The KQL Mysteries Season 1: Chapter 1
Discovery
Catch up on this series by going to: https://aka.ms/KQLMysteries
New chapters release weekly.
Jon loved his job. He enjoyed hunting for threats and anomalies in the vast amount of data collected by his company, using the powerful KQL search operator. The search operator was Jon’s go-to first step when trying to expose potential threats in his company’s environment. It is simple, yet powerful.
For example, a simple…
search “192.168.0”…would search all the data - across all the various data tables - that his company was collecting for any text strings that contained 192.168.0.
Jon was always looking for new ways to improve his skills and learn new techniques.
More on the search operator: Must Learn KQL Part 4: Search for Fun and Profit
One day, after running the search operator and looking at the results, he stumbled upon something that caught his attention. He began to dig a bit deeper, this time. Instead of running search across all data, he started to pinpoint the results to a specific table: NetworkCommunicationEvents.
search in (NetworkCommunciationEvents) “192.168.0”The results returned were suspicious. So, Jon decided to pivot to query the NetworkCommunicationEvents table directly to expose any suspicious network activity. He used the has operator to filter out the results. He typed in the following query:
NetworkCommunicationEvents
| where RemoteIP has "192.168.0."
| summarize count() by RemoteIP, RemotePort
He expected to see a list of internal IP addresses and the ports they were communicating with, but instead he saw something strange. There was one IP address that had a very high count of network events, and it was not in the range of 192.168.0.0/24. It was 192.168.0.255, and it was communicating with port 4444 on hundreds of different remote IP addresses.
Jon was puzzled. He knew that 192.168.0.255 was a broadcast address, meaning that it was used to send messages to all devices on the same network segment. But why would it be sending so much traffic to port 4444, which was commonly used by malware and hackers? And why were the remote IP addresses so diverse, spanning across different countries and continents?
He decided to investigate further. He modified his query to look at the details of the network events involving 192.168.0.255 and port 4444. He typed in the following query:
NetworkCommunicationEvents
| where RemoteIP has "192.168.0.255" and RemotePort == 4444
| project TimeGenerated, ComputerName, RemoteIP, RemotePort, Protocol, EventDescription
He was shocked by what he saw. The network events were happening every second, and they were all outbound connections from different computers in his company. The event description field showed that the computers were sending encrypted data to the remote IP addresses, using the TCP protocol. It looked like a massive data exfiltration operation, and it was happening right under his nose.
Jon realized that he had discovered a new, but as yet undiscovered cyber threat. He wondered how it had infected his company’s network, and what it was trying to steal. He knew he had to act fast, before it was too late. He grabbed his phone and called his teammate, Sofia Vega, hoping to alert her to the situation. Sofia had been his trusted teammate for the last 3 years. Sofia began her career as a network architect and had proven herself over and over again against network anomalies, so Jon knew she would be the best to contact first. Sofia could supply the second set of eyes needed to dispel or confirm the threat.
“Hello, this is Jon. I need to talk to you about something urgent. I think we have a serious security breach in our network. I found a new malware that is using the broadcast address to send data to port 4444 on hundreds of remote IP addresses. I believe it’s happening right now, and I need your verification. Can you please come to my office as soon as possible?”
He waited for Sofia to reply. He hoped that it was not too late, and that the company could be saved from a disaster.
Stay tuned for Chapter 2…
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Weekly Microsoft Defender Newsletter]
[Subscribe to the Weekly Azure OpenAI Newsletter]
[Learn KQL with the Must Learn KQL series and book]
[Learn AI Security with the Must Learn AI Security series and book]
Discovered this new series today, and can't wait to see what is going to happen next :)
The only thing that I didn't particularly like was a choice of background music - found it both too loud, and too 'cheerful'. I think something slower and darker would match a subject and a setting better.
Nonetheless, I look forward to the next chapter. Sofia is already a prime suspect!