High Precision KQL To Detect Muddy Water Bug Sleep Backdoor
Query
// High Precision KQL to detect MuddyWater BugSleep Backdoor
// https://www.linkedin.com/posts/activity-7219263422280945664-JfyY/
let DeviceAccessIOCDomain =
DeviceFileEvents
| where TimeGenerated > (90d)
| where ActionType == "FileCreated"
| where FileOriginUrl contains "egnyte.com" and FileName contains "zip"
| distinct DeviceName;
let DevicewithScheduledTask =
DeviceEvents
| where ActionType == "ScheduledTaskCreated"
| where DeviceName has_any(DeviceAccessIOCDomain)
| distinct DeviceName;
DeviceNetworkEvents
| where RemoteIP == "146.19.143.14" or RemoteIP == "91.235.234.202" or RemoteIP == "85.239.61.97"
| where DeviceName has_any(DevicewithScheduledTask)
// CheckPoint: New Bugsleep backdoor deployed in recent MuddyWater Campaigns
// Link: https://lnkd.in/grK6knuU
// MITRE ATT&CK Mapping
// File Creation with Specific Origin and Name:
// Technique: T1071.001 - Application Layer Protocol: Web Protocols
// Description: The query looks for files created from a specific URL (egnyte.com) and with a specific file type (zip). This can be associated with data exfiltration or staging.
// Scheduled Task Creation:
// Technique: T1053.005 - Scheduled Task/Job: Scheduled Task
// Description: The query identifies devices where a scheduled task has been created. This is a common persistence mechanism used by adversaries.
// Network Communication with Specific IPs:
// Technique: T1071.001 - Application Layer Protocol: Web Protocols
// Description: The query filters network events for communication with specific IP addresses. This can be indicative of command and control (C2) communication.Explanation
This KQL query is designed to detect a specific type of cyber threat known as the MuddyWater BugSleep backdoor. Here's a simplified breakdown of what the query does:
-
File Creation Detection:
- It looks for devices where a file was created in the last 90 days.
- The file must have originated from a URL containing "egnyte.com" and have a ".zip" extension.
- This step helps identify potential data exfiltration or staging activities.
-
Scheduled Task Detection:
- It checks for devices where a scheduled task has been created.
- Only devices identified in the previous step (where the suspicious file was created) are considered.
- Creating scheduled tasks is a common method used by attackers to maintain persistence on a compromised system.
-
Network Communication Monitoring:
- It examines network events for communication with specific IP addresses (146.19.143.14, 91.235.234.202, 85.239.61.97).
- Only devices identified in the previous step (with the suspicious scheduled task) are considered.
- Communication with these IPs may indicate command and control (C2) activity, which is a sign of an active backdoor.
Overall, the query is designed to identify devices that have potentially been compromised by the MuddyWater BugSleep backdoor by looking for specific file creation, task scheduling, and network communication patterns.
