# KustQueryLanguage_kql

Cyber defence related Kusto queries for use in Azure Sentinel and Defender advanced hunting.

Use at your own risk. Some queries have been tested and verified within the lab. Others have resulted from research into threat reports or those shared by researchers with the community.

## MITRE ATT&CK Mapping

### Initial Access

| Technique | Description | Link | Tag |
|---|---|---|---|

### Execution

| Technique | Description | Link | Tag |
|---|---|---|---|
| Turla Snake malware hunt queries | Potential SNAKE Malware Installation CLI Arguments Indicator | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | SNAKE Malware Installer Name Indicators | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | Potential SNAKE Malware Installation Binary Indicator | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Batloader Execution Procedures | Suspicious BatLoader Malware Execution by Use of Powershell (via cmdline) | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/MDE_Execution_BatloaderTTPs.md | |
| Batloader Execution Procedures | Possible Batloader Malware Execution by Gpg4Win Tool (via process creation) | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/MDE_Execution_BatloaderTTPs.md | |

### Persistence

| Name | Description | Link | Tag |
|---|---|---|---|
| Turla Snake malware hunt queries | SNAKE Malware Service Persistence | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | SNAKE Malware WerFault Persistence File Creation | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | SNAKE Malware Covert Store Registry Key | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |

### Privilege Escalation

| Technique | Description | Link | Tag |
|---|---|---|---|

### Defense Evasion

| Technique | Description | Link | Tag |
|---|---|---|---|

### Credential Access

| Technique | Description | Link | Tag |
|---|---|---|---|

### Discovery

| Technique | Description | Link | Tag |
|---|---|---|---|

### Lateral Movement

| Technique | Description | Link | Tag |
|---|---|---|---|

### Collection

| Technique | Description | Link | Tag |
|---|---|---|---|

### Command and Control

| Technique | Description | Link | Tag |
|---|---|---|---|

### Exfiltration

| Technique | Description | Link | Tag |
|---|---|---|---|

### Impact

| Technique | Description | Link | Tag |
|---|---|---|---|

## Other Mappings

### CVEs

| Name | Description | Link | Tag |
|---|---|---|---|
| CVE-2023-23397 | | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/CVE-2023-23397_kusto_queries.md | |
| CVE-2023-21554 | | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/CVE-2023-21554-Queuejump.md | |

### APT

| Name | Description | Link | Tag |
|---|---|---|---|
| 3CX DLL Side Loading | | | |

### Uncategorised

| Name | Description | Link | Tag |
|---|---|---|---|
| 3CX DLL Side Loading | | | |