Catch up on this series by going to: https://aka.ms/KQLMysteries
New chapters release weekly.
Jon and Sofia received the authorization and assistance they needed to pursue the threat actors behind the financial breach. They had identified the most likely candidates for the remote servers and the master wallet, and they were ready to take action.
They decided to split up and tackle each objective separately. Jon would focus on tracing the remote servers, while Sofia would focus on identifying the master wallet. They hoped that by doing so, they could locate the threat actors and recover the funds.
Jon used his KQL queries and Microsoft Defender Threat Intelligence to track down the IP addresses and domains of the remote servers.
// Get the list of remote servers
let remote_servers = dynamic(["server1.onion", "server2.onion", "server3.onion"]);
// Get the DeviceNetworkEvents table and filter by the remote servers (RemoteUrl may carry a scheme or path, so match on substring)
DeviceNetworkEvents
| where RemoteUrl has_any (remote_servers)
// RemoteIP is already a column of DeviceNetworkEvents; pull the onion name out of RemoteUrl
| extend RemoteDomain = extract(@"([a-z2-7]+\.onion)", 1, RemoteUrl)
// Summarize the results by IP address and domain
| summarize count() by RemoteIP, RemoteDomain
// Order the results by count in descending order
| order by count_ desc
He also used some tools and techniques that he had learned from his hacker friends, such as port scanning, ping sweeps, and DNS spoofing. Working within the authorization they had been granted, he bypassed some of the firewalls and other security measures that the threat actors had set up, and gained access to some of the servers.
He found out that the servers were hosting a variety of malicious activities, such as phishing, spamming, botnet command and control, and DDoS attacks. He also found out that the servers were communicating with each other over Tor, which anonymized and encrypted their traffic. Intercepting and decrypting that traffic was not a realistic option; the better route was to find the hidden service that the threat actors were using to control the servers, and to look for the operational mistakes that hidden services commonly make.
He remembered that he had read about a tool called OnionScan, which was designed to scan Tor hidden services for misconfigurations and identity leaks. He decided to give it a try and downloaded the tool from its GitHub repository. He ran the tool with the following command:
onionscan --verbose --jsonReport --reportFolder reportFolder --webport 8080 --list serverList.txt
The command scanned the list of onion addresses that he had obtained (OnionScan reaches them through a local Tor SOCKS proxy, 127.0.0.1:9050 by default, so Tor had to be running first) and generated a JSON report for each server. It also started a web server on port 8080, where he could view the results in a graphical interface. He opened his browser and navigated to the web server. He saw a dashboard that showed the summary and details of the scan results.
He looked for any clues or indicators that could lead him to the hidden service that he was looking for. He noticed that some of the servers had a high correlation score, which meant that they shared some characteristics or features. He also noticed that some of the servers had a low anonymity score, which meant that they leaked some information or metadata. He decided to investigate these servers further and clicked on their links.
He saw a detailed report for each server, which included information such as:
The hidden service address, which was a random string of characters followed by .onion
The web server fingerprint, which was a hash of the server’s configuration and software
The web pages and resources, which were the files and directories that the server hosted
The open ports and services, which were the network protocols and applications that the server ran
The SSH keys and certificates, which were the cryptographic keys and certificates that the server used
The email addresses and social media accounts, which were the contact information and identities that the server revealed
The bitcoin addresses and transactions, which were the cryptocurrency wallets and transfers that the server used
He analyzed the information and looked for any patterns or anomalies that could indicate the hidden service that he was looking for. He found out that some of the servers had a common web server fingerprint, which on its own only showed that they ran the same software and configuration. He also found out that some of the servers had a common bitcoin address, which was the stronger link: payments from all of them landed in the same wallet. He realized that these servers were part of the same network, and that the bitcoin address was the master wallet that Sofia was looking for.
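The grouping Jon does by eye above can be automated over the per-server JSON reports. The following is an added example, not code from the original post or from OnionScan: the report key names, service names, keys and wallet labels are constructed placeholders, not OnionScan's real schema or real scan data. It treats a shared SSH host key, payout address or contact address as a strong link and a shared web server fingerprint as a weak one, and only clusters on the strong links.

```python
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Identifiers that tie two hidden services to the same host or operator with
# high confidence, versus ones that only say "same software build".
STRONG_KEYS = ("sshKey", "bitcoinAddresses", "emailAddresses")
WEAK_KEYS = ("serverFingerprint",)

# Constructed sample reports, one JSON document per scanned service. The key
# names are an assumption for this example, not OnionScan's actual schema, and
# the service names, keys and wallet labels are placeholders.
SAMPLE_REPORTS = [
    json.dumps({"hiddenService": "svc-a.onion", "serverFingerprint": "apache-2.4-modA",
                "sshKey": "SHA256:key-one", "bitcoinAddresses": ["btc-wallet-1"],
                "emailAddresses": []}),
    json.dumps({"hiddenService": "svc-b.onion", "serverFingerprint": "apache-2.4-modA",
                "sshKey": "SHA256:key-one", "bitcoinAddresses": [],
                "emailAddresses": ["ops@example.invalid"]}),
    json.dumps({"hiddenService": "svc-c.onion", "serverFingerprint": "nginx-1.18",
                "sshKey": "SHA256:key-two", "bitcoinAddresses": ["btc-wallet-1"],
                "emailAddresses": []}),
    json.dumps({"hiddenService": "svc-d.onion", "serverFingerprint": "apache-2.4-modA",
                "sshKey": "SHA256:key-three", "bitcoinAddresses": [],
                "emailAddresses": []}),
]


def load_reports(raw_docs: List[str]) -> List[dict]:
    return [json.loads(doc) for doc in raw_docs]


def build_index(reports: List[dict]) -> Dict[str, Dict[str, Set[str]]]:
    """Inverted index: identifier kind -> value -> services that exposed it."""
    index: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for report in reports:
        service = report["hiddenService"]
        for key in STRONG_KEYS + WEAK_KEYS:
            values = report.get(key) or []
            if isinstance(values, str):
                values = [values]
            for value in values:
                index[key][value].add(service)
    return index


def shared_identifiers(index: Dict[str, Dict[str, Set[str]]],
                       keys: Tuple[str, ...] = STRONG_KEYS) -> List[Tuple[str, str, List[str]]]:
    """Identifier values of the given kinds that appear on two or more services."""
    hits = []
    for key in keys:
        for value, services in index.get(key, {}).items():
            if len(services) >= 2:
                hits.append((key, value, sorted(services)))
    return sorted(hits)


def cluster_services(index: Dict[str, Dict[str, Set[str]]],
                     keys: Tuple[str, ...] = STRONG_KEYS) -> List[List[str]]:
    """Transitive closure over the chosen identifier kinds: services that share
    an SSH host key, a payout address or a contact address end up in one
    cluster. With the default keys a shared serverFingerprint alone is not enough."""
    parent: Dict[str, str] = {}

    def find(node: str) -> str:
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]   # path compression
            node = parent[node]
        return node

    for key in keys:
        for services in index.get(key, {}).values():
            ordered = sorted(services)
            for other in ordered[1:]:
                root_a, root_b = find(ordered[0]), find(other)
                if root_a != root_b:
                    parent[root_b] = root_a

    groups: Dict[str, List[str]] = defaultdict(list)
    for service in list(parent):
        groups[find(service)].append(service)
    return sorted((sorted(g) for g in groups.values() if len(g) > 1),
                  key=lambda g: (-len(g), g))


if __name__ == "__main__":
    idx = build_index(load_reports(SAMPLE_REPORTS))
    for key, value, services in shared_identifiers(idx):
        print(f"strong link {key}={value}: {', '.join(services)}")
    for key, value, services in shared_identifiers(idx, WEAK_KEYS):
        print(f"weak link   {key}={value}: {', '.join(services)}")
    print("clusters:", cluster_services(idx))
```

On the constructed data svc-d shares only the Apache fingerprint with svc-a and svc-b, so it is reported as a weak link but stays out of the cluster; passing `STRONG_KEYS + WEAK_KEYS` to `cluster_services` shows how much the picture changes if the fingerprint is trusted as well.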
He decided to share his findings with Sofia and contacted her through their secure communication channel. He sent her the bitcoin address and the web server fingerprint and asked her if she had any luck with her objective.
Sofia replied that she had used her KQL queries and Microsoft Defender Threat Intelligence to track down the cryptocurrency transactions and wallets.
// Get the list of wallets
let wallets = dynamic(["1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "1FfmbHfnpaZjKFvyi1okTjJJusN455paPH", "1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF"]);
// Get the CommonSecurityLog table and look for the wallets in its free-text fields
// (a bitcoin address is not an IP address, so it will never show up in DestinationIP)
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where RequestURL has_any (wallets) or Message has_any (wallets)
// Pull out the legacy (base58, '1'-prefixed) address that was matched
| extend WalletID = extract(@"\b(1[1-9A-HJ-NP-Za-km-z]{25,34})\b", 1, strcat(RequestURL, " ", Message))
| where WalletID in (wallets)
// Summarize the results by wallet and by where the request went
| summarize Hits = count(), Sources = dcount(SourceIP) by WalletID, DestinationIP, DestinationPort
// Order the results by count in descending order
| order by Hits desc
She also used some tools and techniques that she had learned from her hacker friends, such as blockchain analysis, graph visualization, and clustering algorithms. She was able to follow the money trail and identify the wallets that the threat actors used.
She found out that the wallets were using a coin-mixing technique called CoinJoin, which combined their inputs with other users' coins in a single transaction and paid them out to new wallets. She also found out that the wallets were using a technique called stealth addresses, which generated a fresh address for every transaction so that the recipient's real address never appeared on the chain. She realized that she had to find a way to de-anonymize and de-obfuscate the transactions and wallets and find the master wallet that controlled the other wallets.
She remembered that she had read about a tool called Chainalysis, which was designed to analyze and investigate cryptocurrency transactions and wallets. She decided to give it a try and signed up for a free trial account on its website. She logged in and uploaded the data that she had collected from the transactions and wallets. She saw a dashboard that showed the summary and details of the analysis results.
She looked for any clues or indicators that could lead her to the master wallet that she was looking for. She noticed that some of the wallets had a high-risk score, which meant that they were involved in illicit or suspicious activities. She also noticed that some of the wallets had a high complexity score, which meant that they used advanced techniques to hide their identity and origin. She decided to investigate these wallets further and clicked on their links.
She saw a detailed report for each wallet, which included information such as:
The wallet address, which was a string of alphanumeric characters
The wallet balance, which was the amount of cryptocurrency that the wallet held
The wallet activity, which was the number and frequency of transactions that the wallet made
The wallet connections, which were the other wallets that the wallet interacted with
The wallet labels, which were the tags and categories that the wallet belonged to
The wallet risk, which was the level of threat and danger that the wallet posed
The wallet complexity, which was the degree of difficulty and challenge that the wallet presented
She analyzed the information and looked for any patterns or anomalies that could indicate the master wallet that she was looking for. She found out that some of the wallets had a common connection, which meant that they sent or received money from the same wallet. She also found out that some of the wallets had a common label, which meant that they were part of the same group or organization. She realized that these wallets were part of the same network, and that the wallet they all connected to, the one carrying the shared label, was the master wallet that Jon was looking for.
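The money-trail analysis Sofia describes, as an added example that is not part of the original post and does not use Chainalysis: it applies the common-input-ownership heuristic to a small constructed ledger, skips transactions that look like CoinJoins (where that heuristic would wrongly merge strangers, the problem noted earlier in the chapter), and then picks as the master-wallet candidate the address funded by the most distinct clusters. The transactions and address labels are constructed for the example; "MASTER" is the wallet it should recover.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Tx:
    """One on-chain transaction: which addresses funded it and which received."""
    txid: str
    inputs: Tuple[Tuple[str, float], ...]   # (address, value)
    outputs: Tuple[Tuple[str, float], ...]  # (address, value)


# Constructed sample ledger (not real chain data). Address labels are
# placeholders; m1*/m2*/m3 are mule wallets, cj* are unrelated mixer users.
SAMPLE_TXS = [
    Tx("tx1", (("m1a", 3.0), ("m1b", 2.5)), (("MASTER", 5.0), ("m1c", 0.5))),
    Tx("tx2", (("m1c", 0.5), ("m1a", 0.2)), (("MASTER", 0.7),)),
    Tx("tx3", (("m2a", 4.0), ("m2b", 1.0)), (("MASTER", 5.0),)),
    Tx("tx4", (("m3", 2.0),), (("MASTER", 2.0),)),
    # A CoinJoin-style mix: several unrelated inputs, equal-valued outputs.
    Tx("tx5", (("cj1", 1.0), ("cj2", 1.0), ("cj3", 1.0), ("m2a", 1.0)),
       (("x1", 1.0), ("x2", 1.0), ("x3", 1.0), ("x4", 1.0))),
    Tx("tx6", (("m1b", 0.2),), (("x9", 0.2),)),
]


def looks_like_coinjoin(tx: Tx, min_inputs: int = 3, min_equal_outputs: int = 3) -> bool:
    """CoinJoin fingerprint: many inputs plus a run of identical-value outputs.
    The common-input-ownership heuristic is wrong for these, so they are skipped."""
    if len(tx.inputs) < min_inputs:
        return False
    most_common_value_count = max(Counter(v for _, v in tx.outputs).values())
    return most_common_value_count >= min_equal_outputs


class UnionFind:
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path compression
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs: List[Tx]) -> Dict[str, str]:
    """Common-input-ownership heuristic: every input of one non-CoinJoin
    transaction was signed by the same key holder, so the inputs share a
    cluster. Returns address -> cluster label (smallest address in the cluster)."""
    uf = UnionFind()
    for tx in txs:
        if looks_like_coinjoin(tx):
            continue
        addrs = [a for a, _ in tx.inputs]
        for a in addrs:
            uf.find(a)
        for a in addrs[1:]:
            uf.union(addrs[0], a)
    members: Dict[str, Set[str]] = defaultdict(set)
    for addr in list(uf.parent):
        members[uf.find(addr)].add(addr)
    return {addr: min(group) for group in members.values() for addr in group}


def find_hub(txs: List[Tx], clusters: Dict[str, str]) -> Tuple[str, Set[str]]:
    """Master-wallet candidate: the receiving address funded by the largest number
    of distinct sender clusters. An output that lands back inside a sender's own
    cluster is change, not a payment, and is ignored."""
    senders: Dict[str, Set[str]] = defaultdict(set)
    for tx in txs:
        if looks_like_coinjoin(tx):
            continue
        src = {clusters.get(a, a) for a, _ in tx.inputs}
        for out_addr, _ in tx.outputs:
            if clusters.get(out_addr, out_addr) in src:
                continue
            senders[out_addr] |= src
    hub, src_clusters = max(senders.items(), key=lambda kv: (len(kv[1]), kv[0]))
    return hub, src_clusters


if __name__ == "__main__":
    cl = cluster_addresses(SAMPLE_TXS)
    hub, srcs = find_hub(SAMPLE_TXS, cl)
    print(f"candidate master wallet: {hub}, funded by {len(srcs)} clusters: {sorted(srcs)}")
```

Two points worth noticing when running it: m1c is only recognised as change in tx1 because tx2 later co-spends it with m1a, so clustering has to finish before the hub search starts; and if `looks_like_coinjoin` is disabled, tx5 silently merges m2a with the three unrelated mixer users, which is exactly the false link CoinJoin is designed to create.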
She decided to share her findings with Jon and contacted him through their secure communication channel. She sent him the connection and label and asked him if he had any luck with his objective.
Jon replied that he had received her message, and that the wallet she had identified was the same bitcoin address he had pulled from the servers' scan reports. He confirmed that they had identified the master wallet and the hidden service that the threat actors were using. He congratulated her on their success and suggested that they should report their findings to their manager and the authorities and request their assistance and authorization to proceed with the next steps.
Sofia agreed with him and thanked him for his collaboration. She said that they had done a great job, and that they were close to solving the mystery and stopping the threat actors.
They hoped that they had enough evidence and time to catch the threat actors and stop their malicious plans. It truly seemed like this was the end.
Stay tuned for Chapter 5…