Catch up on this series by going to: https://aka.ms/KQLMysteries
New chapters release weekly.
Sofia quickly replied, “I’ll be there in 10 minutes, Jon. Don’t worry, we’ll figure this out together.” Jon let out a sigh of relief and started to gather more information on the threat. He ran a few more queries to see if he could find any clues as to how the malware had entered the network, and what data it was trying to steal.
As he was deep in thought, Sofia walked into his office. “Hey Jon, what’s going on?” she asked, noticing the look of concern on his face.
Jon quickly briefed her on the situation and showed her the data he had collected so far. Sofia nodded, and asked, “Have you isolated the infected computers yet?”
Jon shook his head, “Not yet. I wanted to get your input first.”
Sofia suggested they start by isolating the IP address that was sending the most data to the remote IP addresses. Jon quickly modified the original query and ran it to locate the top offender, and they both looked at the results.
NetworkCommunicationEvents
| where RemoteIP has "192.168.0.255" and RemotePort == 4444
| summarize EventCount = count() by ComputerName
| top 1 by EventCount desc // top needs a "by" clause; this keeps only the computer with the highest event count
The query displayed the computer name, ORG_FIN_90321, and the number of events for the top offender that communicated with the remote IP address 192.168.0.255 on port 4444. The computer name wasn’t unusual. It was based on the company’s policy for asset nomenclature. The assigned computer name showed it was part of the finance department, and it was sending out data at an alarming rate.
Sofia nodded, “Let’s go talk to the finance team and see if they have noticed anything unusual.”
Jon and Sofia made their way to the finance department and quickly found the computer in question. They talked to the employee, Lila Kaur, who was using the computer and asked if she had noticed anything unusual. The employee shook her head, “No, everything has been running smoothly.”
Sofia decided to take a closer look at the computer’s logs and ran a few more KQL queries in both Microsoft Defender XDR and Microsoft Sentinel.
//Microsoft Defender query: Identifies files downloaded through a web browser in the last month that may coincide with a Malware alert.
DeviceFileEvents
| where Timestamp > ago(30d) // change this value to adjust the time range
| where InitiatingProcessFileName in ("chrome.exe", "firefox.exe", "msedge.exe", "edge.exe", "iexplore.exe") // Chromium-based Edge runs as msedge.exe; change this list to include other browsers
| where isnotempty(FileOriginUrl)
| where FileOriginUrl has_any (".exe", ".msi", ".bat", ".ps1", ".vbs", ".jar") // change this list to include other executable file extensions
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(30d) // change this value to match the time range above
    | where Title has "Malware"
    | project DeviceId, FileName, SHA1
  ) on DeviceId, FileName, SHA1
| project Timestamp, DeviceName, InitiatingProcessFileName, FileOriginUrl, FileName, SHA1
| order by Timestamp desc
//Microsoft Sentinel query: Identifies malware that has been hidden in the recycle bin within the last 3 weeks.
let timeframe = 21d;
let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]);
let ProcessCreationEvents = () {
    let processEvents = SecurityEvent
    | where EventID == 4688
    | where isnotempty(CommandLine)
    | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,
              FileName = Process, CommandLine, ParentProcessName;
    processEvents
};
ProcessCreationEvents
| where TimeGenerated >= ago(timeframe)
| where FileName in~ (procList)
| where CommandLine contains ":\\recycler" // process launched with a path under the Recycle Bin folder
| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName
| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer
It didn’t take long for her to find the malware. It had been disguised as a legitimate application and had been downloaded through the web browser on this computer a few weeks ago. The file was sitting in the computer’s Recycle Bin, where it had hidden itself in the hope of avoiding detection. Sofia had seen this type of activity before: a piece of malware gets downloaded by accident, the code bides its time before releasing its payload, and then it tries to disguise itself so that the unsuspecting user removes it through normal cleanup, leaving little trace.
Jon and Sofia quickly got to work, isolating the infected computer and removing the malware from it. They then ran a full scan of the network to make sure there were no other infected computers.
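The network-wide sweep described above, as an added example that is not part of the original post: it pivots on the SHA1 returned by the Defender query to find every device that stored or ran the same file, then checks which of those hosts also talked to 192.168.0.255 on port 4444. The hash value is a placeholder to be replaced with the one from the join; the Defender tables DeviceFileEvents, DeviceProcessEvents and DeviceNetworkEvents are used here instead of the story’s NetworkCommunicationEvents.

```kql
// Added hunting query (not from the original post). Substitute the SHA1 returned by the
// browser-download join above; the value below is a placeholder, not a real indicator.
let suspectHash = "<SHA1-FROM-JOIN>";
let lookback = 30d;
// Every device that either wrote the file to disk or executed it
let hostsWithFile = union
    (DeviceFileEvents
     | where Timestamp > ago(lookback) and SHA1 == suspectHash
     | project DeviceId, DeviceName, Seen = Timestamp, Source = "file"),
    (DeviceProcessEvents
     | where Timestamp > ago(lookback) and SHA1 == suspectHash
     | project DeviceId, DeviceName, Seen = Timestamp, Source = "process");
hostsWithFile
// Attach beaconing activity to the same remote endpoint, if any
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIP == "192.168.0.255" and RemotePort == 4444
    | summarize BeaconCount = count(), LastBeacon = max(Timestamp) by DeviceId
  ) on DeviceId
| extend BeaconCount = coalesce(BeaconCount, 0)
| summarize FirstSeen = min(Seen), LastSeen = max(Seen), Sources = make_set(Source),
            BeaconCount = max(BeaconCount), LastBeacon = max(LastBeacon) by DeviceId, DeviceName
// Hosts that both hold the file and have beaconed come first; the rest still need cleanup
| order by BeaconCount desc, FirstSeen asc
```

Devices listed with a BeaconCount of 0 have the file but have not yet reached the remote endpoint, so they are candidates for isolation before the payload runs.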
After a few hours of work, they were finally able to contain the threat. Jon and Sofia breathed a sigh of relief, feeling like they had prevented a disaster. They both knew that they had to remain vigilant, however, as new threats could emerge at any time.
Jon thanked Sofia for her help and scheduled a debrief with the entire security team the following morning. It was policy for even minor events to be discussed with the corporate security teams, both local and remote, for knowledge sharing and awareness. Additionally, Lila’s manager would be notified with recommendations, links to training resources, and copies of corporate policy and procedures to continue end-user education.
…
Later, as Jon and Sofia were packing up their things to go home, they both received notifications on their phones. It was an alert from their bank, warning them of strange activity on both their accounts. Jon quickly opened his banking app and saw that there had been several unauthorized transactions. Sofia’s situation was the same. A flurry of noise and activity across the office made them both look up, and then at each other, realizing that they were not the only ones affected. Jon quickly pulled up a news site on his phone, and he and Sofia watched in horror as it reported a global financial breach affecting millions of people around the world. A threat actor group called Night Princess was taking responsibility for the attack.
Jon and Sofia exchanged concerned glances. “Nah. It’s not possible…” Sofia tried to reassure him, her voice trailing off before she mouthed ORG_FIN_90321.
They both knew that this was just the beginning of a much bigger problem.
Stay tuned for Chapter 3…