├── Template.md
├── Microsoft Entra ID
    ├── User elevated to User Access Administrator.md
    ├── Monitor break the glass Groups.md
    └── Monitor Privileged Role Assignments.md
├── Microsoft 365 Defender For Office 365
    └── Detect Inbound Phish With Base64 Encoded Receipient.md
├── LICENSE
├── Vulnerabilty Management
    └── Curl-CVE-2023-38545.md
└── README.md


/Template.md:
--------------------------------------------------------------------------------
 1 | # TITLE
 2 | 
 3 | ## Query Information
 4 | 
 5 | ### MITRE ATT&CK Technique(s)
 6 | 
 7 | | Technique ID | Title    | Link    |
 8 | | ---  | --- | --- |
 9 | | T1110.003 | Credential Access: Brute Force: Password Spraying | https://attack.mitre.org/techniques/T1110/003/ |
10 | 
11 | ### Description
12 | 
13 | DESCRIPTION
14 | 
15 | 
16 | #### References
17 | 
18 | 
19 | 
20 | ### Microsoft 365 Defender
21 | 
22 | 
23 | 
24 | 
25 | ```kql
26 | ```
27 | 


--------------------------------------------------------------------------------
/Microsoft Entra ID/User elevated to User Access Administrator.md:
--------------------------------------------------------------------------------
 1 | # User elevated to User Access Administrator
 2 | 
 3 | ## Query Information
 4 | 
 5 | ### MITRE ATT&CK Technique(s)
 6 | 
 7 | | Technique ID | Title    | Link    |
 8 | | ---  | --- | --- |
 9 | | T1098.003 | Additional Cloud Roles | https://attack.mitre.org/techniques/T1098/003/ |
10 | 
11 | ### Description
12 | 
13 | This hunting query detects the elevation to User Access Administrator. This built-in role allows the user to assign themselves or others the Owner role to all subscriptions within a tenant.
14 | 
15 | #### References
16 | 
17 | ### Microsoft Sentinel
18 | 
19 | ```
20 | arg("").authorizationresources
21 | | where properties.roleDefinitionId == "/providers/Microsoft.Authorization/RoleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
22 | ```
23 | 


--------------------------------------------------------------------------------
/Microsoft 365 Defender For Office 365/Detect Inbound Phish With Base64 Encoded Receipient.md:
--------------------------------------------------------------------------------
 1 | # Detect Inbound Phish With Base64 Encoded Receipient
 2 | 
 3 | ## Query Information
 4 | 
 5 | ### MITRE ATT&CK Technique(s)
 6 | 
 7 | | Technique ID | Title    | Link    |
 8 | | ---  | --- | --- |
 9 | | T1566.002 | Spearphishing Link | https://attack.mitre.org/techniques/T1566/002/ |
10 | 
11 | ### Description
12 | 
13 | This hunting query detects inbound E-mails which have not deliverd to quarantine, which contain URL's with base 64 encoded receipients E-mail address. 
14 | 
15 | #### References
16 | 
17 | ### Microsoft 365 Defender
18 | 
19 | ```
20 | EmailEvents
21 | | where EmailDirection == "Inbound"
22 |     and not(DeliveryLocation  == "Quarantine")
23 | | where AuthenticationDetails has_any("temperror","none","fail","softfail")
24 |     and UrlCount > 0
25 | | extend B64 = base64_encode_tostring(RecipientEmailAddress)
26 | | join kind=inner EmailUrlInfo on NetworkMessageId
27 | | where Url contains B64
28 | | project-away *1
29 | | join kind=leftouter UrlClickEvents on NetworkMessageId
30 | ```
31 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 3-Clause License
 2 | 
 3 | Copyright (c) 2023, KustoKing
 4 | 
 5 | Redistribution and use in source and binary forms, with or without
 6 | modification, are permitted provided that the following conditions are met:
 7 | 
 8 | 1. Redistributions of source code must retain the above copyright notice, this
 9 |    list of conditions and the following disclaimer.
10 | 
11 | 2. Redistributions in binary form must reproduce the above copyright notice,
12 |    this list of conditions and the following disclaimer in the documentation
13 |    and/or other materials provided with the distribution.
14 | 
15 | 3. Neither the name of the copyright holder nor the names of its
16 |    contributors may be used to endorse or promote products derived from
17 |    this software without specific prior written permission.
18 | 
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 | 


--------------------------------------------------------------------------------
/Vulnerabilty Management/Curl-CVE-2023-38545.md:
--------------------------------------------------------------------------------
 1 | # CURL High Severity Vulnerability
 2 | 
 3 | ## Query Information
 4 | 
 5 | #### Description
 6 | The maintainers of curl have informed us about two vulnerabilities in the software that will be fixed on the 11th of october. CVE-2023-38545 has a high serverity and affects both libcurl and the curl tool. This page can help you identify systems that run curl beforehand, in order for you to take imidiate action if needed. As advised by multiple security organisations your company should create an inventory of all systems that run curl. This can be done by running the following queries in Defender For Endpoint.
 7 | 
 8 | ### Defender For Endpoint
 9 | ```
10 | search 
11 |     InitiatingProcessFileName:"curl.exe" or 
12 |     InitiatingProcessVersionInfoOriginalFileName:"curl.exe" or 
13 |     ProcessVersionInfoOriginalFileName:"curl.exe" or 
14 |     ProcessVersionInfoInternalFileName:"curl" or 
15 |     InitiatingProcessVersionInfoInternalFileName:"curl"
16 | | distinct $table
17 | ```
18 | 
19 | ### Defender For Endpoint
20 | ```
21 | DeviceNetworkEvents
22 | | where ActionType endswith "ConnectionInspected"
23 | | where AdditionalFields contains "curl"
24 | | extend UserAgent = parse_json(AdditionalFields).user_agent
25 | | where UserAgent contains "curl"
26 | ```
27 | 
28 | #### References
29 | - https://www.kustoking.com/hunting-for-curl/
30 | - https://www.rezilion.com/blog/cve-2023-38545-a-high-severity-curl-and-libcurl-cve-to-be-published-on-october-11th/
31 | - https://blog.qualys.com/vulnerabilities-threat-research/2023/10/05/curl-8-4-0-proactively-identifying-potential-vulnerable-assets
32 | - https://www.docker.com/blog/security-advisory-high-severity-curl-vulnerability/
33 | 
34 | 


--------------------------------------------------------------------------------
/Microsoft Entra ID/Monitor break the glass Groups.md:
--------------------------------------------------------------------------------
 1 | # Monitor break the glass Groups
 2 | 
 3 | ## Query Information
 4 | 
 5 | ### MITRE ATT&CK Technique(s)
 6 | 
 7 | | Technique ID | Title    | Link    |
 8 | | ---  | --- | --- |
 9 | | T1098.003 | Additional Cloud Roles | https://attack.mitre.org/techniques/T1098/003/ |
10 | 
11 | ### Description
12 | 
13 | This hunting query monitors for additions and removals of users in groups designated for break-glass accounts, specifically by tracking defined group IDs. Break-glass accounts are high-privilege accounts intended for emergency access, typically restricted to critical administrators. Unauthorized changes to these groups could indicate privilege escalation or improper configuration, presenting a security risk if malicious actors add themselves or others to gain elevated permissions. The query tracks changes in membership over time, calculating the duration users remain in these sensitive groups and ensuring that break-glass privileges are granted only as needed and appropriately removed. By focusing on specific group IDs, this query provides targeted visibility into critical access controls.
14 | 
15 | #### References
16 | 
17 | ### Microsoft Sentinel
18 | 
19 | ```
20 | let BreakGlass = dynamic(["GUID"]);
21 | AuditLogs
22 | | where TimeGenerated > ago(730d)
23 | | where OperationName in("Add member to group", "Remove member from group")
24 | | where TargetResources has_any (BreakGlass)
25 | | project TimeGenerated, AADTenantId, TargetResources, OperationName, InitiatedBy
26 | | extend
27 |     TargetId    = tostring(TargetResources[0].id),
28 |     TargetUser  = tostring(TargetResources[0].userPrincipalName),
29 |     TargetGroup = trim('"', tostring(coalesce(TargetResources[0].modifiedProperties[0].oldValue, TargetResources[0].modifiedProperties[0].newValue))),
30 |     SourceId    = tostring(InitiatedBy.user.id),
31 |     SourceUser  = tostring(InitiatedBy.user.userPrincipalName),
32 |     SourceIP    = tostring(InitiatedBy.user.ipAddress)
33 | | project-away TargetResources, InitiatedBy
34 | | where TargetGroup in (BreakGlass)
35 | | sort by TargetId asc, TimeGenerated asc
36 | | scan with_match_id=Funnel declare (AddedDate: datetime, RemovedDate: datetime) with (
37 |     step Added: OperationName == "Add member to group" => AddedDate = TimeGenerated;
38 |     step Removed: OperationName == "Remove member from group" and TargetId == Added.TargetId and TargetGroup == Added.TargetGroup => RemovedDate = TimeGenerated, AddedDate = Added.TimeGenerated;
39 | )
40 | | summarize arg_max(TimeGenerated, *) by Funnel, TargetId, TargetGroup
41 | | extend HoursInGroup = case (isnotempty(RemovedDate), datetime_diff('hour', RemovedDate, AddedDate), datetime_diff('hour', now(), AddedDate))
42 | ```
43 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Hunting-Queries-Detection-Rules
 2 | KQL Detections for Microsoft Sentinel and Microsoft 365 Defender
 3 | 
 4 | # KQL for Defender For Endpoint & Microsoft Sentinel
 5 | The purpose of this repository is to share KQL queries that can be used by anyone and are understandable. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of those activities can be made detectable through the logs. These queries include Detection Rules, Hunting Queries and Visualisations. Anyone is free to use the queries. If you have any questions feel free to reach out to me on twitter [@castello_johnny](https://twitter.com/castello_johnny). 
 6 | 
 7 | **Presenting this material as your own is illegal and forbidden. A reference to Twitter [@castello_johnny](https://twitter.com/castello_johnny) or Github [KustoKing](https://github.com/KustoKing/Hunting-Queries-Detection-Rules) is much appriciated when sharing or using the content.**
 8 | 
 9 | # Credits
10 | 
11 | [@castello_johnny](https://twitter.com/castello_johnny) - The content structure of this repository was adopted from [KustoKings's KQL repository](https://github.com/KustoKing/Hunting-Queries-Detection-Rules)
12 | 
13 | KQL Queries: While I have personally authored the majority of the KQL queries stored here, it is important to note that as I continue to collect queries in my daily work, the repository may also include KQL code contributed by others. I make every effort to acknowledge and credit the original creators whenever I have information about them.
14 | 
15 | In addition to the queries I have written myself, it's worth mentioning that certain queries within the repository may be direct copies of those found in Microsoft's online documentation and blog posts.
16 | 
17 | # KQL Categories
18 | 
19 | The queries in this repository are split into different categories. The MITRE ATT&CK category contains a list of queries mapped to the tactics of the MITRE Framwork. The product section contains queries specific to Microsoft security products. 
20 | 
21 | ## Products
22 | 
23 | - [Active Directory](./Active%20Directory/)
24 | - [Microsoft 365 Defender](./Microsoft%20365%20Defender/)
25 | - [Microsoft 365 Defender For Endpoint](./Microsoft%20365%20Defender%20For%20Endpoint/)
26 | - [Microsoft 365 Defender For Identity](./Microsoft%20365%20Defender%20For%20Identity)
27 | - [Microsoft 365 Defender For Cloud Apps](./Microsoft%20365%20Defender%20For%20Cloud%20Apps)
28 | - [Microsoft 365 Defender For Office 365](./Microsoft%20365%20Defender%20For%20Office%20365/)
29 | - [Microosft 365 Defender External Attack Surface Management](./Microsoft%20365%20Defender%20External%20Attack%20Surface%20Management/)
30 | - [Microsoft Entra ID](./Microsoft%20Entra%20ID)
31 | - [Microsoft Sentinel](./Microsoft%20Sentinel)
32 | - [Vulnerability Management](./Vulnerability%20Management)
33 | 


--------------------------------------------------------------------------------
/Microsoft Entra ID/Monitor Privileged Role Assignments.md:
--------------------------------------------------------------------------------
 1 | # Monitor Privileged Role Assignments
 2 | 
 3 | ## Query Information
 4 | 
 5 | ### MITRE ATT&CK Technique(s)
 6 | 
 7 | | Technique ID | Title    | Link    |
 8 | | ---  | --- | --- |
 9 | | T1098.001 | Account Manipulation: Additional Cloud Roles | https://attack.mitre.org/techniques/T1098/001/ |
10 | 
11 | ### Description
12 | 
13 | This hunting query identifies additions of users to privileged roles, specifically focusing on high-risk and administrative roles. Privileged roles grant elevated permissions, and unauthorized assignments can lead to privilege escalation or compromise of critical systems. The query detects both time-bound and permanent role assignments, allowing security teams to investigate potential misuse or abuse of administrative privileges. By monitoring defined roles using a comprehensive list of role GUIDs, this query ensures visibility into changes to sensitive role assignments across the organization. It also provides insight into the initiator of the action and the target user, helping to ensure accountability and traceability of privilege changes.
14 | 
15 | #### References
16 | 
17 | - [Entra ID Privileged Roles](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference)
18 | 
19 | ### Microsoft Sentinel Query
20 | 
21 | ```kql
22 | let PrivilegedRoles = datatable(RoleName:string, RoleGuid:string)
23 | [
24 | "Application Administrator", "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
25 | "Application Developer", "cf1c38e5-3621-4004-a7cb-879624dced7c",
26 | "Authentication Administrator", "c4e39bd9-1100-46d3-8c65-fb160da0071f",
27 | "Authentication Extensibility Administrator", "25a516ed-2fa0-40ea-a2d0-12923a21473a",
28 | "B2C IEF Keyset Administrator", "aaf43236-0c0d-4d5f-883a-6955382ac081",
29 | "Cloud Application Administrator", "158c047a-c907-4556-b7ef-446551a6b5f7",
30 | "Cloud Device Administrator", "7698a772-787b-4ac8-901f-60d6b08affd2",
31 | "Conditional Access Administrator", "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
32 | "Directory Writers", "9360feb5-f418-4baa-8175-e2a00bac4301",
33 | "Domain Name Administrator", "8329153b-31d0-4727-b945-745eb3bc5f31",
34 | "External Identity Provider Administrator", "be2f45a1-457d-42af-a067-6ec1fa63bc45",
35 | "Global Administrator", "62e90394-69f5-4237-9190-012177145e10",
36 | "Global Reader", "f2ef992c-3afb-46b9-b7cf-a126ee74c451",
37 | "Helpdesk Administrator", "729827e3-9c14-49f7-bb1b-9608f156bbb8",
38 | "Hybrid Identity Administrator", "8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2",
39 | "Intune Administrator", "3a2c62db-5318-420d-8d74-23affee5d9d5",
40 | "Lifecycle Workflows Administrator", "59d46f88-662b-457b-bceb-5c3809e5908f",
41 | "Password Administrator", "966707d0-3269-4727-9be2-8c3a10f19b9d",
42 | "Privileged Authentication Administrator", "7be44c8a-adaf-4e2a-84d6-ab2649e08a13",
43 | "Privileged Role Administrator", "e8611ab8-c189-46e8-94e1-60213ab1f814",
44 | "Security Administrator", "194ae4cb-b126-40b2-bd5b-6091b380977d",
45 | "Security Operator", "5f2222b1-57c3-48ba-8ad5-d4759f1fde6f",
46 | "Security Reader", "5d6b6bb7-de71-4623-b4af-96380a352509",
47 | "User Administrator", "fe930be7-5e62-47db-91af-98c3a49a38b1"
48 | ];
49 | AuditLogs
50 | | where TimeGenerated > ago(730d)
51 | | where OperationName has_all ("add","member to role","completed")
52 | | where OperationName has_any('timebound','permanent')
53 | | where TargetResources has_any(PrivilegedRoles | project RoleGuid)
54 | | project TimeGenerated, AADTenantId,TargetResources, OperationName, InitiatedBy, AdditionalDetails
55 | | extend
56 |     TargetId = tostring(TargetResources[2].id),
57 |     TargetType = tostring(TargetResources[2].type),
58 |     TargetUser = tostring(TargetResources[2].userPrincipalName),
59 |     TargetDisplayName = tostring(TargetResources[2].displayName),
60 |     TargetRole = tostring(TargetResources[0].displayName),
61 |     SourceId = tostring(InitiatedBy.user.id),
62 |     SourceUser = tostring(InitiatedBy.user.userPrincipalName),
63 |     SourceDisplayName = tostring(InitiatedBy.user.displayName)
64 | | parse AdditionalDetails with * 'ipaddr","value":"' IPAdress '"' *
65 | | project-away InitiatedBy, AdditionalDetails, TargetResources
66 | ```


--------------------------------------------------------------------------------