Query Details

Simon Tatham C2 putty

Query

name: C2 Simon Tatham tools reaching the internet
index_type: events
description: Detects the use of tools signed by Simon Tatham, such as putty.exe, that reach the internet.
references: n/a
tags: c2
search_query:
// Collect the SHA1 of every file whose Signer contains the term 'simon'.
// This is a loose term match: "Simon Tatham" is the intended signer, but any
// other signer containing the word Simon is matched as well.
let certificates =
DeviceFileCertificateInfo
| where Signer has_any ('simon')
| distinct SHA1
;
// Flag network events where the initiating process is one of those binaries
// (case-insensitive hash match) and the destination is a public address.
DeviceNetworkEvents
| where InitiatingProcessSHA1 in~ (certificates) and RemoteIPType == "Public"

on_hit: alert

Explanation

This query is designed to detect when tools signed by Simon Tatham, such as putty.exe, are accessing the internet. Here's a simple breakdown:

  1. Identify Certificates: It first looks at DeviceFileCertificateInfo for every file whose Signer contains the term 'simon' and collects the distinct SHA1 hashes of those files. This is a loose term match: it is meant to catch Simon Tatham, but any signer containing the word 'Simon' would qualify too, so narrowing the predicate to the full signer name is a sensible tuning step.
  2. Monitor Network Events: It then checks DeviceNetworkEvents for any event whose initiating process hash is in that list (in~ makes the comparison case-insensitive) and whose RemoteIPType is Public.
  3. Trigger Alert: If such an event is detected, it triggers an alert.

In summary, the query is monitoring for internet activity by tools signed by Simon Tatham and alerts if such activity is found. Two caveats when tuning it: the hash list only contains binaries for which a DeviceFileCertificateInfo record exists, so a copy of PuTTY whose certificate has not yet been recorded on any device will not be matched; and PuTTY is also a legitimate administrative tool, so expect to exclude known admin hosts or destinations.
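The same detection logic run over constructed sample rows, as an added example that is not part of the original query page. Both tables are replaced with datatable() literals whose hashes, hostnames and IP addresses are placeholders made up for this illustration (nothing here is a real PuTTY hash), and the signer predicate is narrowed to the full name 'Simon Tatham' to show the effect of tightening the loose 'simon' term match:

```kql
// Added example, not the original page's query. Both datatable() blocks are
// constructed stand-ins for DeviceFileCertificateInfo and DeviceNetworkEvents;
// hashes, device names and IPs are placeholders, not real observed values.
let certificates =
    datatable(SHA1:string, Signer:string) [
        "1111111111111111111111111111111111111111", "Simon Tatham",      // putty.exe
        "2222222222222222222222222222222222222222", "Simon Tatham",      // plink.exe
        "3333333333333333333333333333333333333333", "Simon Smith",       // unrelated signer
        "4444444444444444444444444444444444444444", "Microsoft Windows"  // OS binary
    ]
    // The page's predicate is `Signer has_any ('simon')`, which would also keep
    // the "Simon Smith" row. Matching the full name drops that false positive.
    | where Signer has "Simon Tatham"
    | distinct SHA1;
datatable(Timestamp:datetime, DeviceName:string, InitiatingProcessFileName:string,
          InitiatingProcessSHA1:string, RemoteIP:string, RemoteIPType:string, RemotePort:int) [
    datetime(2023-12-25 10:00:00), "ws01", "putty.exe",   "1111111111111111111111111111111111111111", "203.0.113.10", "Public",  22,
    datetime(2023-12-25 10:01:00), "ws01", "putty.exe",   "1111111111111111111111111111111111111111", "10.0.0.5",     "Private", 22,
    datetime(2023-12-25 10:02:00), "ws02", "plink.exe",   "2222222222222222222222222222222222222222", "198.51.100.7", "Public",  443,
    datetime(2023-12-25 10:03:00), "ws03", "simon.exe",   "3333333333333333333333333333333333333333", "203.0.113.99", "Public",  8080,
    datetime(2023-12-25 10:04:00), "ws03", "svchost.exe", "4444444444444444444444444444444444444444", "203.0.113.50", "Public",  443
]
// Same filter as the page's query: initiating process hash in the signed-by-
// Simon-Tatham set (case-insensitive) and destination classified as Public.
| where InitiatingProcessSHA1 in~ (certificates) and RemoteIPType == "Public"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessSHA1, RemoteIP, RemotePort
```

Only the putty.exe row to 203.0.113.10:22 and the plink.exe row to 198.51.100.7:443 survive: the second putty.exe row fails RemoteIPType == "Public", svchost.exe is not in the hash set, and the constructed simon.exe binary is excluded by the full-name match even though the page's `has_any ('simon')` would have kept it. Pasting the block into advanced hunting runs it as-is; swapping the two datatable() literals back for the real tables restores the production query.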

Details


Ali Hussein

Released: December 25, 2023

Tables

DeviceFileCertificateInfo, DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

let, has_any, distinct, in~, and, ==
