cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Appdomain hijack - kql query for detection

Cyberworm
Copper Contributor

‎May 04 2024 02:30 AM

‎May 04 2024 02:30 AM

Appdomain hijack - kql query for detection

Hello guys

 

Anyone of you familiar with appdomain hijacking detection query????

#kql

561 Views
0 Likes
8 Replies
Reply
8 Replies
DylanInfosec

‎May 04 2024 07:35 PM - edited ‎May 04 2024 09:16 PM

‎May 04 2024 07:35 PM - edited ‎May 04 2024 09:16 PM

Re: Appdomain hijack - kql query for detection

Hi @Cyberworm 

So tbh, I'm not familiar with this attack but after a quick read I have a couple ideas that might at least help you get started.

 

I gave these two articles a read here and here.

 

These queries are untested so don't take any results as True Positives without fully investigating and confirming the data is good.

 

 

# Very simple first query attempting to identify the environment variables being set
DeviceProcessEvents
| where ProcessCommandLine has_any ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_VERSION")

 

 

 

Or another, this one trying to identify whether an executable form System32 has been copied to a writeable directory :

 

 

# writing this out almost like pseudocode. Could use a lot of work but it's a start..
# grabbing a list of sha265's from sys32 folder and checking if they're found anywhere else
# high probabbility of some false positives without more work/exclusions
let sysFiles = 
DeviceFileEvents
| where FolderPath =~ @"C:\Windows\System32\" and FileName endswith @".exe"
| distinct SHA256;
DeviceFileEvents
| where FolderPath != @"C:\Windows\System32\" and SHA256 in (sysFiles)
| where ActionType == "FileCreated"

 


you can take this one a step further and check to see if any matching files then had a file in the same directory created starting with the same name and ending with “.config”

 

Hopefully this helps get the ball rolling. Might read some more later and see what else, preferably something more specific, that we can target.

 

Best,

Dylan

0 Likes
Reply
Cyberworm

‎May 05 2024 01:12 AM

‎May 05 2024 01:12 AM

Re: Appdomain hijack - kql query for detection

Hello @DylanInfosec

Thanks... Let me try these queries.

I had one idea actually. This is to check device file creation events where we need to check the events in a short time span and if there are two files with same name before .exe

For example, if there are two file creation events in 5 minutes where filenames starts with same name where one filename ends with .exe and other endswith .exe.config
0 Likes
Reply
Cyberworm

‎May 05 2024 01:25 AM

‎May 05 2024 01:25 AM

Re: Appdomain hijack - kql query for detection

@DylanInfosec 

 

I tried above two queries shared by you and i have 0 results atleast for past 30 days.

1 Like
Reply
Cyberworm

‎May 05 2024 02:25 AM

‎May 05 2024 02:25 AM

Re: Appdomain hijack - kql query for detection

DeviceFileEvents
| where ActionType == "FileCreated"
| extend DotIndex = indexof(FileName, ".")
| extend FileNameOnly = tostring(substring(FileName, 0, DotIndex))
| extend FileExtension = tostring(substring(FileName, DotIndex + 1))
| where FileExtension contains "exe.config"

just completed splitting the filename and extension .now the idea is to see if the file name matches and one file extension is .exe and other fileextension is .exe.config
1 Like
Reply
Cyberworm

‎May 05 2024 02:38 AM

‎May 05 2024 02:38 AM

Re: Appdomain hijack - kql query for detection

another thing is to filter these events only within same folder
1 Like
Reply
DylanInfosec

‎May 05 2024 04:04 PM

‎May 05 2024 04:04 PM

Re: Appdomain hijack - kql query for detection

Hey @Cyberworm 

love the idea.

 

Again this is kinda rough but with some work it should play nicely. 

DeviceFileEvents
| where ActionType == "FileCreated"
| extend DotIndex = indexof(FileName, ".")
| extend FileNameOnly = tostring(substring(FileName, 0, DotIndex))
| extend FileExtension = tostring(substring(FileName, DotIndex + 1))
| where FileExtension contains @".config" or FileExtension =~ @".exe"
| summarize count() by FileNameOnly
| where _count > 1


Will be able to play around and test this out tomorrow but if you get there first let me know how it goes.

 

Thanks,

Dylan

1 Like
Reply
Cyberworm

‎May 05 2024 09:57 PM

‎May 05 2024 09:57 PM

Re: Appdomain hijack - kql query for detection

Getting lot of false positives... may be my logic is wrong here.
0 Likes
Reply
Cyberworm

‎May 06 2024 03:59 AM

‎May 06 2024 03:59 AM

Re: Appdomain hijack - kql query for detection

I am getting lost now....lol . this detection getting complex for me . I think its good if joining the file creation events happened in one min or 2 min , then comparing the filename prefixes and extension in first table and second table . see if first and second matches for filenames withoutextension.
0 Likes
Reply