Query Details

KQL To Detect If Polyfill Malicious Payload Was Loaded

Query

// KQL to detect if Polyfill malicious payload was loaded
// https://www.linkedin.com/posts/activity-7211650346522173440-988L/

// Polyfill supply chain attack hits 100K+ sites.The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain.

// KQL to detect if Polyfill malicious payload was loaded.

DeviceNetworkEvents 
| where ActionType == @"HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where HttpHost contains "googie-anaiytics.com" or HttpHost contains "kuurza.com"

// MITRE ATT&CK Mapping

// Based on the analysis, the KQL query can be associated with the following MITRE ATT&CK techniques:

// T1071.001 - Application Layer Protocol: Web Protocols:
// The query inspects HTTP connections, which falls under the use of web protocols for communication1.
// T1071 - Application Layer Protocol:
// More broadly, the query is looking at network traffic using application layer protocols1.
// T1566.002 - Phishing: Spearphishing Link:
// The suspicious domains (“googie-anaiytics.com” and “kuurza.com”) suggest potential phishing attempts1.
// T1071.003 - Application Layer Protocol: Mail Protocols:
// If the suspicious domains are used in email communications, this technique might also be relevant1.

Explanation

This KQL query is designed to detect potential malicious activity related to a supply chain attack involving the Polyfill library. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify if a malicious payload associated with the Polyfill library was loaded on a device. This is relevant because Polyfill is widely used to support older web browsers, and a compromised version could affect many websites.

  2. Data Source: It examines network events on devices, specifically looking at HTTP connections.

  3. Key Actions:

    • It filters network events to find those where the action type is "HttpConnectionInspected".
    • It extracts additional connection information, particularly focusing on the HTTP host involved in the connection.
    • It checks if the HTTP host contains suspicious domains, specifically "googie-anaiytics.com" or "kuurza.com". These domains are flagged as potentially malicious.
  4. Security Context:

    • The query is linked to several MITRE ATT&CK techniques, which are frameworks for understanding cyber threats:
      • T1071.001 & T1071: These relate to the use of web protocols for communication, as the query inspects HTTP connections.
      • T1566.002: This suggests the potential for phishing attempts, given the suspicious nature of the domains.
      • T1071.003: If these domains are used in email communications, it could also relate to mail protocols.

In summary, this query helps security analysts detect suspicious network activity that might indicate a supply chain attack involving the Polyfill library, focusing on specific domains known for malicious activity.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsHttpConnectionAdditionalFieldsHost

Operators

DeviceNetworkEventswhereActionTypeextendtodynamicAdditionalFieldscontainsor

Actions

GitHub