Query Details
**Detect WordPress plugins from HTTP requests**
One threat we face daily is the sprawl of plugins and add-ons across the sites that users reach from managed devices, so I focus on identifying the platforms users connect to and the features those sites load. I started with WordPress plugins: the goal is to know which plugins the sites our users visit are running, and to be informed whenever a device connects to a WordPress site that loads an unfamiliar plugin.
If you also host a WordPress site on a device onboarded to Microsoft Defender for Endpoint, the same query can be adapted to list the plugins requested by connecting users, both internal and external. It can also surface weaknesses in that site, such as outdated plugin versions exposed through the `ver=` parameter on plugin asset URLs.
```
DeviceNetworkEvents
// Plugin assets are always served from /wp-content/plugins/<slug>/...
| where RemoteUrl contains "/wp-content/plugins/"
// Slug is the path segment right after /plugins/; no trailing slash required, so a bare directory probe is still caught
| extend PluginName = extract(@"/wp-content/plugins/([^/?#]+)", 1, RemoteUrl)
// Version from the ver= cache-busting parameter, wherever it sits in the query string (not only when it is last)
| extend Version = extract(@"[?&]ver=(\d+(?:\.\d+)*)", 1, RemoteUrl)
| where isnotempty(PluginName)
| extend PluginSiteName = strcat("https://wordpress.org/plugins/", PluginName)
| project PluginSiteName, PluginName, Version, DeviceName, Timestamp, RemoteIPCountry = tostring(geo_info_from_ip_address(RemoteIP).country), ActionType, RemoteUrl
```
This query detects WordPress plugins in use on websites by analysing the HTTP requests that devices make to them. A simplified breakdown of what it does:
- Data source: `DeviceNetworkEvents`, the network connections recorded on onboarded devices, keyed on the URL each device requested.
- Target URLs: only URLs containing the path `/wp-content/plugins/`, the directory WordPress serves plugin assets from.
- Extract plugin information: the plugin slug is the path segment immediately after `/wp-content/plugins/`, and the version is taken from the `ver=` cache-busting parameter that WordPress appends to plugin scripts and stylesheets.
- Plugin site reference: the slug is appended to `https://wordpress.org/plugins/` to build a link to the plugin's page in the WordPress plugin directory, where its current version and changelog can be checked.
- Output: one row per matching request with the plugin directory link, plugin name, version, device name, timestamp, country of the remote IP, action type and the full URL.
The query gives ongoing visibility of the WordPress plugins that users touch across sites, which helps in spotting exposure such as outdated plugin versions and in understanding WordPress-related user activity. Two caveats: the `ver=` value is only a hint, because a plugin that registers its assets without a version gets the site's WordPress core version appended instead, and caching or minification plugins may strip or rewrite the parameter; and the directory link only resolves for plugins hosted on wordpress.org, so premium or custom plugins will return a 404 there.
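The extraction above, as an added example in Python that is not part of the original query: it applies the same slug and version extraction to a handful of constructed `DeviceNetworkEvents`-style rows, so the regexes can be checked offline before the query is scheduled, and it goes one step beyond the page by flagging versions older than a reference table. `KNOWN_LATEST`, the plugin slugs and the sample URLs are constructed placeholders, not real release data.

```python
import re

# Same extraction idea as the KQL above, loosened so the slug is caught with or
# without a trailing slash and the version is caught wherever "ver=" sits in the
# query string (a `\?ver=...$` pattern only matches when it is the last parameter).
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/?#]+)")
VERSION_RE = re.compile(r"[?&]ver=(\d+(?:\.\d+)*)")

# Constructed reference table (assumption, not real release data): plugin slug ->
# the newest version the team has approved. Anything older is flagged.
KNOWN_LATEST = {
    "example-forms": "5.9.8",
    "example-gallery": "2.1.0",
}


def version_key(version):
    """'5.9.5' -> (5, 9, 5), so '5.10.0' sorts after '5.9.8' (a string compare would not)."""
    return tuple(int(part) for part in version.split("."))


def detect_plugins(events):
    """Apply the query's logic to DeviceNetworkEvents-like rows (dicts).

    Returns one record per request under /wp-content/plugins/<slug>, with the same
    columns the KQL projects plus an Outdated flag derived from KNOWN_LATEST.
    """
    findings = []
    for event in events:
        url = event.get("RemoteUrl") or ""
        slug_match = PLUGIN_RE.search(url)
        if not slug_match:
            continue  # not a plugin URL, or nothing after /plugins/ (isnotempty(PluginName))
        slug = slug_match.group(1)
        version_match = VERSION_RE.search(url)
        version = version_match.group(1) if version_match else ""
        latest = KNOWN_LATEST.get(slug)
        outdated = bool(version and latest and version_key(version) < version_key(latest))
        findings.append({
            "PluginSiteName": f"https://wordpress.org/plugins/{slug}",
            "PluginName": slug,
            "Version": version,
            "DeviceName": event.get("DeviceName", ""),
            "Timestamp": event.get("Timestamp", ""),
            "RemoteUrl": url,
            "Outdated": outdated,
        })
    return findings


# Constructed sample rows standing in for DeviceNetworkEvents output.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-10-31T09:12:01Z", "DeviceName": "ws-042",
     "RemoteUrl": "https://blog.example.com/wp-content/plugins/example-forms/includes/js/index.js?ver=5.9.5"},
    # ver= is not the last parameter: a `$`-anchored version regex would miss it
    {"Timestamp": "2024-10-31T09:12:02Z", "DeviceName": "ws-042",
     "RemoteUrl": "https://blog.example.com/wp-content/plugins/example-gallery/assets/app.js?ver=2.1.0&m=1"},
    # directory probe with no trailing slash, as a plugin-enumeration scanner sends it
    {"Timestamp": "2024-10-31T09:12:03Z", "DeviceName": "ws-017",
     "RemoteUrl": "https://shop.example.org/wp-content/plugins/example-seo"},
    # theme asset: must not produce a row
    {"Timestamp": "2024-10-31T09:12:04Z", "DeviceName": "ws-017",
     "RemoteUrl": "https://shop.example.org/wp-content/themes/twentytwentyfour/style.css?ver=1.0"},
]


if __name__ == "__main__":
    for row in detect_plugins(SAMPLE_EVENTS):
        flag = "OUTDATED" if row["Outdated"] else "ok"
        print(f'{row["DeviceName"]}  {row["PluginName"]:<16} {row["Version"] or "-":<8} {flag}  {row["PluginSiteName"]}')
```

Running it yields three rows (the theme request is dropped): `example-forms` at 5.9.5 is flagged as outdated against the placeholder table, `example-gallery` is current even though `ver=` is followed by another parameter, and the bare `example-seo` probe is reported with an empty version. The numeric tuple comparison matters because a string compare would rank 5.10.0 below 5.9.8.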

Sergio Albea
Released: October 31, 2024