MITRE ATT&CK Mapping
Mapping
Query
# MITRE ATT&CK Mapping This page includes the mapping of KQL queries to the [MITRE ATT&CK](https://attack.mitre.org/) framework. The framework is a knowledge base of adversary tactics and techniques based on real-world observations. This section only includes references to queries that can be mapped in the MITRE ATT&CK Framework. Reconnaissance and Resource Development are out of scope. ## Initial Access | Technique ID | Title | Query | | --- | --- | --- | ## Execution | Technique ID | Title | Query | | --- | --- | --- | | T1546.003 | Windows Management Instrumentation Event Subscription |[WMI Event Subscriptions](../Defender%20For%20Endpoint/MDE-WMIEventSubscription.md) | ## Persistence | Technique ID | Title | Query | | --- | --- | --- | | T1136.001 | Create Account: Local Account | [Create Local Account](../Defender%20For%20Endpoint/MDE-LocalAccountCreated.md) | | T1136.001 | Create Account: Local Account | [Create Local Account](../Defender%20For%20Endpoint/MDE-WindowsBuiltInGroupMemberChanges.md) | ## Privilege Escalation | Technique ID | Title | Query | | --- | --- | --- | ## Defense Evasion | Technique ID | Title | Query | | --- | --- | --- | | T1564.004 | Hide Artifacts: NTFS File Attributes | [NTFS File Attributes - alternate data streams](../Defender%20For%20Endpoint/MDE-NTFS%20File%20Attributes%20-%20alternate%20data%20streams.md) | | T1484.001 | Domain Policy Modification: Group Policy Modification | [AD Group Policy changes on devices](../Defender%20For%20Endpoint/MDE-GroupPolicyModificationEvents.md) | | T1562.001 | Impair Defenses: Disable or Modify Tools | [Defender Antivirus Exclusions](../Defender%20For%20Endpoint/MDE-DefenderAntivirusExclusions.md) | | T1562.004 | Impair Defenses: Disable or Modify System Firewall | [Defender Firewall Configurations](../Defender%20For%20Endpoint/DefenderFirewall//MDE-FirewallConfiguration.md) | | T1564.012 | Defense Evasion: Hide Artifacts: File/Path Exclusions | [Defender Antivirus Exclusion Enumeration](../Defender%20For%20Endpoint/MDE-DefenderExclusionsEnumerations.md) ## Credential Access | Technique ID | Title | Query | | --- | --- | --- | | T1110.003 | Brute Force: Password Spraying | [password spray attacks](/Defender%20365/MD365-PasswordSprayAttacks.md) | ## Discovery | Technique ID | Title | Query | | --- | --- | --- | | T1087.002 | Account Discovery - Domain Account | [Honey Token Accounts](../Defender%20For%20Identity/MDI-Honeytoken%20was%20queried%20via%20SAM-R.md) | ## Lateral Movement | Technique ID | Title | Query | | --- | --- | --- | ## Collection | Technique ID | Title | Query | | --- | --- | --- | | T1114.003 | Email Collection: Email Forwarding Rule | [E-Mail Forwarding](../Defender%20For%20Office%20365/MDO-InboxForwarding.md) | ## Command and Control | Technique ID | Title | Query | | --- | --- | --- | ## Exfiltration | Technique ID | Title | Query | | --- | --- | --- | ## Impact | Technique ID | Title | Query | | --- | --- | --- |
About this query
Explanation
This document is a mapping of KQL (Kusto Query Language) queries to the MITRE ATT&CK framework, which is a comprehensive knowledge base of adversary tactics and techniques observed in real-world cyber attacks. The mapping focuses on specific stages of an attack, excluding Reconnaissance and Resource Development.
Here's a summary of the sections covered:
-
Execution: Includes a query related to Windows Management Instrumentation (WMI) Event Subscription, which is a technique used by attackers to execute malicious code.
-
Persistence: Lists queries for detecting the creation of local accounts, which attackers might use to maintain access to a compromised system.
-
Defense Evasion: Contains queries for detecting various techniques attackers use to avoid detection, such as hiding artifacts using NTFS file attributes, modifying group policies, disabling security tools, and configuring firewall settings.
-
Credential Access: Features a query for identifying password spraying attacks, a method used to gain unauthorized access by trying common passwords across many accounts.
-
Discovery: Includes a query for detecting domain account discovery activities, which attackers use to gather information about user accounts.
-
Collection: Lists a query related to email forwarding rules, which attackers might use to collect sensitive information by automatically forwarding emails.
The document does not include queries for the Initial Access, Privilege Escalation, Lateral Movement, Command and Control, Exfiltration, and Impact stages, except for the ones mentioned above. Each query is linked to a specific technique ID from the MITRE ATT&CK framework, providing a structured approach to understanding and detecting cyber threats.
Details

Alex Verboon
Released: September 17, 2023
Tables
Keywords
Operators