09-18-2022 12:17 PM
Hello dear community,
is there a capability in cortex xdr pro, which can detect or stop the dumping and stealing from tokens?
https://mrd0x.com/stealing-tokens-from-office-applications/?no-cache=1
How would you go on this? XQL BIOC query with detection on dump creation? Or BIOC XQL for strings64.exe call?
BR
Rob
09-18-2022 07:10 PM
Hi @RFeyertag I would probably create BIOC rules with multiple logic:
Before doing above baseline first:
config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_CREATE_NEW,ENUM.FILE_WRITE)
| filter actor_process_image_name != null
| filter actor_process_image_name not in ("werfault.exe","System") and action_file_name = "*.dmp"
| fields _time as Time_Stamp, agent_hostname as Host, agent_ip_addresses as IP_Addr, action_file_name as Dump_Filename, actor_process_image_name as Process
Thanks
Kanwar
09-21-2022 07:02 PM
Hi @RFeyertag there's a BIOC available in github that you can take a look at to see if it meets your needs.
09-24-2022 01:59 PM
Hey @bbarmanroy,
thank you very much! It worked like very good! Here is my final query:
dataset = xdr_data |
filter event_type = FILE and (
actor_process_image_name not contains "Teams" and
actor_process_image_name not contains "teams" and actor_process_image_path not contains "C:\Windows\System32\svchost.exe"
)
and (
action_file_path contains "\Microsoft\Teams\Cookies" or
action_file_path contains "Microsoft\Teams\Local Storage\leveldb" or
action_file_path contains "/Library/Application Support/Microsoft/Teams/Cookies" or
action_file_path contains "/Library/Application Support/Microsoft/Teams/Local Storage/leveldb" or
action_file_path contains "/.config/Microsoft/Microsoft Teams/Cookies" or
action_file_path contains "/.config/Microsoft/Microsoft Teams/Local Storage/leveldb"
)
Do you think excluding svchost.exe is a good idea?
BR
Rob
09-25-2022 08:00 PM
Hi @RFeyertag the query looks good.
I'd probably want to clean up a bit if that makes for a quicker read as BIOC rules are case-insensitive by default (takes care of the process name) as well as put the paths in an array:
dataset = xdr_data
| filter event_type = ENUM.FILE
| filter action_file_path in ("%AppData%\Microsoft\Teams\Cookies", "%AppData%\Microsoft\Teams\Local Storage\leveldb", "~/Library/Application Support/Microsoft/Teams/Cookies", "~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb","~/.config/Microsoft/Microsoft Teams/Cookies", "~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb") and action_process_image_name !~= "teams"
I am not full up-to-date with the threat, but I understand that this requires local privileges on the endpoint (so an attacker would already have access to Teams at that point post-authentication?). As such, putting in svchost in the query is probably not necessary. Do discuss this with your wider information security teams (including threat intel) to discover variants and use that to modify the BIOC as needed.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
