Query Details
// Hunting VEILDrive C2
// https://www.hunters.security/en/blog/veildrive-microsoft-services-malware-c2
// The analysis of ROMServer.exe using SHA256 FileProfile() revealed that the binary was first detected on September 30 and last observed on October 17, affecting 7 MDE organizations globally. According to Defender XDR data, 22 out of 72 security vendors (approximately 30%) have identified this binary.
// If you are using Sentinel, the following Hunting KQL query can help determine if your organization's endpoints are impacted by VEILDrive.
DeviceNetworkEvents
| where TimeGenerated > ago(90d) // 30 Sep First Seen and Oct 17 Last Seen; widen or use an explicit range when running after mid-January 2025
| where ActionType == @"HttpConnectionInspected"
| extend Host = tostring(parse_json(AdditionalFields)["host"])
| extend Direction = tostring(parse_json(AdditionalFields)["direction"])
| where Direction == "Out" and Host has "safeshift390-my.sharepoint.com"
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, Host, Direction
// MITRE ATT&CK technique T1071.001: Application Layer Protocol: Web Protocols
This query is designed to help identify if your organization's endpoints have been impacted by the VEILDrive malware, specifically by checking for suspicious network activity related to the malware's command and control (C2) communication.
Here's a breakdown of what the query does:
Data Source: It examines network events from devices (DeviceNetworkEvents).
Time Frame: It looks at events from the past 90 days. Counted from the query's release date (November 6, 2024) that window covers September 30 to October 17, when the malware was first and last observed; ago(90d) is relative to when the query runs, so if you run it later, extend the lookback or replace it with an explicit between(datetime(2024-09-30) .. datetime(2024-10-17)) range.
Action Type: It filters the events to only include those where HTTP connections were inspected (ActionType == "HttpConnectionInspected").
Extracting Information: It extracts the host and direction information from the AdditionalFields column using JSON parsing.
Filtering Criteria: It further filters the events to include only outbound connections (Direction == "Out") whose host matches "safeshift390-my.sharepoint.com", a OneDrive for Business host (the *-my.sharepoint.com pattern) that the referenced analysis ties to the malware's C2 activity. The has operator is case-insensitive and matches on whole terms, so a different tenant such as contoso-my.sharepoint.com does not match, while the same host in mixed case does.
Context: The query is related to the MITRE ATT&CK technique T1071.001, which involves using web protocols for communication.
In simple terms, this query helps you check if any devices in your organization have made suspicious outbound connections to a known malicious host, potentially indicating a VEILDrive malware infection. Note that it only covers connections Defender recorded as HttpConnectionInspected; a connection to the same host logged under another action type (for example ConnectionSuccess, where the host appears in RemoteUrl) is not returned, so a hit-free result is not proof of absence. Any hit should be triaged together with the initiating process that made the connection.
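To see exactly which rows the query keeps and which it drops, the following added example (not part of the original page or the Hunters analysis) re-implements the same filters in Python and runs them over a handful of constructed rows shaped like DeviceNetworkEvents. The rows, device names and timestamps are invented for illustration; the only indicator is the host from the query above. An exact, case-insensitive comparison of the whole host name stands in for KQL's has operator here, and a row whose AdditionalFields is not valid JSON is dropped, as parse_json() returning null would drop it in Sentinel.

```python
import json
from datetime import datetime, timedelta, timezone

# Indicator taken from the hunting query on this page.
C2_HOST = "safeshift390-my.sharepoint.com"

# Constructed sample rows shaped like Sentinel DeviceNetworkEvents (not real telemetry).
# AdditionalFields is a JSON string, as in the real table; other fields are plain columns.
SAMPLE_EVENTS = [
    # ws01: outbound inspected HTTP to the C2 host inside the window -> should match
    {"TimeGenerated": "2024-10-03T09:12:44Z", "DeviceName": "ws01",
     "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"direction": "Out", "host": "safeshift390-my.sharepoint.com"})},
    # ws02: same host in mixed case -> KQL `has` is case-insensitive, so this matches too
    {"TimeGenerated": "2024-10-15T17:40:01Z", "DeviceName": "ws02",
     "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"direction": "Out", "host": "SafeShift390-my.SharePoint.com"})},
    # ws03: inbound direction -> removed by Direction == "Out"
    {"TimeGenerated": "2024-10-05T11:00:00Z", "DeviceName": "ws03",
     "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"direction": "In", "host": "safeshift390-my.sharepoint.com"})},
    # ws04: a different tenant of the same cloud service -> benign, must not match
    {"TimeGenerated": "2024-10-06T08:30:00Z", "DeviceName": "ws04",
     "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"direction": "Out", "host": "contoso-my.sharepoint.com"})},
    # ws05: TCP-level event to the host; the query only looks at HttpConnectionInspected, so it is missed
    {"TimeGenerated": "2024-10-07T12:00:00Z", "DeviceName": "ws05",
     "ActionType": "ConnectionSuccess", "RemoteUrl": "safeshift390-my.sharepoint.com",
     "AdditionalFields": ""},
    # ws06: matching host but older than 90 days relative to the run date -> outside the window
    {"TimeGenerated": "2024-07-01T12:00:00Z", "DeviceName": "ws06",
     "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"direction": "Out", "host": "safeshift390-my.sharepoint.com"})},
    # ws07: malformed AdditionalFields; parse_json() yields null in KQL, so the row drops out
    {"TimeGenerated": "2024-10-08T12:00:00Z", "DeviceName": "ws07",
     "ActionType": "HttpConnectionInspected", "AdditionalFields": "{not json"},
]


def parse_additional_fields(raw):
    """Mimic parse_json(): return a dict, or an empty dict when the field is not a JSON object."""
    try:
        parsed = json.loads(raw) if raw else None
    except (TypeError, ValueError):
        parsed = None
    return parsed if isinstance(parsed, dict) else {}


def parse_time(value):
    """TimeGenerated values in the sample rows are ISO 8601 UTC strings."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt_veildrive(events, now, lookback_days=90, c2_host=C2_HOST):
    """Apply the same filters as the KQL query and return the matching rows.

    The host check is an exact, case-insensitive comparison of the whole host name,
    a stand-in for KQL `has` (case-insensitive, term based) for this indicator.
    """
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for ev in events:
        if parse_time(ev["TimeGenerated"]) <= cutoff:
            continue                                        # | where TimeGenerated > ago(90d)
        if ev.get("ActionType") != "HttpConnectionInspected":
            continue                                        # | where ActionType == @"HttpConnectionInspected"
        fields = parse_additional_fields(ev.get("AdditionalFields"))
        host = str(fields.get("host", "")).lower()          # | extend Host = parse_json(AdditionalFields)["host"]
        direction = fields.get("direction")                 # | extend Direction = parse_json(AdditionalFields)["direction"]
        if direction == "Out" and host == c2_host.lower():  # | where Direction == "Out" and Host has "..."
            hits.append({"DeviceName": ev["DeviceName"],
                         "TimeGenerated": ev["TimeGenerated"],
                         "Host": host})
    return hits


if __name__ == "__main__":
    # Evaluate as of the query's release date so ago(90d) covers the 30 Sep to 17 Oct period.
    for hit in hunt_veildrive(SAMPLE_EVENTS, now=parse_time("2024-11-06T00:00:00Z")):
        print(hit)
```

Run as of November 6, 2024 the function returns ws01 and ws02 only. Running the same rows as of mid-January 2025 returns nothing, because the 90-day window has moved past October 17; that is the reason the query's relative time window needs widening when it is reused later.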

Steven Lim
Released: November 6, 2024