Defence

You never know what you will find when you go hunting! So here’s a quick tale of an exploration I did using Advanced Hunting!

I went hunting here in Advanced Hunting:

// let's hunt for some bad clicks (maybe)
// pew pew hunting with mRr3b00t and Microsoft MDE
UrlClickEvents 
| where Url contains ".xyz"
or Url contains ".ru"
or Url contains ".cn"
or Url contains ".ml"
or Url contains ".tk"
or Url contains ".cf"
or Url contains ".lol"
or Url contains ".pw"
or Url contains ".net" // this might be heavy on False Positives
| where IsClickedThrough == 0 // try with 0 for threat hunting 

I found a result which looked like it might be spoofing Safe Links… However, if you follow this thread you will see that it was actually a false positive (but still great fun and useful!):

So I’ve updated the KQL:

// let's hunt for some bad clicks (maybe)
// pew pew hunting with mRr3b00t and Microsoft MDE
UrlClickEvents 
| where Url contains ".xyz"
or Url contains ".ru"
or Url contains ".cn"
or Url contains ".ml"
or Url contains ".tk"
or Url contains ".cf"
or Url contains ".lol"
or Url contains ".pw"
or Url contains ".net" // this might be heavy on False Positives
or Url contains "azure.net" // already matched by the ".net" line above, kept as an explicit callout for scammy wankers; the real safelinks addrs = https://eur01.safelinks.protection.outlook.com/?url= (or like that)
or Url contains ".top" // @Gi7w0rm ty
or Url contains ".click" //@Gi7w0rm ty
or Url contains ".cfd" //@Gi7w0rm ty
| where Url !contains ".safelink.emails.azure.net" // this is legit - oooops :P luv u msftsecintel crew! 
| where IsClickedThrough == 1 // try with 0 for threat hunting 
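The two queries above match a substring anywhere in the whole URL, so ".ml" also hits ".mlx", ".cf" also hits ".cfd" or ".cfm", ".net" hits every "azure.net" host, and a path or query string can make a perfectly normal host look suspicious. Below is an added example (mine, not the query from the original post) that extracts the host with parse_url, compares only its last label against the TLD list, and carries the Safe Links check and the safelink.emails.azure.net allow-list as separate, readable steps. It leaves ".net" out of the list because the post already flags it as heavy on false positives; the summarize at the end is an assumption about how you would want the hits rolled up, and IsClickedThrough is set to 1 as in the final query.

```kql
// Added example, not the original post's query: hunt UrlClickEvents on the
// clicked URL's host and top-level domain rather than on a substring of the
// whole URL. Assumes the standard Microsoft 365 Defender UrlClickEvents schema
// (Timestamp, Url, AccountUpn, IsClickedThrough, ActionType).
let SuspiciousTlds = dynamic([".xyz", ".ru", ".cn", ".ml", ".tk", ".cf",
                              ".lol", ".pw", ".top", ".click", ".cfd"]);
// Known-good hosts that would otherwise surface; the first is the one that
// turned out to be a false positive in the post.
let AllowedHosts = dynamic(["safelink.emails.azure.net"]);
UrlClickEvents
// parse_url returns a dynamic bag; pull the host and normalise its case
| extend Host = tolower(tostring(parse_url(Url).Host))
| where isnotempty(Host)
// Tld = the final DNS label including its leading dot, e.g. ".xyz".
// For a bare IP this yields something like ".1", which never matches the list.
| extend Tld = extract(@"(\.[a-z0-9-]+)$", 1, Host)
// Flag hosts that carry the word "safelinks" but are not the genuine
// <region>.safelinks.protection.outlook.com rewrite service.
| extend LooksLikeSafeLinks = Host has "safelinks"
                              and not(Host endswith ".safelinks.protection.outlook.com")
| where Tld in (SuspiciousTlds) or LooksLikeSafeLinks
| where Host !in (AllowedHosts)
| where IsClickedThrough == 1 // set to 0 to see clicks that Safe Links blocked
// Roll up per host so one noisy campaign is one row, not hundreds
| summarize Clicks = count(),
            Users = dcount(AccountUpn),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleUrl = any(Url)
  by Host, Tld, LooksLikeSafeLinks
| order by Clicks desc
```

Because the TLD comparison is exact, adding a new suffix to SuspiciousTlds cannot accidentally widen the match the way a new `contains` clause can, and the allow-list is a single place to record the benign hosts you have already triaged.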

In the end, the lack of evil found is a GOOD thing! Also we had fun! (well I did at least!)

I’ve also now updated the PowerShell (most of it anyway) so that there is an example of how to do abuse reports via API to MSFT SEC INTEL:

mr-r3b00t/msft_abuse_report (github.com)

What got me thinking it was malicious: I had recently been doing some simulated evil and used the azure.net address space for some purple team activity! So don’t discount threat actors domain fronting and abusing the azure.net namespace!

But for tonight, I’m going to call it a day! We shall return to the cybers tomorrow! Thanks to MSFT SEC Intel crew, you rock!