Windows defender and calc abuse for dll sideloading

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Windows defender and calc abuse for dll sideloading

L3 Networker

Hello dear community, 

 

Has anyone build a xql query for this case:

 

https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-str...

Should this help?

https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-hunting-renamed-lolbins-process-exec...

 

And how do we Set this two queries up?

 

BR 

 

Rob

 

 

 

1 REPLY 1

L4 Transporter

Hi Cyber1985,

 

If you have a Pro per Endpoint license then the Analytics Engine will identify this sort of thing for you, here are some relevant Analytics alerts that can fire:

Each of these alerts will generate incidents if they fire within your tenant.  If you want to create your own XQL search you can go to Incident Response -> Query Builder -> XQL Search, here you can paste the query from the second article you linked and then you have the option to Run, Run in Background, Save or Schedule.  If you want this to generate alerts if data is returned, you can save it as a correlation rule and it will then be run periodically and can create incidents (depending on the severity you set, medium and high severity generate alerts).

 

If you are a Prevent customer, then you do not have EDR data collection as a feature and will be unable to detect this sort of behavior.  

  • 1655 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!