Catch up on this series by going to: https://aka.ms/KQLMysteries
New chapters release weekly.
Jon and Sofia had reported their findings to their manager and the authorities and requested their assistance and authorization to proceed with the next steps. They had identified the master wallet and the hidden service that the threat actors were using to control the remote servers and the financial breach. They had enough evidence and time to catch the threat actors and stop their malicious plans.
They decided to work together and tackle the final objective: capturing the threat actors and recovering the funds. They hoped that by doing so, they could solve the mystery and stop the threat.
Jon and Sofia used their KQL queries and Microsoft Defender Threat Intelligence to track down the location and identity of the threat actors.
// Get the master wallet and the hidden service
let master_wallet = "1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF";
let hidden_service = "server1.onion";
// Query 1: get the CommonSecurityLog table and filter by the master wallet
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DestinationIP == master_wallet
// Get the transactions and IP addresses of the threat actors
// (DestinationPort is numeric, so convert it to a string before splitting)
| extend TransactionID = tostring(split(tostring(DestinationPort), ":")[0])
| extend IPAddress = tostring(split(tostring(DestinationPort), ":")[1])
// Summarize the results by transaction and IP address
| summarize count() by TransactionID, IPAddress
// Order the results by count in descending order
| order by count_ desc

// Query 2: run as a separate query (select it together with the let statements above)
// Get the DeviceNetworkEvents table and filter by the hidden service
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteUrl == hidden_service
// Get the IP addresses and domains of the threat actors
| extend IPAddress = tostring(split(RemoteUrl, ":")[0])
| extend Domain = tostring(split(RemoteUrl, ".")[0])
// Summarize the results by IP address and domain
| summarize count() by IPAddress, Domain
// Order the results by count in descending order
| order by count_ desc
They also used some tools and techniques that they had learned from their hacker friends, such as geolocation, reverse DNS, and OSINT. They were able to map the IP addresses and domains to the physical locations and identities of the threat actors.
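The geolocation step can itself be done in KQL. The query below is an added example, not part of the original chapter: it runs the built-in geo_info_from_ip_address() and ipv4_is_private() functions over a constructed datatable that stands in for the summarized output of the two queries above (the Source, Indicator and Hits columns and every IP address and count in it are made up for illustration).

```kql
// Added example: enrich candidate IP addresses with geolocation in KQL.
// The rows below are constructed sample input standing in for the summarized
// results of the two queries above; none of these IPs are real findings.
let candidates = datatable(Source:string, Indicator:string, IPAddress:string, Hits:long) [
    "CommonSecurityLog",   "1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF", "203.0.113.10", 42,
    "DeviceNetworkEvents", "server1.onion",                      "203.0.113.10", 17,
    "DeviceNetworkEvents", "server1.onion",                      "198.51.100.7", 3,
    "CommonSecurityLog",   "1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF", "10.0.0.5",     9
];
candidates
// Collapse to one row per IP, keeping which indicators and tables it appeared in.
| summarize Indicators = make_set(Indicator),
            Sources    = make_set(Source),
            TotalHits  = sum(Hits)
            by IPAddress
// An address seen on both the wallet and the hidden service is a stronger lead
// than one seen on either alone, so surface that explicitly.
| extend SeenOnBoth = array_length(Indicators) == 2
// Private (RFC 1918) addresses cannot be geolocated; flag them rather than
// letting the lookup silently return nothing.
| extend IsPrivate = ipv4_is_private(IPAddress)
| extend Geo = iff(IsPrivate, dynamic(null), geo_info_from_ip_address(IPAddress))
| extend Country = tostring(Geo.country),
         State   = tostring(Geo.state),
         City    = tostring(Geo.city)
| project IPAddress, TotalHits, SeenOnBoth, IsPrivate, Sources, Indicators, Country, State, City
| order by SeenOnBoth desc, TotalHits desc
```

Note that 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges, so the geo columns for those constructed rows come back empty; with real public addresses the country, state and city fields are populated from the MaxMind GeoLite2 data that the function uses.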
They found out that the threat actors were operating from a basement in a suburban house in Seattle, Washington. They also found out that the threat actors were a couple of teenage hackers, who went by the online aliases of “CyberGhost” and “DarkAngel”. They realized that they had to act fast and alert the local law enforcement and the FBI.
They decided to share their findings with their manager and the authorities and contacted them through their secure communication channel. They sent them the location and identity of the threat actors and asked them to initiate a raid and an arrest.
They received a confirmation that the authorities had received their message, and that they had dispatched a team of agents and officers to the location. They thanked them for their cooperation and asked them to stand by for further instructions.
Jon and Sofia waited anxiously for the news of the raid and the arrest. They hoped that the authorities would succeed and that the threat actors would be captured and brought to justice.
They received a message from the authorities that the raid and the arrest had been successful, and that the threat actors had been apprehended and taken into custody. They also received a message that the funds had been recovered and returned to the rightful owners. They congratulated them on their achievement and praised them for their skills and efforts.
Jon and Sofia replied that they were glad to hear the good news, and that they were happy to help. They said that they had learned a lot from the experience, and that they had enjoyed working together.
They realized that they had solved the mystery and stopped the threat. It truly seemed like this was the end.
But there was one nagging question. Jon looked at Sofia as she was packing up to go home. Sofia sensed Jon was unsure about what had just transpired.
“What is it, Jon?” Sofia asked.
“It just seems too easy,” Jon replied. “I know I’m sure about the contents of the data, but I think we missed something. There’s no way this duo represents the Night Princess hacker group (from Chapter 2). Either Night Princess wasn’t involved, and it took credit anyway, or Night Princess is still in play, and we may have been purposely distracted.”
Stay tuned for Chapter 6…