Query Details
// Hackers Exploit Cloudflare Tunnels to Infect Windows Systems With Python Malware
// https://security.microsoft.com/intel-explorer/articles/1a2db1aa?view=description
// IOC feed: pulled at query time from the author's GitHub repository (Type, Value, Source columns)
let WeeklyOSINT = externaldata(Type:string, Value:string, Source:string)
    [h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/trycloudflare.csv'];
// Split the feed into one single-column list per indicator type
let OSINTSHA256 = WeeklyOSINT | where Type == "hash_sha256" | project Value;
let OSINTSHA1 = WeeklyOSINT | where Type == "hash_sha1" | project Value;
let OSINTMD5 = WeeklyOSINT | where Type == "hash_md5" | project Value;
let OSINTDOMAIN = WeeklyOSINT | where Type == "domain" | project Value;
let OSINTURL = WeeklyOSINT | where Type == "url" | project Value;
let OSINTIP = WeeklyOSINT | where Type == "ip" | project Value;
// Email: attachment hashes and embedded URLs/domains, last 30 days
let ScanEmailAttachments = EmailAttachmentInfo
    | where Timestamp > ago(30d)
    | where SHA256 has_any(OSINTSHA256);
let ScanEmailURLs = EmailUrlInfo
    | where Timestamp > ago(30d)
    | where UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL);
// Endpoint: newly created files matched on any of the three hash types
let ScanEndpointFiles = DeviceFileEvents
    | where Timestamp > ago(30d)
    | where ActionType == "FileCreated"
    | where MD5 has_any(OSINTMD5) or SHA1 has_any(OSINTSHA1) or SHA256 has_any(OSINTSHA256);
// Endpoint: successful connections to listed IPs/domains
let ScanEndpointNetwork1 = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where ActionType == "ConnectionSuccess"
    | where RemoteIP has_any(OSINTIP) or RemoteUrl has_any(OSINTDOMAIN);
// Endpoint: inspected HTTP connections whose Host header (inside AdditionalFields JSON) is a listed domain
let ScanEndpointNetwork2 = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where ActionType == "HttpConnectionInspected"
    | extend ConnectInfo = todynamic(AdditionalFields)
    | extend HttpHost = ConnectInfo.host
    | where HttpHost has_any(OSINTDOMAIN);
union ScanEmailAttachments, ScanEmailURLs, ScanEndpointFiles, ScanEndpointNetwork1, ScanEndpointNetwork2
This KQL (Kusto Query Language) query is written for Microsoft Defender XDR advanced hunting. It scans email and endpoint tables for indicators of compromise (IOCs) tied to the threat described in the linked Microsoft intel article: abuse of Cloudflare Tunnels (trycloudflare.com) to deliver Python-based malware to Windows systems. Here's a simplified breakdown of what the query does:
Data Source Definition: It loads a list of known threat indicators (file hashes, domains, URLs, and IP addresses) with externaldata() from a CSV file hosted in the author's GitHub repository. The file is fetched at query time, so the results depend on GitHub being reachable from the tenant and on the feed being current.
Indicator Extraction: The script splits these indicators into six lists by type: SHA256, SHA1, and MD5 hashes, domains, URLs, and IP addresses.
Email Attachment Scanning: It checks email attachments (EmailAttachmentInfo) from the last 30 days to see if any of their SHA256 hashes match the SHA256 indicator list.
Email URL Scanning: It examines URLs in emails (EmailUrlInfo) from the last 30 days to see if the URL's domain matches a domain indicator or the full URL matches a URL indicator.
Endpoint File Scanning: It looks at files created on endpoints (DeviceFileEvents with ActionType FileCreated) in the last 30 days to see if any of their hashes (MD5, SHA1, or SHA256) match the corresponding indicator list.
Endpoint Network Scanning: It runs two checks over DeviceNetworkEvents from the last 30 days. The first looks at successful connections (ActionType ConnectionSuccess) whose remote IP matches an IP indicator or whose remote URL matches a domain indicator. The second looks at inspected HTTP connections (ActionType HttpConnectionInspected), parses the AdditionalFields JSON to pull out the HTTP host, and matches that host against the domain indicators; this catches tunnel traffic where the destination IP is shared Cloudflare infrastructure but the Host header names the attacker's trycloudflare.com subdomain.
Result Compilation: Finally, it unions the results of all five scans into a single result set so that every email, file, or network event that touched a known indicator surfaces in one place for triage.
In summary, this query is a single IOC sweep that looks for signs of this specific campaign across email, file, and network activity within an organization over the last 30 days.
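To make the matching logic concrete without a Defender tenant, here is an added Python re-implementation of the same five scans run over constructed sample events. This is example code, not part of the original query or the author's repository: the IOC values, table rows, and function names (load_iocs, hunt, scan_*) are all placeholders, and KQL's term-based has_any is approximated with case-insensitive exact matching (substring matching for URLs). It shows the three behaviours the query relies on that the prose does not spell out: hash comparison must be case-insensitive, only FileCreated and ConnectionSuccess events count, and the HTTP host has to be parsed out of the AdditionalFields JSON.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed IOC feed in the three-column shape the query's externaldata() reads.
# Every value is a placeholder (RFC 5737 IP, invented hashes), not a real indicator.
IOC_CSV = """Type,Value,Source
hash_sha256,6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b,constructed
hash_md5,c4ca4238a0b923820dcc509a6f75849b,constructed
domain,example-tunnel.trycloudflare.com,constructed
url,https://example-tunnel.trycloudflare.com/payload.bat,constructed
ip,203.0.113.10,constructed
"""
IOC_TYPES = ("hash_sha256", "hash_sha1", "hash_md5", "domain", "url", "ip")


def load_iocs(csv_text):
    """Mirror the six `let OSINT... = WeeklyOSINT | where Type == ...` lists.
    Values are lower-cased because has_any is case-insensitive and a naive == is not."""
    iocs = {t: set() for t in IOC_TYPES}
    for row in csv.DictReader(io.StringIO(csv_text)):
        t, v = row["Type"].strip(), row["Value"].strip().lower()
        if t in iocs and v:
            iocs[t].add(v)
    return iocs


def _hit(table, event, why):
    return {"Table": table, "Timestamp": event["Timestamp"], "Match": why}


def scan_email_attachments(events, iocs):
    return [_hit("EmailAttachmentInfo", e, e["SHA256"])
            for e in events if e["SHA256"].lower() in iocs["hash_sha256"]]


def scan_email_urls(events, iocs):
    # UrlDomain has_any(OSINTDOMAIN) or Url has_any(OSINTURL)
    return [_hit("EmailUrlInfo", e, e["Url"]) for e in events
            if e["UrlDomain"].lower() in iocs["domain"]
            or any(u in e["Url"].lower() for u in iocs["url"])]


def scan_file_events(events, iocs):
    hits = []
    for e in events:
        if e["ActionType"] != "FileCreated":   # the query only looks at created files
            continue
        for col, key in (("MD5", "hash_md5"), ("SHA1", "hash_sha1"), ("SHA256", "hash_sha256")):
            if e.get(col, "").lower() in iocs[key]:
                hits.append(_hit("DeviceFileEvents", e, f"{col}={e[col]}"))
                break
    return hits


def scan_network_events(events, iocs):
    """Both DeviceNetworkEvents branches: ConnectionSuccess against IP/domain lists,
    and HttpConnectionInspected with the host pulled from the AdditionalFields JSON."""
    hits = []
    for e in events:
        if e["ActionType"] == "ConnectionSuccess":
            if e.get("RemoteIP") in iocs["ip"] or e.get("RemoteUrl", "").lower() in iocs["domain"]:
                hits.append(_hit("DeviceNetworkEvents", e, e.get("RemoteUrl") or e["RemoteIP"]))
        elif e["ActionType"] == "HttpConnectionInspected":
            try:
                host = json.loads(e.get("AdditionalFields") or "{}").get("host", "")
            except json.JSONDecodeError:
                continue  # malformed blob: skip the row rather than abort the hunt
            if host.lower() in iocs["domain"]:
                hits.append(_hit("DeviceNetworkEvents", e, host))
    return hits


def hunt(tables, iocs, now, lookback_days=30):
    """Union of the five scans, restricted to the query's Timestamp > ago(30d) window."""
    cutoff = now - timedelta(days=lookback_days)
    recent = lambda rows: [r for r in rows if datetime.fromisoformat(r["Timestamp"]) >= cutoff]
    return (scan_email_attachments(recent(tables.get("EmailAttachmentInfo", [])), iocs)
            + scan_email_urls(recent(tables.get("EmailUrlInfo", [])), iocs)
            + scan_file_events(recent(tables.get("DeviceFileEvents", [])), iocs)
            + scan_network_events(recent(tables.get("DeviceNetworkEvents", [])), iocs))


# Constructed sample rows; the hash case, old timestamp, and non-matching ActionTypes
# are there to exercise the filters. Expected: 5 hits (1 email attachment, 1 email URL,
# 1 file, 2 network).
NOW = datetime(2025, 6, 27, tzinfo=timezone.utc)
SAMPLE_TABLES = {
    "EmailAttachmentInfo": [
        {"Timestamp": "2025-06-20T10:00:00+00:00",
         "SHA256": "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B"}],
    "EmailUrlInfo": [
        {"Timestamp": "2025-06-21T08:00:00+00:00", "UrlDomain": "example-tunnel.trycloudflare.com",
         "Url": "https://example-tunnel.trycloudflare.com/payload.bat"},
        {"Timestamp": "2025-06-21T08:05:00+00:00", "UrlDomain": "www.example.org",
         "Url": "https://www.example.org/"}],
    "DeviceFileEvents": [
        {"Timestamp": "2025-06-25T12:00:00+00:00", "ActionType": "FileCreated",
         "MD5": "c4ca4238a0b923820dcc509a6f75849b", "SHA1": "", "SHA256": ""},
        {"Timestamp": "2025-04-01T12:00:00+00:00", "ActionType": "FileCreated",
         "MD5": "c4ca4238a0b923820dcc509a6f75849b", "SHA1": "", "SHA256": ""},
        {"Timestamp": "2025-06-25T12:01:00+00:00", "ActionType": "FileDeleted",
         "MD5": "c4ca4238a0b923820dcc509a6f75849b", "SHA1": "", "SHA256": ""}],
    "DeviceNetworkEvents": [
        {"Timestamp": "2025-06-26T09:00:00+00:00", "ActionType": "ConnectionSuccess",
         "RemoteIP": "203.0.113.10", "RemoteUrl": ""},
        {"Timestamp": "2025-06-26T09:00:01+00:00", "ActionType": "HttpConnectionInspected",
         "RemoteIP": "198.51.100.7",
         "AdditionalFields": '{"direction":"Out","host":"EXAMPLE-tunnel.trycloudflare.com","method":"GET"}'},
        {"Timestamp": "2025-06-26T09:00:02+00:00", "ActionType": "ConnectionFailed",
         "RemoteIP": "203.0.113.10", "RemoteUrl": ""}],
}

if __name__ == "__main__":
    for h in hunt(SAMPLE_TABLES, load_iocs(IOC_CSV), NOW):
        print(h)
```

The HttpConnectionInspected row is the interesting one: its RemoteIP is not in the feed at all, and it is only caught because the Host header inside AdditionalFields names the tunnel subdomain. That is exactly why the query's second network branch exists alongside the IP/domain check on ConnectionSuccess.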

Steven Lim
Released: June 27, 2025