Query Details

Threat Hunting Mshta With Sentinel TI

Query

// Threat Hunting Mshta with Sentinel TI

let QueryPeriod = 1d;
let T1218IOC =
ThreatIntelIndicators
| where TimeGenerated > ago(365d)
| where now() between (ValidFrom .. ValidUntil)
| where isnotempty(Data.labels)
| mv-expand Data.labels
| where Data_labels has "mitre"
| extend MitreID = parse_json(tostring(Data_labels)).Alias
| where MitreID == "T1218.005";
let NetworkTraffic =
DeviceNetworkEvents
| where TimeGenerated > ago(QueryPeriod)
| where ActionType == "ConnectionSuccess"
| join T1218IOC on ($left.RemoteIP == $right.ObservableValue);
let EmailURL =
EmailUrlInfo
| where TimeGenerated > ago(QueryPeriod)
| join T1218IOC on $left.Url == $right.ObservableValue;
DeviceFileEvents
| where TimeGenerated > ago(QueryPeriod)
| join T1218IOC on $left.SHA256 == $right.ObservableValue
| union NetworkTraffic, EmailURL

Explanation

This query is designed for threat hunting using Microsoft Sentinel, specifically looking for suspicious activities related to the use of "mshta" (Microsoft HTML Application) as described by the MITRE ATT&CK technique T1218.005. Here's a simplified breakdown of what the query does:

  1. Define Query Period: It sets a time frame of 1 day for the query to look back.

  2. Identify Threat Intelligence Indicators:

    • It retrieves threat intelligence indicators from the past year.
    • Filters these indicators to ensure they are currently valid.
    • Looks for indicators labeled with "mitre" and extracts those specifically associated with the MITRE technique ID T1218.005.
  3. Network Traffic Analysis:

    • It examines network events from the past day where a connection was successfully made.
    • Joins these events with the threat intelligence indicators to find any matches based on the remote IP address.
  4. Email URL Analysis:

    • It checks email URL information from the past day.
    • Joins this data with the threat intelligence indicators to find any matches based on URLs.
  5. File Events Analysis:

    • It looks at file events from the past day.
    • Joins this data with the threat intelligence indicators to find any matches based on file hashes (SHA256).
  6. Combine Results:

    • It combines the results from network traffic, email URL, and file events analyses to provide a comprehensive view of potential suspicious activities related to the use of "mshta" as per the specified MITRE technique.

In essence, this query is used to detect and analyze potential security threats involving the misuse of mshta by correlating various data sources with known threat intelligence indicators.
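The same correlation, as an added example that is not the published query: each telemetry source is joined only against TI observables of the matching type, the TI set is reduced to the latest copy of each indicator, the network leg is scoped to mshta.exe, and every row is tagged with its source table. The ObservableKey values and the Id/IsActive columns used below are assumptions about the ThreatIntelIndicators schema.

```kql
// Added example, not the published query. Assumed: ObservableKey values
// "ipv4-addr:value", "url:value", "file:hashes.'SHA-256'" and the Id/IsActive columns.
let QueryPeriod = 1d;
let T1218IOC =
ThreatIntelIndicators
| where TimeGenerated > ago(365d)
| summarize arg_max(TimeGenerated, *) by Id        // keep only the latest version of each indicator
| where IsActive and now() between (ValidFrom .. ValidUntil)
| where isnotempty(Data.labels)
| mv-expand Data.labels
| where Data_labels has "mitre"
| extend MitreID = parse_json(tostring(Data_labels)).Alias
| where MitreID == "T1218.005"
| project ObservableKey, ObservableValue;
let NetworkTraffic =
DeviceNetworkEvents
| where TimeGenerated > ago(QueryPeriod)
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName =~ "mshta.exe"   // only connections made by the technique's binary
| join kind=inner (T1218IOC | where ObservableKey == "ipv4-addr:value")
    on $left.RemoteIP == $right.ObservableValue
| extend Source = "DeviceNetworkEvents";
let EmailURL =
EmailUrlInfo
| where TimeGenerated > ago(QueryPeriod)
| join kind=inner (T1218IOC | where ObservableKey == "url:value")
    on $left.Url == $right.ObservableValue
| extend Source = "EmailUrlInfo";
// File events are left unscoped: the HTA payload is usually written by a browser
// or mail client, not by mshta.exe itself.
DeviceFileEvents
| where TimeGenerated > ago(QueryPeriod)
| join kind=inner (T1218IOC | where ObservableKey == "file:hashes.'SHA-256'")
    on $left.SHA256 == $right.ObservableValue
| extend Source = "DeviceFileEvents"
| union NetworkTraffic, EmailURL
| project-reorder TimeGenerated, Source, ObservableKey, ObservableValue
```

Using kind=inner rather than the default innerunique keeps every indicator that matches a given event, so a hit backed by several TI sources is visible as such.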

Details


Steven Lim

Released: May 3, 2025

Tables

ThreatIntelIndicators, DeviceNetworkEvents, EmailUrlInfo, DeviceFileEvents

Operators

let, |, ago(), between(), .., isnotempty(), mv-expand, has, extend, parse_json(), tostring(), ==, join, on, union
