LightNews LightNews
securityaura.bsky.social
@securityaura.bsky.social
400 followers 210 following 130 posts
GCIH, GCFE | DFIR, Threat Hunting, Detection Engineering | @CuratedIntel DFIR Member SecurityAura.com http://infosec.exchange/@SecurityAura
infosec.exchange
Posts Media Videos Starter Packs
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Jun 2
#KQL query that looks for network connections to these domains via #MDE DeviceNetworkEvents (Connection or DNS Query).

github.com/SecurityAura...

Huge thanks to @RacWatchin8872 (on Twitter/X) for making the data available in a way that can be accessed via externaldata 🙏
github.com
1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · May 25
Forgot to post it here but:

Finally took the time to write a quick blog post on my #100DaysOfKQL challenge.

medium.com/@securityaur...

tl;dr: I'm never doing anything like this again, at least, not before I have a LOT more free time than I have now. But very happy to have gone through with it!
Looking Back On #100DaysOfKQL
Living your life, 1 query a day, for 100 days
medium.com
1 1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 13
I'll probably never do another 100Days challenge again because man, that thing is taxing. However, I do plan to continue posting KQL queries in that repo and even enhance the ones that were posted during that challenge.

Thank you to everyone who supported me! See you soon!
3
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 13
So stay tuned for it!

In the meantime, I hope that these queries helped you in some way: detection, hunting, learning some KQL operators/functions, serve as base ideas for more complex queries or even give you a starting point to learn KQL.

(cont)
1 2
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 13
This challenge ended right on time, as I'm about to embark on a SANS training starting tomorrow, which means, I wouldn't have any time next week to work on this. Life is funny sometimes.

As mentioned previously, I'll be publishing a blog post reflecting on that challenge.
(cont)
1 1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 13
#100DaysOfKQL

Day 100 - CScript.exe, WScript.exe or MSHTA.exe Executed from Web Browser Process

IT'S FINALLY OVER! I had another query in store for today, but I feel like this challenge wouldn't be complete without that one.

(cont)

t.co/lwO1hmrqUk
https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%20100%20-%20CScript.exe%2C%20WScript.exe%20or%20MSHTA.exe%20Executed%20from%20Web%20Browser%20Process.md
t.co
2 1 5
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 12
#100DaysOfKQL

Day 99 - RDP Connection to X New Devices In The Last X Day by User

One more to go! Basic investigative query that you can use as a starting point to dig into recent, new RDP activity per user.

github.com/SecurityAura...
github.com
1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 11
#100DaysOfKQL

Day 98 - Execution from a Low Prevalence, Non-Signed or Invalidly Signed Binary from C:\Windows

I promise you I'm going somewhere with all these FileProfile() queries. Gotta wait a bit more.

github.com/SecurityAura...
github.com
1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 10
#100DaysOfKQL

Day 97 - PowerShell ComObject Interaction

I wish I was getting some $ kickbacks from ClickFix for their queries 🥲 In the latest variant that I've seen, they basically throw everything in the book:

PowerShell
curl
WScript[.]Shell
cscript

github.com/SecurityAura...
github.com
1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 9
#100DaysOfKQL

Day 96 - certutil.exe Used to Decode a File into a PE

Harshly remembered that this technique exists ... because of a CSAT tool.

IYKYK.

github.com/SecurityAura...
github.com
2
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 8
#100DaysOfKQL

Day 95 - Logon Attempts from LDAP Bind Accounts to Systems other than DCs

MDI query will be provided later because life throws unexpected stuff at you sometime.

Perfect for those edge devices that keeps getting popped, uh, keeping TAs out

github.com/SecurityAura...
github.com
1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 7
#100DaysOfKQL

Day 94 - Archive Created at the Root of a Drive

Another query to detect something threat actors do which I consider more of a default (to not say lazy) behavior than anything else.

Always fun to see if these archives still exists in an IR

github.com/SecurityAura...
github.com
1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 6
#100DaysOfKQL

Day 93 - PowerShell IEX or Invoke-Expression

Today's query is sponsored by ClickFix and that one purple EDR who looks even more shady than ClickFix because of what you can catch it doing with this.

github.com/SecurityAura...
github.com
2
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 5
#100DaysOfKQL

Day 92 - Low Prevalence Unsigned DLL Sideloaded in AppData Folder

Thanks to today's #ClickFix / #Lumma (#LummaStealer) infection combo for giving me an idea!

github.com/SecurityAura...
github.com
1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 4
#100DaysOfKQL

Day 91 - Large EXE or MSI File Observed in User Downloads Folder

Featuring a shoutout to debloat by the awesome @squiblydoo.bsky.social ! Go check it out (and also his certReport tool, #ImposeCost as they say)

github.com/SecurityAura...
github.com
3
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 3
#100DaysOfKQL

Day 90 - Network Connection from MSBuild.exe with ASN Enrichment

10 more days (and queries) to go! We're almost at the finish line!

Seen MSBuild.exe being (ab)used so many times. Spotted in a random SecTopRAT incident today.

github.com/SecurityAura...
github.com
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 2
#100DaysOfKQL

Day 89 - WmiPrvSE.exe Launching Command Executed Remotely

May be renamed in the future because now that I look at it, it's weird but whatever.

Probably the first (?) non-Defender XDR, Entra ID or M365 centric entry in my 100DaysOfKQL.

github.com/SecurityAura...
github.com
1 1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Apr 1
#100DaysOfKQL

Day 88 - ESENTUTL Used to Copy a File

Another one for the "man, ntds.dit is locked, how can i access it and get it out of that system?" Threat Actor crowd.

Or OffSec crowd, I don't judge.
Or Blue Team wanting to get dem Web DBs out👀

github.com/SecurityAura...
github.com
1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Mar 31
#100DaysOfKQL

Day 87 - Command Line Interpreter Launched as Service

Cobalt Strike goes brrrr. Probably one of the most basic thing you can observe from it if you're lucky enough to have EDR, Sysmon or EID 4688 on IRs.

PS: I'm never that lucky.

github.com/SecurityAura...
github.com
1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Mar 30
#100DaysOfKQL

Day 86 - Summarized Processes Launched by PowerShell or Command Line Scripts

More of an investigative query which gives you a "clean" output which makes it easier to see and understand what a script (or multiple scripts) does.

github.com/SecurityAura...
github.com
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Mar 29
#100DaysOfKQL

Day 85 - Command Line Spawned by Microsoft SQL Server

The thing that almost ruined my Friday night.

Remember kids, deconflicting between OffSec and Defenders is important 🤝

github.com/SecurityAura...
github.com
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Mar 27
#100DaysOfKQL

Day 84 - CLR DLLs Loaded by Process with Low Prevalence

The day FileProfile() becomes available in Sentinel is the day everyone is going to abuse the hell out of it.

github.com/SecurityAura...
github.com
1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Mar 26
#100DaysOfKQL

Day 83 - Password Accessed By User in Google Chrome or Microsoft Edge

Little behavior I learned about while doing some Threat Hunting for runas-like events.

You can spot users within your orgs that uses these browsers' Password Managers

github.com/SecurityAura...
github.com
1
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Mar 25
#100DaysOfKQL

Day 82 - File Downloaded from Uncommon TLD

A little follow-up, with a twist, to Day 81 query. A bit different now since we have more events with URLs to play with.

Can also play with FileOriginReferrerUrl if needed? 👀

github.com/SecurityAura...
github.com
securityaura.bsky.social
securityaura.bsky.social @securityaura.bsky.social · Mar 24
#100DaysOfKQL

Day 81 - Executable File or Script Fetched during Network Connection

Fun little query which can be expanded upon (winkwink DeviceFileEvents) to see files that are fetched during network connections (HTTP only AFAIK).

github.com/SecurityAura...
github.com
1