2 links tagged with all of: powershell + incident-response
Links
KustoHawk is a PowerShell script designed for incident triage and response in Microsoft Defender XDR and Microsoft Sentinel environments. It collects indicators of compromise and runs queries against the Microsoft Graph API to produce detailed activity reports for a device or an account. The collection timeframe is adjustable, and results can be exported for further analysis.
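The pattern the summary describes, a triage query for one device over an adjustable window with the result exported for the case file, looks roughly like the following. This is an added example written for this page, not KustoHawk's own code: it uses the Microsoft Graph advanced hunting endpoint (`security/runHuntingQuery`), assumes `$AccessToken` already holds a Graph bearer token granted the `ThreatHuntingData.Read.All` permission (token acquisition is out of scope here), and the KQL query, the function names and the host name in the usage line are constructed for illustration.

```powershell
# Added example (not KustoHawk's code): per-device process report via the
# Microsoft Graph security API, scoped to an adjustable number of hours.

function Invoke-GraphHuntingQuery {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,   # assumed: Graph bearer token
        [Parameter(Mandatory)] [string] $Query          # KQL advanced hunting query
    )
    $uri  = 'https://graph.microsoft.com/v1.0/security/runHuntingQuery'
    $body = @{ Query = $Query } | ConvertTo-Json -Compress
    $resp = Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -Body $body
    # The response carries a column schema and a results array; return the rows.
    return $resp.results
}

function Get-DeviceProcessReport {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $DeviceName,
        [ValidateRange(1, 720)] [int]   $Hours = 24    # adjustable timeframe
    )
    # A device name pasted from a ticket is untrusted input: drop quote and
    # backslash characters so it cannot break out of the KQL string literal.
    $safeName = $DeviceName -replace '["\\]', ''

    # Constructed query for this example; trim or extend the projection as needed.
    $kql = @"
DeviceProcessEvents
| where Timestamp > ago(${Hours}h)
| where DeviceName =~ "$safeName"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          FileName, ProcessCommandLine, SHA256
| order by Timestamp desc
"@
    Invoke-GraphHuntingQuery -AccessToken $AccessToken -Query $kql
}

# Usage (hypothetical host name): last 48 hours for one device, exported as CSV.
# $rows = Get-DeviceProcessReport -AccessToken $AccessToken -DeviceName 'ws-1234.corp.example' -Hours 48
# $rows | Export-Csv -Path '.\ws-1234-processes.csv' -NoTypeInformation
```

Advanced hunting enforces per-query row and runtime limits, so a noisy host over a long window may need the query narrowed (for example by `InitiatingProcessFileName`) or split into shorter windows; check the returned row count against the limit before treating an export as complete.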
A recent incident involving the LUMMA infostealer malware highlighted a new attack method in which users were directed to a fake CAPTCHA page, leading to the execution of PowerShell commands that targeted sensitive browser data from Microsoft Edge and Google Chrome. NCC Group's DFIR team documented the timeline of events, including the initial access method and the tactics the malware used to steal credentials.