Query Use-Case Examples

The use-cases in this section show you how to hunt or investigate given a scenario.

These queries are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation. In addition, after you run a query and review the results, you may need to refine and rerun it several times as you determine which of the returned activity is legitimate and which warrants further investigation.

Each of these examples is formatted with each Element in the query on its own line, in bold text. The Filters (Features) applied to that Element follow the Element name in regular-weight text.

Use these sample use-cases to understand how to create hunting queries or investigation queries.

Watch this video to view a query example: searching for malicious processes on different operating systems.