KustQueryLanguage_kql

Cyber Defence related kusto queries for use in Azure Sentinel and Defender advanced hunting

Use at your own risk. Some queries have been tested and verified within the lab. Others have resulted from research into threat reports or those shared by researchers with the community.

MITRE ATT&CK Mapping

Initial Access

Technique	Description	Link	Tag

Execution

Technique	Description	Link
Turla Snake malware hunt queries	Potential SNAKE Malware Installation CLI Arguments Indicator	https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md
Turla Snake malware hunt queries	SNAKE Malware Installer Name Indicators	https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md
Turla Snake malware hunt queries	Potential SNAKE Malware Installation Binary Indicator	https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md
Batloader Execution Procedures	Suspicious BatLoader Malware Execution by Use of Powershell (via cmdline)	https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/MDE_Execution_BatloaderTTPs.md
Batloader Execution Procedures	Suspicious BatLoader Malware Execution by Use of Powershell (via cmdline)	https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/MDE_Execution_BatloaderTTPs.md
Batloader Execution Procedures	Possible Batloader Malware Execution by Gpg4Win Tool (via process creation)	https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/MDE_Execution_BatloaderTTPs.md

Persistence

Name	Description	Link
Turla Snake malware hunt queries	SNAKE Malware Service Persistence	https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md
Turla Snake malware hunt queries	SNAKE Malware WerFault Persistence File Creation	https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md
Turla Snake malware hunt queries	SNAKE Malware Covert Store Registry Key	https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md
Turla Snake malware hunt queries	SNAKE Malware Service Persistence	https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/APT_turla_snake_hunt.md

Privilege Escalation

Technique	Description	Link	Tag

Defense Evasion

Technique	Description	Link	Tag

Credential Access

Technique	Description	Link	Tag

Discovery

Technique	Description	Link	Tag

Lateral Movement

Technique	Description	Link	Tag

Collection

Technique	Description	Link	Tag

Command and Control

Technique	Description	Link	Tag

Exfiltration

Technique	Description	Link	Tag

Impact

Technique	Description	Link	Tag

Other Mappings

CVE's

Name	Description	Link	Tag
CVE-2023-23397		https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/CVE-2023-23397_kusto_queries.md
CVE-2023-21554		https://github.com/m4nbat/KustQueryLanguage_kql/blob/main/CVE-2023-21554-Queuejump.md

APT

Name	Description	Link	Tag
3CX DLL Side Loading

Uncategorised

Name	Description	Link	Tag
3CX DLL Side Loading

Name		Name	Last commit message	Last commit date
Latest commit History 300 Commits
3cx_DLL_SideLoading_IoC_Kusto.md		3cx_DLL_SideLoading_IoC_Kusto.md
APT_turla_snake_hunt.md		APT_turla_snake_hunt.md
CVE-2023-21554-Queuejump.md		CVE-2023-21554-Queuejump.md
CVE-2023-23397_kusto_queries.md		CVE-2023-23397_kusto_queries.md
Cloud_Service_Discovery_SnaffPoint.md		Cloud_Service_Discovery_SnaffPoint.md
GC2_Command_and_Control.md		GC2_Command_and_Control.md
Gamarue_Kusto_Queries.md		Gamarue_Kusto_Queries.md
ISO_MOTW_Kusto_Queries.md		ISO_MOTW_Kusto_Queries.md
JavaScript_spawned_from_ISO.md		JavaScript_spawned_from_ISO.md
LOLBIN_MSHTA.md		LOLBIN_MSHTA.md
LolBin_Winlogon_Suspicious_Network_Connection.md		LolBin_Winlogon_Suspicious_Network_Connection.md
MDE_Execution_BatloaderTTPs.md		MDE_Execution_BatloaderTTPs.md
MasatdonC2_Kusto_Query.md		MasatdonC2_Kusto_Query.md
OneNote_Related_Hunting_Queries.md		OneNote_Related_Hunting_Queries.md
PASTE_SITES_HUNT_KUSTO_QUERIES.MD		PASTE_SITES_HUNT_KUSTO_QUERIES.MD
PLAY_Ransomware_Kusto.md		PLAY_Ransomware_Kusto.md
PSExec_Process_Creation_Impacket_Metasploit.md		PSExec_Process_Creation_Impacket_Metasploit.md
PowerShell_create_LNK_in_startup.md		PowerShell_create_LNK_in_startup.md
Qakbot_Kusto_Queries.md		Qakbot_Kusto_Queries.md
README.md		README.md
Raspberry_Robin_Kusto_Queries.md		Raspberry_Robin_Kusto_Queries.md
RedCanary2023-ObfuscatedFilesorInfo.md		RedCanary2023-ObfuscatedFilesorInfo.md
RedCanary2023-ProcessInjection.md		RedCanary2023-ProcessInjection.md
RedCanary2023-ServiceExecution.md		RedCanary2023-ServiceExecution.md
RedCanary2023-WMI.md		RedCanary2023-WMI.md
RedCanary2023-Windows_Command_Shell.md		RedCanary2023-Windows_Command_Shell.md
RedCanary2023-rundll32.md		RedCanary2023-rundll32.md
RedCanary2023_IngressToolTransfer.md		RedCanary2023_IngressToolTransfer.md
RedCanary2023_PowerShell.md		RedCanary2023_PowerShell.md
Regsvr32ExternalScriptLoad.md		Regsvr32ExternalScriptLoad.md
Remote_Access_Tools.md		Remote_Access_Tools.md
Rundll32_executing_DLL_from_Temp.md		Rundll32_executing_DLL_from_Temp.md
Scheduled_Task_Kusto_Queries.md		Scheduled_Task_Kusto_Queries.md
SecurityIncidentStats		SecurityIncidentStats
ShareFinder_Kusto_Query.md		ShareFinder_Kusto_Query.md
T1003.001_LASS_dumping_werfault_exe.md		T1003.001_LASS_dumping_werfault_exe.md
T1036.003_Masquerading-RenameSystemUtilities.md		T1036.003_Masquerading-RenameSystemUtilities.md
T1087.001_AccountDiscovery-LocalAccount.md		T1087.001_AccountDiscovery-LocalAccount.md
Telegram_Shortened_Domains.md		Telegram_Shortened_Domains.md
USB_Device_Hunting.md		USB_Device_Hunting.md
Ursniff_Kusto_Queries_DFIRReport.md		Ursniff_Kusto_Queries_DFIRReport.md
VBScript_stored_in_non-run_reg_key.md		VBScript_stored_in_non-run_reg_key.md
Vidar_Kusto_Query.md		Vidar_Kusto_Query.md
_template.md		_template.md
admin_share_kusto_query.md		admin_share_kusto_query.md
autostart_persistence_kusto_query.md		autostart_persistence_kusto_query.md
aws_ec2_kusto_queries.md		aws_ec2_kusto_queries.md
blacklotus-registry-modification.md		blacklotus-registry-modification.md
brute_ratel_C4.md		brute_ratel_C4.md
bumblebee_dfirreport_20221114.md		bumblebee_dfirreport_20221114.md
chrome_browser_unusual_child_process.md		chrome_browser_unusual_child_process.md
chromeloader.md		chromeloader.md
command_and_control-GC2-Tool.md		command_and_control-GC2-Tool.md
command_and_control_NotionC2.md		command_and_control_NotionC2.md
commandandcontrol_stealer_redline_pastebin.md		commandandcontrol_stealer_redline_pastebin.md
emotet-2023-new-ttps.md		emotet-2023-new-ttps.md
external_data_botnets_tracker_abuse_ch.kusto		external_data_botnets_tracker_abuse_ch.kusto
external_data_lookup_bazaar_abuse_ch.kusto		external_data_lookup_bazaar_abuse_ch.kusto
gootloader.md		gootloader.md
hiding_in_plain_sight_service_names.md		hiding_in_plain_sight_service_names.md
impacket_kusto_queries.md		impacket_kusto_queries.md
inmemory_load_of_hacktool-powersploit.md		inmemory_load_of_hacktool-powersploit.md
inmemory_load_of_hacktool.md		inmemory_load_of_hacktool.md
internal_phishing.md		internal_phishing.md
ipfs_phishing_kusto_query.md		ipfs_phishing_kusto_query.md
lolbin_certutil_download_direct_ip.md		lolbin_certutil_download_direct_ip.md
lolbins_kusto_query.md		lolbins_kusto_query.md
m365_email_hunt_rules.md		m365_email_hunt_rules.md
m365_phishing_coronation_lures.md		m365_phishing_coronation_lures.md
mal_clearfake_appx_download.md		mal_clearfake_appx_download.md
mal_clearfake_c2.md		mal_clearfake_c2.md
mal_clearfake_test.md		mal_clearfake_test.md
mal_ttp_socgholish_suspicious_wscript_network_connetion.md		mal_ttp_socgholish_suspicious_wscript_network_connetion.md
md_cloudflared_akira.md		md_cloudflared_akira.md
mde_AAD_recon_tools.md		mde_AAD_recon_tools.md
mde_SQLServerAbuse_CMD.md		mde_SQLServerAbuse_CMD.md
mde_ZIPdomains.md		mde_ZIPdomains.md
mde_bunny_loader_detections_2023.md		mde_bunny_loader_detections_2023.md
mde_commandandcontrol_.md		mde_commandandcontrol_.md
mde_darkgate_autoitScript.md		mde_darkgate_autoitScript.md
mde_darkgate_detections.md		mde_darkgate_detections.md
mde_darkgate_sharepoint_ceo_link.md		mde_darkgate_sharepoint_ceo_link.md
mde_darkgate_vbs_download.md		mde_darkgate_vbs_download.md
mde_exfiltration_to_S3.md		mde_exfiltration_to_S3.md
mde_exploitguard_events.md		mde_exploitguard_events.md
mde_file_downloads.md		mde_file_downloads.md
mde_headlessBrowserChromium.md		mde_headlessBrowserChromium.md
mde_initiaaccess_qr_code.md		mde_initiaaccess_qr_code.md
mde_mal_munchkin_raas.md		mde_mal_munchkin_raas.md
mde_persistence_registry_winlogon_t1547.md		mde_persistence_registry_winlogon_t1547.md
mde_rmm_tools.md		mde_rmm_tools.md
mde_scatteredspider.md		mde_scatteredspider.md
mde_script_execution_from_explorer_ZIP_function.md		mde_script_execution_from_explorer_ZIP_function.md
mde_smartscreen_events.md		mde_smartscreen_events.md
mde_smb_filecopy.md		mde_smb_filecopy.md
mde_stealer.md		mde_stealer.md
mde_unusual_discord_network_connection.md		mde_unusual_discord_network_connection.md
mde_various_loldrivers.md		mde_various_loldrivers.md
med_tampering_event.md		med_tampering_event.md
nf_mal_ttp_cve-2023-36025_phemedroneStealer.md		nf_mal_ttp_cve-2023-36025_phemedroneStealer.md

m4nbat/KustQueryLanguage_kql

Folders and files

Latest commit

History