├── Azure Identity Attacks
│   ├── Google Chrome Pass-The-Cookie MFA Bypass Detection
│   ├── Pass-The-Cookie General Detection
│   └── Pass-The-PRT Attack
├── Credential Access | Harvesting
│   ├── Detect Accounts using Network NTLM Authentication Request
│   ├── Detect Clear-Text Credential Enumeration in PowerShell Scripts
│   ├── Detect Possible Credential Manager Exfiltration
│   ├── Detect Possible WDigest Downgrade Attacks
│   ├── Detect SSP Credential Dumping Attempts
│   ├── Detect Windows AutoLogon Credential Tampering
│   ├── Detect overall Credential Attacks based on MDE Intelligence
│   ├── Find Basic Credential Dumping Binaries
│   ├── Finding Clear-Text WIFI Credentials
│   ├── Local SAM & SYSTEM Registry Exfiltration
│   └── Local User Creation with Possible Clear-Text Credentials
├── Domain Enumeration
│   ├── Basic Domain Enumeration Detection
│   ├── Bloodhound Binary Detection
│   ├── Clear-Text Credentials in net.exe Argument
│   ├── Credentials Exfiltration Binaries Detection
│   ├── Evil-WinRM Detection
│   ├── LDAP Clear-Text Credentials Over Network
│   ├── LSASS ProcDump Detection
│   ├── Local AS-REP Roasting Detection
│   ├── PowerShell Creation of Credential Objects
│   ├── PsExec File Creation
│   ├── Remote AS-REP Roasting Detection
│   ├── SMB Enumeration Detection
│   └── Windows Privilege Escalation Automation Script Detection
├── Fileless Attacks | One-Liners
│   ├── Bitsadmin Remote Connection Detection
│   ├── Certutil Remote Activity Detection
│   ├── Office 365 Macro & DDE One-Liners
│   ├── PowerShell Base64 Arguments Detection
│   └── PowerShell Remote URL Calls
├── Persistence
│   ├── Malicious Powershell Service
│   ├── Scheduled Tasks
│   ├── Suspicious Registry Key Added
│   └── Windows Startup Files
├── README.md
└── atp.jpg

/Azure Identity Attacks/Google Chrome Pass-The-Cookie MFA Bypass Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Azure Identity Attacks/Google Chrome Pass-The-Cookie MFA Bypass Detection
--------------------------------------------------------------------------------

/Azure Identity Attacks/Pass-The-Cookie General Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Azure Identity Attacks/Pass-The-Cookie General Detection
--------------------------------------------------------------------------------

/Azure Identity Attacks/Pass-The-PRT Attack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Azure Identity Attacks/Pass-The-PRT Attack
--------------------------------------------------------------------------------

/Credential Access | Harvesting/Detect Accounts using Network NTLM Authentication Request:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Credential Access | Harvesting/Detect Accounts using Network NTLM Authentication Request
--------------------------------------------------------------------------------

/Credential Access | Harvesting/Detect Clear-Text Credential Enumeration in PowerShell Scripts:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Credential Access | Harvesting/Detect Clear-Text Credential Enumeration in PowerShell Scripts
--------------------------------------------------------------------------------

/Credential Access | Harvesting/Detect Possible Credential Manager Exfiltration:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Credential Access | Harvesting/Detect Possible Credential Manager Exfiltration
--------------------------------------------------------------------------------

/Credential Access | Harvesting/Detect Possible WDigest Downgrade Attacks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Credential Access | Harvesting/Detect Possible WDigest Downgrade Attacks
--------------------------------------------------------------------------------

/Credential Access | Harvesting/Detect SSP Credential Dumping Attempts:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Credential Access | Harvesting/Detect SSP Credential Dumping Attempts
--------------------------------------------------------------------------------

/Credential Access | Harvesting/Detect Windows AutoLogon Credential Tampering:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Credential Access | Harvesting/Detect Windows AutoLogon Credential Tampering
--------------------------------------------------------------------------------

/Credential Access | Harvesting/Detect overall Credential Attacks based on MDE Intelligence:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Credential Access | Harvesting/Detect overall Credential Attacks based on MDE Intelligence
--------------------------------------------------------------------------------

/Credential Access | Harvesting/Find Basic Credential Dumping Binaries:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Credential Access | Harvesting/Find Basic Credential Dumping Binaries
--------------------------------------------------------------------------------

/Credential Access | Harvesting/Finding Clear-Text WIFI Credentials:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Credential Access | Harvesting/Finding Clear-Text WIFI Credentials
--------------------------------------------------------------------------------

/Credential Access | Harvesting/Local SAM & SYSTEM Registry Exfiltration:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Credential Access | Harvesting/Local SAM & SYSTEM Registry Exfiltration
--------------------------------------------------------------------------------

/Credential Access | Harvesting/Local User Creation with Possible Clear-Text Credentials:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Credential Access | Harvesting/Local User Creation with Possible Clear-Text Credentials
--------------------------------------------------------------------------------

/Domain Enumeration/Basic Domain Enumeration Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/Basic Domain Enumeration Detection
--------------------------------------------------------------------------------

/Domain Enumeration/Bloodhound Binary Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/Bloodhound Binary Detection
--------------------------------------------------------------------------------

/Domain Enumeration/Clear-Text Credentials in net.exe Argument:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/Clear-Text Credentials in net.exe Argument
--------------------------------------------------------------------------------

/Domain Enumeration/Credentials Exfiltration Binaries Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/Credentials Exfiltration Binaries Detection
--------------------------------------------------------------------------------

/Domain Enumeration/Evil-WinRM Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/Evil-WinRM Detection
--------------------------------------------------------------------------------

/Domain Enumeration/LDAP Clear-Text Credentials Over Network:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/LDAP Clear-Text Credentials Over Network
--------------------------------------------------------------------------------

/Domain Enumeration/LSASS ProcDump Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/LSASS ProcDump Detection
--------------------------------------------------------------------------------

/Domain Enumeration/Local AS-REP Roasting Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/Local AS-REP Roasting Detection
--------------------------------------------------------------------------------

/Domain Enumeration/PowerShell Creation of Credential Objects:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/PowerShell Creation of Credential Objects
--------------------------------------------------------------------------------

/Domain Enumeration/PsExec File Creation:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/PsExec File Creation
--------------------------------------------------------------------------------

/Domain Enumeration/Remote AS-REP Roasting Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/Remote AS-REP Roasting Detection
--------------------------------------------------------------------------------

/Domain Enumeration/SMB Enumeration Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/SMB Enumeration Detection
--------------------------------------------------------------------------------

/Domain Enumeration/Windows Privilege Escalation Automation Script Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Domain Enumeration/Windows Privilege Escalation Automation Script Detection
--------------------------------------------------------------------------------

/Fileless Attacks | One-Liners/Bitsadmin Remote Connection Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Fileless Attacks | One-Liners/Bitsadmin Remote Connection Detection
--------------------------------------------------------------------------------

/Fileless Attacks | One-Liners/Certutil Remote Activity Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Fileless Attacks | One-Liners/Certutil Remote Activity Detection
--------------------------------------------------------------------------------

/Fileless Attacks | One-Liners/Office 365 Macro & DDE One-Liners:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Fileless Attacks | One-Liners/Office 365 Macro & DDE One-Liners
--------------------------------------------------------------------------------

/Fileless Attacks | One-Liners/PowerShell Base64 Arguments Detection:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Fileless Attacks | One-Liners/PowerShell Base64 Arguments Detection
--------------------------------------------------------------------------------

/Fileless Attacks | One-Liners/PowerShell Remote URL Calls:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Fileless Attacks | One-Liners/PowerShell Remote URL Calls
--------------------------------------------------------------------------------

/Persistence/Malicious Powershell Service:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Persistence/Malicious Powershell Service
--------------------------------------------------------------------------------

/Persistence/Scheduled Tasks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Persistence/Scheduled Tasks
--------------------------------------------------------------------------------

/Persistence/Suspicious Registry Key Added:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Persistence/Suspicious Registry Key Added
--------------------------------------------------------------------------------

/Persistence/Windows Startup Files:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/Persistence/Windows Startup Files
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/README.md
--------------------------------------------------------------------------------

/atp.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RoqueNight/DefenderATP-Proactive-Threat-Hunting-Queries-KQL/HEAD/atp.jpg
--------------------------------------------------------------------------------