Catch up on this series by going to: https://aka.ms/KQLMysteries
New chapters release weekly.
Jon hypothesized what might have happened and got to work. After about 20 minutes Jon sat back in his chair, stunned.
He couldn't believe what he was seeing on his screen. The Night Princess was the one behind the cyber-attacks that had been plaguing his company for weeks. She had been using her skills and access to manipulate the data, plant false clues, and cover her tracks. She had been playing him all along.
How could he have been so blind? How could he have missed the signs? He felt a surge of anger and betrayal, mixed with a pang of regret. Now he realized that it had all been a lie. She had been using him for her own nefarious purposes, and he had fallen for it.
He quickly checked the logs and confirmed his suspicions. The Night Princess had been the one who had hacked into the company's network, stolen the sensitive data, and leaked it to the dark web. She had also been the one who had planted the malware that had caused the system failures, the data corruption, and the financial losses. She had diverted his attention to the wrong suspects. She had been the one who had sent him the fake messages, the false leads, and the misleading hints. She had been the one who had orchestrated the whole scheme, and had made him look like a fool.
He felt a surge of adrenaline and determination. He had to stop her, and expose her. He had to find out why she had done it, and what she was planning to do next. He had to use his KQL skills to track her down, and bring her to justice. He had to do it fast, before she could do more damage, or escape.
He opened his KQL console, and typed in a query. He decided to start from the beginning, and retrace the steps of the Night Princess. He wanted to see how she had hacked into the network, and what she had done afterwards.
He used the DeviceLogonEvents table, which contained the records of all the logon events on the devices in the network. He filtered the table by the username of the Night Princess, which he had learned from her messages. He also filtered the table by the time range of the first cyber-attack, which he had determined from the Incident table.
He used the project operator to select the columns that he wanted to see, such as DeviceName, LogonType, and LogonTime. He used the order by operator to sort the results by LogonTime in ascending order. He used the take operator to limit the results to the first 10 rows. He ran the query, and got the following output:
| DeviceName | LogonType | LogonTime |
|------------|-----------|-----------|
| PC-001 | Remote | 2023-01-01 12:34:56 |
| PC-002 | Remote | 2023-01-01 12:35:12 |
| PC-003 | Remote | 2023-01-01 12:35:34 |
| PC-004 | Remote | 2023-01-01 12:35:56 |
| PC-005 | Remote | 2023-01-01 12:36:12 |
| PC-006 | Remote | 2023-01-01 12:36:34 |
| PC-007 | Remote | 2023-01-01 12:36:56 |
| PC-008 | Remote | 2023-01-01 12:37:12 |
| PC-009 | Remote | 2023-01-01 12:37:34 |
| PC-010 | Remote | 2023-01-01 12:37:56 |
The query was:

```kusto
DeviceLogonEvents
| where UserName == "NightPrincess"
| where LogonTime between (datetime(2023-01-01 12:00:00) .. datetime(2023-01-01 13:00:00))
| project DeviceName, LogonType, LogonTime
| order by LogonTime asc
| take 10
```
Jon analyzed the results and noticed a pattern. The Night Princess had logged on to 10 different devices in the network, all with a remote logon type, in sequence from PC-001 to PC-010, with gaps of 16 to 22 seconds between consecutive logons. Because his query had capped the output with take 10, he could not yet tell whether the sequence continued past PC-010. Jon wondered what she had done on each device, and why she had chosen those devices. He decided to investigate further and see what other activities she had performed on the network.
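The pattern Jon spotted by eye can be measured and then turned into a reusable detection. The following is an added example, not a query from the original chapter. It keeps the story's column names (UserName, LogonTime); the real Microsoft Defender DeviceLogonEvents table uses AccountName and Timestamp instead. The thresholds in the second query (5 distinct devices within 300 seconds) are illustrative assumptions, not values taken from the story.

```kusto
// Added example; not the chapter's own query. Column names follow the story's
// schema (UserName, LogonTime). The real DeviceLogonEvents table uses
// AccountName and Timestamp.

// Step 1: measure the gap between consecutive logons for this one account.
// order by makes the input serialized, so prev() is allowed; the first row
// has no predecessor and gets a null gap.
DeviceLogonEvents
| where UserName == "NightPrincess"
| where LogonTime between (datetime(2023-01-01 12:00:00) .. datetime(2023-01-01 13:00:00))
| order by LogonTime asc
| extend GapSeconds = datetime_diff('second', LogonTime, prev(LogonTime))
| project DeviceName, LogonType, LogonTime, GapSeconds

// Step 2: generalise the pattern into a detection for any account that
// performs remote logons to many distinct devices in a short burst.
// Thresholds (5 devices, 300 seconds) are assumed for illustration.
DeviceLogonEvents
| where LogonType == "Remote"
| where LogonTime between (datetime(2023-01-01 12:00:00) .. datetime(2023-01-01 13:00:00))
| summarize Devices = dcount(DeviceName),
            Logons = count(),
            FirstLogon = min(LogonTime),
            LastLogon = max(LogonTime),
            DeviceList = make_set(DeviceName, 20) by UserName
| extend SpanSeconds = datetime_diff('second', LastLogon, FirstLogon)
| where Devices >= 5 and SpanSeconds <= 300
| order by Devices desc
```

The first query has no take, so it shows the whole sequence rather than the first 10 rows. The second one drops the account filter on purpose: once the behaviour is expressed as "N distinct devices in T seconds", it surfaces any account moving laterally at machine speed, not only the one already under suspicion.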
He modified his query, and joined the DeviceLogonEvents table with the DeviceNetworkEvents table, which contained the records of all the network events on the devices in the network.
He used an inner join to combine the two tables on the DeviceName column, the key they had in common. Because a KQL join only matches rows on equality, the time condition could not go in the on clause; instead he added a where clause after the join requiring the NetworkTime column from DeviceNetworkEvents to be greater than or equal to the LogonTime column from DeviceLogonEvents. This meant that he only kept the network events that occurred on a device after the logon to that device.
He used the project operator to select the columns that he wanted to see, such as DeviceName, LogonType, LogonTime, NetworkTime, NetworkProtocol, NetworkSource, and NetworkDestination.
He used the order by operator to sort the results by LogonTime and NetworkTime in ascending order.
He ran the query, and got the following output:
| DeviceName | LogonType | LogonTime | NetworkTime | NetworkProtocol | NetworkSource | NetworkDestination |
|------------|-----------|-----------|-------------|-----------------|---------------|--------------------|
| PC-001 | Remote | 2023-01-01 12:34:56 | 2023-01-01 12:35:00 | SSH | PC-001 | Server-001 |
| PC-001 | Remote | 2023-01-01 12:34:56 | 2023-01-01 12:35:04 | FTP | PC-001 | Server-002 |
| PC-002 | Remote | 2023-01-01 12:35:12 | 2023-01-01 12:35:16 | SSH | PC-002 | Server-003 |
| PC-002 | Remote | 2023-01-01 12:35:12 | 2023-01-01 12:35:20 | FTP | PC-002 | Server-004 |
| PC-003 | Remote | 2023-01-01 12:35:34 | 2023-01-01 12:35:38 | SSH | PC-003 | Server-005 |
| PC-003 | Remote | 2023-01-01 12:35:34 | 2023-01-01 12:35:42 | FTP | PC-003 | Server-006 |
| PC-004 | Remote | 2023-01-01 12:35:56 | 2023-01-01 12:36:00 | SSH | PC-004 | Server-007 |
| PC-004 | Remote | 2023-01-01 12:35:56 | 2023-01-01 12:36:04 | FTP | PC-004 | Server-008 |
| PC-005 | Remote | 2023-01-01 12:36:12 | 2023-01-01 12:36:16 | SSH | PC-005 | Server-009 |
| PC-005 | Remote | 2023-01-01 12:36:12 | 2023-01-01 12:36:20 | FTP | PC-005 | Server-010 |
| PC-006 | Remote | 2023-01-01 12:36:34 | 2023-01-01 12:36:38 | SSH | PC-006 | Server-011 |
| PC-006 | Remote | 2023-01-01 12:36:34 | 2023-01-01 12:36:42 | FTP | PC-006 | Server-012 |

(output truncated)
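The chapter describes the join but does not print it. The following is an added reconstruction from the steps described above, not the chapter's own query, using the story's column names. It also goes one step beyond the text: the join is bounded with an assumed 5-minute window after each logon, because with only a greater-than-or-equal check every later network event on the device would be attributed to that logon.

```kusto
// Added example reconstructing the join described in the text; not the
// chapter's own query. Column names follow the story's schema.
DeviceLogonEvents
| where UserName == "NightPrincess"
| where LogonTime between (datetime(2023-01-01 12:00:00) .. datetime(2023-01-01 13:00:00))
| project DeviceName, LogonType, LogonTime
| join kind=inner (
    DeviceNetworkEvents
    | project DeviceName, NetworkTime, NetworkProtocol, NetworkSource, NetworkDestination
  ) on DeviceName
// join matches on equality only; the temporal condition is a filter on the joined rows
| where NetworkTime >= LogonTime
// Assumption: bound the window so events from much later sessions on the same
// device are not attributed to this logon. 5 minutes is illustrative.
| where NetworkTime <= LogonTime + 5m
| project DeviceName, LogonType, LogonTime, NetworkTime, NetworkProtocol, NetworkSource, NetworkDestination
| order by LogonTime asc, NetworkTime asc
```

One caveat remains even with the window: the join keys on DeviceName alone, so if another account was active on the same device during those minutes, its traffic would appear here too. Where the network table carries an initiating-account column, add it to the join key or filter on it before drawing conclusions about who opened the SSH and FTP connections.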
So, while “CyberGhost” and “DarkAngel” may have taken the baton and run with the attack, they did not deliver the initial attack. They had clearly been working together with the Night Princess.
But another lingering question remained: Who is the Night Princess?
Stay tuned for Chapter 7…