This page maps the KQL queries in this repository to the MITRE ATT&CK framework. The framework is a knowledge base of adversary tactics and techniques based on real-world observations.
This section only includes references to queries that can be mapped to a MITRE ATT&CK technique. The Reconnaissance and Resource Development tactics are out of scope.
## Initial Access

Technique ID | Title | Query |
---|---|---|
T1078.004 | Valid Accounts: Cloud Accounts | New Authentication AppDetected |
T1078.004 | Valid Accounts: Cloud Accounts | Conditional Access Application Failures |
T1078.004 | Valid Accounts: Cloud Accounts | Conditional Access User Failures |
T1190 | Exploit Public-Facing Application | Internet Facing Devices With Available Exploits |
T1566.001 | Phishing: Spearphishing Attachment | Executable Email Attachment Recieved |
T1566.001 | Phishing: Spearphishing Attachment | Macro Attachment Opened From Rare Sender |
T1566.001 | Phishing: Spearphishing Attachment | ASR Executable Content Triggered |
T1566.001 | Phishing: Spearphishing Attachment | Hunt: AsyncRAT OneNote Delivery |
T1566.002 | Phishing: Spearphishing Link | Email Safe Links Trigger |
## Execution

Technique ID | Title | Query |
---|---|---|
T1047 | Windows Management Instrumentation | WMIC Remote Command Execution |
T1047 | Windows Management Instrumentation | WMIC Antivirus Discovery |
T1059.001 | Command and Scripting Interpreter: PowerShell | AMSI Script Detection |
## Persistence

Technique ID | Title | Query |
---|---|---|
T1098 | Account Manipulation | Password Change After Succesful Brute Force |
T1136.001 | Create Account: Local Account | Local Account Creation |
T1136.003 | Create Account: Cloud Account | Cloud Persistence Activity By User AtRisk |
T1078.004 | Valid Accounts: Cloud Accounts | Cloud Persistence Activity By User AtRisk |
T1137 | Office Application Startup | ASR Executable Office Content |
T1556 | Modify Authentication Process | Deletion Conditional Access Policy |
## Privilege Escalation

Technique ID | Title | Query |
---|---|---|
T1078.002 | Valid Accounts: Domain Accounts | User Added To Sensitive Group |
T1134.002 | Access Token Manipulation: Create Process with Token | Runas With Saved Credentials |
T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Users Added To Sudoers Group |
## Defense Evasion

Technique ID | Title | Query |
---|---|---|
T1027 | Obfuscated Files or Information | PowerShell Encoded Commands Executed By Device |
T1027 | Obfuscated Files or Information | All encoded Powershell Executions |
T1027 | Obfuscated Files or Information | Encoded PowerShell with WebRequest |
T1027 | Obfuscated Files or Information | Encoded Powershell Discovery Requests |
T1070.001 | Indicator Removal: Clear Windows Event Logs | Security Log Cleared |
T1134.002 | Access Token Manipulation: Create Process with Token | Runas With Saved Credentials |
T1218 | System Binary Proxy Execution | WMIC Remote Command Execution |
T1218.010 | System Binary Proxy Execution: Regsvr32 | Regsvr32 Started as Office Child |
T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | Hunt for rare ISO files |
T1562.010 | Impair Defenses: Downgrade Attack | Potential Kerberos Encryption Downgrade |
## Credential Access

Technique ID | Title | Query |
---|---|---|
T1110 | Brute Force | Password Change After Succesful Brute Force |
T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Potential Kerberos Encryption Downgrade |
## Discovery

Technique ID | Title | Query |
---|---|---|
T1018 | Remote System Discovery | Anomalous SMB Sessions Created |
T1040 | Network Sniffing | Windows Network Sniffing |
T1046 | Network Service Discovery | Database Discovery |
T1069.003 | Permission Groups Discovery: Cloud Groups | Azure AD Download All Users |
T1069.003 | Permission Groups Discovery: Cloud Groups | Cloud Discovery By User At Risk |
T1087.002 | Account Discovery: Domain Account | Anomalous LDAP Traffic |
T1087.004 | Account Discovery: Cloud Account | Azure AD Download All Users |
T1087.004 | Account Discovery: Cloud Account | Encoded Powershell Discovery Requests |
T1518.001 | Software Discovery: Security Software Discovery | WMIC Antivirus Discovery |
T1615 | Group Policy Discovery | Anomalous Group Policy Discovery |
## Lateral Movement

Technique ID | Title | Query |
---|---|---|
T1021.002 | Remote Services: SMB/Windows Admin Shares | SMB File Copy |

## Collection

To be implemented.

## Command and Control

Technique ID | Title | Query |
---|---|---|
T1071.001 | Application Layer Protocol: Web Protocols | Behavior - TelegramC2 |
T1090 | Proxy | Anonymous Proxy Events Cloud App |
T1219 | Remote Access Software | AnyDesk Remote Connections |

## Exfiltration

To be implemented.

## Impact

Technique ID | Title | Query |
---|---|---|
T1486 | Data Encrypted for Impact | ASR Ransomware |
T1486 | Data Encrypted for Impact | Ransomware Double Extention |
T1490 | Inhibit System Recovery | Shadow Copy Deletion |