AI-Generated MDE Queries from APT28 Clipboard Attacks

June 04, 2025 · 2 min read

How It Works

This feature of Uncoder AI transforms structured threat intel into Microsoft Defender for Endpoint-compatible KQL detection rules. In this case, it ingests IOCs from CERT-UA#11689, focusing on a known APT28 tradecraft: clipboard-based PowerShell payloads fetching staging scripts from malicious domains.

IOC Extraction from Reported Behavior

The left panel shows observables extracted from the report, including:

  • PowerShell droppers (Browser.ps1, rdp.exe, zapit.exe)
  • Legitimate-looking C2 domains like mail.zhblz.com and obfuscated ones like docs.google.com.spreadsheets.d.l1p6eeakedbmwteh

KQL Generation for Microsoft Defender

Uncoder AI auto-generates the following detection query:

union *
| where RemoteUrl == "docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com"
    or RemoteUrl == "mail.zhblz.com"
    or RemoteUrl == "doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com"

This structure is designed to match RemoteUrl field values in Microsoft Defender logs, detecting attempts to contact attacker-controlled infrastructure.
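As an added example (not the post's own code and not part of Uncoder AI), the small Python helper below performs the same IOC-to-KQL step by hand: it refangs the reported domains, validates and de-duplicates them, and emits the RemoteUrl query in the shape shown above. The function names, the defanging conventions handled (hxxp://, [.]) and the sample indicator list are constructed for this illustration; DeviceNetworkEvents is the advanced-hunting table that carries RemoteUrl.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def refang(ioc: str) -> str:
    """Undo the defanging used in threat reports (hxxp://, [.]) and keep only the host."""
    s = re.sub(r"^hxxps?://", "", ioc.strip().lower()).replace("[.]", ".")
    return s.split("/", 1)[0].split(":", 1)[0]   # drop any path or port

def is_hostname(host: str) -> bool:
    """Reject empty or malformed indicators so they never reach the query."""
    if not host or len(host) > 253 or "." not in host:
        return False
    return all(_LABEL.match(label) for label in host.split("."))

def kql_string(value: str) -> str:
    """Render a KQL string literal, escaping backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_remote_url_query(iocs, source: str = "union *") -> str:
    """Emit an MDE query matching RemoteUrl against a cleaned, de-duplicated domain list.
    `source` defaults to `union *` as in the generated query; "DeviceNetworkEvents"
    (the table that carries RemoteUrl) is the narrower alternative."""
    hosts: list[str] = []
    for raw in iocs:
        host = refang(raw)
        if is_hostname(host) and host not in hosts:   # validate and de-duplicate
            hosts.append(host)
    if not hosts:
        raise ValueError("no valid domain indicators supplied")
    clauses = [f"RemoteUrl == {kql_string(h)}" for h in hosts]
    return f"{source}\n| where " + "\n    or ".join(clauses)

# Constructed sample: the post's domains as a report might defang them, plus a
# case-variant duplicate and a malformed entry that must both be dropped.
SAMPLE_IOCS = [
    "mail[.]zhblz[.]com",
    "hxxps://docs.google.com.spreadsheets.d.l1p6eeakedbmwteh36vana6hu-glaekssht-boujdk.zhblz.com/",
    "doc.gmail.com.gyehdhhrggdi1323sdnhnsiwvh2uhdqjwdhhfjcjeuejcj.zhblz.com",
    "MAIL.zhblz.com",
    "not a domain",
]

if __name__ == "__main__":
    print(build_remote_url_query(SAMPLE_IOCS))
```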

Why It’s Innovative

This capability showcases several AI-driven enhancements:

  • Automatic IOC Formatting: Long, nested subdomains are placed in syntactically correct KQL.
  • Field Mapping Intelligence: Ensures use of RemoteUrl, which aligns with Microsoft Defender’s event schema.
  • Zero Manual Effort: Converts threat reports directly into executable queries without human intervention.

Instead of copying and cleaning IOCs from PDFs or STIX files, analysts get valid detection logic instantly.

Operational Value

This feature provides direct value for SOC teams and detection engineers:

  • Immediate IOC Enforcement: Analysts can plug and run the query in MDE to find infected machines or attempted connections.
  • High Confidence Detection: Focuses only on known attacker infrastructure, reducing noise.
  • Saves Analyst Hours: Bypasses the usual IOC-to-query manual formatting process.

Security teams can also incorporate this logic into custom hunting dashboards or alerting pipelines.
