Skip to content

cylaris/awesomekql

Repository files navigation

Cylaris AwesomeKQL

Cylaris AWESOMEKQL is an awesome repository of detection R&D created exclusively by the Cylaris Threat Research Group (TRG)

This repo is for:

  • SOC Analysts (Threat Hunting)
  • SOC Engineers (Detection Packs)
  • Researchers
  • Linux Nerds

Content

  • Network Level Indicators These are a first-effort response which use the earliest possible IOCs uncovered by bad actors exploiting vulnerabilities. Usually unreliable but good for a first response.

  • Static Indicators Static Indicators are attributes that artifacts have that have been seen historically, again, these are unreliable but can prevent many attacks nonetheless.

  • Behavioural Patterns (Heuristic) After analysis is carried out on various research, as well as tests, most malware families and even APT's share many similar traits. This is where we are able to identify these patterns. Most of our detection packs use this - however these take a LOT of time, for research and testing. So you may see us release the previous types initially as a first-effort mitigation and detection.

detections - awesomekql

Content

Azure

OAuth App Abuse

LOLBAS

App Installer abuse

BITSAdmin Abuse

Certutil Abuse

CScript Abuse

Findstr Abuse

Malware Tracking

HAFNIUM

QakBot

Ransomware

Threat Intel

Scraping

Vulnerabilities Tracking

Threat Hunting

Phishing

Contributors

Releases

No releases published

Packages

No packages published