This repository contains a selection of Kusto Query Language (KQL) queries designed for proactive threat hunting. Aligned with the MITRE ATT&CK framework, these queries are crafted to detect and address potential threats effectively.
The purpose of this repository is to share KQL queries that anyone can use and understand. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not every suspicious activity raises an alert by default, but many of those activities can be made detectable from the logs. These queries include Detection Rules, Hunting Queries and Visualisations. Anyone is free to use the queries.
Presenting this material as your own is illegal and forbidden. A reference to GitHub H1dd3n00b is much appreciated when sharing or using the content.
@BertJanCyber - The content structure of this repository was adopted from Bert-Jan's KQL repository
@cyb3rmik3 - The template utilized for threat detections was inspired by cyb3rmik3's threat hunting template
KQL Queries: While I have authored most of the KQL queries here, it's worth noting that as I gather queries in my daily work, the repository may include contributions from others. I strive to acknowledge and credit the original creators whenever possible.
For the sake of clarity and organization, the queries within this repository have been structured into categories in accordance with the MITRE ATT&CK framework. Each category encompasses hunting queries tailored to specific tactics outlined within the MITRE Framework.
| MITRE Enterprise Tactic | Tactic ID |
|---|---|
| Reconnaissance | TA0043 |
| Resource Development | TA0042 |
| Initial Access | TA0001 |
| Execution | TA0002 |
| Persistence | TA0003 |
| Privilege Escalation | TA0004 |
| Defense Evasion | TA0005 |
| Credential Access | TA0006 |
| Discovery | TA0007 |
| Lateral Movement | TA0008 |
| Collection | TA0009 |
| Command and Control | TA0011 |
| Exfiltration | TA0010 |
| Impact | TA0040 |
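As an added illustration of the structure described above (this is example code written for this README, not one of the repository's own queries), the hunting query below is tagged with the MITRE tactic it belongs to so it can be filed under the matching category. It assumes the `DeviceProcessEvents` table and its standard columns from Microsoft Defender for Endpoint advanced hunting; the lookback, the 10-minute window and the threshold of three distinct tools are constructed starting values to be tuned per environment.

```kql
// Added example, not one of the repository's queries.
// Tactic: Discovery (TA0007)
// Data source: DeviceProcessEvents (Microsoft Defender for Endpoint advanced hunting)
// Logic: flag a host/account pair that runs several different built-in
// enumeration utilities within a short window, which rarely happens in
// normal interactive use and does not raise an alert on its own.
// Assumptions: lookback, window and threshold are constructed values; tune them.
let lookback = 7d;
let window = 10m;
let threshold = 3;
// Built-in utilities commonly observed when a host or domain is being enumerated.
let discoveryTools = dynamic(["whoami.exe", "net.exe", "net1.exe", "nltest.exe", "systeminfo.exe", "ipconfig.exe", "quser.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ (discoveryTools)
| summarize
    DistinctTools = dcount(FileName),
    Tools = make_set(FileName),
    CommandLines = make_set(ProcessCommandLine, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, bin(Timestamp, window)
| where DistinctTools >= threshold
| project FirstSeen, LastSeen, DeviceName, AccountName, InitiatingProcessFileName, DistinctTools, Tools, CommandLines
| order by FirstSeen desc
```

Grouping by `InitiatingProcessFileName` separates a human shell session from a scheduled inventory script, which is usually the first thing to allowlist when tuning; keeping the tactic ID in the header comment is what lets a query like this be placed in the Discovery category of the table above.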