Cyber Defence-related Kusto queries for use in Azure Sentinel and Defender advanced hunting

m4nbat/KustQueryLanguage_kql

KustQueryLanguage_kql

Cyber Defence-related Kusto queries for use in Azure Sentinel and Defender advanced hunting

Use at your own risk. Some queries have been tested and verified within the lab. Others come from research into threat reports or were shared with the community by researchers.

MITRE ATT&CK Mapping

Initial Access

Technique Description Link Tag

Execution

| Technique | Description | Link | Tag |
|---|---|---|---|
| Turla Snake malware hunt queries | Potential SNAKE Malware Installation CLI Arguments Indicator | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | SNAKE Malware Installer Name Indicators | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | Potential SNAKE Malware Installation Binary Indicator | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Batloader Execution Procedures | Suspicious BatLoader Malware Execution by Use of Powershell (via cmdline) | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/MDE_Execution_BatloaderTTPs.md | |
| Batloader Execution Procedures | Suspicious BatLoader Malware Execution by Use of Powershell (via cmdline) | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/MDE_Execution_BatloaderTTPs.md | |
| Batloader Execution Procedures | Possible Batloader Malware Execution by Gpg4Win Tool (via process creation) | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/MDE_Execution_BatloaderTTPs.md | |

Persistence

| Name | Description | Link | Tag |
|---|---|---|---|
| Turla Snake malware hunt queries | SNAKE Malware Service Persistence | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | SNAKE Malware WerFault Persistence File Creation | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | SNAKE Malware Covert Store Registry Key | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | SNAKE Malware Service Persistence | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |

Privilege Escalation

Technique Description Link Tag

Defense Evasion

Technique Description Link Tag

Credential Access

Technique Description Link Tag

Discovery

Technique Description Link Tag

Lateral Movement

Technique Description Link Tag

Collection

Technique Description Link Tag

Command and Control

Technique Description Link Tag

Exfiltration

Technique Description Link Tag

Impact

Technique Description Link Tag

Other Mappings

CVEs

| Name | Description | Link | Tag |
|---|---|---|---|
| CVE-2023-23397 | | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/CVE-2023-23397_kusto_queries.md | |
| CVE-2023-21554 | | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/CVE-2023-21554-Queuejump.md | |

APT

Name Description Link Tag
3CX DLL Side Loading

Uncategorised

Name Description Link Tag
3CX DLL Side Loading
