Query Details

MDE KQL To Detect TA571 Social Engineering Abuse

Query

// MDE KQL to detect TA571 social engineering abuse
// https://www.linkedin.com/posts/activity-7208705552833478656-8xUz/

DeviceEvents
| where ActionType == "GetClipboardData"
| where InitiatingProcessFileName == "powershell.exe"

Explanation

This KQL (Kusto Query Language) query is designed to detect potential social engineering abuse by a threat actor known as TA571. Here's a simple summary of what the query does:

  1. Data Source: It looks at DeviceEvents, which is a log of various events happening on devices.
  2. Filter by Action: It filters these events to those whose action type is GetClipboardData, that is, events in which a process read data from the clipboard.
  3. Filter by Process: It further narrows down these events to those initiated by a process named powershell.exe.

In essence, this query is looking for instances where PowerShell is accessing clipboard data, which could be an indicator of malicious activity related to social engineering attacks.
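As an added illustration (not part of the original post), the Python below replays the query's two `where` filters over constructed DeviceEvents rows; the column names are the ones the query uses, while the rows, timestamps and device names are made up. It also contrasts KQL's case-sensitive `==` with the case-insensitive `=~`, which matters if the file name is not reported in lowercase.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceEvent:
    """Subset of the MDE DeviceEvents columns the query touches."""
    Timestamp: str
    DeviceName: str
    ActionType: str
    InitiatingProcessFileName: str


# Constructed sample telemetry (not real data). Only row 1 matches the query
# as written; row 2 differs only in the case of the file name.
SAMPLE_EVENTS: list[DeviceEvent] = [
    DeviceEvent("2024-08-02T09:00:01Z", "ws01", "GetClipboardData", "powershell.exe"),
    DeviceEvent("2024-08-02T09:00:05Z", "ws02", "GetClipboardData", "PowerShell.exe"),
    DeviceEvent("2024-08-02T09:01:10Z", "ws01", "GetClipboardData", "explorer.exe"),
    DeviceEvent("2024-08-02T09:02:00Z", "ws03", "SetClipboardData", "powershell.exe"),
    DeviceEvent("2024-08-02T09:03:30Z", "ws01", "ProcessCreated", "powershell.exe"),
]


def kql_eq(left: str, right: str, case_insensitive: bool = False) -> bool:
    """KQL string equality: `==` is case-sensitive, `=~` is case-insensitive."""
    if case_insensitive:
        return left.casefold() == right.casefold()
    return left == right


def detect_clipboard_read_by_powershell(
    events: list[DeviceEvent], case_insensitive: bool = False
) -> list[DeviceEvent]:
    """Equivalent of the page's query:
        DeviceEvents
        | where ActionType == "GetClipboardData"
        | where InitiatingProcessFileName == "powershell.exe"
    With case_insensitive=True both filters behave like `=~` instead of `==`.
    """
    return [
        e for e in events
        if kql_eq(e.ActionType, "GetClipboardData", case_insensitive)
        and kql_eq(e.InitiatingProcessFileName, "powershell.exe", case_insensitive)
    ]


if __name__ == "__main__":
    strict = detect_clipboard_read_by_powershell(SAMPLE_EVENTS)
    loose = detect_clipboard_read_by_powershell(SAMPLE_EVENTS, case_insensitive=True)
    print(f"== matched {len(strict)} row(s); =~ matched {len(loose)} row(s)")
```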

Details


Steven Lim

Released: August 2, 2024

Tables

DeviceEvents

Keywords

DeviceEvents, InitiatingProcessFileName, ActionType

Operators

==, |, where
