A curated collection of threat hunting queries developed and refined during real-world incident response investigations. These queries are primarily designed for use in:
- Microsoft Defender for Endpoint (MDE)
- Any platform that supports Kusto Query Language (KQL)
This repository serves as a practical reference for investigating suspicious activities, adversary techniques, and common attack patterns. It enables rapid identification of behaviors and tactics across endpoints, user accounts, and network activity.
Each folder represents a category mapped (where possible) to the MITRE ATT&CK framework:
- Initial_Access/ — Phishing, credential abuse
- Persistence/ — Registry keys, scheduled tasks, startup folders
- Privilege_Escalation/ — UAC bypass, token manipulation
- Execution/ — Command and scripting, user execution
- Defense_Evasion/ — EDR tampering, obfuscated code, log deletion
- Credential_Access/ — LSASS dumps, SAM hive access
- Discovery/ — System, domain, and network recon
- Lateral_Movement/ — PsExec, RDP, WMI, SMB, remote services
- Collection/ — Clipboard access, screenshot tools
- Exfiltration/ — Cloud sync tools, browser uploads, data staging
- Command_and_Control/ — DNS tunneling, HTTP C2, beaconing
- General_Hunting/ — High-signal anomaly and utility queries
- Custom_Tools/ — Detection of Velociraptor etc.
- Log into your Microsoft Defender for Endpoint portal.
- Open Investigation & response > Hunting > Advanced Hunting.
- Paste the query from the relevant folder.
- Adjust parameters like DeviceName or AccountName as needed.
- Run and review the results. Investigate suspicious artifacts or behavior further.
- Many queries are tagged with MITRE Tactics & Techniques for easier correlation.
- Queries are built to be modular, i.e. chain or combine them based on context.
- Always test in a non-production environment before wide-scale deployment.
- Tune false positives by excluding known good tools, domains, or processes.
- Use additional telemetry sources (e.g., Defender for Identity, Defender for Cloud Apps) to enrich investigations.
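An added example, not one of the repository's own queries, showing the shape the usage steps and tuning tips above describe: a Persistence hunt with DeviceName/AccountName parameters and an allow-list of known-good parent processes. The placeholder scope values and the allow-list entries are assumptions to be adjusted per environment.

```kusto
// Added example (not from the repository): scheduled-task creation hunt
// MITRE ATT&CK: Persistence / T1053.005 (Scheduled Task)
let lookback = 7d;
// Scope the hunt to one device or account; leave empty to search everything.
let targetDevice = "";            // placeholder, e.g. "workstation01"
let targetAccount = "";           // placeholder, e.g. "jdoe"
// Known-good parent processes that legitimately create tasks (assumed
// entries; extend this list while tuning out false positives).
let knownGoodParents = dynamic(["msiexec.exe", "ccmexec.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "create"
// Apply the optional DeviceName / AccountName filters only when set.
| where isempty(targetDevice) or DeviceName =~ targetDevice
| where isempty(targetAccount) or AccountName =~ targetAccount
// Drop task creations spawned by allow-listed parents.
| where InitiatingProcessFileName !in~ (knownGoodParents)
// Pull the task name out of the command line for quick triage.
| extend TaskName = extract(@"(?i)/tn\s+""?([^""/]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          TaskName, ProcessCommandLine, ReportId, DeviceId
| order by Timestamp desc
```

Chain it with other queries by joining on DeviceId and ReportId, as the modular design note above suggests.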
- Add Sigma rule equivalents for cross-platform integration
- Include queries for Linux/macOS endpoints
- Tag each query with severity and detection confidence level
This repository is maintained by me, built on real-world investigations across enterprise environments.
Inspired by the collective work of the security community, including:
- Microsoft Threat Intelligence (MSTIC)
- Sentinel Threat Hunters
- ThreatHunter-Playbook
- Open Threat Research community
- Detections.ai
- Community Queries
MIT License — You are free to use, modify, and share these queries with proper attribution.