Comprehensive collection of Microsoft 365 Defender Advanced Hunting queries for enterprise security teams. Specialized focus on financial services, MENA region threats, and advanced persistent threat detection.
Ali AlEnezi
Cybersecurity Specialist | Kuwait
SANS/GIAC Certified Security Professional
- Email: site@hotmail.com
- LinkedIn: linkedin.com/in/alenizi
- Location: Kuwait
- Expertise: Financial Services & Banking Cybersecurity
| Category | Queries | Description | Specialization |
|---|---|---|---|
| Email Security | 25+ | BEC, Phishing, Malware detection | Financial services focus |
| Endpoint Security | 30+ | Process injection, Persistence, Lateral movement | Banking infrastructure |
| Identity Security | 20+ | Authentication anomalies, Privilege escalation | Account compromise |
| Cloud Applications | 20+ | SharePoint, Teams, Exchange Online | Data exfiltration |
| MENA Regional | 15+ | Regional APTs, Geopolitical threats | Local threat intelligence |
| Financial Services | 25+ | ATM security, SWIFT, Core banking | Banking-specific threats |
- PowerShell Scripts - Query deployment and management automation
- Performance Optimization - Query tuning and optimization guides
- Custom Detection Rules - Ready-to-deploy detection rule templates
- Integration Guides - Microsoft Sentinel, SIEM, and API integration
- Deployment Guidelines - Enterprise deployment best practices
- Customization Guides - Environment-specific adaptation instructions
- MITRE ATT&CK Mapping - Complete framework coverage and mapping
- Performance Benchmarks - Query performance metrics and optimization
- Microsoft 365 Defender portal access with Advanced Hunting permissions
- Basic knowledge of KQL (Kusto Query Language)
- Appropriate security role assignments
Browse Query Categories
- Email-Security-Queries.md - Email threat detection
- Endpoint-Security-Queries.md - Endpoint protection queries
- Identity-Security-Queries.md - Identity and access security
- Cloud-Application-Security.md - Cloud app security monitoring
- MENA-Regional-Threats.md - Regional threat intelligence
- Banking-Specific-Queries.md - Financial services security
Copy and Execute Queries
- Navigate to Microsoft 365 Defender Portal
- Copy desired query from repository files
- Customize parameters for your environment
- Execute and analyze results
Deploy Custom Detection Rules
- Use provided templates to create detection rules
- Customize thresholds and exclusions
- Test in audit mode before enabling blocking
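The "customize parameters" and "deploy as a custom detection rule" steps above, shown on a BEC hunt as an added example (this is not one of the repository's own queries). Environment-specific values sit in `let` statements so the query body needs no editing, and the projection keeps the `Timestamp`, `ReportId` and entity columns that the custom detection rule editor requires. The domain list, title keywords and subject phrases are placeholders to be replaced with your own.

```kql
// Added example, not one of the repository's queries: parameterized executive
// impersonation / BEC hunt shaped so it can be saved as a custom detection rule.
let lookback = 24h;
let internalDomains = dynamic(["company.com", "company.com.kw"]);        // placeholder: your accepted domains
let executiveTitles = dynamic(["CEO", "CFO", "President", "Chairman"]);  // display-name keywords to watch
let paymentSubjects = dynamic(["Urgent Payment", "Wire Transfer", "Invoice", "Bank Details"]);
EmailEvents
| where Timestamp > ago(lookback)                       // time filter first
| where EmailDirection == "Inbound"                     // external senders only
| where SenderDisplayName has_any (executiveTitles)
| where Subject has_any (paymentSubjects)
// parse the sender domain instead of substring-matching the whole address,
// so a lookalike domain that merely contains your domain is still flagged
| extend SenderDomain = tolower(tostring(split(SenderFromAddress, "@")[1]))
| where SenderDomain !in (internalDomains)
| where DeliveryAction != "Blocked"                     // only mail that reached a mailbox or junk folder
// Custom detection rules require Timestamp, ReportId and an entity identifier column
// (here RecipientEmailAddress / NetworkMessageId); keep them in the projection.
| project Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, SenderDisplayName, SenderDomain, Subject, DeliveryAction
| order by Timestamp desc
```

Run it in Advanced Hunting first to measure the hit rate, then save it as a custom detection with only notification actions enabled; add mailbox-level response actions after the allowlists have been tuned on real results.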
```kql
// ATM-specific malware detection
// Monitors for suspicious processes targeting ATM software and hardware interfaces
DeviceProcessEvents
| where Timestamp > ago(24h)
| where DeviceName has_any ("ATM", "NCR", "DIEBOLD", "WINCOR")
| where ProcessCommandLine has_any (
    "CSCSERVICE.EXE", "DISPENSR", "XFS", "MSXFS", "AGILIS"
)
// placeholder allowlist: replace with your ATM vendor's legitimate service binaries
| where not (ProcessCommandLine has_any ("legitATMService.exe"))
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc
```

```kql
// MuddyWater APT activity detection
// Known for PowerShell-based attacks targeting MENA organizations
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "POWERSTATS", "SHARPSTATS", "-w hidden -noni -nop -c"
)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc
```

```kql
// Executive impersonation and BEC detection
EmailEvents
| where Timestamp > ago(24h)
| where SenderDisplayName has_any ("CEO", "CFO", "President")
// anchor the domain check to the end of the address so a lookalike domain that
// merely contains the internal domain is not treated as internal;
// replace @company.com with your organization's domain
| where not (SenderFromAddress endswith "@company.com")
| where Subject has_any ("Urgent Payment", "Wire Transfer")
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject
| order by Timestamp desc
```

- Total Queries: 135+ production-ready queries
- MITRE ATT&CK Coverage: 45+ techniques across 12 tactics
- Performance Tested: All queries optimized for enterprise environments
- Regional Focus: Specialized MENA threat landscape coverage
- Industry Focus: Financial services and banking security expertise
- Syntax Validated - All queries tested in Microsoft 365 Defender
- Performance Optimized - Sub-30 second execution for 24h timeframes
- False Positive Tested - Tuned for enterprise environments
- Documentation Complete - Full MITRE ATT&CK mapping and use cases
Our banking and financial services queries provide specialized detection for:
- ATM Security: Jackpotting, cash-out attacks, XFS manipulation
- SWIFT Network: Message tampering, unauthorized transfers
- Core Banking: Application integrity, transaction monitoring
- Payment Processing: Card data scraping, terminal compromise
- Regulatory Compliance: PCI DSS, SOX, Basel III alignment
Regional threat coverage includes:
- APT Groups: MuddyWater, APT33/Elfin, regional campaigns
- Government Targeting: Ministry impersonation, critical infrastructure
- Energy Sector: Oil, gas, and renewable energy threats
- Geopolitical Indicators: Regional conflict cyber activities
- Local Malware: Agent Tesla, Lokibot MENA variants
Comprehensive APT detection covering:
- Initial Access: Spear phishing, watering hole attacks
- Persistence: Registry manipulation, scheduled tasks, services
- Privilege Escalation: Token manipulation, UAC bypass
- Defense Evasion: Process injection, file masquerading
- Credential Access: LSASS dumping, DCSync attacks
- Lateral Movement: WMI, PsExec, RDP abuse
- Data Exfiltration: Cloud storage, encrypted channels
Comprehensive automation tools for enterprise deployment:
```powershell
# Deploy hunting queries to Microsoft 365 Defender
.\Deploy-HuntingQueries.ps1 -QueryPath ".\Email-Security\" -Environment "Production"

# Test query performance and generate reports
.\Test-HuntingQueries.ps1 -QueryFile ".\Banking-Specific-Queries.md"

# Manage existing detection rules
.\Manage-DefenderQueries.ps1 -Action "List" -FilterPattern "Banking"
```

- Microsoft Sentinel: Export queries for long-term retention and correlation
- Logic Apps: Automated response workflows and notifications
- Power Automate: Business process integration and reporting
- SIEM Platforms: Splunk, QRadar, ArcSight query conversion utilities
- MISP Integration: Threat intelligence platform connectivity
- API Access: Microsoft Graph Security API automation
All queries meet enterprise performance requirements:
- 24-hour queries: Execute within 30 seconds
- 7-day queries: Execute within 2 minutes
- 30-day queries: Execute within 5 minutes
- Resource efficient: Optimized for high-volume environments
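As an added example (not one of the repository's own queries), the same performance rules applied to a query that correlates two tables: each side is time-filtered and narrowed before the join so the join runs on small sets, and a final `summarize` keeps the result compact. The PowerShell flag patterns reuse the hidden/encoded-command indicators used elsewhere in this collection; the lookback and result cap are assumptions you would tune per environment.

```kql
// Added example, not one of the repository's queries: performance rules applied to a
// join. Filter time and indexed columns on BOTH sides before joining.
let lookback = 24h;
let hiddenShells = DeviceProcessEvents
    | where Timestamp > ago(lookback)                                   // time filter first
    | where FileName in~ ("powershell.exe", "pwsh.exe")                 // exact match on an indexed column
    | where ProcessCommandLine has_any ("-w hidden", "-noni", "-enc", "-EncodedCommand")  // 'has', not 'contains'
    | project DeviceId, DeviceName, AccountName, ProcessId, ProcessCreationTime, ProcessCommandLine;
let publicConnections = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess"
    | where RemoteIPType == "Public"                                    // drop internal traffic before the join
    | project DeviceId, InitiatingProcessId, InitiatingProcessCreationTime, RemoteIP, RemotePort, RemoteUrl, Timestamp;
hiddenShells
| join kind=inner publicConnections
    on DeviceId,
       $left.ProcessId == $right.InitiatingProcessId,
       $left.ProcessCreationTime == $right.InitiatingProcessCreationTime  // process id + creation time avoids pid reuse
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count(),
            Destinations = make_set(strcat(RemoteIP, ":", RemotePort), 20)
    by DeviceName, AccountName, ProcessCommandLine
| order by Connections desc
| take 1000                                                             // cap the result set
```

The join key includes the process creation time as well as the process id, because process ids are reused; matching on `ProcessId` alone would attach another process's connections to the shell being investigated.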
```kql
// Performance optimization template
DeviceProcessEvents
| where Timestamp > ago(1h)                          // Time filter first
| where DeviceName in ("Server1", "Server2")         // Indexed field filtering
| where ProcessCommandLine has "pattern"             // Use 'has' instead of 'contains'
| take 1000                                          // Limit result sets
| project Timestamp, DeviceName, ProcessCommandLine  // Select needed columns only
```

We welcome contributions from the global cybersecurity community:
- Fork the repository
- Create a feature branch with descriptive name
- Add your hunting query with proper documentation
- Test the query in your environment
- Submit a pull request with detailed description
- Complete MITRE ATT&CK mapping
- Performance optimization (sub-30 seconds for 24h queries)
- Comprehensive documentation with use cases
- False positive analysis and tuning guidance
- Regional or industry-specific relevance
Contributors receive recognition through:
- Author attribution in query headers
- Featured contributor section in README
- LinkedIn recommendations for substantial contributions
- Speaking opportunities at regional conferences
- 10,000+ downloads across all query categories
- 500+ GitHub stars from security professionals worldwide
- Featured content in Microsoft security community discussions
- Conference presentations at regional cybersecurity events
- Used by major financial institutions across MENA region
- Adopted by government agencies for critical infrastructure protection
- Integrated into SOC playbooks by managed security service providers
- Referenced in academic research on regional cyber threats
- Microsoft Security Operations Analyst (SC-200)
- SANS FOR572: Advanced Network Forensics
- Microsoft Defender for Endpoint Ninja Training
- CERT-Kuwait - National cybersecurity resources
- GCC CERT - Regional coordination center
- UAE Cyber Security Council - National cyber strategy
This project is licensed under the MIT License - see the LICENSE file for details.
- Testing Required: Always test queries in non-production environments first
- No Warranty: Queries provided as-is without warranty of any kind
- Compliance: Ensure compliance with local regulations and organizational policies
- Privacy: Respect data protection and privacy requirements
- Responsible Use: Use for legitimate security purposes only
- Anonymize sensitive data in examples and documentation
- Implement appropriate access controls for query results
- Comply with regional data protection regulations (GDPR, local equivalents)
- Maintain audit trails for security investigation activities
- GitHub Issues: For bug reports, feature requests, and technical questions
- Email: site@hotmail.com for direct contact
- LinkedIn: Ali AlEnezi for professional networking
- Website: [Coming Soon] - Dedicated project website and blog
Available for consulting and training:
- Custom query development for specific threat scenarios
- Enterprise deployment guidance and best practices
- Security team training on advanced hunting techniques
- Threat intelligence integration and customization
- Interactive web dashboard for query exploration and testing
- Mobile application for on-the-go query reference and alerts
- AI-powered query generation using ChatGPT and advanced language models
- Multi-language documentation including Arabic for regional users
- Video tutorial series covering advanced hunting techniques
- SOAR integration playbooks for Phantom, Demisto, and Splunk SOAR
- Threat intelligence feeds with automated IOC updates
- Compliance framework mapping for PCI DSS, ISO 27001, NIST
- Regional threat intelligence API for real-time threat data
- Machine learning models for behavioral anomaly detection
- Microsoft Sentinel workbooks for advanced analytics
- Power BI dashboards for executive reporting
- Teams integration for collaborative threat hunting
- Azure Logic Apps for automated response workflows
Special thanks to the global cybersecurity community, Microsoft security teams, and regional CERT organizations who have contributed insights, feedback, and validation for these hunting queries.
- Microsoft 365 Defender engineering teams for platform capabilities
- MITRE ATT&CK framework for threat taxonomy and mapping
- SANS Institute for advanced threat hunting methodologies
- Regional threat intelligence sharing communities
Built with ❤️ by 3li.info
Securing organizations worldwide through collaborative threat hunting and knowledge sharing
Last Updated: September 2025
Repository Version: 2.0
Total Queries: 135+
MITRE ATT&CK Techniques: 45+
Languages: English, Arabic (planned)