Forum Discussion

Cyberworm's avatar
Cyberworm
Copper Contributor
May 04, 2024

Appdomain hijack - kql query for detection

Hello guys   Anyone of you familiar with appdomain hijacking detection query???? #kql
cloud security
endpoint security
DylanInfosec's avatar
DylanInfosec
Iron Contributor
May 05, 2024

Hi Cyberworm 

So tbh, I'm not familiar with this attack but after a quick read I have a couple ideas that might at least help you get started.

 

I gave these two articles a read here and here.

 

These queries are untested so don't take any results as True Positives without fully investigating and confirming the data is good.

 

 

# Very simple first query attempting to identify the environment variables being set
DeviceProcessEvents
| where ProcessCommandLine has_any ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_VERSION")

 

 

 

Or another, this one trying to identify whether an executable form System32 has been copied to a writeable directory :

 

 

# writing this out almost like pseudocode. Could use a lot of work but it's a start..
# grabbing a list of sha265's from sys32 folder and checking if they're found anywhere else
# high probabbility of some false positives without more work/exclusions
let sysFiles = 
DeviceFileEvents
| where FolderPath =~ @"C:\Windows\System32\" and FileName endswith @".exe"
| distinct SHA256;
DeviceFileEvents
| where FolderPath != @"C:\Windows\System32\" and SHA256 in (sysFiles)
| where ActionType == "FileCreated"

 


you can take this one a step further and check to see if any matching files then had a file in the same directory created starting with the same name and ending with “.config”

 

Hopefully this helps get the ball rolling. Might read some more later and see what else, preferably something more specific, that we can target.

 

Best,

Dylan

Cyberworm's avatar
Cyberworm
Copper Contributor
May 05, 2024
DeviceFileEvents
| where ActionType == "FileCreated"
| extend DotIndex = indexof(FileName, ".")
| extend FileNameOnly = tostring(substring(FileName, 0, DotIndex))
| extend FileExtension = tostring(substring(FileName, DotIndex + 1))
| where FileExtension contains "exe.config"

just completed splitting the filename and extension .now the idea is to see if the file name matches and one file extension is .exe and other fileextension is .exe.config
  • DylanInfosec's avatar
    DylanInfosec
    Iron Contributor
    May 05, 2024

    Hey Cyberworm 

    love the idea.

     

    Again this is kinda rough but with some work it should play nicely. 

    DeviceFileEvents
| where ActionType == "FileCreated"
| extend DotIndex = indexof(FileName, ".")
| extend FileNameOnly = tostring(substring(FileName, 0, DotIndex))
| extend FileExtension = tostring(substring(FileName, DotIndex + 1))
| where FileExtension contains @".config" or FileExtension =~ @".exe"
| summarize count() by FileNameOnly
| where _count > 1


    Will be able to play around and test this out tomorrow but if you get there first let me know how it goes.

     

    Thanks,

    Dylan

    • Cyberworm's avatar
      Cyberworm
      Copper Contributor
      May 06, 2024
      I am getting lost now....lol . this detection getting complex for me . I think its good if joining the file creation events happened in one min or 2 min , then comparing the filename prefixes and extension in first table and second table . see if first and second matches for filenames withoutextension.
    • Cyberworm's avatar
      Cyberworm
      Copper Contributor
      May 06, 2024
      Getting lot of false positives... may be my logic is wrong here.
  • Cyberworm's avatar
    Cyberworm
    Copper Contributor
    May 05, 2024
    another thing is to filter these events only within same folder

Resources