
Threat-hunting KQL query which identifies machines that use powershell, cmd or wmic to connect to any URL that includes "cdn.discordapp.com", where the action was initiated by a script execution (.vbs, .bat, etc.)


McL0vinn/MicrosoftDefender-DiscordCNC


MicrosoftDefender_DiscordCNC

Below is a threat-hunting KQL query I wrote which identifies machines that use powershell, cmd or wmic to connect to any URL that includes "cdn.discordapp.com", where the action was initiated by a script execution (.vbs, .bat, etc.). The inspiration for the query was a phishing incident: the user downloaded a .vbs script from a phishing email, and upon execution the user's machine was instructed to download, via powershell, a .txt file from a "cdn.discordapp.com" URL. That .txt file contained powershell commands and was then saved locally as a .ps1.

The intention of this activity was to evade detection: Discord is a legitimate application used for team collaboration (more than ever right now during the COVID-19 pandemic), and downloading a .ps1 script directly would have triggered a number of alerts compared to downloading a .txt.

You can run the below query in Microsoft Defender for Endpoint, Microsoft Security Center or Azure Sentinel
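The repository's own query is not reproduced on this page, so the following is an added example of how the described hunt can be expressed in Advanced Hunting KQL; it is my construction, not the author's query. It uses the Defender for Endpoint `DeviceNetworkEvents` and `DeviceFileEvents` tables and their standard columns; the seven-day lookback, the list of script hosts and extensions, and the optional correlation with a `.ps1` file write by the same process are this example's own choices.

```kql
// Added example, not the repository's query. Hunts for powershell/cmd/wmic
// connections to cdn.discordapp.com whose process chain was started by a
// script (wscript/cscript host, or a command line referencing a script file),
// and optionally shows a .ps1 dropped by the same process, matching the
// .txt-saved-as-.ps1 pattern from the incident described above.
let lookback = 7d;                                              // assumed window
let shells = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe"]);
let scriptHosts = dynamic(["wscript.exe", "cscript.exe", "cmd.exe"]);
let scriptExts = dynamic([".vbs", ".bat", ".cmd", ".js", ".wsf"]); // assumed list
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteUrl has "cdn.discordapp.com"
| where InitiatingProcessFileName in~ (shells)
// Either the shell was spawned by a script host, or its own command line
// references a script file (covers "cmd.exe /c something.bat" launches).
| where InitiatingProcessParentFileName in~ (scriptHosts)
    or InitiatingProcessCommandLine has_any (scriptExts)
// Optional correlation: a .ps1 written by the same process on the same device.
// PID reuse can produce false matches, so treat DroppedFile as a hint, not proof.
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated" and FileName endswith ".ps1"
    | project DeviceId, InitiatingProcessId, DroppedFile = FolderPath
) on DeviceId, InitiatingProcessId
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessParentFileName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, RemoteUrl, RemoteIP, ActionType, DroppedFile
| order by Timestamp desc
```

Tune `scriptExts` and `shells` to the environment; `has` on `RemoteUrl` is term-based, so it matches the host within a full URL without a leading wildcard scan. A result with a non-empty `DroppedFile` reproduces the full chain from the incident (script -> shell -> Discord CDN download -> local .ps1), while rows without one still surface shells reaching the CDN from a script context.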
