Query Details

High Precision KQL To Detect Muddy Water Bug Sleep Backdoor

Query

// High Precision KQL to detect MuddyWater BugSleep Backdoor
// https://www.linkedin.com/posts/activity-7219263422280945664-JfyY/

// Stage 1: devices that, in the last 90 days, created a zip-like file downloaded from egnyte.com
let DeviceAccessIOCDomain =
DeviceFileEvents
| where TimeGenerated > ago(90d)   // ago() is required; a bare (90d) is a timespan, not a datetime
| where ActionType == "FileCreated"
| where FileOriginUrl contains "egnyte.com" and FileName contains "zip"   // contains is case-insensitive
| distinct DeviceName;
// Stage 2: of those devices, the ones that also registered a scheduled task
let DevicewithScheduledTask =
DeviceEvents
| where ActionType == "ScheduledTaskCreated"
| where DeviceName has_any(DeviceAccessIOCDomain)   // has_any accepts a tabular expression; use "in" for exact-match only
| distinct DeviceName;
// Stage 3: of those devices, network events to the reported BugSleep C2 IPs
DeviceNetworkEvents
| where RemoteIP == "146.19.143.14" or RemoteIP == "91.235.234.202" or RemoteIP == "85.239.61.97"
| where DeviceName has_any(DevicewithScheduledTask)

// CheckPoint: New Bugsleep backdoor deployed in recent MuddyWater Campaigns
// Link: https://lnkd.in/grK6knuU

Explanation

This KQL (Kusto Query Language) query is designed to detect the presence of the MuddyWater BugSleep backdoor on devices within a network. Here's a simplified breakdown of what the query does:

  1. Identify Devices with Suspicious File Creation:

    • It looks at file events from the past 90 days.
    • It filters for events where a file was created.
    • It further narrows down to files originating from "egnyte.com" whose name contains "zip" (a substring match, which covers ".zip" archives).
    • It collects the names of devices where such files were created.
  2. Identify Devices with Scheduled Tasks:

    • It checks for events where a scheduled task was created.
    • It filters these events to include only those devices identified in the first step.
    • It collects the names of these devices.
  3. Identify Network Events from Specific IPs:

    • It looks at network events.
    • It filters for events involving specific remote IP addresses known to be associated with the MuddyWater campaign.
    • It further narrows down to events from devices identified in the second step.

In summary, the query identifies devices that have downloaded suspicious files, created scheduled tasks, and communicated with known malicious IP addresses, which could indicate the presence of the BugSleep backdoor associated with the MuddyWater campaign.
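The three-stage narrowing above can be exercised offline. The following Python is an added example, not the author's query or any Microsoft code: it re-implements the same correlation (IOC download in the 90-day window, then scheduled task, then C2 traffic) over constructed sample telemetry whose field names mirror the Device* tables, with the IOC domain and IPs taken from the query on this page. Each stage is a function, so the reader can see which sample device survives each filter and why.

```python
from datetime import datetime, timedelta, timezone

# IOC values as they appear in the KQL query on this page
IOC_REMOTE_IPS = {"146.19.143.14", "91.235.234.202", "85.239.61.97"}
IOC_ORIGIN_DOMAIN = "egnyte.com"

# Constructed sample telemetry (not real logs). Field names mirror the
# DeviceFileEvents / DeviceEvents / DeviceNetworkEvents tables.
NOW = datetime(2024, 8, 2, tzinfo=timezone.utc)

DEVICE_FILE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(days=3), "ActionType": "FileCreated",
     "DeviceName": "ws-finance-01", "FileOriginUrl": "https://acme.egnyte.com/dl/abc",
     "FileName": "invoice.zip"},                                   # matches stage 1
    {"TimeGenerated": NOW - timedelta(days=120), "ActionType": "FileCreated",
     "DeviceName": "ws-hr-02", "FileOriginUrl": "https://acme.egnyte.com/dl/def",
     "FileName": "report.zip"},                                    # outside the 90-day window
    {"TimeGenerated": NOW - timedelta(days=1), "ActionType": "FileCreated",
     "DeviceName": "ws-sales-03", "FileOriginUrl": "https://acme.egnyte.com/dl/ghi",
     "FileName": "slides.pptx"},                                   # right origin, not a zip
    {"TimeGenerated": NOW - timedelta(days=2), "ActionType": "FileModified",
     "DeviceName": "ws-it-04", "FileOriginUrl": "https://acme.egnyte.com/dl/jkl",
     "FileName": "tools.zip"},                                     # wrong ActionType
    {"TimeGenerated": NOW - timedelta(days=5), "ActionType": "FileCreated",
     "DeviceName": "ws-legal-05", "FileOriginUrl": "https://acme.egnyte.com/dl/mno",
     "FileName": "contract.zip"},                                  # matches stage 1
]

DEVICE_EVENTS = [
    {"ActionType": "ScheduledTaskCreated", "DeviceName": "ws-finance-01"},
    {"ActionType": "ScheduledTaskCreated", "DeviceName": "ws-hr-02"},  # never passed stage 1
    {"ActionType": "ProcessCreated", "DeviceName": "ws-legal-05"},     # no task created
]

DEVICE_NETWORK_EVENTS = [
    {"DeviceName": "ws-finance-01", "RemoteIP": "146.19.143.14"},  # survives all three stages
    {"DeviceName": "ws-hr-02", "RemoteIP": "91.235.234.202"},      # dropped at stage 1
    {"DeviceName": "ws-legal-05", "RemoteIP": "85.239.61.97"},     # dropped at stage 2
    {"DeviceName": "ws-finance-01", "RemoteIP": "8.8.8.8"},        # not an IOC address
]


def devices_with_ioc_download(file_events, now=NOW, window=timedelta(days=90)):
    """Stage 1: distinct devices that created a zip-like file fetched from the
    IOC domain inside the look-back window. KQL 'contains' is case-insensitive,
    so both substring checks are done on lower-cased values."""
    return {
        e["DeviceName"] for e in file_events
        if e["TimeGenerated"] > now - window
        and e["ActionType"] == "FileCreated"
        and IOC_ORIGIN_DOMAIN in e["FileOriginUrl"].lower()
        and "zip" in e["FileName"].lower()
    }


def devices_with_scheduled_task(device_events, candidates):
    """Stage 2: keep only stage-1 devices that also created a scheduled task."""
    return {
        e["DeviceName"] for e in device_events
        if e["ActionType"] == "ScheduledTaskCreated" and e["DeviceName"] in candidates
    }


def ioc_network_events(network_events, candidates):
    """Stage 3: network events from stage-2 devices to the reported C2 IPs."""
    return [
        e for e in network_events
        if e["RemoteIP"] in IOC_REMOTE_IPS and e["DeviceName"] in candidates
    ]


def detect_bugsleep(file_events, device_events, network_events, now=NOW):
    """Chain the three stages exactly as the KQL 'let' blocks do and return
    the surviving network events (the rows the query would emit)."""
    stage1 = devices_with_ioc_download(file_events, now)
    stage2 = devices_with_scheduled_task(device_events, stage1)
    return ioc_network_events(network_events, stage2)


if __name__ == "__main__":
    for hit in detect_bugsleep(DEVICE_FILE_EVENTS, DEVICE_EVENTS, DEVICE_NETWORK_EVENTS):
        print(f"{hit['DeviceName']} -> {hit['RemoteIP']}")
```

Running it prints a single hit for ws-finance-01; ws-hr-02 and ws-legal-05 both contact an IOC address but are filtered out earlier in the chain, which is what makes the query "high precision": a lone C2 connection (or a lone Egnyte download) on its own does not fire.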

Details

Steven Lim

Released: August 2, 2024

Tables

DeviceFileEvents, DeviceEvents, DeviceNetworkEvents

Keywords

DeviceFileEvents, DeviceEvents, DeviceNetworkEvents, DeviceName, TimeGenerated, ActionType, FileOriginUrl, FileName, RemoteIP

Operators

let, |, >, ( ), ==, contains, and, distinct, has_any, or