You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.
msuserstats is a comprehensive powershell tool to manage accounts from Microsoft EntraID and Active Directory. It supports: a unified view on users across EntraID and AD; allows to find the latest sign-in from both worlds; reports on MFA methods and can support enforcement of MFA.
Used to create a new calculated column and add it to the result set
Perf | extend AlertThreshold = 80
count
Calculates the number of records in a table
SecurityAlert | count()
join
Combines data from multiple tables based on common columns
LeftTable | join [JoinParameters] ( RightTable ) on Attributes
union
Combines two or more tables and returns all their rows
OfficeActivity | union SecurityEvent
range
Specifies a time range for your query
range LastWeek from ago(7d) to now() step 1d
summarize
Aggregates data based on specified columns and aggregation functions
Perf | summarize count() by CounterName
top
Returns the top N records based on a specified column (optional)
SigninLogs | top 5 by TimeGenerated desc
parse
Evaluates a string expression and parses its value into one or more calculated columns using regular expressions. And used for structuring unstructured data
parse kind=regex Col with * var1:string var2:long
render
Renders results as a graphical output
`SecurityEvent
distinct
Removes duplicate records from the table and returns a table with a distinct combination of the provided columns
SecurityEvent | distinct Account , Activity
bin
Rounds all values in a timeframe and groups them
bin(StartTime, 1d)
let
Allows you to create and set a variable or assign a name to an expression
let aWeekAgo = ago(7d);SigninLogs | where TimeGenerated >= aWeekAgo
Detect Credential Dumping via Suspicious Modules
DeviceImageLoadEvents| where InitiatingProcessFileName in~ ("mimikatz.exe", "procdump.exe")| where FileName in~ ("dbgcore.dll", "comsvcs.dll")
Detect LSASS Memory Access
DeviceProcessEvents| where FileName in~ ("procdump.exe", "mimikatz.exe", "taskmgr.exe")| where ProcessCommandLine contains "lsass"
Unusual Access to SAM/SECURITY/NTDS Files
DeviceFileEvents| where FileName in~ ("SAM", "SECURITY", "SYSTEM", "ntds.dit")| where FolderPath has_any ("\\Windows\\System32\\config", "C:\\Windows\\NTDS")| where ActionType == "FileRead"
PowerShell Commands Related to Credential Dumping
DeviceProcessEvents| where FileName =~ "powershell.exe"| where ProcessCommandLine has_any ("Get-Credential", "Invoke-Mimikatz", "DumpCreds", "lsass")| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
File Creations and Modifications
DeviceFileEvents| where DeviceName contains "<RHOST>"| where ActionType has_any("FileCreated", "FileModified")| project Timestamp, ActionType, FileName, FolderPath, InitiatingProcessFileName| sort by Timestamp desc
Successful Sign-Ins
SigninLogs| where UserPrincipalName contains "<USERNAME>@<DOMAIN>"| where ResultSignature contains "SUCCESS"| project TimeGenerated, IPAddress, Location, AppDisplayName, UserAgent| sort by TimeGenerated desc
Blast Radius Assessment (Lateral Movement)
let lookback = 2h;DeviceProcessEvents| where Timestamp > ago(lookback)| summarize hosts=make_set(DeviceName), executions=count() by FileName, FolderPath| where FileName contains "<FILE>"| where array_length(hosts) > 1| order by executions desc
DeviceLogonEvents| where AccountName containss "<USERNAME>"| where ActionType == "LogonSuccess"| summarize LastLogon = max(Timestamp), LogonCount = count() by DeviceName, LogonType| sort by LastLogon desc
Identifying Outbound C2 "Heartbeats"
DeviceNetworkEvents| where DeviceName contains "<RHOST>"| where RemoteIPType == "Public"| summarize ConnectionCount = count(), UniquePorts = dcount(RemotePort), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by RemoteIP, RemoteUrl| where ConnectionCount > 5| sort by ConnectionCount desc
Common Persistence Mechanisms
DeviceRegistryEvents| where DeviceName contains "<RHOST>"| where RegistryKey contains @"\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains @"\\Microsoft\\Windows\\CurrentVersion\\RunOnce"| where ActionType == "RegistryValueSet"| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessFileName| sort by Timestamp desc
DeviceProcessEvents| where DeviceName contains "<RHOST>"| where FileName =~ "schtasks.exe"| where ProcessCommandLine has_any("/create", "/change", "/run")| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName| sort by Timestamp desc
Named Pipes
Common Named Pipes
Named Pipe
Name
Description
\PIPE\svcctl
Service Control Manager (SCM)
Manages system services remotely, allowing control over starting, stopping, and configuring services. Attackers may use this to manipulate services for persistence or remote command execution.
\PIPE\samr
Security Account Manager (SAM)
Provides access to the SAM database, which stores user credentials. Often used by attackers to enumerate accounts or retrieve password hashes.
\PIPE\netlogon
Netlogon Service
Used for authentication and domain trust operations. Attackers can exploit it to perform pass-the-hash attacks or gain unauthorized domain access.
\PIPE\lsarpc
Local Security Authority Remote Procedure Call (LSARPC)
Grants access to security policies and account privileges. Attackers might use this pipe to gather information on security configurations and user privileges.
\PIPE\atsvc
AT Service / Task Scheduler
Facilitates remote task scheduling, often abused by attackers to execute commands on a remote system at specified times. Commonly used for persistence, lateral movement, and privilege escalation.
\PIPE\eventlog
Event Log Service
Manages event logging. Attackers may interact with this to clear or manipulate event logs to hide their tracks after malicious actions.
\PIPE\spoolss
Print Spooler Service
Manages print jobs. Historically vulnerable (e.g., PrintNightmare), making it a target for remote code execution and lateral movement.
\PIPE\wmi
Windows Management Instrumentation (WMI)
Provides an interface for querying and managing system configurations. Attackers use WMI for remote system management, often for enumeration or remote command execution.
\PIPE\browser
Browser Service
Supports network browsing and domain controller location services. Attackers may use it to identify network hosts and domains.
\PIPE\msrpc
Microsoft RPC Endpoint Mapper
Acts as a gateway for RPC-based services. The pipe provides access to various RPC services, making it a high-value target for attackers to gain access to multiple functions.
Hexadecimal Notation
5c:00:50:00:49:00:50:00:45
5c:00: The Unicode encoding for the character \ (backslash).50:00: The Unicode encoding for the character P.49:00: The Unicode encoding for the character I.50:00: The Unicode encoding for the character P.45:00: The Unicode encoding for the character E.