# MITRE ATT&CK Mapping

This page includes the mapping of KQL queries to the [MITRE ATT&CK](https://attack.mitre.org/) framework. The framework is a knowledge base of adversary tactics and techniques based on real-world observations.

This section only includes references to queries that can be mapped to a MITRE ATT&CK technique. The Reconnaissance and Resource Development tactics are out of scope.

## Initial Access

| Technique ID | Title    | Query    |
| ---  | --- | --- |

## Execution

| Technique ID | Title    | Query    |
| ---  | --- | --- |
| T1546.003 | Windows Management Instrumentation Event Subscription | [WMI Event Subscriptions](../Defender%20For%20Endpoint/MDE-WMIEventSubscription.md) |

## Persistence

| Technique ID | Title    | Query    |
| ---  | --- | --- |

## Privilege Escalation

| Technique ID | Title    | Query    |
| ---  | --- | --- |

## Defense Evasion

| Technique ID | Title    | Query    |
| ---  | --- | --- |
| T1564.004 | Hide Artifacts: NTFS File Attributes | [NTFS File Attributes - alternate data streams](../Defender%20For%20Endpoint/MDE-NTFS%20File%20Attributes%20-%20alternate%20data%20streams.md) |
| T1484.001 | Domain Policy Modification: Group Policy Modification | [AD Group Policy changes on devices](../Defender%20For%20Endpoint/MDE-GroupPolicyModificationEvents.md) |

## Credential Access

| Technique ID | Title    | Query    |
| ---  | --- | --- |
| T1110.003 | Brute Force: Password Spraying | [password spray attacks](/Defender%20365/MD365-PasswordSprayAttacks.md) |

## Discovery

| Technique ID | Title    | Query    |
| ---  | --- | --- |

## Lateral Movement

| Technique ID | Title    | Query    |
| ---  | --- | --- |

## Collection

| Technique ID | Title    | Query    |
| ---  | --- | --- |

## Command and Control

| Technique ID | Title    | Query    |
| ---  | --- | --- |

## Exfiltration

| Technique ID | Title    | Query    |
| ---  | --- | --- |

## Impact

| Technique ID | Title    | Query    |
| ---  | --- | --- |



Alex Verboon

Released: September 17, 2023
