Query Details
let LivingOffTheTunnelsIOCs = externaldata(type: string, IndicatorValue: string)
    [@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Living%20Off%20The%20Tunnels%20%20IOCs.csv"]
    with (format="csv", ignoreFirstRecord=True);
let DomainList = LivingOffTheTunnelsIOCs | project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~ (DomainList)
| extend VT_domain = iff(isnotempty(RemoteUrl), strcat(@"https://www.virustotal.com/gui/domain/", RemoteUrl), RemoteUrl)
| summarize count() by RemoteUrl, VT_domain
// After hunting, visit https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs, download the CSV and consider uploading it to MDE to block all domains. Remove any results that are legitimate usage.
This KQL query is designed to identify network events involving potentially malicious domains. Here's a simple breakdown of what it does:
Load External Data: It imports a list of suspicious domain indicators from a CSV file hosted on GitHub. This list is referred to as LivingOffTheTunnelsIOCs.
Extract Domain List: It extracts the domain values from the imported data into a list called DomainList.
Filter Network Events: It searches through DeviceNetworkEvents to find any network activity from the past 90 days where the RemoteUrl (the domain contacted by a device) matches any domain in the DomainList.
Create VirusTotal Links: For each matching event, it creates a link to the VirusTotal website for further investigation of the domain.
Summarize Results: It counts the number of occurrences for each domain and provides a summary, including the VirusTotal link.
Next Steps: The comment suggests downloading the CSV file from GitHub and considering uploading it to Microsoft Defender for Endpoint (MDE) to block these domains. It also advises removing any domains that are identified as legitimate usage to avoid false positives.
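As an added example (not the original query and not from the IOC repository), the variant below uses the same feed but keeps device and process context for triage, and also counts a hit when the contacted host sits under a listed parent domain. It assumes the CSV may carry apex domains of two or three labels, and it uses the standard DeviceNetworkEvents columns DeviceName, InitiatingProcessFileName and RemoteIP.

```kql
// Added example, not the original query: same IOC feed, with device and
// process context kept for triage. Exact in~ matching on RemoteUrl misses
// subdomains of a listed parent domain (assumption: the list can hold
// apex domains of two or three labels), so the host's last two and three
// labels are checked as well.
let LivingOffTheTunnelsIOCs = externaldata(type: string, IndicatorValue: string)
    [@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Living%20Off%20The%20Tunnels%20%20IOCs.csv"]
    with (format="csv", ignoreFirstRecord=True);
// Lower-cased, trimmed indicator set as a scalar so it can be used in extend() too.
let Indicators = toscalar(
    LivingOffTheTunnelsIOCs
    | summarize make_set(tolower(trim(@"\s", IndicatorValue)), 100000));
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where isnotempty(RemoteUrl)
// RemoteUrl is usually a bare hostname; strip scheme and path if a full URL was logged.
| extend Host = tolower(iff(RemoteUrl contains "://", tostring(parse_url(RemoteUrl).Host), RemoteUrl))
// Candidate parent domains: last two and last three DNS labels of the host.
| extend Labels = split(Host, ".")
| extend Parent2 = strcat_array(array_slice(Labels, -2, -1), "."),
         Parent3 = strcat_array(array_slice(Labels, -3, -1), ".")
| where set_has_element(Indicators, Host)
     or set_has_element(Indicators, Parent2)
     or set_has_element(Indicators, Parent3)
// Record which indicator produced the match, most specific first.
| extend MatchedIndicator = case(set_has_element(Indicators, Host), Host,
                                 set_has_element(Indicators, Parent2), Parent2,
                                 Parent3)
| summarize Connections = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            RemoteIPs = make_set(RemoteIP, 20)
    by DeviceName, InitiatingProcessFileName, Host, MatchedIndicator
| extend VT_domain = strcat(@"https://www.virustotal.com/gui/domain/", MatchedIndicator)
| order by Connections desc
```

Rows whose InitiatingProcessFileName is an approved tunnelling client on a known host are the legitimate-usage entries to exclude before the list is uploaded as a block indicator.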

Jay Kerai
Released: December 30, 2024