Forgot to post it here but:
Finally took the time to write a quick blog post on my #100DaysOfKQL challenge.
medium.com/@securityaur...
tl;dr: I'm never doing anything like this again, at least, not before I have a LOT more free time than I have now. But very happy to have gone through with it!
#100DaysOfKQL
Day 100 - CScript.exe, WScript.exe or MSHTA.exe Executed from Web Browser Process
IT'S FINALLY OVER! I had another query in store for today, but I feel like this challenge wouldn't be complete without that one.
(cont)
t.co/lwO1hmrqUk
#100DaysOfKQL
Day 99 - RDP Connection to X New Devices In The Last X Day by User
One more to go! Basic investigative query that you can use as a starting point to dig into recent, new RDP activity per user.
github.com/SecurityAura...
#100DaysOfKQL
Day 98 - Execution from a Low Prevalence, Non-Signed or Invalidly Signed Binary from C:\Windows
I promise you I'm going somewhere with all these FileProfile() queries. Gotta wait a bit more.
github.com/SecurityAura...
#100DaysOfKQL
Day 97 - PowerShell ComObject Interaction
I wish I was getting some $ kickbacks from ClickFix for their queries ๐ฅฒ In the latest variant that I've seen, they basically throw everything in the book:
PowerShell
curl
WScript[.]Shell
cscript
github.com/SecurityAura...
#100DaysOfKQL
Day 96 - certutil.exe Used to Decode a File into a PE
Harshly remembered that this technique exists ... because of a CSAT tool.
IYKYK.
github.com/SecurityAura...
#100DaysOfKQL
Day 95 - Logon Attempts from LDAP Bind Accounts to Systems other than DCs
MDI query will be provided later because life throws unexpected stuff at you sometime.
Perfect for those edge devices that keeps getting popped, uh, keeping TAs out
github.com/SecurityAura...
#100DaysOfKQL
Day 94 - Archive Created at the Root of a Drive
Another query to detect something threat actors do which I consider more of a default (to not say lazy) behavior than anything else.
Always fun to see if these archives still exists in an IR
github.com/SecurityAura...
#100DaysOfKQL
Day 93 - PowerShell IEX or Invoke-Expression
Today's query is sponsored by ClickFix and that one purple EDR who looks even more shady than ClickFix because of what you can catch it doing with this.
github.com/SecurityAura...
#100DaysOfKQL
Day 92 - Low Prevalence Unsigned DLL Sideloaded in AppData Folder
Thanks to today's #ClickFix / #Lumma (#LummaStealer) infection combo for giving me an idea!
github.com/SecurityAura...
#100DaysOfKQL
Day 91 - Large EXE or MSI File Observed in User Downloads Folder
Featuring a shoutout to debloat by the awesome @squiblydoo.bsky.social ! Go check it out (and also his certReport tool, #ImposeCost as they say)
github.com/SecurityAura...
#100DaysOfKQL
Day 90 - Network Connection from MSBuild.exe with ASN Enrichment
10 more days (and queries) to go! We're almost at the finish line!
Seen MSBuild.exe being (ab)used so many times. Spotted in a random SecTopRAT incident today.
github.com/SecurityAura...
#100DaysOfKQL
Day 89 - WmiPrvSE.exe Launching Command Executed Remotely
May be renamed in the future because now that I look at it, it's weird but whatever.
Probably the first (?) non-Defender XDR, Entra ID or M365 centric entry in my 100DaysOfKQL.
github.com/SecurityAura...
#100DaysOfKQL
Day 88 - ESENTUTL Used to Copy a File
Another one for the "man, ntds.dit is locked, how can i access it and get it out of that system?" Threat Actor crowd.
Or OffSec crowd, I don't judge.
Or Blue Team wanting to get dem Web DBs out๐
github.com/SecurityAura...
#100DaysOfKQL
Day 87 - Command Line Interpreter Launched as Service
Cobalt Strike goes brrrr. Probably one of the most basic thing you can observe from it if you're lucky enough to have EDR, Sysmon or EID 4688 on IRs.
PS: I'm never that lucky.
github.com/SecurityAura...
#100DaysOfKQL
Day 86 - Summarized Processes Launched by PowerShell or Command Line Scripts
More of an investigative query which gives you a "clean" output which makes it easier to see and understand what a script (or multiple scripts) does.
github.com/SecurityAura...
#100DaysOfKQL
Day 85 - Command Line Spawned by Microsoft SQL Server
The thing that almost ruined my Friday night.
Remember kids, deconflicting between OffSec and Defenders is important ๐ค
github.com/SecurityAura...
#100DaysOfKQL
Day 84 - CLR DLLs Loaded by Process with Low Prevalence
The day FileProfile() becomes available in Sentinel is the day everyone is going to abuse the hell out of it.
github.com/SecurityAura...
#100DaysOfKQL
Day 83 - Password Accessed By User in Google Chrome or Microsoft Edge
Little behavior I learned about while doing some Threat Hunting for runas-like events.
You can spot users within your orgs that uses these browsers' Password Managers
github.com/SecurityAura...
#100DaysOfKQL
Day 82 - File Downloaded from Uncommon TLD
A little follow-up, with a twist, to Day 81 query. A bit different now since we have more events with URLs to play with.
Can also play with FileOriginReferrerUrl if needed? ๐
github.com/SecurityAura...
#100DaysOfKQL
Day 81 - Executable File or Script Fetched during Network Connection
Fun little query which can be expanded upon (winkwink DeviceFileEvents) to see files that are fetched during network connections (HTTP only AFAIK).
github.com/SecurityAura...
#100DaysOfKQL
Day 80 - mshta.exe Executing Raw Script From Command Line
Some something about mshta.exe today that reminded me this. Poweliks used to be all the rage back when I was on teh forums and it used that as persistence in the Run key.
Memories.
github.com/SecurityAura...
#100DaysOfKQL
Day 79 - PowerShell Process Launching PowerShell Process with Encoded Command
Similar to PowerShell launching cmd.exe, seeing encoded PowerShell launching itself, or PowerShell launching another PowerShell with -Encoded is interesting.
github.com/SecurityAura...
#100DaysOfKQL
Day 78 - Sign-In Events From IP Address Associated With Malicious Domain
A rare investigative query appears in front of your eyes with a very ugly hack that I'll fix later but this week has been quite draining so pls forgive.
github.com/SecurityAura...
#100DaysOfKQL
Day 77 - Database Dump To Disk via sqlcmd.exe
First time seeing this from a Ransomware actor, so quite interesting.
Not talking about using sqlcmd.exe, but using it to dump tables to disk and then exfil them.
github.com/SecurityAura...
#100DaysOfKQL
Day 76 - Cloudflared Usage
This query of the day may or may not be sponsored by the current ransomware engagement I'm working on.
Will let you guess (but not confirm) which group that is.
Also: no metadata on cloudflared.exe :(
github.com/SecurityAura...
#100DaysOfKQL
Day 75 - Activity From Suspicious User-Agent
I think I have one last after this piggybacking on @lethalforensics.bsky.social / @Evild3ad79 awesome CSV blacklists then I'm done.
Remember: if it can be done in the UAL, it can be done in Sentinel or MCAS.
github.com/SecurityAura...
#100DaysOfKQL
Day 74 - Consent to Application With Dangerous Delegated Permissions
Another one that uses a very helpful blacklist (CSV <3) from @LETHAL_DFIR / @Evild3ad79 (on Twitter).
Anything that can be found in UAL can be found in Sentinel logging.
github.com/SecurityAura...
#100DaysOfKQL
Day 73 - Activity From Known Abused Application in Entra ID
All credits for the blacklist used (CSV <3) goes to @LETHAL_DFIR / @evild3ad79 (on Twitter)
I once again invite you to explore the amazing tool that is Microsoft-Analyzer-Suite on Github.
github.com/SecurityAura...
#100DaysOfKQL
Day 72 - New Service Principal Added Following Consent to Application
User being able to consent to apps and creating Service Principals is bad mmmmkay? You don't want to have TAs add eM Client, PERFECTDATA, rclone, etc. through BECs.
github.com/SecurityAura...
