egrzeszczak/kql

# kql

A collection of my KQL queries

## Table of contents

- Detection rules (for Microsoft Defender XDR)
- Functions
- Resources

## Detection rules (for Microsoft Defender XDR)

| Name | Description | MITRE ATT&CK |
| --- | --- | --- |
| Adobe Reader created a child process | Attack Surface Reduction rule for Microsoft Defender for Endpoint that detects attempts by Adobe Reader to create a child process. Documentation → | T1204.002: Malicious File |
| Base encoded PowerShell command | Detects PowerShell processes run with encoded parameters, which is often used as a defense evasion technique. | T1027: Obfuscated Files or Information<br>T1027.010: Command Obfuscation<br>T1059: Command and Scripting Interpreter<br>T1059.001: PowerShell<br>T1086: PowerShell |
| Email forwarding to external domain (Classic) | Detects creation of mailbox rules that have ForwardTo, ForwardAsAttachmentTo, or RedirectTo set to an external, untrusted domain (in Outlook Classic). You specify trusted domains in the query. | T1114: Email Collection<br>T1114.003: Email Forwarding Rule |
| Email forwarding to external domain | Detects creation of mailbox rules that have ForwardTo, ForwardAsAttachmentTo, or RedirectTo set to an external, untrusted domain (in Outlook or Outlook Web Access). You specify trusted domains in the query. | T1114: Email Collection<br>T1114.003: Email Forwarding Rule |
| Email sent via forwarding to external domain | Detects email messages that were forwarded to an external domain. You specify trusted domains in the query. | T1114: Email Collection<br>T1114.003: Email Forwarding Rule |
| Executable email content detected by ASR | Attack Surface Reduction rule for Microsoft Defender for Endpoint. The rule detects email opened in the Microsoft Outlook application, Outlook.com, or other popular webmail providers that runs executable file types. Documentation → | T1204: User Execution<br>T1204.002: Malicious File |
| Obfuscated script detected by ASR | Attack Surface Reduction rule for Microsoft Defender for Endpoint. Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Documentation → | T1027: Obfuscated Files or Information<br>T1027.010: Command Obfuscation |
| Ransomware detected by ASR | Attack Surface Reduction rule for Microsoft Defender for Endpoint. Detects when client and/or cloud heuristics determine that a file resembles ransomware. Documentation → | T1486: Data Encrypted for Impact |
| Script downloaded an executable detected by ASR | Attack Surface Reduction rule for Microsoft Defender for Endpoint. The rule detects scripts that launch potentially malicious downloaded content. Documentation → | T1059: Command and Scripting Interpreter<br>T1059.005: Visual Basic<br>T1059.007: JavaScript |
| Sign in blocked by Conditional Access policy | Detects failed Conditional Access actions for a specified rule ID. You set the RuleID in the query. | T1556.009: Conditional Access Policies |
| Trusted domain blocked by Defender | Checks for web filtering blocks of trusted domains. You specify trusted domains in the query. | T1071: Application Layer Protocol<br>T1071.001: Web Protocols |
| Win32 API called by an Office macro | Attack Surface Reduction rule for Microsoft Defender for Endpoint that detects VBA macros trying to call Win32 APIs. Documentation → | T1106: Native API |
| XOR operator in PowerShell command | Detects PowerShell processes whose command line contains XOR operators, which indicate possible defense evasion activity. | T1027: Obfuscated Files or Information<br>T1027.010: Command Obfuscation<br>T1059: Command and Scripting Interpreter<br>T1059.001: PowerShell<br>T1086: PowerShell |
| Distributed brute force attack on identity | Detects malicious failed logins (depends on `IdentitiesTargetedByBruteForce()`). | T1110: Brute Force<br>T1110.003: Password Spraying<br>T1110.004: Credential Stuffing<br>T1110.001: Password Guessing |

## Functions

| Name | Description |
| --- | --- |
| `IdentitiesTargetedByBruteForce()` | Returns identities that are being targeted by a brute-force attack from multiple sources. |

## Resources

| Name | Description |
| --- | --- |
| Microsoft Entra categorized error codes with descriptions | Microsoft Entra error codes with descriptions and categories. |
