Archives for May 2024

KQL query: Identify PowerShell using sleep timers to evade detection
Encoded or obfuscated use of the Start-Sleep cmdlet can be an indicator of malicious activity.

KQL query: Windows PowerShell execution events that may involve a download
Living-off-the-land techniques that leverage PowerShell may involve downloading an additional payload from the Internet to further the attack.

KQL query: Windows PowerShell invoking a reverse shell
Identify Windows PowerShell events creating outbound connections that could indicate the establishment of a reverse shell.

KQL query: BEC-related inbox rule creation
Identify inbox rule creation that is consistent with business email compromise (BEC).
BEC-related inbox rules can be used to conceal or entirely delete bounced emails, including non-delivery reports and out-of-office messages. The target may receive these emails after a threat actor launches an email campaign from the compromised account, and such bounce notifications could raise suspicion that the account is compromised. These inbox rules typically match specific keywords found in the subject line of the email the threat actor intends to send. Additionally, the rules may match terms like ‘hacked’ or ‘phishing’; this serves to hide emails sent by the IT department that might otherwise alert the target to the malicious activity.
KQL query: Suspicious inbox rules by possibly compromised user
Identify suspect mailbox actions and correlate them with the IP addresses seen in risky sign-in events.