Query Details
//This query detects possible GraphStrike C2 implants
//Looks for processes connecting to both login.microsoft.com and graph.microsoft.com within 2hrs
let SuspiciousProcesses = (DeviceNetworkEvents
| where Timestamp > ago(2h)
| where RemoteUrl contains "graph.microsoft.com" or RemoteUrl contains "login.microsoft.com"
| summarize make_set(RemoteUrl) by InitiatingProcessId, InitiatingProcessFileName, DeviceName, DeviceId, bin(Timestamp, 2h)
| where set_RemoteUrl contains "graph.microsoft.com" and set_RemoteUrl contains "login.microsoft.com");
DeviceNetworkEvents
| where Timestamp > ago(2h)
| where RemoteUrl contains "graph.microsoft.com" or RemoteUrl contains "login.microsoft.com"
| join kind=innerunique SuspiciousProcesses on InitiatingProcessId, DeviceId, InitiatingProcessFileName
| invoke FileProfile(InitiatingProcessSHA256, 1000)
| where not(InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "Microsoft.AAD.BrokerPlugin.exe") and SignatureState == "SignedValid" and GlobalPrevalence > 500)

This query is designed to identify potentially malicious software, specifically GraphStrike Command and Control (C2) implants, on devices by analyzing network activity. Here's a simplified breakdown:
Data Collection: It examines network events from the past two hours to find processes that have connected to either "graph.microsoft.com" or "login.microsoft.com".
Suspicious Process Identification: It identifies processes that have connected to both of these URLs within the same two-hour window. These processes are flagged as suspicious.
Process Filtering: The query then filters these suspicious processes to exclude common, legitimate applications like web browsers (Chrome, Edge, Firefox) and the Microsoft AAD broker plugin (Microsoft.AAD.BrokerPlugin.exe), provided the binary is validly signed (SignatureState == "SignedValid") and widely seen (GlobalPrevalence above 500), which together indicate it is likely legitimate. A process on that list that is unsigned or rare is still reported.
File Profiling: For each suspicious process, it calls FileProfile() on InitiatingProcessSHA256 to retrieve file profile information (signature state, global prevalence and related fields); this enrichment supplies the fields the filter above relies on and aids further investigation.
In essence, this query helps detect unusual and potentially harmful network activity by focusing on processes that interact with specific Microsoft services in a way that might indicate malicious behavior.
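To show what the summarize / join / not() logic actually flags, here is an added Python re-implementation of the same detection run over constructed sample events (this is not the page's KQL, and the event tuples, FileProfile stand-in and field names are assumptions made for the example):

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample DeviceNetworkEvents rows (not real telemetry):
# (Timestamp, DeviceName, InitiatingProcessId, InitiatingProcessFileName, RemoteUrl, InitiatingProcessSHA256)
EVENTS = [
    ("2024-11-10T09:05:00", "WS01", 4242, "updater.exe", "https://login.microsoft.com/common/oauth2/v2.0/token", "sha-a"),
    ("2024-11-10T09:06:00", "WS01", 4242, "updater.exe", "https://graph.microsoft.com/v1.0/me/drive/root/children", "sha-a"),
    ("2024-11-10T09:10:00", "WS01", 1337, "msedge.exe", "https://login.microsoft.com/common/oauth2/v2.0/authorize", "sha-b"),
    ("2024-11-10T09:11:00", "WS01", 1337, "msedge.exe", "https://graph.microsoft.com/v1.0/me", "sha-b"),
    ("2024-11-10T09:12:00", "WS02", 9001, "sync.exe", "https://graph.microsoft.com/v1.0/me/messages", "sha-c"),
    ("2024-11-10T11:30:00", "WS02", 9001, "sync.exe", "https://login.microsoft.com/common/oauth2/v2.0/token", "sha-c"),
]
# Constructed stand-in for the FileProfile() enrichment, keyed by SHA256.
FILE_PROFILE = {
    "sha-a": {"SignatureState": "Unsigned", "GlobalPrevalence": 3},
    "sha-b": {"SignatureState": "SignedValid", "GlobalPrevalence": 250000},
    "sha-c": {"SignatureState": "SignedValid", "GlobalPrevalence": 12000},
}
ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "microsoft.aad.brokerplugin.exe"}

def bin_2h(ts: str) -> datetime:
    """Mimic bin(Timestamp, 2h): floor to the enclosing 2-hour boundary."""
    t = datetime.fromisoformat(ts)
    return t.replace(hour=t.hour - t.hour % 2, minute=0, second=0, microsecond=0)

def find_suspicious(events, profiles):
    """Processes that hit both hosts in one 2h bin, minus signed, prevalent
    allow-listed apps; mirrors the query's summarize / where / not() steps."""
    hosts_by_key = defaultdict(set)   # (device, pid, name, bin) -> {"graph", "login"}
    sha_by_proc = {}
    for ts, device, pid, name, url, sha in events:
        url = url.lower()
        host = ("graph" if "graph.microsoft.com" in url
                else "login" if "login.microsoft.com" in url else None)
        if host is None:              # RemoteUrl filter: drop unrelated traffic
            continue
        hosts_by_key[(device, pid, name, bin_2h(ts))].add(host)
        sha_by_proc[(device, pid, name)] = sha
    hits = []
    for (device, pid, name, _), hosts in hosts_by_key.items():
        if hosts != {"graph", "login"}:   # both login and graph required
            continue
        prof = profiles.get(sha_by_proc[(device, pid, name)], {})
        benign = (name.lower() in ALLOWLIST and prof.get("SignatureState") == "SignedValid"
                  and prof.get("GlobalPrevalence", 0) > 500)
        if not benign:
            hits.append((device, pid, name))
    return hits
```

Only the unsigned updater.exe is reported: msedge.exe is dropped by the signed-and-prevalent allow-list, and sync.exe is missed because its two connections fall into different 2h bins, which is the blind spot bin() introduces when a process straddles a boundary.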

Jani Vleurinck
Released: November 10, 2024