Query Details

Hunting DragonForce With ANY.RUN Threat Intelligence

Query

// Hunting DragonForce with ANY.RUN Threat Intelligence

let WeeklyOSINT=externaldata(Type:string, Value:string, Source:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/DragonForce_AnyRun.csv'];
let OSINTSHA256 =
WeeklyOSINT
| where Type == "hash_sha256"
| project Value;
let ScanEmailAttachments =
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SHA256 has_any(OSINTSHA256);
let ScanEndpointFiles =
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where SHA256 has_any(OSINTSHA256);
union ScanEmailAttachments, ScanEndpointFiles

Explanation

This query is designed to detect potential threats from a group called DragonForce using threat intelligence data from ANY.RUN. Here's a simplified breakdown:

  1. Data Import: It starts by importing threat intelligence data from an external CSV file hosted on GitHub. This file contains information about various indicators of compromise (IOCs), such as file hashes.

  2. Filter for SHA256 Hashes: From the imported data, it specifically extracts SHA256 hash values, which are unique identifiers for files.

  3. Scan Email Attachments: It checks email attachments from the last 30 days to see if any of them have a SHA256 hash that matches the ones from the threat intelligence data.

  4. Scan Endpoint Files: Similarly, it examines files created on devices in the last 30 days to see if their SHA256 hashes match any from the threat intelligence data.

  5. Combine Results: Finally, it combines the results from both email attachments and endpoint file scans to provide a comprehensive view of potential threats related to DragonForce.

In essence, this query helps identify suspicious files associated with DragonForce by comparing recent email attachments and files on devices against known threat indicators.
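The same five steps, written out as an offline Python model so the matching logic can be checked against constructed data. This is an added example, not the author's query or ANY.RUN's feed: the CSV text, hash values, table rows, timestamps and the helper names (load_sha256_iocs, match_events, hunt) are all constructed placeholders. It also makes two choices explicit that the KQL leaves implicit: hashes are compared as exact, case-normalised values (the equivalent of a KQL `in` lookup rather than term search), and feed rows that are not well-formed SHA256 values are dropped rather than silently matching nothing.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def load_sha256_iocs(feed_csv: str) -> set[str]:
    """Steps 1-2: parse the Type/Value/Source feed and keep only SHA256 rows.

    Values are lower-cased and validated so that an upper-case or malformed
    feed row cannot cause a silent miss (an assumption about feed hygiene,
    not something the page states)."""
    iocs = set()
    for row in csv.DictReader(io.StringIO(feed_csv)):
        if row.get("Type") != "hash_sha256":
            continue
        value = (row.get("Value") or "").strip().lower()
        if HEX64.match(value):
            iocs.add(value)
    return iocs


def match_events(events, iocs, now, window_days=30, action_type=None):
    """Exact-match SHA256 against the IOC set inside the lookback window.

    Mirrors `where Timestamp > ago(30d)` plus the hash filter, using a set
    lookup (KQL `in` semantics) and an optional ActionType filter for the
    DeviceFileEvents branch."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for ev in events:
        if ev["Timestamp"] <= cutoff:
            continue
        if action_type is not None and ev.get("ActionType") != action_type:
            continue
        if ev["SHA256"].lower() in iocs:
            hits.append(ev)
    return hits


def hunt(feed_csv, email_attachments, device_file_events, now):
    """Steps 3-5: scan both sources and union the results with a table label."""
    iocs = load_sha256_iocs(feed_csv)
    results = []
    for ev in match_events(email_attachments, iocs, now):
        results.append({"Table": "EmailAttachmentInfo", **ev})
    for ev in match_events(device_file_events, iocs, now, action_type="FileCreated"):
        results.append({"Table": "DeviceFileEvents", **ev})
    return results


# Constructed placeholder hashes; none of these is a real DragonForce indicator.
IOC_A = "a1" * 32
IOC_B = "b2" * 32
BENIGN = "c3" * 32

# Constructed stand-in for the feed, using the Type/Value/Source columns the
# query's externaldata() schema declares.
FEED_CSV = (
    "Type,Value,Source\n"
    f"hash_sha256,{IOC_A.upper()},ANY.RUN\n"        # upper-case row, must still match
    f"hash_sha256,{IOC_B},ANY.RUN\n"
    "domain,dragonforce.example.invalid,ANY.RUN\n"  # non-hash row, ignored
    "hash_sha256,not-a-hash,ANY.RUN\n"              # malformed row, ignored
)

NOW = datetime(2025, 5, 29, tzinfo=timezone.utc)

# Constructed EmailAttachmentInfo rows.
EMAIL_ATTACHMENTS = [
    {"Timestamp": NOW - timedelta(days=2), "FileName": "invoice.zip", "SHA256": IOC_A},
    {"Timestamp": NOW - timedelta(days=40), "FileName": "old.zip", "SHA256": IOC_B},  # outside 30d
    {"Timestamp": NOW - timedelta(days=1), "FileName": "report.pdf", "SHA256": BENIGN},
]

# Constructed DeviceFileEvents rows.
DEVICE_FILE_EVENTS = [
    {"Timestamp": NOW - timedelta(hours=5), "ActionType": "FileCreated",
     "DeviceName": "ws01", "FileName": "loader.exe", "SHA256": IOC_B.upper()},
    {"Timestamp": NOW - timedelta(hours=4), "ActionType": "FileModified",  # wrong ActionType
     "DeviceName": "ws01", "FileName": "loader.exe", "SHA256": IOC_B},
    {"Timestamp": NOW - timedelta(hours=3), "ActionType": "FileCreated",
     "DeviceName": "ws02", "FileName": "notes.txt", "SHA256": BENIGN},
]

if __name__ == "__main__":
    for hit in hunt(FEED_CSV, EMAIL_ATTACHMENTS, DEVICE_FILE_EVENTS, NOW):
        print(hit["Table"], hit["FileName"], hit["SHA256"][:12])
```

Run as a script it reports two hits, one from each source; the 40-day-old attachment and the FileModified event are excluded for the same reasons the KQL excludes them. Carrying a Table label through the union is a small addition the original query does not make, but it is what an analyst needs to triage a hit back to the right telemetry source.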

Details


Steven Lim

Released: May 29, 2025

Tables

WeeklyOSINT, EmailAttachmentInfo, DeviceFileEvents

Keywords

WeeklyOSINT, EmailAttachmentInfo, DeviceFileEvents

Operators

let, externaldata, h'https://', where, ==, project, |, >, ago, has_any, union
