Query Details

Part 1 Custom Defender XDR KQL Detection For Fake Crowd Strike Email Domain

Query

// Part 1: Custom DefenderXDR KQL detection for fake CrowdStrike email domain
// https://www.linkedin.com/posts/activity-7220616094514917377-a-lR/

// Configure as Detect & Purge:

EmailEvents
| where Timestamp > ago(1h)
| where EmailDirection == "Inbound"
| where LatestDeliveryAction == "Delivered"
| where SenderFromDomain contains "crowdstrike"
| where SenderFromDomain !endswith "crowdstrike.com" and
SenderFromDomain !endswith "litmos.com" and
SenderFromDomain !endswith "zoom.us"

// MITRE ATT&CK Mapping

// Based on the filtering criteria, the following MITRE ATT&CK techniques are relevant:

// Phishing (T1566):
// T1566.001: Spearphishing Attachment
// T1566.002: Spearphishing Link
// T1566.003: Spearphishing via Service
// The query is looking for inbound emails that might be part of a phishing campaign, especially those masquerading as legitimate emails from known domains but with slight variations.
// Impersonation (T1071):
// T1071.003: Application Layer Protocol
// The query checks for emails from domains that contain “crowdstrike” but are not from the legitimate “crowdstrike.com” domain, indicating potential impersonation attempts.
// Command and Control (T1071):
// T1071.001: Web Protocols
// The query might help identify emails that could be part of a command and control communication setup, especially if the emails are from suspicious domains.

Explanation

This query is designed to detect potentially malicious emails that are trying to impersonate legitimate emails from CrowdStrike. It focuses on identifying inbound emails received in the last hour that were delivered successfully and have a sender domain containing "crowdstrike" but not ending with the legitimate domains "crowdstrike.com", "litmos.com", or "zoom.us". This helps in identifying phishing attempts where attackers use similar-looking domains to trick recipients.

The query is mapped to MITRE ATT&CK techniques related to phishing and impersonation, highlighting the potential risks of these emails being used for spearphishing attacks or command and control communications.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

EmailEvents

Keywords

EmailEventsTimestampEmailDirectionLatestDeliveryActionSenderFromDomainPhishingImpersonationCommandControlCommunication

Operators

EmailEventswhereTimestampagoEmailDirection=="Inbound"LatestDeliveryAction"Delivered"SenderFromDomaincontains!endswith"crowdstrike.com""litmos.com""zoom.us"

Actions

GitHub