Suspicisous Sign In After Network Connection To Lab539 Clickfix List
Query
// Based on Steven Lim's Query https://detections.ai/rules/0199e342-187f-7054-a33a-37bc61caf313
// thx Steven for this Teamwork
let ExcludedApps = pack_array("CIT_JamfConnect@Prod", "TestAppTEST2");
let Lab539ClickFix=externaldata(Timestamp:datetime, Hostname:string, IP:string, Country:string, Org:string, Nameservers:string, Time:datetime, DomainCreation:datetime, DomainExpire:datetime, Name:string, Registrar:string, DomainUpdate:datetime, EventID:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/lab539-clickfix-data.csv'];
// Netzwerkverbindungen zu Lab539ClickFix IPs mit Device-Informationen
let Lab539ClickFixNetworkConnections = Lab539ClickFix
| where Timestamp >ago(2d)
| join kind=inner ( DeviceNetworkEvents
| where RemoteIPType == "Public" ) on $left.Hostname == $right.RemoteUrl
| extend NetworkConnectionTime = TimeGenerated
| project NetworkConnectionTime, DeviceName, DeviceId, RemoteIP, InitiatingProcessAccountUpn
| summarize MinConnectionTime = min(NetworkConnectionTime) by DeviceName, InitiatingProcessAccountUpn;
// Risky Sign-ins vom heutigen Tag
let RiskySignIns = AADSignInEventsBeta
| where TimeGenerated > ago(1d)
| where isnotempty(RiskLevelDuringSignIn)
| where Application !in (ExcludedApps)
| where RiskLevelDuringSignIn >= 30
| where IsGuestUser == 0
| where IsCompliant == 0
| where IsManaged == 0
| where RiskLevelAggregated > 1
| project SignInTimestamp = Timestamp, AccountUpn, AccountObjectId, Application, IPAddress, RiskLevelDuringSignIn, RiskLevelAggregated, RiskState, City, Country, ReportId;
// Historische IPs pro Account - nur Count statt ganze Liste
let HistoricalIPCounts = AADSignInEventsBeta
| where ErrorCode == 0
| where Timestamp >= ago(30d) and Timestamp < ago(1d)
| summarize by AccountUpn, IPAddress
| summarize HistoricalIPCount = count() by AccountUpn, IPAddress;
// Join: Risky Sign-ins mit historischen IP-Counts
let RiskySignInsWithHistory = RiskySignIns
| join kind=leftouter HistoricalIPCounts on AccountUpn, IPAddress
| extend IPSeenBefore = iff(isnotempty(HistoricalIPCount), true, false)
| where IPSeenBefore == false; // Filter schon hier anwenden
// Join: Risky Sign-ins mit Lab539 Network Connections
Lab539ClickFixNetworkConnections
| join kind=inner RiskySignInsWithHistory on
$left.InitiatingProcessAccountUpn == $right.AccountUpn
| where SignInTimestamp > MinConnectionTime
| extend TimeDifference_Minutes = datetime_diff('minute', SignInTimestamp, MinConnectionTime)
| project MinConnectionTime, Timestamp=SignInTimestamp, TimeDifference_Minutes, DeviceName, AccountUpn, AccountObjectId, SignInIP = IPAddress, Application, RiskLevelDuringSignIn, RiskLevelAggregated, RiskState, City, Country, ReportId
| order by Timestamp descAbout this query
Explanation
This query is designed to detect suspicious sign-in activities that might indicate a security threat, specifically related to a known threat or campaign called "Lab539 Clickfix." Here's a simplified breakdown of what the query does:
-
Excluded Applications: It starts by defining a list of applications that should be excluded from the analysis.
-
Lab539 Clickfix Data: It imports external data related to "Lab539 Clickfix," which includes information about IP addresses and other details associated with this threat.
-
Network Connections: It identifies network connections to IP addresses associated with "Lab539 Clickfix" from the last two days, focusing on public IPs and capturing details like device name and user account.
-
Risky Sign-ins: It looks for risky sign-in events from Azure Active Directory (AAD) within the last day. These are sign-ins with a risk level of 30 or higher, from non-guest, non-compliant, and non-managed devices, and excludes certain applications.
-
Historical IP Check: It checks if the IP address used in the sign-in has been seen for that user in the last 30 days. If not, it marks the IP as new for that user.
-
Correlation: It correlates the risky sign-ins with the network connections to "Lab539 Clickfix" IPs. It ensures that the sign-in occurs after the network connection, indicating a potential security incident.
-
Output: The query outputs details of these correlated events, including the time difference between the network connection and the sign-in, device information, user account details, and risk levels.
Overall, this query aims to identify potential security incidents by detecting unusual sign-in activities that follow network connections to known threat-related IPs, which could suggest phishing or credential compromise attempts.
Details

Benjamin Zulliger
Released: October 16, 2025
Tables
Keywords
Operators