SOLVED

Help with Advance hunting query - Phishing


I'm currently working on a spear phishing security incident; I need help writing an advanced hunting query to look up emails coming from a specific phishing email ID/domain with a malicious URL. The malicious URL makes use of a fake login page pretending to be a SharePoint login site.

In my case, some users have clicked the phishing link and were sent to the fake login page, where they attempted to log in.

I need help writing a KQL query to find users who received the phishing email, already clicked the phishing URL link in the email, and entered credentials, and then to search those users' sign-ins from non-familiar locations after they clicked the phishing URL.

 

// Emails from the phishing sender and how many URLs each one carried
EmailEvents
| where SenderMailFromAddress == 'Email address removed'
| project RecipientEmailAddress, UrlCount

So far, I don't know how to take the recipient email address from the above query and run it against the AAD sign-in logs. Any help is appreciated.



@askvpb 

Something like this could show you the sign-in events of users that received an email from said address.

I am not sure if you can see if they clicked it or not though, through these logs.

// Collect every recipient of the suspicious sender into one dynamic array
let SuspiciousEmails = toscalar(EmailEvents
    | where SenderMailFromAddress == ""   // fill in the phishing sender address
    | summarize make_list(RecipientEmailAddress));
// Resolve each recipient address to an AAD object id via IdentityInfo
let Identities = IdentityInfo
    | mv-apply RecipientEmailAddress=SuspiciousEmails to typeof(string) on
        (where SipProxyAddress contains RecipientEmailAddress)
    | distinct AccountObjectId, RecipientEmailAddress;
// Pull the sign-in events of those accounts
AADSignInEventsBeta
| join Identities on AccountObjectId
Thank you so much @Jonhed

 

I managed to put together some KQL queries. As I'm learning this query language, I just need more practice joining multiple table sources. Please review and help me refine the queries.

 

// This query finds network communication to a specific phishing URL (confirms that users clicked the link on company-issued devices)
let partialRemoteUrlToDetect = "XYZ"; // Change this to the URL you'd like to find machines connecting to
DeviceNetworkEvents
| where Timestamp > ago(3d)
    and RemoteUrl has partialRemoteUrlToDetect
| project Timestamp, DeviceName, InitiatingProcessAccountUpn

// The above gives a list of usernames and device names of users who clicked. Take those values and run them against the AAD sign-in logs to find sign-ins coming from a different country.
// Note: each username must be its own quoted string inside in(); a single 'a, b, c' string is matched as one literal value and returns nothing.

AADSignInEventsBeta
| where ErrorCode != 50142
| where AlternateSignInName in ('Usernames1', 'Usernames2', 'Usernames3')
| project Timestamp, Country, City, IPAddress, DeviceName, OSPlatform, AccountDisplayName


// Get antivirus scan events, including completed and cancelled scans
DeviceEvents
| where ActionType startswith "AntivirusScan" and Timestamp > ago(1d)
//| where AccountName in ('Usernames1', 'Usernames2', 'Usernames3') // must run before the project below, which drops AccountName
| extend ScanDesc = parse_json(AdditionalFields)
| project Timestamp, DeviceName, ActionType, Domain = ScanDesc.Domain, ScanId = ScanDesc.ScanId, User = ScanDesc.User, ScanParametersIndex = ScanDesc.ScanParametersIndex, ScanTypeIndex = ScanDesc.ScanTypeIndex

// Gives a list of sharing activities in cloud apps, if there was any sharing with external users.

CloudAppEvents
| where AccountDisplayName in ('Usernames1', 'Usernames2', 'Usernames3')
| where ActivityType == "Share"
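The two pieces the thread is reaching for (Jonhed's recipients-to-sign-ins join and askvpb's click-evidence-then-sign-ins chain) can be done in one query without hand-copying usernames between steps. The query below is an added example written for this page, not code posted by either participant, and it assumes the tenant has the EmailUrlInfo and UrlClickEvents advanced hunting tables; the sender address, landing-page domain and time windows are placeholders to replace. UrlClickEvents only records clicks that went through Safe Links (Outlook, Teams, Office apps), so it does not replace the DeviceNetworkEvents check above for users who reached the page another way, and "familiar country" here is just a set of countries the account signed in from successfully before the campaign window.

```kql
// Added example, not from the original thread. Chain: phishing email
// -> recorded URL click -> later successful sign-in from a country
// the account had not used before the campaign.
let PhishSender = "attacker@example.com";       // assumption: replace with the real sender
let PhishUrlDomain = "fake-sharepoint.example"; // assumption: replace with the landing-page domain
let Lookback = 7d;                               // campaign window to hunt in
let Baseline = 30d;                              // history used to decide which countries are familiar
// 1. Recipients of the phishing mail that actually reached a mailbox,
//    restricted to messages carrying the landing-page domain
let Recipients = EmailEvents
    | where Timestamp > ago(Lookback)
    | where SenderMailFromAddress =~ PhishSender or SenderFromAddress =~ PhishSender
    | where DeliveryAction == "Delivered"
    | join kind=inner (EmailUrlInfo | where UrlDomain =~ PhishUrlDomain) on NetworkMessageId
    | project NetworkMessageId, RecipientEmailAddress, Url, EmailTime = Timestamp;
// 2. Who clicked: Safe Links click telemetry, including users who clicked
//    through a warning page
let Clicks = UrlClickEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == "ClickAllowed" or IsClickedThrough == true
    | join kind=inner Recipients on NetworkMessageId
    | project AccountUpn = tolower(AccountUpn), ClickTime = Timestamp, Url;
// 3. Countries each clicker signed in from successfully before the campaign window
let FamiliarCountries = AADSignInEventsBeta
    | where Timestamp between (ago(Baseline) .. ago(Lookback))
    | where ErrorCode == 0
    | extend AccountUpn = tolower(AccountUpn)
    | where AccountUpn in ((Clicks | distinct AccountUpn))
    | summarize KnownCountries = make_set(Country) by AccountUpn;
// 4. Successful sign-ins after the click from a country not in that set
//    (an account with no baseline at all is kept, since it cannot be cleared)
AADSignInEventsBeta
| where Timestamp > ago(Lookback)
| where ErrorCode == 0
| extend AccountUpn = tolower(AccountUpn)
| join kind=inner Clicks on AccountUpn
| where Timestamp > ClickTime
| join kind=leftouter FamiliarCountries on AccountUpn
| where isnull(KnownCountries) or not(set_has_element(KnownCountries, Country))
| project AccountUpn, ClickTime, SignInTime = Timestamp, Country, City, IPAddress,
          Application, DeviceName, Url
| order by AccountUpn asc, SignInTime asc
```

A hit here means the account clicked the phishing link and then authenticated from a location it had not used in the baseline period; it does not prove credentials were entered on the fake page, so pair it with a password reset and session revocation for the listed accounts rather than treating an empty result as a clean bill of health.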
Solution (best response, confirmed by askvpb)
This might give you some ideas of how to track URLs clicked, in addition to the queries you just posted.
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-tip-of-the-month-down...