Forgot to post it here but:

Finally took the time to write a quick blog post on my #100DaysOfKQL challenge.

https://medium.com/@securityaura/looking-back-on-100daysofkql-bf526b3d214e

tl;dr: I'm never doing anything like this again, at least, not before I have a LOT more free time than I have now. But very happy to have gone through with it!

Looking Back On #100DaysOfKQL - SecurityAura - Medium

This blog post is about my #100DaysOfKQL challenge that I did from January 1, 2025, to April 12, 2025. For this challenge, every day I had to post a KQL query in my Github repo: That challenge was…

Medium

#100DaysOfKQL

Day 100 - CScript.exe, WScript.exe or MSHTA.exe Executed from Web Browser Process

IT'S FINALLY OVER! I had another query in store for today, but I feel like this challenge wouldn't be complete without that one.

https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%20100%20-%20CScript.exe%2C%20WScript.exe%20or%20MSHTA.exe%20Executed%20from%20Web%20Browser%20Process.md

This challenge ended right on time, as I'm about to embark on a SANS training starting tomorrow, which means I wouldn't have any time next week to work on this. Life is funny sometimes.

As mentioned previously, I'll be publishing a blog post reflecting on that challenge.

So stay tuned for it!

In the meantime, I hope that these queries helped you in some way: detection, hunting, learning some KQL operators/functions, serving as base ideas for more complex queries or even giving you a starting point to learn KQL.

I'll probably never do another 100Days challenge again because man, that thing is taxing. However, I do plan to continue posting KQL queries in that repo and even enhance the ones that were posted during that challenge.

Thank you to everyone who supported me! See you soon!

DE-TH-Aura/100DaysOfKQL/Day 100 - CScript.exe, WScript.exe or MSHTA.exe Executed from Web Browser Process.md at main · SecurityAura/DE-TH-Aura

Repository where I hold random detection and threat hunting queries that I come up with based on different sources of information (or even inspiration). - SecurityAura/DE-TH-Aura

GitHub

#100DaysOfKQL

Day 99 - RDP Connection to X New Devices In The Last X Day by User

One more to go! Basic investigative query that you can use as a starting point to dig into recent, new RDP activity per user.

https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%2099%20-%20RDP%20Connection%20to%20X%20New%20Devices%20In%20The%20Last%20X%20Day%20by%20User.md

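An added example (my own, not the repository's Day 99 query) of the baseline-versus-recent pattern that "new devices in the last X days by user" calls for in Microsoft Defender XDR advanced hunting: successful RDP (RemoteInteractive) logons in DeviceLogonEvents during the recent window, to devices the same account never logged onto during the baseline window. The window lengths and the device-count threshold are assumptions to tune per environment.

```kql
// Added example, not the DE-TH-Aura query. Thresholds below are assumptions.
let lookback = 30d;        // baseline window: how far back "known" RDP targets are learned
let recent = 7d;           // "last X days" window being investigated
let minNewDevices = 3;     // "X new devices": alert only when a user hits at least this many
// Successful RDP logons only; normalise the account name so case differences don't
// create false "new" pairs when joining.
let rdpLogons = DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess" and LogonType == "RemoteInteractive"
    | extend AccountName = tolower(AccountName), AccountDomain = tolower(AccountDomain)
    | project Timestamp, AccountName, AccountDomain, DeviceName, RemoteIP;
// Baseline: (account, device) pairs already seen before the recent window.
let baseline = rdpLogons
    | where Timestamp <= ago(recent)
    | distinct AccountName, DeviceName;
// Recent logons whose (account, device) pair is absent from the baseline are "new".
rdpLogons
| where Timestamp > ago(recent)
| join kind=leftanti baseline on AccountName, DeviceName
| summarize
    NewDeviceCount = dcount(DeviceName),
    NewDevices = make_set(DeviceName, 50),
    SourceIPs = make_set(RemoteIP, 20),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by AccountName, AccountDomain
| where NewDeviceCount >= minNewDevices
| order by NewDeviceCount desc
```

Accounts that legitimately touch many hosts (jump-box admins, scanners) will surface first; lower `minNewDevices` or drop the threshold entirely when using it as a hunting starting point rather than a detection.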

#100DaysOfKQL

Day 98 - Execution from a Low Prevalence, Non-Signed or Invalidly Signed Binary from C:\Windows

I promise you I'm going somewhere with all these FileProfile() queries. Gotta wait a bit more.

https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%2098%20-%20Execution%20from%20a%20Low%20Prevalence,%20Non-Signed%20or%20Invalid%20Signedly%20Binary%20from%20C:%5CWindows.md

#100DaysOfKQL

Day 97 - PowerShell ComObject Interaction

I wish I was getting some $ kickbacks from ClickFix for their queries 🥲 In the latest variant that I've seen, they basically throw everything in the book:

PowerShell
curl
WScript[.]Shell
cscript

https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%2097%20-%20PowerShell%20COM%20Interaction.md


#100DaysOfKQL

Day 96 - certutil.exe Used to Decode a File into a PE

Harshly remembered that this technique exists ... because of a CSAT tool.

IYKYK.

https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%2096%20-%20certutil.exe%20Used%20to%20Decode%20a%20File%20into%20a%20PE.md


#100DaysOfKQL

Day 95 - Logon Attempts from LDAP Bind Accounts to Systems other than DCs

MDI query will be provided later because life throws unexpected stuff at you sometimes.

Perfect for those edge devices that keep getting popped, uh, keeping TAs out

https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%2095%20-%20Logon%20Attempts%20from%20LDAP%20Bind%20Accounts%20to%20Systems%20other%20than%20DCs.md


#100DaysOfKQL

Day 94 - Archive Created at the Root of a Drive

Another query to detect something threat actors do which I consider more of a default (to not say lazy) behavior than anything else.

Always fun to see if these archives still exist in an IR

https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%2094%20-%20Archive%20Created%20at%20the%20Root%20of%20a%20Drive.md


#100DaysOfKQL

Day 93 - PowerShell IEX or Invoke-Expression

Today's query is sponsored by ClickFix and that one purple EDR who looks even more shady than ClickFix because of what you can catch it doing with this.

https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%2093%20-%20PowerShell%20IEX%20or%20Invoke-Expression.md

DE-TH-Aura/100DaysOfKQL/Day 92 - Low Prevalence Unsigned DLL Sideloaded in AppData Folder.md at main · SecurityAura/DE-TH-Aura