├── Azure
│   └── Oauth
│       ├── CylarisTRG-MaliciousAppAuth_EmailLinkClicked.json
│       └── CylarisTRG-MaliciousAppAuth_LinkVisited.json
├── CNAME
├── LICENSE
├── README.md
├── articles
│   └── readme.md
├── helpful
│   ├── dataexfilview.json
│   ├── impossibletravelview.json
│   ├── logSource-tableVolume.json
│   ├── phishing-join-context.json
│   └── phishingorsomething.json
├── lolbas
│   ├── lol-appinstaller-sentinel-kql.txt
│   ├── lol-bitsadmin-abuse-download.json
│   ├── lol-certutil-abuse-download.json
│   ├── lol-cscript-ads-sentinel-kql.txt
│   └── lol-findstr-abuse-sentinel-kql
├── malwaretracking
│   ├── hafnium
│   │   └── hafnium-ioc-disclosed-mar-21.txt
│   ├── qakbot
│   │   ├── CylairsTRG-QBot-ObamaBotnet200+.json
│   │   └── CylarisTRG-QBot-ObamaBotnet-KQL-200.json
│   ├── ransomware
│   │   └── CylarisTRG-BlackCat-Ransomware-Indicators-KQL.json
│   └── readme.md
├── threathunting
│   ├── phishing
│   │   ├── CylarisTRG-TH-Browser-Spawn-URLClick.json
│   │   └── CylarisTRG-TH-LinkTracker-KQL.json
│   └── readme.md
├── threatintel
│   └── scraping
│       ├── cti-twitter-ioc-ingestion.json
│       └── cti-twitter-ioc-mapping.json
└── vulnerabilities
    ├── CVE-2021-28310[DWM]
    │   └── CylarisTRG-Mitigations-and-Sysmon-Detection.json
    ├── CVE-2022-30190[FOLLINA]
    │   ├── CylarisTRG-Follina-Abnormal-Request.json
    │   └── CylarisTRG-Follina-Spawn-Tree-Indicators.json
    └── CVE-2022-40140[ProxyNotShell]
        ├── CylarisTRG-ProxyNotShell-Exploit-Sysmon-Indicators-KQL.json
        └── ProxyNotShellCylarisTRG-ProxyNotShell-Exploit-W3CIISLog-Indicators-KQL.json

/Azure/Oauth/CylarisTRG-MaliciousAppAuth_EmailLinkClicked.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/Azure/Oauth/CylarisTRG-MaliciousAppAuth_EmailLinkClicked.json
--------------------------------------------------------------------------------

/Azure/Oauth/CylarisTRG-MaliciousAppAuth_LinkVisited.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/Azure/Oauth/CylarisTRG-MaliciousAppAuth_LinkVisited.json
--------------------------------------------------------------------------------

/CNAME:
--------------------------------------------------------------------------------
detections.cylaris.org
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/LICENSE
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/README.md
--------------------------------------------------------------------------------

/articles/readme.md:
--------------------------------------------------------------------------------
(empty file)
--------------------------------------------------------------------------------

/helpful/dataexfilview.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/helpful/dataexfilview.json
--------------------------------------------------------------------------------

/helpful/impossibletravelview.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/helpful/impossibletravelview.json
--------------------------------------------------------------------------------

/helpful/logSource-tableVolume.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/helpful/logSource-tableVolume.json
--------------------------------------------------------------------------------

/helpful/phishing-join-context.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/helpful/phishing-join-context.json
--------------------------------------------------------------------------------

/helpful/phishingorsomething.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/helpful/phishingorsomething.json
--------------------------------------------------------------------------------

/lolbas/lol-appinstaller-sentinel-kql.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/lolbas/lol-appinstaller-sentinel-kql.txt
--------------------------------------------------------------------------------

/lolbas/lol-bitsadmin-abuse-download.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/lolbas/lol-bitsadmin-abuse-download.json
--------------------------------------------------------------------------------

/lolbas/lol-certutil-abuse-download.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/lolbas/lol-certutil-abuse-download.json
--------------------------------------------------------------------------------

/lolbas/lol-cscript-ads-sentinel-kql.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/lolbas/lol-cscript-ads-sentinel-kql.txt
--------------------------------------------------------------------------------

/lolbas/lol-findstr-abuse-sentinel-kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/lolbas/lol-findstr-abuse-sentinel-kql
--------------------------------------------------------------------------------

/malwaretracking/hafnium/hafnium-ioc-disclosed-mar-21.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/malwaretracking/hafnium/hafnium-ioc-disclosed-mar-21.txt
--------------------------------------------------------------------------------

/malwaretracking/qakbot/CylairsTRG-QBot-ObamaBotnet200+.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/malwaretracking/qakbot/CylairsTRG-QBot-ObamaBotnet200+.json
--------------------------------------------------------------------------------

/malwaretracking/qakbot/CylarisTRG-QBot-ObamaBotnet-KQL-200.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/malwaretracking/qakbot/CylarisTRG-QBot-ObamaBotnet-KQL-200.json
--------------------------------------------------------------------------------

/malwaretracking/ransomware/CylarisTRG-BlackCat-Ransomware-Indicators-KQL.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/malwaretracking/ransomware/CylarisTRG-BlackCat-Ransomware-Indicators-KQL.json
--------------------------------------------------------------------------------

/malwaretracking/readme.md:
--------------------------------------------------------------------------------
(empty file)
--------------------------------------------------------------------------------

/threathunting/phishing/CylarisTRG-TH-Browser-Spawn-URLClick.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/threathunting/phishing/CylarisTRG-TH-Browser-Spawn-URLClick.json
--------------------------------------------------------------------------------

/threathunting/phishing/CylarisTRG-TH-LinkTracker-KQL.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/threathunting/phishing/CylarisTRG-TH-LinkTracker-KQL.json
--------------------------------------------------------------------------------

/threathunting/readme.md:
--------------------------------------------------------------------------------
(empty file)
--------------------------------------------------------------------------------

/threatintel/scraping/cti-twitter-ioc-ingestion.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/threatintel/scraping/cti-twitter-ioc-ingestion.json
--------------------------------------------------------------------------------

/threatintel/scraping/cti-twitter-ioc-mapping.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/threatintel/scraping/cti-twitter-ioc-mapping.json
--------------------------------------------------------------------------------

/vulnerabilities/CVE-2021-28310[DWM]/CylarisTRG-Mitigations-and-Sysmon-Detection.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/vulnerabilities/CVE-2021-28310[DWM]/CylarisTRG-Mitigations-and-Sysmon-Detection.json
--------------------------------------------------------------------------------

/vulnerabilities/CVE-2022-30190[FOLLINA]/CylarisTRG-Follina-Abnormal-Request.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/vulnerabilities/CVE-2022-30190[FOLLINA]/CylarisTRG-Follina-Abnormal-Request.json
--------------------------------------------------------------------------------

/vulnerabilities/CVE-2022-30190[FOLLINA]/CylarisTRG-Follina-Spawn-Tree-Indicators.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/vulnerabilities/CVE-2022-30190[FOLLINA]/CylarisTRG-Follina-Spawn-Tree-Indicators.json
--------------------------------------------------------------------------------

/vulnerabilities/CVE-2022-40140[ProxyNotShell]/CylarisTRG-ProxyNotShell-Exploit-Sysmon-Indicators-KQL.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/vulnerabilities/CVE-2022-40140[ProxyNotShell]/CylarisTRG-ProxyNotShell-Exploit-Sysmon-Indicators-KQL.json
--------------------------------------------------------------------------------

/vulnerabilities/CVE-2022-40140[ProxyNotShell]/ProxyNotShellCylarisTRG-ProxyNotShell-Exploit-W3CIISLog-Indicators-KQL.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cylaris/awesomekql/HEAD/vulnerabilities/CVE-2022-40140[ProxyNotShell]/ProxyNotShellCylarisTRG-ProxyNotShell-Exploit-W3CIISLog-Indicators-KQL.json
--------------------------------------------------------------------------------