KQL To Detect If Polyfill Malicious Payload Was Loaded
Query
// KQL to detect if Polyfill malicious payload was loaded
// https://www.linkedin.com/posts/activity-7211650346522173440-988L/
// Polyfill supply chain attack hits 100K+ sites.The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain.
// KQL to detect if Polyfill malicious payload was loaded.
DeviceNetworkEvents
| where ActionType == @"HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where HttpHost contains "googie-anaiytics.com" or HttpHost contains "kuurza.com"
// MITRE ATT&CK Mapping
// Based on the analysis, the KQL query can be associated with the following MITRE ATT&CK techniques:
// T1071.001 - Application Layer Protocol: Web Protocols:
// The query inspects HTTP connections, which falls under the use of web protocols for communication1.
// T1071 - Application Layer Protocol:
// More broadly, the query is looking at network traffic using application layer protocols1.
// T1566.002 - Phishing: Spearphishing Link:
// The suspicious domains (“googie-anaiytics.com” and “kuurza.com”) suggest potential phishing attempts1.
// T1071.003 - Application Layer Protocol: Mail Protocols:
// If the suspicious domains are used in email communications, this technique might also be relevant1.Explanation
This KQL query is designed to detect potential malicious activity related to a supply chain attack involving the Polyfill library. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to identify if a malicious payload associated with the Polyfill library was loaded on a device. This is relevant because Polyfill is widely used to support older web browsers, and a compromised version could affect many websites.
-
Data Source: It examines network events on devices, specifically looking at HTTP connections.
-
Key Actions:
- It filters network events to find those where the action type is "HttpConnectionInspected".
- It extracts additional connection information, particularly focusing on the HTTP host involved in the connection.
- It checks if the HTTP host contains suspicious domains, specifically "googie-anaiytics.com" or "kuurza.com". These domains are flagged as potentially malicious.
-
Security Context:
- The query is linked to several MITRE ATT&CK techniques, which are frameworks for understanding cyber threats:
- T1071.001 & T1071: These relate to the use of web protocols for communication, as the query inspects HTTP connections.
- T1566.002: This suggests the potential for phishing attempts, given the suspicious nature of the domains.
- T1071.003: If these domains are used in email communications, it could also relate to mail protocols.
- The query is linked to several MITRE ATT&CK techniques, which are frameworks for understanding cyber threats:
In summary, this query helps security analysts detect suspicious network activity that might indicate a supply chain attack involving the Polyfill library, focusing on specific domains known for malicious activity.
