Query Details

TI Feed Abuse.ch MD5 Malware

Query

# Abuse.ch Malware Submissions (MD5)

#### Source: Abuse.ch
#### Feed information: https://bazaar.abuse.ch/faq/#tos
#### Feed link: https://bazaar.abuse.ch/export/txt/md5/recent/

### Defender For Endpoint
```
// Pull the recent MD5 export from MalwareBazaar; the file starts with '#' comment/header lines
let MalwareSampleMD5 = externaldata(MD5: string)[@"https://bazaar.abuse.ch/export/txt/md5/recent"] with (format="txt", ignoreFirstRecord=True);
// Keep only rows that look like a lowercase MD5 so the feed's comment lines are dropped
let MD5Regex = '[a-f0-9]{32}';
let MaliciousMD5 = materialize (
    MalwareSampleMD5
    | where MD5 matches regex MD5Regex
    | distinct MD5
);
// A 32-character hex hash is a single term, so has_any behaves as an exact (case-insensitive) match here
DeviceFileEvents
| where MD5 has_any (MaliciousMD5)
```


### Sentinel
```
// Pull the recent MD5 export from MalwareBazaar; the file starts with '#' comment/header lines
let MalwareSampleMD5 = externaldata(MD5: string)[@"https://bazaar.abuse.ch/export/txt/md5/recent"] with (format="txt", ignoreFirstRecord=True);
// Keep only rows that look like a lowercase MD5 so the feed's comment lines are dropped
let MD5Regex = '[a-f0-9]{32}';
let MaliciousMD5 = materialize (
    MalwareSampleMD5
    | where MD5 matches regex MD5Regex
    | distinct MD5
);
// A 32-character hex hash is a single term, so has_any behaves as an exact (case-insensitive) match here
DeviceFileEvents
| where MD5 has_any (MaliciousMD5)
```

Explanation

The query retrieves the list of MD5 hashes of recently submitted malware samples from the Abuse.ch MalwareBazaar export, keeps only the rows that look like an MD5 hash (dropping the feed's comment and header lines), and then filters DeviceFileEvents for events whose MD5 matches one of those hashes.
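The same two steps outside KQL, as an added example that is not part of the original page: parse an Abuse.ch style text export (comment lines starting with `#`, one hash per line) into a distinct set of validated MD5s, then match file-event records against it. The feed text and the event records below are constructed samples, not the live feed or real telemetry.

```python
import re

# Constructed sample in the shape of the abuse.ch text export: '#' comment
# lines first, then one MD5 per line. Not the real feed content.
SAMPLE_FEED = """\
# MalwareBazaar MD5 export (constructed sample)
# Last updated: <placeholder>
#
# md5_hash
0123456789abcdef0123456789abcdef
FEDCBA9876543210FEDCBA9876543210
0123456789abcdef0123456789abcdef
not-a-hash
"""

# Same pattern as the query's MD5Regex, anchored so only a whole hash passes.
MD5_RE = re.compile(r"^[a-f0-9]{32}$")


def parse_feed(text: str) -> set[str]:
    """Mirror of the 'matches regex' + 'distinct' step: drop blank and comment
    lines, lower-case the rest, keep only exact 32-hex values, de-duplicate."""
    hashes: set[str] = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        if MD5_RE.fullmatch(line):
            hashes.add(line)
    return hashes


# Constructed DeviceFileEvents-like records (subset of columns).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "invoice.exe",
     "MD5": "0123456789abcdef0123456789abcdef"},
    {"DeviceName": "ws02", "FileName": "setup.msi",
     "MD5": "fedcba9876543210fedcba9876543210"},
    {"DeviceName": "ws03", "FileName": "notes.txt",
     "MD5": "00000000000000000000000000000000"},
    {"DeviceName": "ws04", "FileName": "unknown.bin", "MD5": ""},
]


def match_events(events: list[dict], malicious: set[str]) -> list[dict]:
    """Counterpart of the query's final 'where' step, done as an exact,
    case-insensitive set lookup; events with an empty MD5 never match."""
    return [e for e in events if e.get("MD5") and e["MD5"].lower() in malicious]
```

Replace SAMPLE_FEED with the text downloaded from the feed link above to run the parser against the live export.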

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceFileEvents

Keywords

Keywords: Abuse.ch, MalwareSubmissions, MD5, Source, Feedinformation, Feedlink, DefenderForEndpoint, Sentinel, let, externaldata, string, format, ignoreFirstRecord, MD5Regex, MaliciousMD5, materialize, where, matches, regex, distinct, DeviceFileEvents, has_any

Operators

externaldata, with, format, ignoreFirstRecord, let, where, matches regex, distinct, has_any
