# The KQL Vault
This repo is a collection of my most used KQL queries for both Threat Hunting and Detection Rules.

## Threat Hunting Queries

Name | Description | Source |
---|---|---|
Remote Access Tools | Looks for common remote access tools | Defender |
File Sharing Sites | Looks for common file sharing sites | Defender |
IOCs | Checks for IOCs across Defender tables | Defender |
DC Usage | Shows DC usage metrics | Defender |
Emojis | Looks for Emojis in Emails and Command Lines | Defender |
Duplicate MFA | Looks for duplicate SMS numbers being registered by multiple users | Sentinel |

## Detection Rules

Name | Description | Source |
---|---|---|
Specula C2 | Detection of the TrustedSec Specula C2 Framework | Defender |
Defender Exclusion Modification | Detection of Defender For Endpoint Exclusion Modification | Defender |
Suspicious Bulk File Modification | Detection for Bulk file renaming in a set time window | Defender |

> [!WARNING]
> The KQL Queries in this repository are provided as a general reference for creating Detection Rules. Every environment is unique and will require tuning by the user before implementing these rules into production. It is up to the user to fully understand and test these KQL Queries before implementing them into their environments.