Giving Copilot for Security the Request it Needs to Generate Proper KQL Detections
Ask verbosely and you shall receive
Someone recently asked for a KQL query to detect an older threat called SocGholish, which does some very specific things in an attempt to hijack accounts, using drive-by downloads masquerading as software updates for initial access.
Even with the amount of expertise and experience I have with KQL, more often these days, I switch almost immediately to Copilot for Security to see if it can produce what I need quickly and efficiently. I mean, that’s its job, right?
But to do so, I needed some specific information to supply so that Copilot for Security knows exactly how to respond. I thought our own Microsoft Defender Threat Intelligence might offer details on SocGholish, but unfortunately it didn’t, due to the threat being several years old. Off to research…
Red Canary wrote a blog post about the threat and, in it, included the descriptors I needed.
The blog post: Emu-lation: Validating detections for SocGholish with Atomic Red Team
I ended up forgoing my own recommendation about using a KQL Request Template, but I still recommend doing so. In this case, I simply created my prompt based on Red Canary’s descriptors.
browsers spawning the Windows Scripting Host (wscript.exe) process
running the whoami command and redirecting the output to a file
domain trust discovery checks with nltest and related commands
Create a KQL query to detect all of the following:
1. browsers spawning the Windows Scripting Host (wscript.exe) process
2. running the whoami command and redirecting the output to a file
3. domain trust discovery checks with nltest and related commands
What resulted was a very effective KQL query that could be used to detect SocGholish.
Nice job, Copilot for Security!
```kql
DeviceProcessEvents
// 1. a browser is the parent process and the child is the Windows Scripting Host
| where (InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe", "edge.exe") and FileName =~ "wscript.exe")
// 2. whoami with its output redirected to a file
    or (ProcessCommandLine has "whoami" and ProcessCommandLine has ">")
// 3. domain trust discovery with nltest
    or (FileName =~ "nltest.exe" or ProcessCommandLine has "nltest")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
```
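One way to take the query further, as an added example that is not part of the post or of Copilot's output: tag each event with the SocGholish stage it matches and alert only when two or more stages occur on the same device within an hour, so a lone administrative whoami or nltest does not page anyone. Column names follow the Sentinel DeviceProcessEvents schema (TimeGenerated); the stage labels and the one-hour window are my assumptions.

```kql
// Added example (not from the post or Copilot's output): correlate the three behaviors per device.
let browsers = dynamic(["chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe", "edge.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(1d)
// Tag each process event with the SocGholish stage it matches, if any
| extend Stage = case(
    InitiatingProcessFileName in~ (browsers) and FileName =~ "wscript.exe", "browser_spawns_wscript",
    ProcessCommandLine has "whoami" and ProcessCommandLine has ">", "whoami_redirected_to_file",
    FileName =~ "nltest.exe" or ProcessCommandLine has "nltest", "nltest_domain_trust_discovery",
    "")
| where isnotempty(Stage)
// Group by device and hour; keep up to five command lines as evidence for the analyst
| summarize Stages = make_set(Stage), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Evidence = make_set(ProcessCommandLine, 5) by DeviceName, Hour = bin(TimeGenerated, 1h)
// Alert only when at least two distinct stages occur on the same device in the same hour
| where array_length(Stages) >= 2
| project DeviceName, Hour, FirstSeen, LastSeen, Stages, Evidence
```

Lowering the threshold to one stage restores the original per-event behavior; keeping it at two trades a little coverage for far fewer false positives from routine domain checks.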
Supplying all the details you need is probably the toughest part of using one of the many Copilots, but it’s a highly necessary activity to ensure you get something valuable and actionable.