Query Details

Identify Hotspot Connections Shared Via iPhone

Query

**Identify Hotspot connections shared via iPhone**

Networks shared from phones whose names contain keywords such as "FREE", "AIRPORT", "OPEN" or "HOTEL" can be potential Evil Twin attacks, in which a malicious actor intercepts network traffic, steals login credentials, captures sensitive data, or launches further attacks such as Man-in-the-Middle (MitM).
This KQL query identifies connections that were shared by an iPhone. It relies on the fact that an iPhone assigns a fixed default gateway, "172.20.10.1", to clients when it shares its connection.

```kusto
DeviceNetworkInfo
// Step 1: default gateway handed out by an iPhone when sharing its connection
| where DefaultGateways has "172.20.10.1"
// Step 2: name of the first connected network
| extend Network_Name = tostring(parse_json(ConnectedNetworks)[0]["Name"])
| where isnotempty(Network_Name)
// Step 3: keyword filter; 'contains' is case-insensitive, so "FREE" and "free" both match
| where Network_Name contains "Free" or Network_Name contains "Open" or Network_Name contains "Airport" or Network_Name contains "hotel"
// Step 4: one row per IP address assigned to the adapter
| extend IP_info = parse_json(IPAddresses)
| mv-expand IP_info
| extend Ip_Received = tostring(IP_info.IPAddress)
| extend IP_Type = tostring(IP_info.AddressType)
| extend geo_ip = tostring(geo_info_from_ip_address(Ip_Received).country)
// Step 5: distinct combinations of network, IP and adapter details
| summarize by Network_Name, DefaultGateways, Ip_Received, IP_Type, geo_ip, DnsAddresses, DeviceName, NetworkAdapterName, NetworkAdapterStatus, NetworkAdapterType, NetworkAdapterVendor
```

Explanation

This KQL query is designed to identify potentially suspicious network connections shared via iPhones, which could be indicative of an Evil Twin Attack. Here's a simplified breakdown of what the query does:

  1. Filter for iPhone Hotspots: It starts by looking for network connections where the default gateway is "172.20.10.1", the gateway address an iPhone assigns to clients when sharing its internet connection.

  2. Extract Network Name: It extracts the name of the connected network from the device's network information.

  3. Filter for Suspicious Names: The query checks if the network name contains keywords like "Free", "Open", "Airport", or "Hotel". These names are often used by malicious actors to trick users into connecting to fake networks.

  4. Expand IP Information: It processes the IP addresses associated with the connection, extracting details like the IP address itself, its type, and the geographical location based on the IP.

  5. Summarize Results: Finally, it summarizes the findings by listing details such as the network name, IP address, geographical location, DNS addresses, device name, and network adapter information.

Overall, this query helps in detecting potentially malicious network connections shared via iPhones, which could be used for intercepting data or launching further attacks.
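The same five steps expressed outside Kusto, as an added Python example that is not part of the original query: it runs the gateway, network-name, keyword and per-IP expansion logic over constructed rows shaped like DeviceNetworkInfo (JSON-string columns as exported from the table). The geo lookup is omitted because it needs an external IP database.

```python
import json

# iPhone hotspot default gateway, as used by the KQL query above
IPHONE_HOTSPOT_GATEWAY = "172.20.10.1"
# Matched case-insensitively, mirroring KQL 'contains'
SUSPICIOUS_KEYWORDS = ("free", "open", "airport", "hotel")

# Constructed sample rows in the shape of DeviceNetworkInfo; all values are made up
SAMPLE_ROWS = [
    {"DeviceName": "laptop-01",
     "DefaultGateways": '["172.20.10.1"]',
     "ConnectedNetworks": '[{"Name":"Free_Airport_WiFi","Category":"Public"}]',
     "IPAddresses": '[{"IPAddress":"172.20.10.4","AddressType":"Private"},'
                    '{"IPAddress":"fe80::1c2b:3d4e:5f60:7a8b","AddressType":"LinkLocal"}]'},
    {"DeviceName": "laptop-02",                      # iPhone hotspot, but benign name
     "DefaultGateways": '["172.20.10.1"]',
     "ConnectedNetworks": '[{"Name":"Alices iPhone","Category":"Private"}]',
     "IPAddresses": '[{"IPAddress":"172.20.10.7","AddressType":"Private"}]'},
    {"DeviceName": "desktop-03",                     # suspicious name, not an iPhone gateway
     "DefaultGateways": '["192.168.1.1"]',
     "ConnectedNetworks": '[{"Name":"Hotel_Guest","Category":"Public"}]',
     "IPAddresses": '[{"IPAddress":"192.168.1.20","AddressType":"Private"}]'},
]


def find_suspicious_hotspots(rows):
    """Return one record per (device, network, IP), like the query's summarize output."""
    hits = []
    for row in rows:
        # Step 1: the iPhone gateway must be one of the adapter's default gateways
        gateways = json.loads(row.get("DefaultGateways") or "[]")
        if IPHONE_HOTSPOT_GATEWAY not in gateways:
            continue
        # Step 2: name of the first connected network (ConnectedNetworks[0].Name)
        networks = json.loads(row.get("ConnectedNetworks") or "[]")
        name = (networks[0].get("Name") or "") if networks else ""
        if not name:
            continue
        # Step 3: case-insensitive keyword match
        if not any(k in name.lower() for k in SUSPICIOUS_KEYWORDS):
            continue
        # Step 4: one row per assigned IP address (the mv-expand)
        for ip in json.loads(row.get("IPAddresses") or "[]"):
            hits.append({"DeviceName": row["DeviceName"], "Network_Name": name,
                         "Ip_Received": ip.get("IPAddress", ""),
                         "IP_Type": ip.get("AddressType", "")})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_hotspots(SAMPLE_ROWS):
        print(hit)
```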

Details

Sergio Albea

Released: March 26, 2025

Tables

DeviceNetworkInfo

Keywords

DeviceNetworkInfo, NetworkName, IPInfo, IPAddress, IPType, GeoIP, DnsAddresses, DeviceName, NetworkAdapterName, NetworkAdapterStatus, NetworkAdapterType, NetworkAdapterVendor

Operators

DeviceNetworkInfo, where, has, extend, tostring, parse_json, isnotempty, todynamic, mv-expand, geo_info_from_ip_address, contains, summarize, by