KQL Search

Query Details

HomeAI ToolsDevice Query

Ottercookie Detection

Query

// https://any.run/cybersecurity-blog/ottercookie-malware-analysis/

let QueryLookup = 1h;
let CompressData =
DeviceFileEvents
| where Timestamp > ago(QueryLookup)
| where ActionType == "FileCreated"
| where InitiatingProcessFileName has "tar"
| distinct DeviceName;
DeviceNetworkEvents
| where Timestamp > ago(QueryLookup)
| where ActionType == "HttpConnectionInspected"
| where parse_json(AdditionalFields)["direction"] == 'Out'
| where parse_json(AdditionalFields)["status_code"] == '200'
| extend GeoCtry = tostring(geo_info_from_ip_address(RemoteIP).country)
| where GeoCtry == "United States"
| where RemotePort == "1224"
| where DeviceName has_any(CompressData)

Explanation

This KQL (Kusto Query Language) query is designed to detect potential malicious activity on devices by analyzing file creation and network events. Here's a simplified explanation:

  1. Time Frame: The query looks at events from the past hour (1h).

  2. File Creation Check:

    • It examines DeviceFileEvents to find instances where a file was created (ActionType == "FileCreated").
    • It specifically looks for files created by processes with "tar" in their name, which might indicate file compression or archiving activity.
    • It collects a list of distinct device names where such file creation events occurred.

  3. Network Activity Check:

    • It examines DeviceNetworkEvents to find HTTP connections that were inspected (ActionType == "HttpConnectionInspected").
    • It filters for outgoing connections ("direction" == 'Out') with a successful status code ("status_code" == '200').
    • It further filters these events to those where the connection was made to the United States (GeoCtry == "United States") and used port 1224 (RemotePort == "1224").
    • Finally, it checks if these network events are associated with any of the devices identified in the file creation check (DeviceName has_any(CompressData)).

In summary, this query is looking for devices that have created files using a "tar" process and have also made specific outgoing HTTP connections to the United States on port 1224, which could indicate suspicious behavior related to data exfiltration or malware activity.

Details

Steven Lim profile picture

Steven Lim

Released: June 4, 2025

Tables

DeviceFileEventsDeviceNetworkEvents

Keywords

DeviceFileEventsDeviceNetworkEventsGeoInfoRemoteIPAddress

Operators

letago()|where==hasdistinctparse_json()extendtostring()geo_info_from_ip_address()has_any()

Actions