Part 2 Defender XDR KQL Detection For Fake Crowd Strike Domain URL
Query
// Part 2: DefenderXDR KQL detection for fake CrowdStrike domain URL
// https://www.linkedin.com/posts/activity-7220748665924042752-pRST/
// Hourly custom detection: Detect & Purge
EmailUrlInfo
| where Timestamp > ago(1h)
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| where LatestDeliveryAction == "Delivered"
| where UrlDomain contains "crowdstrike"
| where UrlDomain !endswith "crowdstrike.com"
| where SenderFromDomain !endswith "crowdstrike.com" and
SenderFromDomain !endswith "litmos.com" and
SenderFromDomain !endswith "zoom.us"
// MITRE ATT&CK Mapping
// Based on the analysis, the query can be mapped to the following MITRE ATT&CK techniques:
// Phishing (T1566):
// The query is designed to detect phishing attempts by identifying suspicious URLs in inbound emails.
// Spearphishing Link (T1566.002):
// Specifically targets emails with links that may lead to malicious sites, excluding known legitimate domains.
// Indicator Removal on Host (T1070):
// By filtering out legitimate domains, the query aims to identify attempts to bypass detection mechanisms.
// Command and Control (T1071):
// The presence of suspicious URLs could indicate attempts to establish command and control channels.Explanation
This query is designed to detect potentially malicious emails that are trying to impersonate the legitimate domain "crowdstrike.com" by using fake or similar-looking domains. It focuses on inbound emails received in the last hour that have been delivered to the recipient. The query checks if the email contains a URL with "crowdstrike" in the domain name but does not end with "crowdstrike.com". Additionally, it ensures that the sender's domain is not from known legitimate domains like "crowdstrike.com", "litmos.com", or "zoom.us".
The query is mapped to several MITRE ATT&CK techniques, indicating its purpose:
- Phishing (T1566): It aims to detect phishing attempts by identifying suspicious URLs in emails.
- Spearphishing Link (T1566.002): It specifically targets emails with potentially malicious links, excluding known legitimate domains.
- Indicator Removal on Host (T1070): By filtering out legitimate domains, it seeks to identify attempts to bypass detection mechanisms.
- Command and Control (T1071): The presence of suspicious URLs might suggest attempts to establish command and control channels.
Details

Steven Lim
Released: August 25, 2024
Tables
EmailUrlInfoEmailEvents
Keywords
EmailUrlInfoEventsTimestampNetworkMessageIdDirectionLatestDeliveryActionDomainSenderFromPhishingSpearphishingLinkIndicatorRemovalOnHostCommandAndControl
Operators
agojoincontains!endswith