Catch up on this series by going to: https://aka.ms/KQLMysteries
New chapters release weekly.
Jon and Sofia rushed to their bank's website to check their accounts and confirm the unauthorized transactions. They both saw that their savings had been drained and their credit cards had been maxed out. They quickly called their bank's customer service and reported the fraud. They were told that they were not the only ones affected, and that the bank was working with the authorities to investigate the breach and restore the funds.
Jon and Sofia felt a mix of anger, fear, and guilt. They wondered if they had anything to do with the attack, and if they could have prevented it. They also wondered how the threat actors had managed to bypass the bank's security measures and access millions of accounts.
They decided to go back to their office and see if they could find any clues or connections between the malware they had found on the finance computer and the global financial breach. They hoped that their skills and tools could help them solve this mystery and stop the threat actors.
They logged into their Microsoft Sentinel workspace and started to run some KQL queries to analyze the data they had collected from the malware and the network traffic. They also used Microsoft Defender Threat Intelligence to look for any news or reports about the breach and the threat actors.
Jon ran the following query that looks for network connection events (EventID 3) from processes that are known to be associated with malware that steals data and sends it to remote servers:
SecurityEvent
| where EventID == 3 // Network connection event
| where ProcessName has_any ('MsMpEng.exe', 'cert.exe', 'agent.exe') // Malicious processes
| where RemoteAddress !in ('127.0.0.1', '::1') // Exclude local connections
| where RemotePort != 443 // Exclude HTTPS connections
| project TimeGenerated, ComputerName, Account, ProcessName, RemoteAddress, RemotePort // Select relevant fields
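As an added example that is not part of the original post, here is the same hunt run over a constructed datatable, so it can be tried in any Kusto query window without a Sentinel workspace. It goes one step further than the post's query: after the same filters it summarizes repeated connections per process and destination, which is how "sends data to remote servers" shows up in the data as a regular beacon. The computer names, accounts, addresses and timestamps are constructed sample values, and the column names follow the post's query rather than any particular table schema.

```kql
// Added example (not from the original post): the post's filters over constructed events,
// followed by a summarize that surfaces repeated connections to the same destination.
let SampleEvents = datatable(TimeGenerated:datetime, ComputerName:string, Account:string, ProcessName:string, RemoteAddress:string, RemotePort:int)
[
    // constructed sample rows: three agent.exe connections to one external host (a beacon),
    // one loopback connection, one HTTPS connection and one process outside the watch list
    datetime(2024-01-15 09:00:00), "FIN-PC01", "CONTOSO\\jon",   "agent.exe",   "203.0.113.10", 8080,
    datetime(2024-01-15 09:05:00), "FIN-PC01", "CONTOSO\\jon",   "agent.exe",   "203.0.113.10", 8080,
    datetime(2024-01-15 09:10:00), "FIN-PC01", "CONTOSO\\jon",   "agent.exe",   "203.0.113.10", 8080,
    datetime(2024-01-15 09:02:00), "FIN-PC01", "CONTOSO\\jon",   "cert.exe",    "127.0.0.1",    8080,
    datetime(2024-01-15 09:03:00), "FIN-PC02", "CONTOSO\\sofia", "MsMpEng.exe", "198.51.100.7", 443,
    datetime(2024-01-15 09:04:00), "FIN-PC02", "CONTOSO\\sofia", "chrome.exe",  "198.51.100.9", 80
];
SampleEvents
| where ProcessName has_any ('MsMpEng.exe', 'cert.exe', 'agent.exe') // processes from the post's watch list
| where RemoteAddress !in ('127.0.0.1', '::1')                        // exclude local connections
| where RemotePort != 443                                             // the post's HTTPS exclusion, kept as-is
// Collapse individual connection events into one row per process/destination pair
| summarize Connections = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
            by ComputerName, Account, ProcessName, RemoteAddress, RemotePort
// Average gap between connections; a steady interval is the signature of a beacon
| extend IntervalMinutes = datetime_diff('minute', LastSeen, FirstSeen) / max_of(Connections - 1, 1)
| order by Connections desc
```

Running it returns a single row: agent.exe on FIN-PC01 with three connections to 203.0.113.10 about five minutes apart; the loopback row, the port 443 row and chrome.exe are filtered out before the summarize. When you point this at a real table, substitute that table's column names (the stock SecurityEvent schema, for instance, uses Computer, IpAddress and IpPort rather than the names used in the story).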
They found out that the malware they had found was a variant of a ransomware called Night Princess, which was known to encrypt files and demand payment in cryptocurrency. However, this variant had a different behavior. Instead of encrypting files, it was stealing data and sending it to remote servers. It also had a self-destruct mechanism that would erase itself after a certain amount of time.
They also found out that the threat actors behind the attack were a group of hackers who called themselves Night Princess, after the malware they used. They claimed to be fighting against the corrupt and greedy financial system and wanted to redistribute the wealth to the people. They had posted a manifesto on their website, along with a list of the banks they had targeted and the amount of money they had stolen.
Jon expanded his original query to locate remote servers where data was sent, and then identify the cryptocurrency wallets where the money was transferred:
SecurityEvent
| where EventID == 3 // Network connection event
| where ProcessName has_any ('MsMpEng.exe', 'cert.exe', 'agent.exe') // Malicious processes
| where RemoteAddress !in ('127.0.0.1', '::1') // Exclude local connections
| where RemotePort != 443 // Exclude HTTPS connections
| join kind=inner ( // Join with the blob storage table that contains the IP and domain information
externaldata (IP:string, Domain:string, Location:string, Owner:string, Reputation:string)
[h'https://storageaccount.blob.core.windows.net/container/blob.csv'] with (format="csv")
) on $left.RemoteAddress == $right.IP // Join on the remote address and IP columns
| extend JoinKey = 1 // KQL join conditions only support equality, so pair every event with every transaction on a constant key and filter afterwards
| join kind=inner ( // Join with the blob storage table that contains the cryptocurrency transaction and wallet information
externaldata (TransactionID:string, SourceWallet:string, DestinationWallet:string, Amount:double, Date:datetime)
[h'https://storageaccount.blob.core.windows.net/container/blob.csv'] with (format="csv")
| extend JoinKey = 1
) on JoinKey
| where CommandLine contains SourceWallet or CommandLine contains DestinationWallet // Keep only events whose command line references a known wallet
| project TimeGenerated, ComputerName, Account, ProcessName, RemoteAddress, RemotePort, Domain, Location, Owner, Reputation, TransactionID, SourceWallet, DestinationWallet, Amount, Date // Select relevant fields
Jon and Sofia realized that they were dealing with a sophisticated and dangerous group of cybercriminals, who had managed to pull off one of the biggest financial heists in history. They also realized that they had to act fast, before the malware self-destructed and erased any evidence.
They decided to focus on two main objectives: tracing the remote servers where the data was sent, and identifying the cryptocurrency wallets where the money was transferred. They hoped that by doing so, they could locate the threat actors and recover the funds.
They used Microsoft Defender Threat Intelligence to look for any information or tools that could help them with their objectives. They found some useful resources, such as:
A website that allowed them to query the IP addresses and domains of the remote servers, and get information such as location, owner, and reputation.
A website that allowed them to query the cryptocurrency transactions and wallets, and get information such as amount, date, and history.
A website that allowed them to analyze the cryptocurrency transactions and wallets, and get information such as clustering, patterns, and anomalies.
They used these resources, along with their KQL queries, to analyze the data they had collected from the malware and the network traffic. They were able to find some interesting and useful insights, such as:
The remote servers were located in different countries, such as Russia, China, and Iran. They were using a technique called domain generation algorithm (DGA) to generate random and changing domains to avoid detection and blocking.
The cryptocurrency wallets were using a technique called mixing or tumbling to obfuscate the origin and destination of the transactions. They were using a service that mixed their coins with other users' coins, and then sent them to new wallets.
The cryptocurrency transactions and wallets showed some patterns and anomalies that indicated the presence of a master wallet that controlled the other wallets. They also showed some signs of human behavior, such as timing, frequency, and amount.
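The domain generation algorithm finding above is the one a defender can turn into a query most directly. As an added example that is not part of the original post, here is a simple DGA heuristic run over constructed DNS query records: it scores each queried name on label length, vowel ratio and embedded digits, then looks for hosts that resolve several distinct random-looking domains within a short window, which is the pattern a DGA produces while it hunts for a live command server. The table, its column names (ComputerName, QueryName) and the domain names are all assumptions constructed for the example.

```kql
// Added example (not from the original post): a DGA-style heuristic over constructed DNS records.
let DnsSample = datatable(TimeGenerated:datetime, ComputerName:string, QueryName:string)
[
    // constructed sample rows: one host cycling through random-looking names, one host with ordinary traffic
    datetime(2024-01-15 10:00:00), "FIN-PC01", "xk9q2vbw7tzp4.com",
    datetime(2024-01-15 10:00:05), "FIN-PC01", "pq7zr3mtw8kdl.net",
    datetime(2024-01-15 10:00:10), "FIN-PC01", "wjx4n9bqv2hs6.org",
    datetime(2024-01-15 10:00:15), "FIN-PC01", "tzk8mq3vxr7pd.com",
    datetime(2024-01-15 10:01:00), "FIN-PC02", "login.microsoftonline.com",
    datetime(2024-01-15 10:01:30), "FIN-PC02", "www.contoso.com",
    datetime(2024-01-15 10:02:00), "FIN-PC02", "update.example.org"
];
DnsSample
| extend Label = tostring(split(QueryName, ".")[0]) // leftmost label of the queried name
| extend LabelLength = strlen(Label),
         Vowels = countof(Label, "[aeiou]", "regex"),
         Digits = countof(Label, "[0-9]", "regex")
| extend VowelRatio = todouble(Vowels) / max_of(LabelLength, 1)
// A long label with few vowels and embedded digits looks machine-generated; one point per trait
| extend DgaScore = iff(LabelLength >= 12, 1, 0) + iff(VowelRatio < 0.2, 1, 0) + iff(Digits > 0, 1, 0)
// Count distinct suspicious names per host in five-minute windows
| summarize QueryCount = count(),
            SuspiciousDomains = dcountif(QueryName, DgaScore >= 2),
            Examples = make_set_if(QueryName, DgaScore >= 2, 3)
            by ComputerName, bin(TimeGenerated, 5m)
| where SuspiciousDomains >= 3 // many distinct random-looking domains from one host in a short window
```

On the sample data this returns one row for FIN-PC01 with four suspicious domains in the 10:00 window; FIN-PC02 scores at most one point on "www" and is dropped. The thresholds are starting points for tuning against your own baseline, not fixed values: short labels like "www" or "cdn" will always score on the vowel test alone, which is why the query requires two traits per name and several names per host before it alerts.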
Jon and Sofia were able to narrow down their search and identify the most likely candidates for the remote servers and the master wallet. They decided to report their findings to their manager and the authorities and request their assistance and authorization to proceed with the next steps.
They hoped that they had enough evidence and time to catch the threat actors and stop their malicious plans. It truly seemed like this was just the beginning.
Stay tuned for Chapter 4…