@Korving-F
Created August 21, 2024 16:47
RMML Binaries KQL Detection

Introduction

This KQL query pulls the RMM binary names defined in the RMML project and matches them against MDE telemetry.

See also the original blog post here.

Note

You still need to adjust the query to match your own machine groups or hostname naming conventions.

Main Query with Functions

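// Turn an array of binary-name patterns into one case-insensitive RE2
// alternation, e.g. dynamic(['a.exe','b*.exe']) -> ((?i)a\.exe|b.*\.exe).
// Escaping order matters: backslashes first (so later escapes are not
// doubled), then '/', then literal dots, and only then '*' -> '.*' so the
// dot in the wildcard stays a wildcard.
// Fix vs. the original: '.' was left unescaped, so an entry like 'agent.exe'
// also matched 'agentXexe' — looser than the RMML list intends.
// '+', '(', '[' and '?' are still not escaped here.
let regexConstructor = (arr:dynamic) {
   let joined   = strcat('((?i)', strcat_array(arr, '|'), ')');
   let slashSafe = replace_string(replace_string(joined, @'\', @'\\'), @'/', @'\/');
   let dotSafe  = replace_string(slashSafe, @'.', @'\.');
   replace_string(dotSafe, @'*', @'.*')
};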
// ----------------------------------------------------------------
// Fetch the RMML release JSON at query time and unpack it into one row per
// tool. The URL is pinned to a release tag, so the pattern set only changes
// when this query is edited, not whenever the upstream repository changes.
// with(format='raw') loads the whole file as a single string value.
let RMMs = externaldata(RMMs:string)[h@'https://github.com/LivingInSyn/RMML/releases/download/v1.4.0/rmms.json'] with(format='raw');
let ParsedRMMs = RMMs
   // Parse the document; its top-level keys are the tool names.
   | extend RMMs = todynamic(extract_json('$', RMMs))
   // One row per tool name ...
   | mv-expand Tool = bag_keys(RMMs)
   // ... carrying that tool's own sub-document (Executables.Windows etc.).
   | extend JSON = RMMs[tostring(Tool)]
   | project-away RMMs;
// ----------------------------------------------------------------
// Build the regex for one platform ('Windows', 'MacOS' or 'Linux') from the
// RMML executable lists. Returns a single-row, single-column table that the
// caller reduces with toscalar().
let BinArrayToRegexp = (desiredPlatform:string){
   ParsedRMMs
   | summarize WindowsBins = make_set( JSON.Executables.Windows ),
               MacOSBins   = make_set( JSON.Executables.MacOS   ),
               LinuxBins   = make_set( JSON.Executables.Linux   )
   // Platform names are compared case-sensitively. Any other value yields ''
   // and an empty pattern given to `matches regex` matches every FolderPath,
   // so keep the argument spelled exactly as in the main query.
   | extend Regexp = case(desiredPlatform == 'Windows', regexConstructor(WindowsBins),
                          desiredPlatform == 'MacOS',   regexConstructor(MacOSBins),
                          desiredPlatform == 'Linux',   regexConstructor(LinuxBins),
                          '')
   | distinct Regexp
};
// ----------------------------------------------------------------
// Build the plain binary-name list for one platform; the main query feeds it
// to `FolderPath has_any(...)` as a complement to the regex match.
let BinArrayToLookupList = (desiredPlatform:string){
   ParsedRMMs
   | summarize WindowsBins = make_set( JSON.Executables.Windows ),
               MacOSBins   = make_set( JSON.Executables.MacOS   ),
               LinuxBins   = make_set( JSON.Executables.Linux   )
   // NOTE(review): the output is one row whose BinArr is a dynamic array, not
   // one scalar per row; confirm has_any() in the caller expands it rather
   // than treating the array as a single value (an `mv-expand BinArr` here
   // would make that explicit). Unknown platforms yield ''.
   | extend BinArr = case(desiredPlatform == 'Windows', WindowsBins,
                          desiredPlatform == 'MacOS',   MacOSBins,
                          desiredPlatform == 'Linux',   LinuxBins,
                          '')
   | project-keep BinArr
};
// ----------------------------------------------------------------
// Match process telemetry against the per-platform patterns. Each machine
// group gets both checks: the regex (covers wildcard entries) and a has_any
// term lookup. This is a path/name match only — it reports where known RMM
// binaries are executing, not renamed copies. Adjust the MachineGroup values
// to your own tenant's naming.
DeviceProcessEvents
| where MachineGroup in ("Macs", "Windows", "Linux")
| where (MachineGroup == "Macs"
         and (FolderPath matches regex toscalar(BinArrayToRegexp("MacOS"))
              or FolderPath has_any(BinArrayToLookupList("MacOS"))))
     or (MachineGroup == "Windows"
         and (FolderPath matches regex toscalar(BinArrayToRegexp("Windows"))
              or FolderPath has_any(BinArrayToLookupList("Windows"))))
     or (MachineGroup == "Linux"
         and (FolderPath matches regex toscalar(BinArrayToRegexp("Linux"))
              or FolderPath has_any(BinArrayToLookupList("Linux"))))
// One row per matched binary path, with the set and count of hosts running it.
| summarize Devices     = make_set(DeviceName),
            NrOfDevices = dcount(DeviceName) by FolderPath