| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.3 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-11-16 |
| Last Updated | 2026-01-29 |
| Solution Folder | Attacker Tools Threat Protection Essentials |
| Marketplace | Azure Marketplace · Popularity: 🟡 Low (18%) |
| Pre-requisites | Windows Security Events, Windows Server DNS, Windows Forwarded Events, Microsoft Entra ID |
The Attacker Tools Threat Protection Essentials solution contains security content for detecting tools commonly used by attackers across campaigns. These tools can be commercial, open-source, built-in or publicly available, and they have historically been observed in adversary activity across different phases of the MITRE ATT&CK kill chain.
For details on the required solutions, see the list of dependencies below.
Keywords: attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire
This solution depends on 4 other solution(s):
| Solution |
|---|
| Microsoft Entra ID |
| Windows Forwarded Events |
| Windows Security Events |
| Windows Server DNS |
This solution does not include its own data connectors; it relies on the connectors provided by the dependency solutions listed above.
This solution queries 6 table(s) from its content items:
| Table | Used By Content |
|---|---|
| DeviceProcessEvents | Analytics |
| DnsEvents | Hunting |
| Event | Analytics |
| SecurityEvent | Analytics, Hunting |
| VMConnection | Hunting |
| WindowsEvent | Analytics, Hunting |
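The rules and hunting queries in this solution only produce results if the tables above are actually receiving data, so a practical pre-deployment check is to confirm ingestion for each one in the target workspace. The following KQL is an added example written for this page, not part of the solution or its content items; the 7-day lookback is an arbitrary choice for the example.

```kql
// Added check (not part of the solution): which of the six tables this
// solution reads from are ingesting data in the current workspace.
// isfuzzy=true keeps the union valid when a table does not exist yet
// (e.g. DeviceProcessEvents without a Defender XDR connector); a table
// that is absent from the output has no rows in the lookback window.
let lookback = 7d; // arbitrary window chosen for this example
union withsource=SourceTable isfuzzy=true
    DeviceProcessEvents, DnsEvents, Event, SecurityEvent, VMConnection, WindowsEvent
| where TimeGenerated > ago(lookback)
| summarize Rows = count(), LastSeen = max(TimeGenerated) by SourceTable
| order by SourceTable asc
```

Run it in the Logs blade of the Sentinel workspace before enabling the analytic rules. Any table missing from the result set (or with a stale LastSeen) means the rules and hunting queries that depend on it will run without error but never match anything, which is easy to mistake for a clean environment.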
This solution includes 6 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 4 |
| Hunting Queries | 2 |
Analytic rules:
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Credential Dumping Tools - File Artifacts | High | CredentialAccess | Event |
| Credential Dumping Tools - Service Installation | High | CredentialAccess | Event |
| Powershell Empire Cmdlets Executed in Command Line | Medium | Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, LateralMovement, Persistence, PrivilegeEscalation | SecurityEvent, WindowsEvent |
| Probable AdFind Recon Tool Usage | High | Discovery | DeviceProcessEvents |
Hunting queries:
| Name | Tactics | Tables Used |
|---|---|---|
| Cobalt Strike DNS Beaconing | CommandAndControl | DnsEvents, VMConnection |
| Potential Impacket Execution | CredentialAccess | SecurityEvent, WindowsEvent |
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.3 | 06-06-2024 | Added missing AMA Data Connector reference in Analytic rules and Hunting Queries |
| 3.0.2 | 07-02-2024 | Tagged for dependent solutions for deployment |
| 3.0.1 | 23-01-2024 | Added subTechniques in Template |
| 3.0.0 | 06-11-2023 | Updated text for the rebranding of Azure Active Directory to Microsoft Entra ID. |