Query Details

Part 2 Defender XDR KQL Detection For Fake Crowd Strike Domain URL

Query

// Part 2: DefenderXDR KQL detection for fake CrowdStrike domain URL
// https://www.linkedin.com/posts/activity-7220748665924042752-pRST/

// Hourly custom detection: Detect & Purge

EmailUrlInfo
| where Timestamp > ago(1h)
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| where LatestDeliveryAction == "Delivered"
| where UrlDomain contains "crowdstrike"
| where UrlDomain !endswith "crowdstrike.com"
| where SenderFromDomain !endswith "crowdstrike.com" and
SenderFromDomain !endswith "litmos.com" and
SenderFromDomain !endswith "zoom.us"


// MITRE ATT&CK Mapping

// Based on the analysis, the query can be mapped to the following MITRE ATT&CK techniques:

// Phishing (T1566):
// The query is designed to detect phishing attempts by identifying suspicious URLs in inbound emails.
// Spearphishing Link (T1566.002):
// Specifically targets emails with links that may lead to malicious sites, excluding known legitimate domains.
// Indicator Removal on Host (T1070):
// By filtering out legitimate domains, the query aims to identify attempts to bypass detection mechanisms.
// Command and Control (T1071):
// The presence of suspicious URLs could indicate attempts to establish command and control channels.

Explanation

This query is designed to detect potentially malicious emails that are trying to impersonate the legitimate domain "crowdstrike.com" by using fake or similar-looking domains. It focuses on inbound emails received in the last hour that have been delivered to the recipient. The query checks if the email contains a URL with "crowdstrike" in the domain name but does not end with "crowdstrike.com". Additionally, it ensures that the sender's domain is not from known legitimate domains like "crowdstrike.com", "litmos.com", or "zoom.us".

The query is mapped to several MITRE ATT&CK techniques, indicating its purpose:

  1. Phishing (T1566): It aims to detect phishing attempts by identifying suspicious URLs in emails.
  2. Spearphishing Link (T1566.002): It specifically targets emails with potentially malicious links, excluding known legitimate domains.
  3. Indicator Removal on Host (T1070): By filtering out legitimate domains, it seeks to identify attempts to bypass detection mechanisms.
  4. Command and Control (T1071): The presence of suspicious URLs might suggest attempts to establish command and control channels.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

EmailUrlInfoEmailEvents

Keywords

EmailUrlInfoEventsTimestampNetworkMessageIdDirectionLatestDeliveryActionDomainSenderFromPhishingSpearphishingLinkIndicatorRemovalOnHostCommandAndControl

Operators

agojoincontains!endswith

MITRE Techniques

Actions

GitHub