Detection rules › Kusto Query Language
RecordedFuture Threat Hunting Hash All Actors
Recorded Future Threat Hunting hash correlation for all actors.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1189 Drive-by Compromise |
| Execution | T1059 Command and Scripting Interpreter |
| Persistence | T1554 Compromise Host Software Binary |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
| Sysmon | 23 | FileDelete (File Delete archived) |
| Sysmon | 26 | FileDeleteDetected (File Delete logged) |
| Security-Auditing | 4663 | An attempt was made to access an object. |
Stages and Predicates
| Stage | Operator | Expression |
|---|---|---|
| 1 | source | imFileEvent |
| 2 | where | Hash is_not_null |
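As an added illustration, not the rule's own query, the following Microsoft Sentinel KQL applies the source and predicate above (the ASIM imFileEvent parser, keeping only events that carry a hash) and correlates the surviving hashes against active file-hash indicators in the ThreatIntelligenceIndicator table; the Recorded Future source filter and the 14-day indicator lookback are assumptions.

```kusto
// Added example of file-hash correlation; not the published rule's query.
// Assumes: ASIM imFileEvent (Hash / HashType fields) and the Sentinel
// ThreatIntelligenceIndicator table. The SourceSystem filter is an assumption
// about how the Recorded Future feed is labelled in a given workspace.
let event_lookback = 1d;
let indicator_lookback = 14d;
let ti_hashes =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(indicator_lookback)
    | where isnotempty(FileHashValue)
    | where Active == true and ExpirationDateTime > now()
    // Assumption: feed is labelled "Recorded Future" in SourceSystem.
    | where SourceSystem has "Recorded Future"
    // Keep only the latest version of each indicator.
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorId,
              FileHashValue = tolower(FileHashValue),
              FileHashType, Description, ThreatType, ConfidenceScore, SourceSystem;
imFileEvent
| where TimeGenerated >= ago(event_lookback)
// Stage 2 predicate: discard file events without a hash.
| where isnotempty(Hash)
| extend Hash = tolower(Hash)
| join kind=inner ti_hashes on $left.Hash == $right.FileHashValue
| project TimeGenerated, EventType, DvcHostname, ActorUsername,
          TargetFilePath, Hash, HashType,
          IndicatorId, FileHashType, Description, ThreatType, ConfidenceScore, SourceSystem
| order by TimeGenerated desc
```

Lower-casing both sides before the join avoids misses caused by mixed-case hex in either the event source or the indicator feed.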