Forum Discussion
Cyberworm
May 04, 2024Copper Contributor
Appdomain hijack - kql query for detection
Hello guys
Anyone of you familiar with appdomain hijacking detection query????
#kql
- DylanInfosecIron Contributor
Hi Cyberworm
So tbh, I'm not familiar with this attack but after a quick read I have a couple ideas that might at least help you get started.
I gave these two articles a read here and here.
These queries are untested so don't take any results as True Positives without fully investigating and confirming the data is good.
# Very simple first query attempting to identify the environment variables being set DeviceProcessEvents | where ProcessCommandLine has_any ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_VERSION")
Or another, this one trying to identify whether an executable form System32 has been copied to a writeable directory :
# writing this out almost like pseudocode. Could use a lot of work but it's a start.. # grabbing a list of sha265's from sys32 folder and checking if they're found anywhere else # high probabbility of some false positives without more work/exclusions let sysFiles = DeviceFileEvents | where FolderPath =~ @"C:\Windows\System32\" and FileName endswith @".exe" | distinct SHA256; DeviceFileEvents | where FolderPath != @"C:\Windows\System32\" and SHA256 in (sysFiles) | where ActionType == "FileCreated"
you can take this one a step further and check to see if any matching files then had a file in the same directory created starting with the same name and ending with “.config”Hopefully this helps get the ball rolling. Might read some more later and see what else, preferably something more specific, that we can target.
Best,
Dylan
- CyberwormCopper ContributorDeviceFileEvents
| where ActionType == "FileCreated"
| extend DotIndex = indexof(FileName, ".")
| extend FileNameOnly = tostring(substring(FileName, 0, DotIndex))
| extend FileExtension = tostring(substring(FileName, DotIndex + 1))
| where FileExtension contains "exe.config"
just completed splitting the filename and extension .now the idea is to see if the file name matches and one file extension is .exe and other fileextension is .exe.config- DylanInfosecIron Contributor
Hey Cyberworm
love the idea.
Again this is kinda rough but with some work it should play nicely.
DeviceFileEvents | where ActionType == "FileCreated" | extend DotIndex = indexof(FileName, ".") | extend FileNameOnly = tostring(substring(FileName, 0, DotIndex)) | extend FileExtension = tostring(substring(FileName, DotIndex + 1)) | where FileExtension contains @".config" or FileExtension =~ @".exe" | summarize count() by FileNameOnly | where _count > 1
Will be able to play around and test this out tomorrow but if you get there first let me know how it goes.Thanks,
Dylan
- CyberwormCopper Contributor
- CyberwormCopper ContributorHello DylanInfosec
Thanks... Let me try these queries.
I had one idea actually. This is to check device file creation events where we need to check the events in a short time span and if there are two files with same name before .exe
For example, if there are two file creation events in 5 minutes where filenames starts with same name where one filename ends with .exe and other endswith .exe.config