From e8db5f23f9ee68374109fd978711ed26161908aa Mon Sep 17 00:00:00 2001
From: "detections-ai[bot]" <222691694+detections-ai[bot]@users.noreply.github.com>
Date: Mon, 20 Oct 2025 05:43:43 +0000
Subject: [PATCH] Update file at /KQL/unmasking-monsterv2-behavioral-detection-from-the-clickfix-campaign.kql
---
 ...ehavioral-detection-from-the-clickfix-campaign.kql | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 KQL/unmasking-monsterv2-behavioral-detection-from-the-clickfix-campaign.kql
diff --git a/KQL/unmasking-monsterv2-behavioral-detection-from-the-clickfix-campaign.kql b/KQL/unmasking-monsterv2-behavioral-detection-from-the-clickfix-campaign.kql
new file mode 100644
index 0000000..ed67d2f
--- /dev/null
+++ b/KQL/unmasking-monsterv2-behavioral-detection-from-the-clickfix-campaign.kql
@@ -0,0 +1,11 @@
+let Lookback = 1h;
+let PreC2Behaviour =
+DeviceNetworkEvents
+| where Timestamp > ago(Lookback)
+| where RemoteUrl has "api.ipify.org"
+| distinct DeviceName;
+DeviceNetworkEvents
+| where Timestamp > ago(Lookback)
+| where not(ipv4_is_private(RemoteIP)) and RemoteIP != "127.0.0.1"
+| where RemotePort == 7712
+| where DeviceName has_any(PreC2Behaviour)
\ No newline at end of file
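Review bot: The final filter `| where DeviceName has_any(PreC2Behaviour)` does term matching rather than an exact match, so a short or common device name in PreC2Behaviour (e.g. a name that is a term inside other hostnames) would pull unrelated devices into the result; `| where DeviceName in (PreC2Behaviour)` is the exact and cheaper form for a single-column tabular expression. The correlation is also unordered: a device is flagged whenever both the api.ipify.org lookup and a port-7712 connection occur anywhere in the lookback, with no requirement that the IP check precede the outbound connection; a per-device join that carries the lookup's Timestamp (e.g. `| join kind=inner (... | summarize IpCheckTime=min(Timestamp) by DeviceName) on DeviceName` followed by `| where Timestamp >= IpCheckTime`) would encode the hypothesized sequence and reduce noise. `RemoteIP != "127.0.0.1"` excludes only one loopback address, so other 127.0.0.0/8 targets still pass the filter; consider `not(ipv4_is_in_range(RemoteIP, "127.0.0.0/8"))` if loopback traffic appears in this table. The query has no header comment; a short one stating the detection logic, such as `// Devices that performed an external IP check (api.ipify.org) and then connected to a public IP on TCP/UDP 7712 within the lookback`, plus a note that the port and domain are campaign-specific indicators that will need tuning, would help analysts triage hits.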