Query Details

Binaries Using AnyDesk Compromised Certificate

Query

// This query hunts for binaries not related to AnyDesk that are signed with a potentially compromised signing certificate
let Timeframe = 7d;
let SuspiciousAnydeskFileCertificate = DeviceFileCertificateInfo
    | where Timestamp > ago(Timeframe)
    | where CertificateSerialNumber =~ "abc"
    | where Issuer == "xyz"
    | project Timestamp, DeviceName, SHA1;
SuspiciousAnydeskFileCertificate
    | join (
        DeviceProcessEvents
        | where Timestamp > ago(Timeframe)
        | where ProcessVersionInfoCompanyName !contains @"AnyDesk"
        | project SHA1, ActionType, FileName, FolderPath, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessCommandLine, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
      ) on SHA1
    | sort by Timestamp desc

Explanation

This query is designed to identify potentially suspicious binaries that are not related to AnyDesk but are signed with a specific certificate that might be compromised. Here is a breakdown of what the query does:

  1. Define a Timeframe: The query looks at data from the past 7 days.

  2. Identify Files Signed with the Suspect Certificate: It first searches DeviceFileCertificateInfo for files whose signing certificate matches a specific serial number ("abc") and issuer ("xyz") within the defined timeframe, keeping the timestamp, device name and SHA1 of each such file. This step builds the list of binaries carrying the potentially compromised certificate.

  3. Filter Out AnyDesk Processes: It then takes DeviceProcessEvents from the same window and keeps only events whose ProcessVersionInfoCompanyName does not contain "AnyDesk". This removes the vendor's own legitimately signed processes.

  4. Join and Correlate Data: The query joins the certificate data with the process events on the SHA1 hash. Each match is a process whose image was signed with the potentially compromised certificate but which does not identify itself as AnyDesk software.

  5. Sort Results: Finally, the results are sorted by the timestamp in descending order, showing the most recent events first.

In summary, the query is hunting for non-AnyDesk binaries that are signed with a potentially compromised certificate, helping to identify suspicious activities on devices. Note that ProcessVersionInfoCompanyName is read from the binary's own version resource and is not validated by the signature check, so a file with an empty or misleading company name is handled only as well as that field allows; treat the results as a starting point for review rather than a verdict.
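As an added example that is not part of the original query or the author's page, the same correlation can be reshaped into a per-binary summary, so that a rarely seen file signed with the suspect certificate stands out from one that runs on many devices. It uses the standard advanced hunting schema columns (including Signer from DeviceFileCertificateInfo); "abc" and "xyz" remain placeholders for the real serial number and issuer.

```kql
// Added example: summarize each non-AnyDesk binary signed with the suspect
// certificate once, with prevalence and first/last execution.
// "abc" / "xyz" are placeholders, as in the original query.
let Timeframe = 7d;
let SignedWithSuspectCert = DeviceFileCertificateInfo
    | where Timestamp > ago(Timeframe)
    | where CertificateSerialNumber =~ "abc"
    | where Issuer == "xyz"
    // one row per file hash, keeping the signer name for context
    | summarize CertFirstSeen = min(Timestamp) by SHA1, Signer;
DeviceProcessEvents
| where Timestamp > ago(Timeframe)
| where ProcessVersionInfoCompanyName !contains "AnyDesk"
// kind=inner keeps every process event; the default innerunique would
// collapse the left side to one row per SHA1
| join kind=inner (SignedWithSuspectCert) on SHA1
| summarize
    FirstRun = min(Timestamp),
    LastRun = max(Timestamp),
    DeviceCount = dcount(DeviceName),
    Devices = make_set(DeviceName, 10),
    Paths = make_set(FolderPath, 10),
    CommandLines = make_set(ProcessCommandLine, 5)
    by SHA1, FileName, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, Signer
// lowest prevalence first: a binary seen on one or two devices is the
// more interesting lead for triage
| order by DeviceCount asc, LastRun desc
```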

Details


Mayank Choudhury

Released: November 10, 2024

Tables

DeviceFileCertificateInfo, DeviceProcessEvents

Keywords

Timeframe, SuspiciousAnydeskFileCertificate, DeviceFileCertificateInfo, Timestamp, CertificateSerialNumber, Issuer, DeviceName, SHA1, DeviceProcessEvents, ActionType, FileName, FolderPath, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessCommandLine, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine

Operators

let, where, ago, =~, ==, project, join, !contains, sort by
