Query Details

C2 Simon Tatham tools reaching the internet

Simon Thatam C2putty

Query

let certificates = 
DeviceFileCertificateInfo
| where Signer has_any ('simon')
| distinct SHA1
;
DeviceNetworkEvents
| where InitiatingProcessSHA1  in~ (certificates) and RemoteIPType == "Public"

Explanation

This query is designed to detect when tools signed by Simon Tatham, such as putty.exe, are accessing the internet. Here's a simple breakdown:

  1. Identify Certificates: It first looks at the DeviceFileCertificateInfo to find all unique certificates (SHA1) that have 'simon' in the signer name.
  2. Monitor Network Events: Then, it checks the DeviceNetworkEvents to see if any process with these certificates is connecting to a public IP address.
  3. Trigger Alert: If such an event is detected, it triggers an alert.

In summary, the query is monitoring for internet activity by tools signed by Simon Tatham and alerts if such activity is found.

Details

Ali Hussein profile picture

Ali Hussein

Released: December 25, 2023

Tables

DeviceFileCertificateInfoDeviceNetworkEvents

Keywords

DevicesNetworkEvents

Operators

lethas_anydistinctin~and==

Actions

GitHub