Reason for Query:
LOLBINs are used quite extensively in attacks, in some cases LOLBINs are renamed and then used to bypass behavior based detection rules. Hence, the query is built to hunt for renamed process execution eg; cmd.exe renamed to xyz.exe and then executed.
Short Explanation:
Before we being, we first base lined all the processes running in an environment and created a dataset using the below query:
config case_sensitive = false
| preset = xdr_process
| filter agent_os_type = ENUM.AGENT_OS_WINDOWS
| fields action_process_image_name as Process, action_process_image_sha256 as Proces_Sha256, action_process_image_path as Process_Path, action_process_signature_status as Process_Sig_Status, action_process_signature_vendor as Process_Sig_Vendor
| comp count(Process) as Counter by Process,Proces_Sha256,Process_Path,Process_Sig_Status,Process_Sig_Vendor
| fields Process,Proces_Sha256,Process_Path,Process_Sig_Status,Process_Sig_Vendor
| target type = lookup append = false Process_Lookup
Then we use lookup table "Process_Lookup" as our base data which we created above. Now, we will write query which will do the magic for us in hunting renamed LOLBINs across the data lake.
Please see below the query:
config case_sensitive = false
| preset = xdr_process
| filter action_process_image_name != null
| join (dataset = process_lookup ) as PL PL.Proces_Sha256 = action_process_image_sha256
| alter name_spoof = if(action_process_image_sha256 = Proces_Sha256 and action_process_image_name != Process,"Spoofed","Safe")
| alter Base_Process = Process
| filter name_spoof = "Spoofed"
| filter Base_Process in ("AppInstaller.exe","Aspnet_Compiler.exe","At.exe","Atbroker.exe","Bash.exe","Bitsadmin.exe","CertOC.exe","CertReq.exe","Certutil.exe","Cmd.exe","Cmdkey.exe","cmdl32.exe","Cmstp.exe","ConfigSecurityPolicy.exe","Conhost.exe","Control.exe","Csc.exe","Cscript.exe","DataSvcUtil.exe","Desktopimgdownldr.exe","Dfsvc.exe","Diantz.exe","Diskshadow.exe","Dllhost.exe","Dnscmd.exe","Esentutl.exe","Eventvwr.exe","Expand.exe","Explorer.exe","Extexport.exe","Extrac32.exe","Findstr.exe","Finger.exe","fltMC.exe","Forfiles.exe","Ftp.exe","GfxDownloadWrapper.exe","Gpscript.exe","Hh.exe","IMEWDBLD.exe","Ie4uinit.exe","Ieexec.exe","Ilasm.exe","Infdefaultinstall.exe","Installutil.exe","Jsc.exe","Makecab.exe","Mavinject.exe","Microsoft.Workflow.Compiler.exe","Mmc.exe","MpCmdRun.exe","Msbuild.exe","Msconfig.exe","Msdt.exe","Mshta.exe","Msiexec.exe","Netsh.exe","Odbcconf.exe","OfflineScannerShell.exe","OneDriveStandaloneUpdater.exe","Pcalua.exe","Pcwrun.exe","Pktmon.exe","Pnputil.exe","Presentationhost.exe","Print.exe","PrintBrm.exe","Psr.exe","Rasautou.exe","rdrleakdiag.exe","Reg.exe","Regasm.exe","Regedit.exe","Regini.exe","Register-cimprovider.exe","Regsvcs.exe","Regsvr32.exe","Replace.exe","Rpcping.exe","Rundll32.exe","Runonce.exe","Runscripthelper.exe","Sc.exe","Schtasks.exe","Scriptrunner.exe","SettingSyncHost.exe","Stordiag.exe","SyncAppvPublishingServer.exe","Ttdinject.exe","Tttracer.exe","vbc.exe","Verclsid.exe","Wab.exe","Wlrmdr.exe","Wmic.exe","WorkFolders.exe","Wscript.exe","Wsreset.exe","wuauclt.exe","Xwizard.exe","AccCheckConsole.exe","adplus.exe","AgentExecutor.exe","Appvlp.exe","Bginfo.exe","Cdb.exe","coregen.exe","csi.exe","DefaultPack.EXE","Devtoolslauncher.exe","dnx.exe","Dotnet.exe","Dump64.exe","Dxcap.exe","Excel.exe","Fsi.exe","FsiAnyCpu.exe","Mftrace.exe","Msdeploy.exe","msxsl.exe","ntdsutil.exe","Powerpnt.exe","Procdump(64).exe","rcsi.exe","Remote.exe","Sqldumper.exe","Sqlps.exe","SQLToolsPS.exe","Squirrel.exe","te.exe","Tracker.exe","Update.exe","VSIISExeLauncher.exe","VisualUiaVerifyNative.exe","vsjitdebugger.exe","Wfc.exe","Winword.exe","Wsl.exe","psexec.exe","procdump.exe","processhacker.exe")
| filter action_process_image_path not in ("*\Microsoft\Teams\Update.exe","*Microsoft\Teams\stage\Squirrel.exe","*\Microsoft\Teams\current\Squirrel.exe")
| fields action_process_image_name as Renamed_Process_Name, action_process_image_path as Process_Path, action_process_image_sha256 as Process_SHA_256, Base_Process, Process_Sig_Vendor
| comp count(Renamed_Process_Name) as Counter by Base_Process, Renamed_Process_Name, Process_Path, Process_SHA_256
| sort desc CounterThe query will produce some noise, I would recommend to filter out noise based on your environment.
A quick run of the query gives the below output:
Please let me know, if it is useful and feel free to let us know of any suggestions.
Thank you.
