Query Details

KQL To Detect If Polyfill Malicious Payload Was Loaded

Query

// KQL to detect if Polyfill malicious payload was loaded
// https://www.linkedin.com/posts/activity-7211650346522173440-988L/

// Polyfill supply chain attack hits 100K+ sites. polyfill.js is a popular open-source library for supporting older browsers; 100K+ sites embed it via the cdn.polyfill.io domain.

DeviceNetworkEvents
| where ActionType == @"HttpConnectionInspected"
// AdditionalFields is a JSON string; parse it so its properties can be addressed
| extend ConnectInfo = todynamic(AdditionalFields)
// tostring() makes the comparison below an explicit string match instead of a match on a dynamic value
| extend HttpHost = tostring(ConnectInfo.host)
// contains is a case-insensitive substring match, so www. and other subdomains of the IOC domains are covered
| where HttpHost contains "googie-anaiytics.com" or HttpHost contains "kuurza.com"
// keep the columns needed to triage a hit: which device, which process, and where it went
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl, HttpHost

Explanation

This KQL (Kusto Query Language) query checks Microsoft Defender for Endpoint network telemetry for connections to the domains that served the malicious payload of the Polyfill supply chain attack. Step by step:

  1. Data Source: It reads DeviceNetworkEvents, the advanced hunting table of network connections observed on onboarded devices.
  2. Filter by Action Type: It keeps only events whose ActionType is HttpConnectionInspected, the events in which the HTTP request itself was inspected and the requested host is therefore recorded.
  3. Extract Additional Fields: AdditionalFields is a JSON string; todynamic() parses it into a dynamic object stored in a new column, ConnectInfo.
  4. Extract Host Information: From ConnectInfo it takes the host property and stores it as a string in a new column, HttpHost.
  5. Check for Malicious Hosts: It keeps rows whose HttpHost contains "googie-anaiytics.com" (a typosquat of google-analytics.com) or "kuurza.com", the two hosts identified as serving the malicious payload. contains is case-insensitive and matches substrings, so subdomains such as www.googie-anaiytics.com are caught, but so would any unrelated host name that happens to contain one of those strings.

In essence, the query looks for network connections to the specific domains known to be associated with the Polyfill supply chain attack. A hit means a device reached one of the payload hosts, most likely because a browser on it rendered a page that embedded the compromised cdn.polyfill.io script, and the device and process in the result are the starting point for triage. No hits only covers traffic that was actually inspected and recorded as HttpConnectionInspected; it is not proof that the script never loaded.
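The same detection logic, re-implemented in Python and run over constructed DeviceNetworkEvents rows so the behaviour of each step can be checked offline. This is an added example, not part of the original query or of Steven Lim's post; the sample rows and their IP addresses are made up, and only the two IOC domains come from the query. It also shows a stricter host match (exact domain or subdomain) beside the substring match that KQL contains performs, so the difference on a host such as notkuurza.com is visible.

```python
"""Offline re-implementation of the KQL detection above (added example).

The events below are constructed to look like DeviceNetworkEvents rows; they
are not real telemetry.  The IOC list is the one used in the query.
"""
import json
from typing import Any, Dict, List, Sequence

# The two indicators named in the query (typosquat of google-analytics.com, and kuurza.com).
POLYFILL_IOCS: Sequence[str] = ("googie-anaiytics.com", "kuurza.com")

# Constructed sample rows shaped like DeviceNetworkEvents.  AdditionalFields is a
# JSON string, exactly as the table stores it; one row carries a damaged value.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"Timestamp": "2024-06-26T10:01:02Z", "DeviceName": "ws01", "RemoteIP": "203.0.113.10",
     "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"host": "www.googie-anaiytics.com", "method": "GET"})},
    {"Timestamp": "2024-06-26T10:01:03Z", "DeviceName": "ws01", "RemoteIP": "203.0.113.11",
     "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"host": "KUURZA.COM:443", "method": "GET"})},
    {"Timestamp": "2024-06-26T10:02:00Z", "DeviceName": "ws02", "RemoteIP": "203.0.113.12",
     "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"host": "www.google-analytics.com", "method": "GET"})},
    {"Timestamp": "2024-06-26T10:03:00Z", "DeviceName": "ws02", "RemoteIP": "203.0.113.13",
     "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"host": "notkuurza.com", "method": "GET"})},
    {"Timestamp": "2024-06-26T10:04:00Z", "DeviceName": "ws03", "RemoteIP": "203.0.113.14",
     "ActionType": "HttpConnectionInspected",
     "AdditionalFields": "<<truncated>>"},                      # not valid JSON
    {"Timestamp": "2024-06-26T10:05:00Z", "DeviceName": "ws03", "RemoteIP": "203.0.113.10",
     "ActionType": "ConnectionSuccess", "AdditionalFields": ""},  # filtered out by ActionType
]


def _strip_port(host: str) -> str:
    """Drop a trailing :port (e.g. 'kuurza.com:443'), leaving the host name."""
    head, sep, tail = host.rpartition(":")
    return head if sep and tail.isdigit() else host


def http_host(event: Dict[str, Any]) -> str:
    """Mirror `extend ConnectInfo = todynamic(AdditionalFields)` followed by
    `extend HttpHost = tostring(ConnectInfo.host)`.

    Returns "" when AdditionalFields is not JSON or has no host, matching
    Kusto's tostring() of a null value.  The host is normalised to lower case
    so the match below is case-insensitive, as KQL contains is.
    """
    try:
        fields = json.loads(event.get("AdditionalFields") or "{}")
    except json.JSONDecodeError:
        return ""
    host = fields.get("host") if isinstance(fields, dict) else None
    if not host:
        return ""
    return _strip_port(str(host).strip().lower().rstrip("."))


def host_matches(host: str, ioc: str, strict: bool = True) -> bool:
    """strict=True: exact domain or a subdomain of the IOC.
    strict=False: substring match, the semantics of KQL `contains`."""
    if strict:
        return host == ioc or host.endswith("." + ioc)
    return ioc in host


def detect(events: List[Dict[str, Any]], iocs: Sequence[str] = POLYFILL_IOCS,
           strict: bool = True) -> List[Dict[str, Any]]:
    """Apply the query's filters and return the triage columns for each hit."""
    hits: List[Dict[str, Any]] = []
    for ev in events:
        if ev.get("ActionType") != "HttpConnectionInspected":   # where ActionType == ...
            continue
        host = http_host(ev)
        if not host:
            continue
        matched = [ioc for ioc in iocs if host_matches(host, ioc, strict)]
        if matched:
            hits.append({"Timestamp": ev.get("Timestamp"), "DeviceName": ev.get("DeviceName"),
                         "RemoteIP": ev.get("RemoteIP"), "HttpHost": host, "MatchedIOC": matched[0]})
    return hits


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
    print("substring (KQL contains) hits:", [h["HttpHost"] for h in detect(SAMPLE_EVENTS, strict=False)])
```

With the constructed rows, the strict match returns the two genuine payload hosts and ignores notkuurza.com, while the substring match (what the KQL query does) returns all three; the malformed AdditionalFields row and the non-HTTP event are skipped rather than raising. If the substring behaviour produces noise in a real tenant, the KQL equivalent of the strict form is to compare HttpHost with `==` against the IOC and with `endswith` against "." followed by the IOC.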

Details

Steven Lim

Released: August 2, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

==, |, extend, todynamic, contains, or
