Data Encrypted for Impact ASR Ransomware
T1486 Data Encrypted for Impact Ransomware Double Extention
T1489 Service Stop Kill SQL Processes
T1490 Inhibit System Recovery Shadow Copy Deletion