is live! 🛡️ I have thought about starting a blog page for a while now, and the first steps have been taken. In the next period, I will start uploading more #KQL and security-related content.
🔍🛡️Incident Response PowerShell V2.0.0 is out!
The update includes SIEM exports, new artefact collections and more! A blog about the script and the integration with ADX and MDE Live Response will follow next week.
🔗
Let's start a new Twitter series named #MITREKQL 🧵. Each week I will discuss a @MITREattack tactic and the #KQL queries that can be used to detect some of the techniques. We start today with Initial Access and each week we take a step towards Impact.
New #KQL queries. This time I spent some time in the mail logs and created the following queries:
1. Macro attachment opened from rare sender
2. Executable file attachment received
3. ISO attachment received
4. Rarest attachment extensions received.
#MDE
Pushed a new #KQL query to search for vulnerable XZ devices (CVE-2024-3094). Since it seems related to SSH server compromise, I also created a KQL query to list all inbound SSH connections to vulnerable XZ devices; you may want to review those.
New day, new #KQL queries:
1. List all AAD Role Additions
2. Cloud Discovery by User At Risk
3. Cloud Persistence by User At Risk
4. Security Alerts triggered by users at risk
5. User Risk Visualization
6. Vulnerabilities with available POC
#MDE #Sentinel
Last summer I developed a #KQL Incident Response Query Pack for Azure and Microsoft 365. This is for the @InvictusIR Hands-On Incident Response In The Cloud Training 🛡️. The query pack is available on GitHub for all of you to try out!
#MicrosoftSentinel
I recently created my own GitHub repo to share #KQL hunting queries and detection rules. This is inspired by @reprise_99 and @msftsecurity. The following categories have been added so far: DFIR, VM, Threat Hunting, 0-day & DFE detection rules.
🛡️I have published an updated #KQL security sources list with over 25 GitHub repos, blogs and guides. Since more and more people are adopting KQL, it was time for an update. It contains thousands of detections and hunting queries for you to investigate! 🏹
🔗
🛡️ The new version of the Incident Response Powershell script is released.
Two updates:
1. Collect the PowerShell history of all users.
2. Different approach to retrieving MPLogs.
New Living Off The Land #KQL queries! 🚨 I have added queries for:
- LOLBAS
- LOLDriver
- LOTS
For the queries see:
More queries will be added later!
Happy hunting! 🏹
#MDE #Sentinel #LOL #LOLBas #LOLDriver
Just finished updating my repository, which contains links to a lot of free IOC / Threat Intel feeds that you can implement in your security solutions. Most (if not all) of them can be combined with #KQL as well.
New queries!
1. WMIC Remote Executions
2. List all devices that have WLS installed
3. DFIR: list all internal connections made by a compromised device
#MDE #Sentinel #KQL
(1/5) Hunt for suspicious #PowerShell in your environment! A thread about encoded PowerShell commands. Various threat actors use this to obfuscate their activities.
#ThreatHunting #MDE #KQL
[New Blog! 🛡] Incident Response Part 1: IR on Microsoft Security Incidents (#KQL edition).
The new incident response blog series consists of three parts (see 🧵).
#MicrosoftDefender #MicrosoftSentinel
Domain Response is Live! 🚨 This new tool helps you to quickly collect all domain information needed to perform a domain investigation. This is done by collecting:
- WHOIS
- Cert
- DNS
For more info see link!
#phishing #DomainResponse
Writing a new version of the DFIR PS script. This will include CSV exports that can be ingested in your SIEM/ADX/Sentinel, to analyse the content in your preferred query language.
Question: Would you rather have one file with all data or separate files?
🔗
🛡️New #KQL queries! Created some detections based on APT28 activities reported by @_CERT_UA.
1. PowerShell No Profile Execution
2. Hunting for APT28 commands
3. PowerShell WebDav Folder File Collection
All individual links in 🧵. Happy hunting! 🏹🎯
Three new #KQL queries have been added! The queries are based on MDE and Office 365 logs:
1. ASR Executable Content detection and enrichment.
2. PsExec usage
3. SafeLinks block enrichment
For individual query links see below.
#Sentinel #MDE #Office365
[New #KQL Queries!🛡️]
1. List *.All Graph API Permissions
2. AAD Signins by Operating System
3. List Defender Config Discovery Activities
4. IPv4 command detected in lolbin execution
5. Comparison between devices in Intune and MDE
Individual links in 🧵
Thanks all for the 100 stars!⭐️ If you are looking for free IOC feeds, then have a look at the repository (details in 🧵). Almost 100 feeds are listed at the moment. For the #KQL fans, almost all of those can be used in the externaldata operator.
🚨 In two days the high severity curl vulnerability (CVE-2023-38545) will be disclosed.
The #KQL queries below create an inventory of all systems that run curl. This will allow you to react quickly once a patch has been pushed, to prevent exploitation.
[New #KQL Queries!🛡️]
1. Successful sign-in from new country
2. Local Group Created
3. Local Administrator Additions
4. Connected Plug and Play Types
5. List Connected USB Devices
All individual links in 🧵
#MicrosoftSentinel #MDE
Do you want to find malicious activities that have been performed on a device? Then use this #KQL query to look for:
- ASR Triggers
- SmartScreen Events
- Antivirus Detections
- Tampering Detections
- Exploit Guard Triggers
- AMSI Events
#DFIR #MDE
(1/4) #KQL Dump! 8 new queries.
- 2 Sentinel Threat Intelligence Visualizations
- Multiple open port detections
- Telegram C2 behaviour
- Global Admin List
- Devices With the most browser extensions
#MDE #Sentinel
[NEW BLOG 🛡️] Threat Hunting: Encoded PowerShell!
I have written a blog that uses #KQL to hunt for encoded PowerShell. The focus is on identifying suspicious executions in your environment. Examples and queries are included.
Happy hunting! 🏹
🚨 NEW KQL QUERIES! This time 3 new active directory queries that use MDI logs.
1. Potential Kerberos Encryption Downgrade
2. Password Change After Successful Brute Force
3. Anomalous LDAP Traffic
All #KQL queries:
Details 🧵
Now that all the parts of the incident response series have been published, it is up to you to prepare for the next incident.
🛠 All tools featured in the blogs can be used in a free test environment, more on that in the 🧵
📚 IR Blogs:
[🛡 NEW BLOG 🛡]
From Threat Report to (KQL) Hunting Query
Writing valuable hunting queries based on TI reports can be challenging. This blog explores the steps involved in going from a TI report to a #KQL query, based on two #StopRansomware reports.
🔗
CISApy is live! 💻 CISAPy is a small command line tool that lets you interact with the @CISACyber Known Exploited Vulnerabilities Catalog. It can return filtered results and statistics.
🔜 More in the next blog that will be published later this week.
🔗
Happy hunting for CVE-2023-36884!
let CVE_2023_36884 = dynamic(['74.50.94.156', '104.234.239.26', '94.232.40.34', '66.23.226.102']);
EmailEvents
| where SenderIPv4 in (CVE_2023_36884)
Want to hunt for all Twitter IOCs with one query? Check ⬇️
🚨 New #KQL queries!
1. Guest users with AAD Roles
2. DFIR: Inbound connections to a compromised device
3. DFIR: Office 365 audit activities performed by compromised account
4. Detected devices by external scan
For links to all queries see 🧵
#MDE #Sentinel
A month ago I published . The views on the blogs have been way above expectations with already more than 5K visitors.
Thanks for all the support! ❤️
More #KQL blogs will follow, the next one being: Incident Response Part 2: What about everything else? 🛡️
New #KQL Queries 🚨🛡️ A list of the recent additions to the repo. Full links in 🧵.
1. RG: Tag Search
2. RG: List all used public IPs
3. List EntraID signing based on UPN
4. TI Feed: MontySecurity C2 Tracker All IPs
5. Longest outstanding password resets
KQL TIP: is the perfect place to monitor for new #KQL queries🎯. The home page shows all newly released queries first, which makes it a perfect KQL backlog. If you check this once a week you will be on top of all the released content.
Thanks @UgurKocDe!
🚨 KQL MISP is live! 🛡️ The first batch of 18 @MISPProject feeds has been translated to #KQL queries for #MDE and #Sentinel. This solution only requires KQL and no additional configuration, as shown in the image below.
For all the content & queries see
This week I have spent some time developing a detection for T1046 (Service Discovery), specifically for database discovery. The #KQL query is listed below; depending on your needs you can tweak the query for better results!
#MDE #Sentinel #Discovery
[New Blog 🛡] Detecting Post-Exploitation Behaviour
This blog explains how you can detect some of the ScreenConnect (and other) post-exploitation activities and will share multiple KQL queries to hunt for this behaviour in your environment.
[NEW BLOG 🛡️] Excited to announce my first blog post! KQL Functions For Security Operations.
The blog describes different functions that can be used for SOC operations, incident response, threat hunting, and detection engineering. Check it
#MDE #Sentinel
Added a script to the IR PowerShell repo that lists all configured exclusions. This lists:
- IP
- Process
- FolderPath
- File Extension
‼️ Proactively run this in your environment to determine if the exclusions are still valid or need to be removed.
This is utter crap for AV advice from Microsoft
It's bad enough that Teams still runs in a user-writable location (AppData), but let's combine that with AV exclusions AND not specify path-based vs process-based exclusions.
I would highly advise against path-based exclusions here.
500 STARS! ⭐️Thanks all for the support on the #KQL repository, I did not expect this when I started.
Of course, more queries will be added and I am working on a new repo to deliver even more KQL content.
🖥 New project! Sentinel Automation
The Logic Apps/Playbooks aim to:
- Enrich Incidents
- Perform Incident Response Steps
First automation is already available, this automation flow collects the last 10 inbound connections to a device.
New #KQL query alert! 🚨 The new BehaviorInfo and BehaviorEntities have been used to create a detection based on a user performing multiple @MITREattack techniques. All entities related to those actions are collected for further investigation.🏹
#MDE #MCAS
New #KQL Queries! 🚨 Had some fun combining the @CISACyber Known Exploited Vulnerabilities list and KQL.
1. ListCISAExploitedVulnerabilites()
2. New Active CISA Known Exploited Vulnerability Detected
3. Due Date Passed CISA Known Exploited Vulnerabilities
🧵
A great document to be aware of is the Security Operations Guide for AAD. This also includes which activities should be monitored and what the conditions are. If a Sentinel Analytics or Sigma rule is already available, it will also be linked.
New #KQL queries! 6 new queries have been added to the repository.
- 4 Browser Extension based queries
- 2 DFIR queries to collect LDAP queries and triggered ASR events from a compromised host.
#MDE #MDI #DFIR #VM
The results are in, from today on I start the #KQLADS (KQL Adversary Detection Series) 🛡️🏹
We start with a #KQL query that is used to identify suspicious database discovery activities. Why you want to monitor this is described in the 🧵
#MDE #Sentinel
The #KQL repository now contains 200+ KQL queries, which cover various areas. Should I create a small series/thread that covers the best x queries and explains why they should be used?
If you want this to focus on a specific area please share below!
Repo:
🛡️I have updated the MITRE ATT&CK Mapping in the #KQL GitHub Repository with a Statistics section. This lists the number of mapped KQL queries for each MITRE Tactic. At this moment 60 queries are mapped to a tactic.
Interested in all the mapped queries?🔗
New #KQL query! This time focused on Vulnerability Management. List all devices that are internet-facing and have a vulnerability with an available exploit. Planning to add more internet-facing queries soon!
#VM #MDE
Many thanks to the Twitter community for sharing their IOCs! The IOCs from Twitter have now been integrated in a #KQL query (Thanks @0xDanielLopez!). Hunt for C2, Malware, Phishing and Ransomware IOCs in your environment🧵
#ThreatHunting #MDE #Sentinel
(1/4) 3 new #DFIR #KQL queries have been added.
1. The last 100 PowerShell commands executed from a compromised device.
2. All URLs opened by Outlook from a compromised device.
3. All activities that triggered a browser to open a URL.
Details in thread
This for AiTM ⬇️. Alternatively for the empty deviceid you can hunt for OfficeHome in combination with 0, 50140, 50074 or 53000 depending on your tenant setup.
Have some fun with the #KQL from @reprise_99:
In our last few IR engagements we have found “OfficeHome” a pretty reliable application for detecting threat actors, in particular when the DeviceID field is empty. Happy Hunting!
#CyberSecurity #DFIR
For all the Threat Hunters and Detection Engineers, I have just pushed a new #KQL function that lists all ActionTypes, Operations and OperationNames in a single view. This enables you to get easy insight into all the activities in your Sentinel data.
The #MITREKQL series continues with Persistence. Each week we take a look at a different @MITREattack tactic and the #KQL queries which can detect some of the related techniques.
#MDE #Sentinel
[New Blog! 🛡] Incident Response Part 2: What about the other logs?
This blog explains how you can perform incident response with #KQL on data that you do not have in Sentinel or M365D. Windows Security Events and Unified Audit logs are used as examples!
Ever wondered what accounts use clear text credentials on the command line? Use this #KQL query to collect the users, devices and the executed command lines. If possible, start improving your security posture today by getting rid of clear text passwords🛡️
Are more of you seeing many unsuccessful sign-ins on your personal Microsoft Accounts? I extracted all the 279 failed sign-ins in the last 7 days and visualised them in ADX to get some statistics. Almost all of them originate from IPv6 addresses hosted in Europe.
Big #KQL repo update!
1. KQL Queries are now mapped to MITRE ATT&CK (see link) and contain more context. The page includes a list of all tactics and the queries that can be used for each technique.
2. New detections (see below)
#MITRE #MDE #Sentinel
Created a #KQL query that lists all the Graph Mail permissions that have been granted to applications in your tenant. Mail permissions can be very permissive and should be scoped to specific mailboxes only.
🎯 Query:
Two new #KQL queries!
- IP Lookup
- URL Lookup
The lookups are done both on the created network events and on the command-line references to the IP or URL.
#Sentinel #MDE #DFIR
URL Link below ⬇️
Aaaaand that is the third repo with 100 ⭐️s! Unbelievable support on all the delivered content ❤️, totally unexpected when I started publishing content. More to come for sure! 🛡️
Have a good weekend all!
GitHub:
In this week's episode of #MITREKQL the tactic Privilege Escalation is discussed 🧵. Each week a new @MITREattack tactic is discussed with the #KQL queries that detect some of the techniques.
#MDE #Sentinel
I will release some #KQL queries in the upcoming days. As @HuntressLabs mentions very clearly: "Most of the post-compromise activities we have documented in this article aren’t novel, original, or outstanding"
Thus having detection in place for these techniques is a must!
New #KQL queries. In the last update of the year, some less serious queries to have some fun:
- Teams Emojis used
- Teams Emojis used by department
- visits
- visits
All queries:
New #KQL queries for SOC Operations! 🛡️
I have added another KQL query category to the repository. This category provides statistical insights and visualisations to manage your SOC.
#Sentinel #MDE
If you want to hunt 🏹for LockBit 3.0 behavior, I have a new #KQL query for your toolkit. The #StopRansomware campaign shared interesting indicators that can be used to hunt for the killing of SQL processes.
🔗
More details will follow in the upcoming blog!
I have given the #KQL @MISPProject implementation an update. If you are looking for KQL MISP queries then have a look at the repository. Both Sentinel and MDE are included.
If you have an incident on a device and want to know what other malicious activities have happened without going through the full timeline, use this #KQL query to quickly list a summary of malicious activities from that device and determine the next steps.
Three new #KQL queries have been added to the repository.
1. @abuse_ch's botnet IOC detection
2. Visualization - Unauthorized Login attempts by domain and username
3. Visualization - Logon failure reasons
#MDE #Sentinel
New #KQL functions! 🛡️ I have added a new section for KQL functions. The following functions that I often use have been added:
IsDomainController()
ListDomainControllers()
LastPowerShellExecutions()
UserRiskStatus()
For the functions see:
#MDE #Sentinel
Two new #kql detections have been added to the repo. Both based on #MDE data.
1. Qakbot post compromise commands executed.
2. AnyDesk remote connection made
#Qakbot #CyberSecurity
Created new #KQL queries based on the post-exploitation activities of actors abusing the ScreenConnect vulnerability.
1. PowerShell Invoke-Webrequest:
2. Certutil Remote Download:
Blog and more queries follow soon! Happy hunting!🏹
📚 New Blog:
Sentinel Automation Part 1: Enriching Sentinel Incidents with KQL Results.
The blog includes two Sentinel Playbooks to automate your incidents:
- Device Enrichment
- Inbound Device Connections
Sentinel Playbooks:
Blog:
You probably ingest more into Sentinel than you know; friendly reminder to look at 'new' data sources to investigate by looking at the tables with the fewest events.
union *
| where TimeGenerated > ago(30d)
| summarize TotalEvents = count() by Type
| sort by TotalEvents asc
[New Blog 🛡 ] KQL Functions For Network Operations!
Data in Sentinel, MDE or ADX will contain columns with IPs. To be able to query the logs effectively, this blog explains functions that help you filter to get the right results quickly using #KQL.
🔗Link:
Do you want to hunt for CVE-2023-23397? Then remote SMB connections can be your starting point. Not only for this vulnerability, but in general you would not want devices to connect with SMB remotely.
#MDE #Sentinel
[New Blog 🛡️] The last part of the incident response series: Leveraging Live Response.
This blog will explore how LR can help you to perform IR in MDE. This will include useful commands and most interesting custom IR scripts.
#MicrosoftSecurity #MDE
This week in #MITREKQL: the tactic Execution. The list also includes two new #KQL queries. Execution is the first activity an adversary performs after getting initial access. See the 🧵for all queries!
#MDE #Sentinel
When using custom detection rules in MDE in which results have a column with hashes, try to use the FileProfile() function to enrich your results. This will return information about the prevalence and certificates. Note that there is a limit of 1000 lookups, so use it wisely.
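As an added example of the FileProfile() enrichment described above (not the author's query), the query below deduplicates executable hashes, keeps the rarest 500 so it stays under the 1,000-lookup limit, and enriches them with prevalence and certificate data; the lookback, the cap and the prevalence threshold are assumptions for illustration.

```kql
// Added example (not the author's query): enrich rarely seen executables with FileProfile().
// Hashes are deduplicated and capped before the lookup, because FileProfile() performs at most
// 1,000 lookups per query; the second argument sets the cap for this call.
DeviceProcessEvents
| where Timestamp > ago(1d)
| where isnotempty(SHA1)
| summarize LastSeen = max(Timestamp), Devices = dcount(DeviceId),
            ExamplePath = take_any(FolderPath) by SHA1, FileName
| top 500 by Devices asc            // rarest hashes in the tenant first, and at most 500 lookups
| invoke FileProfile(SHA1, 500)     // adds GlobalPrevalence, Signer, IsCertificateValid, ...
| where isnull(GlobalPrevalence) or GlobalPrevalence < 50   // assumed rarity threshold
| where isnull(IsCertificateValid) or IsCertificateValid == false
| project LastSeen, FileName, SHA1, Devices, ExamplePath, GlobalPrevalence,
          GlobalFirstSeen, Signer, IsCertificateValid, ThreatName
| order by GlobalPrevalence asc
```

Running the same lookup on raw, undeduplicated events would exhaust the limit on a busy tenant and silently leave rows unenriched.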
Do you want to get insight into the efficiency of your Sentinel detection rules? Just published a #KQL query to get insights into the TP/FP/BP statistics for each analytics rule to help prioritize detections that need attention.
#Sentinel
[New #KQL Queries!🛡️] Focused on some conditional access:
1. Deletion, Addition and updates of CA policies.
2. CA Application Failures
3. CA User Failures
4. Visualize SignIn Failures due to CA policies.
#MicrosoftSentinel
New #KQL Queries! 🚨 Played around with net(1).exe discovery activities:
1. Net Query Statistics, who is most queried?
2. Detect suspicious amounts of discovery activities
3. Local Group Discovery
4. Rare net parameter execution
🔗
Individual links in 🧵