Unleash the Hunter in You

Published Mar 19 2018 07:02 AM 6,749 Views
Microsoft

With the new Advanced Hunting capability on Windows Defender Advanced Threat Protection, you have even more powerful tools for successfully tracking and identifying advanced persistent threats. To help get you started, here are some examples that will give you a feel of Advanced Hunting and how it can help with your day-to-day hunting tasks. These examples cover new vulnerabilities as well as classic techniques used  by attackers in the wild.

 

0-day Flash exploit attacks

  • Vulnerability overview: Zero-day remote code execution (RCE) exploit for the Adobe Flash Player vulnerability CVE-2018-4878 actively being used in the wild. Check out this blog post for more details.
  • Query goal: Finds characteristics related to attacks. This query checks for specific processes and URLs used in the attack.
  • Query:

NetworkCommunicationEvents

| where EventTime > ago(14d)

| where InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessParentName =~ "excel.exe"

| where RemoteUrl endswith ".kr"

| project EventTime, ComputerName, RemoteIP, RemoteUrl

| top 100 by EventTime

 

Attacks exploiting the Electron framework vulnerability

  • Vulnerability overview: Electron is a node.js, V8, and Chromium framework created for the development of cross-platform desktop apps. The vulnerability affects Electron apps that use custom protocol handlers. Read this article for more details.
  • Query goal: The query checks process command lines to find machines where there have been attempts to exploit the Protocol Handler Vulnerability, which affects apps that are based on the Electron platform, such as Skype, Teams, and Slack, and are registered as default protocol handlers.
  • Query:

ProcessCreationEvents 

| where EventTime > ago(14d)

| where FileName in ("code.exe", "skype.exe", "slack.exe", "teams.exe")

| where InitiatingProcessFileName in ("iexplore.exe", "runtimebroker.exe", "chrome.exe")

| where ProcessCommandLine has "--gpu-launcher"

| summarize FirstEvent=min(EventTime), LastEvent=max(EventTime) by ComputerName, ProcessCommandLine, FileName, InitiatingProcessFileName

 

Enumeration of users/groups for lateral movement

  • Background: Enumeration of users and groups is an attacker activity commonly preceding privilege escalation and lateral movement attempts. These resources are typically enumerated to identify possible targets for compromise within the breached network.
  • Query goal: The query finds attempts to list users or groups using Net commands.
  • Query:

ProcessCreationEvents

| where EventTime > ago(14d)

| where FileName == 'net.exe' and AccountName != "" and ProcessCommandLine !contains '\\'  and ProcessCommandLine !contains '/add'

| where (ProcessCommandLine contains ' user ' or ProcessCommandLine contains ' group ') and (ProcessCommandLine endswith ' /do' or ProcessCommandLine endswith ' /domain')

| extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, ProcessCommandLine)

| filter Target  != ''

| project AccountName, Target, ProcessCommandLine, ComputerName, EventTime

| sort by AccountName, Target

 

Sticky key attacks

  • Background: The sticky key accessibility program (sethc.exe) is often used to launch attacks because it can be launched without signing in to Windows. Attackers often replace this accessibility program with more powerful applications like cmd.exe to perform more complex tasks. For more information about sticky key attacks, read this article by the MITRE ATT&CK™ team.
  • Query goal: This query looks for attempts to launch cmd.exe in place of accessibility programs.
  • Query:

let PrevalentCmdExeHash =

ProcessCreationEvents

| where EventTime > ago(14d)

| where FileName =~ 'cmd.exe'   

| summarize count(ComputerName) by SHA1

| where count_ComputerName > 1000;

PrevalentCmdExeHash

| join kind=inner

(

    ProcessCreationEvents

    | project EventTime, ComputerName, ProcessCommandLine, FileName, SHA1

    | where EventTime > ago(7d)

    | where FileName in~ ("utilman.exe","osk.exe","magnify.exe","narrator.exe","displayswitch.exe","atbroker.exe","sethc.exe")

)

on SHA1

 

 

If you enjoyed using these examples, check out the default saved queries available on the Advanced Hunting page. Let us know what you think through the feedback system on the menu (click the smiley icon) or join the community in building powerful queries using the Advanced Hunting GitHub repository.

 

Thank you!

 

Windows Defender ATP Team

16 Comments
Version history
Last update:
‎Sep 16 2020 09:50 AM
Updated by: