Description of the query and the behavior it is meant to detect.
```kql
// Paste your query here
DeviceEvents
| where Sth == "sth"
```

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1087 | Account Discovery |
| Lateral Movement | T1021 | Remote Services |
| Collection | T1114 | Email Collection |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1486 | Data Encrypted for Impact |

| Version | Date | Comments |
|---|---|---|
| 1.0 | 2025-01-15 | Initial query published |
| 1.1 | 2025-01-16 | Changes to the query |