A collection of my KQL queries
| Name | Description | MITRE ATT&CK |
|---|---|---|
| Adobe Reader created a child process | Attack Surface Reduction rule for Microsoft Defender for Endpoint that detects attempts by Adobe Reader to create a child process. | T1204.002: Malicious File |
| Base encoded PowerShell command | Detects PowerShell processes run with encoded parameters, which is often used as a defense evasion technique. | T1027: Obfuscated Files or Information T1027.010: Command Obfuscation T1059: Command and Scripting Interpreter T1059.001: PowerShell T1086: PowerShell |
| Email forwarding to external domain (Classic) | Detects creation of mailbox rules that have ForwardTo, ForwardAsAttachmentTo, or RedirectTo set to an external, untrusted domain (in Outlook Classic). You specify trusted domains in the query. | T1114: Email Collection T1114.003: Email Forwarding Rule |
| Email forwarding to external domain | Detects creation of mailbox rules that have ForwardTo, ForwardAsAttachmentTo, or RedirectTo set to an external, untrusted domain (in Outlook, or Outlook Web Access). You specify trusted domains in the query. | T1114: Email Collection T1114.003: Email Forwarding Rule |
| Email sent via forwarding to external domain | Detects email messages that were forwarded to an external domain. You specify trusted domains in the query. | T1114: Email Collection T1114.003: Email Forwarding Rule |
| Executable email content detected by ASR | Attack Surface Reduction rule for Microsoft Defender for Endpoint. The rule detects instances of email opened within the Microsoft Outlook application, Outlook.com, or other popular webmail providers running executable file types. | T1204: User Execution T1204.002: Malicious File |
| Obfuscated script detected by ASR | Attack Surface Reduction rule for Microsoft Defender for Endpoint. Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. | T1027: Obfuscated Files or Information T1027.010: Command Obfuscation |
| Ransomware detected by ASR | Attack Surface Reduction rule for Microsoft Defender for Endpoint. Detects when client and/or cloud heuristics determine that a file resembles ransomware. | T1486: Data Encrypted for Impact |
| Script downloaded an executable detected by ASR | Attack Surface Reduction rule for Microsoft Defender for Endpoint. The rule detects scripts that launch potentially malicious downloaded content. | T1059: Command and Scripting Interpreter T1059.005: Visual Basic T1059.007: JavaScript |
| Sign in blocked by Conditional Access policy | Detects failed Conditional Access actions for a specified policy rule ID. You set the RuleID in the query. | T1556.009: Conditional Access Policies |
| Trusted domain blocked by Defender | Checks for web filtering blocks to trusted domains. You specify trusted domains in the query. | T1071: Application Layer Protocol T1071.001: Web Protocols |
| Win32 API called by an Office macro | Attack Surface Reduction rule for Microsoft Defender for Endpoint that detects VBA macros trying to call Win32 APIs. | T1106: Native API |
| XOR operator in PowerShell command | Detects PowerShell processes whose command line contains XOR operators, which indicate possible defense evasion activity. | T1027: Obfuscated Files or Information T1027.010: Command Obfuscation T1059: Command and Scripting Interpreter T1059.001: PowerShell T1086: PowerShell |
| Distributed brute force attack on identity | Detects malicious failed logins (depends on the IdentitiesTargetedByBruteForce() function). | T1110: Brute Force T1110.001: Password Guessing T1110.003: Password Spraying T1110.004: Credential Stuffing |

| Name | Description |
|---|---|
| IdentitiesTargetedByBruteForce() | Returns the identities that are being targeted by a brute force attack from multiple sources. |

| Name | Description |
|---|---|
| Microsoft Entra categorized error codes with descriptions | Microsoft Entra sign-in error codes with their descriptions and categories. |