This page includes the mapping of KQL queries to the MITRE ATT&CK framework. The framework is a knowledge base of adversary tactics and techniques based on real-world observations.
This section only includes references to queries that can be mapped in the MITRE ATT&CK Framework. Reconnaissance and Resource Development are out of scope.
| Tactic | Entry Count |
|---|---|
| Initial Access | 11 |
| Execution | 5 |
| Persistence | 11 |
| Privilege Escalation | 5 |
| Defense Evasion | 17 |
| Credential Access | 7 |
| Discovery | 22 |
| Lateral Movement | 1 |
| Collection | 1 |
| Command and Control | 6 |
| Exfiltration | 0 |
| Impact | 5 |
| Technique ID | Title | Query |
|---|---|---|
| T1078.004 | Valid Accounts: Cloud Accounts | New Authentication AppDetected |
| T1078.004 | Valid Accounts: Cloud Accounts | Conditional Access Application Failures |
| T1078.004 | Valid Accounts: Cloud Accounts | Conditional Access User Failures |
| T1190 | Exploit Public-Facing Application | Internet Facing Devices With Available Exploits |
| T1190 | Exploit Public-Facing Application | New Active CISA Known Exploited Vulnerability Detected |
| T1566.001 | Phishing: Spearphishing Attachment | Executable Email Attachment Recieved |
| T1566.001 | Phishing: Spearphishing Attachment | Macro Attachment Opened From Rare Sender |
| T1566.001 | Phishing: Spearphishing Attachment | ASR Executable Content Triggered |
| T1566.001 | Phishing: Spearphishing Attachment | Hunt: AsyncRAT OneNote Delivery |
| T1566.002 | Phishing: Spearphishing Link | Email Safe Links Trigger |
| T1566.002 | Phishing: Spearphishing Link | Potential Phishing Campaign |
| Technique ID | Title | Query |
|---|---|---|
| T1047 | Windows Management Instrumentation | WMIC Remote Command Execution |
| T1047 | Windows Management Instrumentation | WMIC Antivirus Discovery |
| T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell Launching Scripts From WindowsApps Directory (FIN7) |
| T1059.001 | Command and Scripting Interpreter: PowerShell | AMSI Script Detection |
| T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell Invoke-Webrequest |
| Technique ID | Title | Query |
|---|---|---|
| T1098 | Account Manipulation | Password Change After Succesful Brute Force |
| T1136.001 | Create Account: Local Account | Local Account Creation |
| T1136.001 | Create Account: Local Account | Local Administrator Account Creations |
| T1136.003 | Create Account: Cloud Account | Cloud Persistence Activity By User AtRisk |
| T1136.002 | Create Account: Domain Account | Commandline User Addition |
| T1078.004 | Valid Accounts: Cloud Accounts | Cloud Persistence Activity By User AtRisk |
| T1137 | Office Application Startup | ASR Executable Office Content |
| T1505.003 | Server Software Component: Web Shell | WebShell Detection |
| T1543 | Create or Modify System Process | Azure ARC Related Persistence Detection |
| T1556 | Modify Authentication Process | Deletion Conditional Access Policy |
| T1556 | Modify Authentication Process | Change Conditional Access Policy |
| Technique ID | Title | Query |
|---|---|---|
| T1078.002 | Valid Accounts: Domain Accounts | User Added To Sensitive Group |
| T1078.002 | Valid Accounts: Domain Accounts | Multiple Sentitive Group Additions From Commandline |
| T1098 | Account Manipulation | *.All Graph Permissions Added |
| T1134.002 | Access Token Manipulation: Create Process with Token | Runas With Saved Credentials |
| T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Users Added To Sudoers Group |
| Technique ID | Title | Query |
|---|---|---|
| T1027 | Obfuscated Files or Information | PowerShell Encoded Commands Executed By Device |
| T1027 | Obfuscated Files or Information | All encoded Powershell Executions |
| T1027 | Obfuscated Files or Information | Encoded PowerShell with WebRequest |
| T1027 | Obfuscated Files or Information | Encoded Powershell Discovery Requests |
| T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | Suspicious network connection from MSBuild |
| T1027.010 | Obfuscated Files or Information: Command Obfuscation | PowerShell Encoded Command |
| T1070.001 | Indicator Removal | Custom Detection Deletion |
| T1070.001 | Indicator Removal: Clear Windows Event Logs | Security Log Cleared |
| T1070.001 | Indicator Removal: Clear Windows Event Logs | Wevutil Clear Windows Event Logs |
| T1134.002 | Access Token Manipulation: Create Process with Token | Runas With Saved Credentials |
| T1218 | System Binary Proxy Execution | WMIC Remote Command Execution |
| T1218.010 | System Binary Proxy Execution: Regsvr32 | Regsvr32 Started as Office Child |
| T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | Hunt for rare ISO files |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Abusing PowerShell to disable Defender components |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Scattered Spider Defense Evasion via Conditional Access Policies Detection |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Defender For Endpoint Offboarding Package Downloaded |
| T1562.010 | Impair Defenses: Downgrade Attack | Potential Kerberos Encryption Downgrade |
| Technique ID | Title | Query |
|---|---|---|
| T1003 | OS Credential Dumping: NTDS | NTDS.DIT File Modifications |
| T1110 | Brute Force | Password Change After Succesful Brute Force |
| T1110 | Brute Force | Multiple Accounts Locked |
| T1552 | Unsecured Credentials | Commandline with cleartext password |
| T1557 | Adversary-in-the-Middle | STORM-0539 URL Paths Email |
| T1557 | Adversary-in-the-Middle | Potential Adversary in The Middle Phishing |
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Potential Kerberos Encryption Downgrade |
| Technique ID | Title | Query |
|---|---|---|
| T1018 | Remote System Discovery | Anomalous SMB Sessions Created |
| T1040 | Network Sniffing | Windows Network Sniffing |
| T1046 | Network Service Discovery | Database Discovery |
| T1069 | Permission Groups Discovery | Net(1).exe Discovery Activities |
| T1069 | Permission Groups Discovery | Net(1).exe Discovery Activities Detected |
| T1069.001 | Permission Groups Discovery: Local Groups | Local Group Discovery |
| T1069.003 | Permission Groups Discovery: Cloud Groups | Azure AD Download All Users |
| T1069.003 | Permission Groups Discovery: Cloud Groups | Cloud Discovery By User At Risk |
| T1069.003 | Permission Groups Discovery: Cloud Groups | AzureHound |
| T1087 | Account Discovery | Net(1).exe Discovery Activities |
| T1087 | Account Discovery | Net(1).exe Discovery Activities Detected |
| T1087.002 | Account Discovery: Domain Account | Anomalous LDAP Traffic |
| T1087.004 | Account Discovery: Cloud Account | Azure AD Download All Users |
| T1087.004 | Account Discovery: Cloud Account | Encoded Powershell Discovery Requests |
| T1087.004 | Account Discovery: Cloud Account | AzureHound |
| T1518.001 | Software Discovery: Security Software Discovery | WMIC Antivirus Discovery |
| T1518.001 | Software Discovery: Security Software Discovery | Defender Discovery Activities |
| T1201 | Password Policy Discovery | Net(1).exe Discovery Activities |
| T1201 | Password Policy Discovery | Net(1).exe Discovery Activities Detected |
| T1482 | Domain Trust Discovery | Security Events - Nltest Discovery Activities |
| T1482 | Domain Trust Discovery | MDE - Nltest Discovery Activities |
| T1615 | Group Policy Discovery | Anomalous Group Policy Discovery |
| Technique ID | Title | Query |
|---|---|---|
| T1021.002 | Remote Services: SMB/Windows Admin Shares | SMB File Copy |
| Technique ID | Title | Query |
|---|---|---|
| T1530 | Data from Cloud Storage | OneDrive Sync From Rare IP |
| Technique ID | Title | Query |
|---|---|---|
| T1071.001 | Application Layer Protocol: Web Protocols | Behavior - TelegramC2 |
| T1090 | Proxy | Anonymous Proxy Events Cloud App |
| T1105 | Ingress Tool Transfer | Certutil Remote Download |
| T1219 | Remote Access Software | AnyDesk Remote Connections |
| T1219 | Remote Access Software | Detect Known RAT RMM Process Patterns |
| T1219 | Remote Access Software | NetSupport running from unexpected directory (FIN7) |
to be implemented
| Technique ID | Title | Query |
|---|---|---|
| T1485 | Data Destruction | (Mass) Cloud Resource Deletion |
| T1486 | Data Encrypted for Impact | ASR Ransomware |
| T1486 | Data Encrypted for Impact | Ransomware Double Extention |
| T1489 | Service Stop | Kill SQL Processes |
| T1490 | Inhibit System Recovery | Shadow Copy Deletion |