Forum Discussion

Cyberworm
Copper Contributor
May 04, 2024

AppDomain hijack - KQL query for detection

Hello guys

Are any of you familiar with an AppDomain hijacking detection query?

#kql

  • DylanInfosec
    Iron Contributor

    Hi Cyberworm 

    So tbh, I'm not familiar with this attack but after a quick read I have a couple ideas that might at least help you get started.

    I gave these two articles a read here and here.

    These queries are untested so don't take any results as True Positives without fully investigating and confirming the data is good.

    // Very simple first query attempting to identify the environment variables being set
    // (KQL comments use //, not #)
    DeviceProcessEvents
    | where ProcessCommandLine has_any ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_VERSION")

    Or another, this one trying to identify whether an executable from System32 has been copied to a writeable directory:

    // writing this out almost like pseudocode. Could use a lot of work but it's a start..
    // grabbing a list of SHA256's from the sys32 folder and checking if they're found anywhere else
    // high probability of some false positives without more work/exclusions
    // prefix match on FolderPath so it works whether the column carries the directory or the full path
    let sysFiles =
        DeviceFileEvents
        | where FolderPath startswith @"C:\Windows\System32" and FileName endswith ".exe"
        | where isnotempty(SHA256)
        | distinct SHA256;
    DeviceFileEvents
    | where ActionType == "FileCreated"
    | where not(FolderPath startswith @"C:\Windows\System32") and FileName endswith ".exe"
    | where SHA256 in (sysFiles)

    You can take this one a step further and check to see if any matching files then had a file in the same directory created starting with the same name and ending with ".config".

    Hopefully this helps get the ball rolling. Might read some more later and see what else, preferably something more specific, that we can target.

    Best,

    Dylan

    • Cyberworm
      Copper Contributor

      DeviceFileEvents
      | where ActionType == "FileCreated"
      | extend DotIndex = indexof(FileName, ".")
      // indexof() returns -1 when there is no dot; skip those rows
      | where DotIndex > 0
      | extend FileNameOnly = tostring(substring(FileName, 0, DotIndex))
      | extend FileExtension = tostring(substring(FileName, DotIndex + 1))
      | where FileExtension contains "exe.config"

      Just completed splitting the filename and extension. Now the idea is to see if the file name matches and one file extension is .exe and the other file extension is .exe.config.
      • DylanInfosec
        Iron Contributor

        Hey Cyberworm 

        Love the idea.

        Again this is kinda rough but with some work it should play nicely. 

        DeviceFileEvents
        | where ActionType == "FileCreated"
        | extend DotIndex = indexof(FileName, ".")
        | where DotIndex > 0
        | extend FileNameOnly = tostring(substring(FileName, 0, DotIndex))
        | extend FileExtension = tostring(substring(FileName, DotIndex + 1))
        // substring() starts after the dot, so the extension carries no leading "."
        | where FileExtension =~ "exe" or FileExtension endswith ".config"
        // collect the extensions seen per base name and device; count() would have
        // named its column count_ (not _count) and could not tell two .exe's apart
        | summarize Extensions = make_set(FileExtension) by DeviceId, FileNameOnly
        | where array_length(Extensions) > 1

        Will be able to play around and test this out tomorrow but if you get there first let me know how it goes.

        Thanks,

        Dylan

    • Cyberworm
      Copper Contributor

      DylanInfosec

      I tried the above two queries shared by you and I have 0 results, at least for the past 30 days.

    • Cyberworm
      Copper Contributor

      Hello DylanInfosec

      Thanks... Let me try these queries.

      I had one idea actually. This is to check device file creation events where we need to check the events in a short time span and see if there are two files with the same name before .exe.

      For example, if there are two file creation events within 5 minutes where the file names start with the same name, where one file name ends with .exe and the other ends with .exe.config.
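      The time-window idea above, written out as an added KQL example (not code from the thread): it pairs each .exe creation with an .exe.config creation of the same base name, in the same directory, on the same device, within 5 minutes, and keeps the process that wrote the config. It assumes the DeviceFileEvents columns used in the thread plus DeviceId, InitiatingProcessFileName and InitiatingProcessCommandLine, and uses parse_path() to take the directory out of FolderPath.

```kql
// Added example: pair .exe and .exe.config creations with the same base name,
// in the same directory, on the same device, within a 5-minute window.
let window = 5m;
let created =
    DeviceFileEvents
    | where ActionType == "FileCreated"
    | where FileName endswith ".exe" or FileName endswith ".exe.config"
    | extend IsConfig = FileName endswith ".exe.config"
    // reduce "app.exe.config" to "app.exe" so both rows share one join key
    | extend ExeName = tolower(iff(IsConfig,
                          substring(FileName, 0, strlen(FileName) - strlen(".config")),
                          FileName))
    // directory part of the path; the pair must live side by side
    | extend Dir = tolower(tostring(parse_path(FolderPath).DirectoryPath));
created
| where not(IsConfig)
| project DeviceId, DeviceName, ExeName, Dir,
          ExeTime = Timestamp, ExePath = FolderPath, ExeSHA256 = SHA256
| join kind=inner (
    created
    | where IsConfig
    | project DeviceId, ExeName, Dir,
              ConfigTime = Timestamp, ConfigPath = FolderPath,
              ConfigWriter = InitiatingProcessFileName,
              ConfigCmdLine = InitiatingProcessCommandLine
  ) on DeviceId, ExeName, Dir
// either order: the config may land before or after the binary
| where ConfigTime between ((ExeTime - window) .. (ExeTime + window))
// optional: only executables outside System32, matching the copied-binary idea above
| where not(ExePath startswith @"C:\Windows\System32")
| project DeviceName, ExeTime, ConfigTime, ExePath, ConfigPath, ExeSHA256,
          ConfigWriter, ConfigCmdLine
| order by ConfigTime desc
```

      Pivot on ExeSHA256 against Dylan's sysFiles list, or on ConfigWriter, to rank the hits; a config written by an installer next to its own binary is the common benign case.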
