EXPLORE
Sign In
← Back to Explore
kqlHunting

Crowdstrike Impersonation during Global Outage

Admins will never forget this one

Detection Query

//Admins will never forget this one
let CrowdstrikeIOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/main/Bulk-IOC-CSVs/Crowdstrike%20MDE%20IOC%20-%20Impersonation%20of%20crowdstrike%20over%20global%20outages.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = CrowdstrikeIOCs
| project IndicatorValue;
let emailurl = EmailUrlInfo
| where UrlDomain in~(DomainList)
| join EmailEvents on NetworkMessageId;
let emailevent = EmailEvents
| where SenderFromDomain in~(DomainList);
DeviceNetworkEvents
| where RemoteUrl in~(DomainList )
| union emailurl, emailevent
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)

Data Sources

DeviceNetworkEventsEmailEventsEmailUrlInfo

Platforms

windowsoffice-365

Tags

defenderioc
Raw Content
//Admins will never forget this one
let CrowdstrikeIOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/main/Bulk-IOC-CSVs/Crowdstrike%20MDE%20IOC%20-%20Impersonation%20of%20crowdstrike%20over%20global%20outages.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = CrowdstrikeIOCs
| project IndicatorValue;
let emailurl = EmailUrlInfo
| where UrlDomain in~(DomainList)
| join EmailEvents on NetworkMessageId;
let emailevent = EmailEvents
| where SenderFromDomain in~(DomainList);
DeviceNetworkEvents
| where RemoteUrl in~(DomainList )
| union emailurl, emailevent
| extend VT_domain = iff(isnotempty(RemoteUrl),strcat(@"https://www.virustotal.com/gui/domain/",RemoteUrl),RemoteUrl)