detection.wiki

Detection rules › Kusto Query Language

RecordedFuture Threat Hunting IP All Actors

Source
upstream

'Recorded Future Threat Hunting IP correlation for all actors.'

MITRE ATT&CK coverage

TacticTechniques
Command & ControlT1568 Dynamic Resolution
ExfiltrationT1041 Exfiltration Over C2 Channel

Event coverage

ProviderEvent IDTitle
Sysmon3Network connection
Security-Auditing5152The Windows Filtering Platform blocked a packet.
Security-Auditing5154The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Security-Auditing5155The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Security-Auditing5156The Windows Filtering Platform has permitted a connection.
Security-Auditing5157The Windows Filtering Platform has blocked a connection.
Security-Auditing5158The Windows Filtering Platform has permitted a bind to a local port.
Security-Auditing5159The Windows Filtering Platform has blocked a bind to a local port.

Stages and Predicates

Stage 1: source

_Im_NetworkSession

Stage 2: where

DstIpAddr is_not_null

Stage 3: join

Stage 4: mv-expand

Stage 5: project