Paste And Anonymous File Transfer Sites Device Network Events
Query
let PasteLikeSitesIOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/FileTransfer%20PasteLike%20Sites.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = PasteLikeSitesIOCs
| project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~(DomainList )
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)
| summarize count() by RemoteUrl, VT_domain
// After Hunting visit https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs, download the CSV and consider uploading to MDE to block all domains. Delete any rows from the CSV that are legitimate usage. Some hits have been left in audit to prevent business impact.Explanation
This query is designed to identify network events involving potentially malicious domains, specifically those resembling pastebin-like sites. Here's a simple breakdown of what the query does:
-
Data Import: It imports a list of suspicious domain indicators from an external CSV file hosted on GitHub. This file contains domains that are considered to be paste-like sites, which are often used for sharing text and can be abused for malicious purposes.
-
Domain Extraction: It extracts the domain names from the imported data for further analysis.
-
Event Filtering: It examines network events from the last 90 days to find any instances where the remote URL matches one of the suspicious domains from the list.
-
VirusTotal Link Creation: For each matching event, it creates a link to VirusTotal, a service that provides information about the reputation of domains, allowing further investigation into the domain's potential maliciousness.
-
Summary: It summarizes the findings by counting the occurrences of each suspicious domain and provides a link to VirusTotal for each.
-
Post-Analysis Action: The comment suggests downloading the CSV file, reviewing it to remove any legitimate domains, and then uploading it to Microsoft Defender for Endpoint (MDE) to block the remaining suspicious domains. This step is intended to prevent business impact by ensuring only truly malicious domains are blocked.
Overall, the query helps in identifying and managing potential threats from suspicious domains by leveraging external threat intelligence and integrating it with internal network event data.
Details

Jay Kerai
Released: December 6, 2024
Tables
Keywords
Operators