Query Details

Chinese APT VS Code Exploitation Detection

Query

//This query detects Chinese APT exploitation of VS Code
//Monitors connections to suspicious IPs, domains, and processes
//let statements must precede the tabular query; each list below is referenced in the where clause
let suspiciousServices = datatable(ServiceName:string)
[
    "WindowsMailServices",
    "test12",
    "WindowsEdgeUpdateServices",
    "Javaservice"
];
let suspiciousProcesses = datatable(ProcessName:string)
[
    "code.exe",
    "sshd.exe",
    "imecmnt.exe"
];
let suspiciousCommands = datatable(CommandLine:string)
[
    "curl",
    "rar.exe",
    "Vssadmin"
];
//SHA-256 hashes of the known malicious files
let suspiciousHashes = dynamic([
    "aa2c0de121ae738ce44727456d97434faff21fc69219e964e1e2d2f1ca16b1c5",
    "8fdac78183ff18de0c07b10e8d787326691d7fb1f63b3383471312b74918c39f",
    "39ceb73bcfd1f674a9b72a03476a9de997867353172c2bf6dde981c5b3ad512a",
    "506fc87c8c96fef1d2df24b0ba44c8116a9001ca5a7d7e9c01dc3940a664acb0",
    "0f11b6dd8ff972a2f8cb7798b1a0a8cd10afadcea201541c93ef0ab9b141c184",
    "456e4dae82a12bcda0506a750eac93bf79cc056b8aad09ec74878c90fd67bd8f",
    "bdadcd2842ed7ba8a21df7910a0acc15f8b0ca9d0b91bebb49f09a906ae217e6",
    "ac34e1fb4288f8ad996b821c89b8cd82a61ed02f629b60fff9eb050aaf49fc31",
    "440e7bce4760b367b46754a70f480941a38cd6cd4c00c56bbaeb80b9c149afb1"
]);
union *
| where RemoteIP in ("216.83.40.84", "185.132.125.72")                 //connections to the attacker addresses
    or RemoteUrl =~ "global.rel.tunnels.api.visualstudio.com"          //VS Code Remote Tunnels endpoint
    or InitiatingProcessSHA256 in~ (suspiciousHashes)                  //known malicious files
    or FileName in~ (suspiciousProcesses)                              //code.exe, sshd.exe, imecmnt.exe
    or InitiatingProcessFileName in~ (suspiciousProcesses)
    or ProcessCommandLine has_any (suspiciousCommands)                 //curl, rar.exe, Vssadmin
    or InitiatingProcessCommandLine has_any (suspiciousCommands)
    or ServiceName in~ (suspiciousServices)                            //from tables that log service installs

Explanation

This query is designed to detect potential exploitation activities by Chinese Advanced Persistent Threats (APTs) targeting Visual Studio Code (VS Code). It does this by monitoring for connections to specific suspicious IP addresses, domains, and processes. Here's a simplified breakdown of what the query is doing:

  1. IP and Domain Monitoring: The query checks for connections to two specific IP addresses (216.83.40.84 and 185.132.125.72) and a domain related to Visual Studio Code (global.rel.tunnels.api.visualstudio.com).

  2. Process Monitoring: It looks for activities involving the code.exe process, which is the executable for VS Code.

  3. File Hash Monitoring: The query checks if any initiating process matches a list of known suspicious SHA-256 hash values. These hashes represent specific files that are considered suspicious.

  4. Suspicious Services: It defines a list of suspicious services (WindowsMailServices, test12, WindowsEdgeUpdateServices, Javaservice) that might be related to the exploitation activity.

  5. Suspicious Processes: It includes a list of processes (code.exe, sshd.exe, imecmnt.exe) that are considered suspicious and worth monitoring.

  6. Suspicious Commands: It also defines a list of command-line activities (curl, rar.exe, Vssadmin) that are potentially malicious and should be flagged if detected.

Overall, the query combines these indicators of compromise (IP addresses, a domain, file hashes, service names, process names and command-line strings) into a single check for signs that an APT is abusing VS Code in the network.
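As an added example (not part of the original query or the author's work), the same indicators applied to the Microsoft Defender advanced hunting tables where each one actually occurs, instead of `union *`, with the hits summarized per device for triage; it assumes the standard DeviceNetworkEvents, DeviceProcessEvents and DeviceEvents schema, including ServiceInstalled events that carry the service name in AdditionalFields.

```kql
// Added example, not the original query: the same indicators applied to the
// Defender tables where each one occurs, then summarized per device for triage.
let lookback = 7d;
let suspiciousIPs = dynamic(["216.83.40.84", "185.132.125.72"]);
let tunnelDomain = "global.rel.tunnels.api.visualstudio.com";
let suspiciousHashes = dynamic([
    "aa2c0de121ae738ce44727456d97434faff21fc69219e964e1e2d2f1ca16b1c5",
    "8fdac78183ff18de0c07b10e8d787326691d7fb1f63b3383471312b74918c39f",
    "39ceb73bcfd1f674a9b72a03476a9de997867353172c2bf6dde981c5b3ad512a",
    "506fc87c8c96fef1d2df24b0ba44c8116a9001ca5a7d7e9c01dc3940a664acb0",
    "0f11b6dd8ff972a2f8cb7798b1a0a8cd10afadcea201541c93ef0ab9b141c184",
    "456e4dae82a12bcda0506a750eac93bf79cc056b8aad09ec74878c90fd67bd8f",
    "bdadcd2842ed7ba8a21df7910a0acc15f8b0ca9d0b91bebb49f09a906ae217e6",
    "ac34e1fb4288f8ad996b821c89b8cd82a61ed02f629b60fff9eb050aaf49fc31",
    "440e7bce4760b367b46754a70f480941a38cd6cd4c00c56bbaeb80b9c149afb1"
]);
let suspiciousServices = dynamic(["WindowsMailServices", "test12", "WindowsEdgeUpdateServices", "Javaservice"]);
let suspiciousProcesses = dynamic(["code.exe", "sshd.exe", "imecmnt.exe"]);
let suspiciousCommands = dynamic(["curl", "rar.exe", "Vssadmin"]);
// Network: connections to the attacker addresses or to the VS Code tunnel endpoint
let net = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP in (suspiciousIPs) or RemoteUrl endswith tunnelDomain
| project Timestamp, DeviceName, Indicator = strcat("net:", iff(isempty(RemoteUrl), RemoteIP, RemoteUrl)),
          Process = InitiatingProcessFileName, Detail = InitiatingProcessCommandLine;
// Processes: known file hashes, the watched binaries, and the command-line tools
let proc = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where SHA256 in~ (suspiciousHashes) or InitiatingProcessSHA256 in~ (suspiciousHashes)
    or FileName in~ (suspiciousProcesses)
    or ProcessCommandLine has_any (suspiciousCommands)
| project Timestamp, DeviceName, Indicator = strcat("proc:", FileName),
          Process = InitiatingProcessFileName, Detail = ProcessCommandLine;
// Services: installs using one of the suspicious names (assumed to sit in AdditionalFields.ServiceName)
let svc = DeviceEvents
| where Timestamp > ago(lookback) and ActionType == "ServiceInstalled"
| extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName)
| where ServiceName in~ (suspiciousServices)
| project Timestamp, DeviceName, Indicator = strcat("svc:", ServiceName),
          Process = InitiatingProcessFileName, Detail = FileName;
// One row per device so that related hits can be triaged together
union net, proc, svc
| summarize Hits = count(), Indicators = make_set(Indicator), Processes = make_set(Process),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName
| order by Hits desc
```

A device that matches only the tunnel domain or only code.exe is expected in environments that legitimately use VS Code Remote Tunnels; the hash, service-name and command-line hits are the ones that separate the activity described above from normal developer use.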

Details


@KevinDrgz

Released: November 10, 2024

Tables

*

Keywords

RemoteIP, RemoteUrl, InitiatingProcessSHA256, ServiceName, ProcessName, CommandLine

Operators

union, *, |, where, =~, or, let, datatable
