KustQueryLanguage_kql
May 27, 2023
Cyber Defence-related Kusto queries for use in Azure Sentinel and Defender advanced hunting
Use at your own risk. Some queries have been tested and verified within the lab. Others have resulted from research into threat reports or those shared by researchers with the community.
MITRE ATT&CK Mapping
Initial Access
| Technique | Description | Link | Tag |
|---|---|---|---|
Execution
| Technique | Description | Link | Tag |
|---|---|---|---|
| Turla Snake malware hunt queries | Potential SNAKE Malware Installation CLI Arguments Indicator | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | SNAKE Malware Installer Name Indicators | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | Potential SNAKE Malware Installation Binary Indicator | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Batloader Execution Procedures | Suspicious BatLoader Malware Execution by Use of Powershell (via cmdline) | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/MDE_Execution_BatloaderTTPs.md | |
| Batloader Execution Procedures | Possible Batloader Malware Execution by Gpg4Win Tool (via process creation) | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/MDE_Execution_BatloaderTTPs.md | |
Persistence
| Name | Description | Link | Tag |
|---|---|---|---|
| Turla Snake malware hunt queries | SNAKE Malware Service Persistence | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | SNAKE Malware WerFault Persistence File Creation | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
| Turla Snake malware hunt queries | SNAKE Malware Covert Store Registry Key | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md | |
Privilege Escalation
| Technique | Description | Link | Tag |
|---|---|---|---|
Defense Evasion
| Technique | Description | Link | Tag |
|---|---|---|---|
Credential Access
| Technique | Description | Link | Tag |
|---|---|---|---|
Discovery
| Technique | Description | Link | Tag |
|---|---|---|---|
Lateral Movement
| Technique | Description | Link | Tag |
|---|---|---|---|
Collection
| Technique | Description | Link | Tag |
|---|---|---|---|
Command and Control
| Technique | Description | Link | Tag |
|---|---|---|---|
Exfiltration
| Technique | Description | Link | Tag |
|---|---|---|---|
Impact
| Technique | Description | Link | Tag |
|---|---|---|---|
Other Mappings
CVEs
| Name | Description | Link | Tag |
|---|---|---|---|
| CVE-2023-23397 | | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/CVE-2023-23397_kusto_queries.md | |
| CVE-2023-21554 | | https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/CVE-2023-21554-Queuejump.md | |
APT
| Name | Description | Link | Tag |
|---|---|---|---|
| 3CX DLL Side Loading | | | |
Uncategorised
| Name | Description | Link | Tag |
|---|---|---|---|
| 3CX DLL Side Loading | | | |