Forum Discussion
Appdomain hijack - kql query for detection
Hi Cyberworm
So tbh, I'm not familiar with this attack but after a quick read I have a couple ideas that might at least help you get started.
I gave these two articles a read here and here.
These queries are untested so don't take any results as True Positives without fully investigating and confirming the data is good.
# Very simple first query attempting to identify the environment variables being set
DeviceProcessEvents
| where ProcessCommandLine has_any ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_VERSION")
Or another, this one trying to identify whether an executable form System32 has been copied to a writeable directory :
# writing this out almost like pseudocode. Could use a lot of work but it's a start..
# grabbing a list of sha265's from sys32 folder and checking if they're found anywhere else
# high probabbility of some false positives without more work/exclusions
let sysFiles =
DeviceFileEvents
| where FolderPath =~ @"C:\Windows\System32\" and FileName endswith @".exe"
| distinct SHA256;
DeviceFileEvents
| where FolderPath != @"C:\Windows\System32\" and SHA256 in (sysFiles)
| where ActionType == "FileCreated"
you can take this one a step further and check to see if any matching files then had a file in the same directory created starting with the same name and ending with “.config”
Hopefully this helps get the ball rolling. Might read some more later and see what else, preferably something more specific, that we can target.
Best,
Dylan
Thanks... Let me try these queries.
I had one idea actually. This is to check device file creation events where we need to check the events in a short time span and if there are two files with same name before .exe
For example, if there are two file creation events in 5 minutes where filenames starts with same name where one filename ends with .exe and other endswith .exe.config