This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this post

XQL - Hunting Renamed LOLBINs Process Execution

KanwarSingh01
L3 Networker

‎05-20-2022 03:40 AM

Reason for Query:

LOLBINs are used quite extensively in attacks, in some cases LOLBINs are renamed and then used to bypass behavior based detection rules. Hence, the query is built to hunt for renamed process execution eg; cmd.exe renamed to xyz.exe and then executed.

 

Short Explanation:

Before we being, we first base lined all the processes running in an environment and created a dataset using the below query:

config case_sensitive = false 
| preset = xdr_process
| filter agent_os_type = ENUM.AGENT_OS_WINDOWS
| fields action_process_image_name as Process, action_process_image_sha256 as Proces_Sha256, action_process_image_path as Process_Path, action_process_signature_status as Process_Sig_Status, action_process_signature_vendor as Process_Sig_Vendor
| comp count(Process) as Counter by Process,Proces_Sha256,Process_Path,Process_Sig_Status,Process_Sig_Vendor
| fields Process,Proces_Sha256,Process_Path,Process_Sig_Status,Process_Sig_Vendor
| target type = lookup append = false Process_Lookup

 

Then we use lookup table "Process_Lookup" as our base data which we created above. Now, we will write query which will do the magic for us in hunting renamed LOLBINs across the data lake.

 

Please see below the query:

config case_sensitive = false 
| preset = xdr_process  
| filter action_process_image_name != null
| join (dataset = process_lookup ) as PL PL.Proces_Sha256 = action_process_image_sha256 
| alter name_spoof = if(action_process_image_sha256 = Proces_Sha256 and action_process_image_name != Process,"Spoofed","Safe")
| alter Base_Process = Process
| filter name_spoof = "Spoofed"
| filter Base_Process in ("AppInstaller.exe","Aspnet_Compiler.exe","At.exe","Atbroker.exe","Bash.exe","Bitsadmin.exe","CertOC.exe","CertReq.exe","Certutil.exe","Cmd.exe","Cmdkey.exe","cmdl32.exe","Cmstp.exe","ConfigSecurityPolicy.exe","Conhost.exe","Control.exe","Csc.exe","Cscript.exe","DataSvcUtil.exe","Desktopimgdownldr.exe","Dfsvc.exe","Diantz.exe","Diskshadow.exe","Dllhost.exe","Dnscmd.exe","Esentutl.exe","Eventvwr.exe","Expand.exe","Explorer.exe","Extexport.exe","Extrac32.exe","Findstr.exe","Finger.exe","fltMC.exe","Forfiles.exe","Ftp.exe","GfxDownloadWrapper.exe","Gpscript.exe","Hh.exe","IMEWDBLD.exe","Ie4uinit.exe","Ieexec.exe","Ilasm.exe","Infdefaultinstall.exe","Installutil.exe","Jsc.exe","Makecab.exe","Mavinject.exe","Microsoft.Workflow.Compiler.exe","Mmc.exe","MpCmdRun.exe","Msbuild.exe","Msconfig.exe","Msdt.exe","Mshta.exe","Msiexec.exe","Netsh.exe","Odbcconf.exe","OfflineScannerShell.exe","OneDriveStandaloneUpdater.exe","Pcalua.exe","Pcwrun.exe","Pktmon.exe","Pnputil.exe","Presentationhost.exe","Print.exe","PrintBrm.exe","Psr.exe","Rasautou.exe","rdrleakdiag.exe","Reg.exe","Regasm.exe","Regedit.exe","Regini.exe","Register-cimprovider.exe","Regsvcs.exe","Regsvr32.exe","Replace.exe","Rpcping.exe","Rundll32.exe","Runonce.exe","Runscripthelper.exe","Sc.exe","Schtasks.exe","Scriptrunner.exe","SettingSyncHost.exe","Stordiag.exe","SyncAppvPublishingServer.exe","Ttdinject.exe","Tttracer.exe","vbc.exe","Verclsid.exe","Wab.exe","Wlrmdr.exe","Wmic.exe","WorkFolders.exe","Wscript.exe","Wsreset.exe","wuauclt.exe","Xwizard.exe","AccCheckConsole.exe","adplus.exe","AgentExecutor.exe","Appvlp.exe","Bginfo.exe","Cdb.exe","coregen.exe","csi.exe","DefaultPack.EXE","Devtoolslauncher.exe","dnx.exe","Dotnet.exe","Dump64.exe","Dxcap.exe","Excel.exe","Fsi.exe","FsiAnyCpu.exe","Mftrace.exe","Msdeploy.exe","msxsl.exe","ntdsutil.exe","Powerpnt.exe","Procdump(64).exe","rcsi.exe","Remote.exe","Sqldumper.exe","Sqlps.exe","SQLToolsPS.exe","Squirrel.exe","te.exe","Tracker.exe","Update.exe","VSIISExeLauncher.exe","VisualUiaVerifyNative.exe","vsjitdebugger.exe","Wfc.exe","Winword.exe","Wsl.exe","psexec.exe","procdump.exe","processhacker.exe")
| filter action_process_image_path not in ("*\Microsoft\Teams\Update.exe","*Microsoft\Teams\stage\Squirrel.exe","*\Microsoft\Teams\current\Squirrel.exe")
| fields action_process_image_name as Renamed_Process_Name, action_process_image_path as Process_Path, action_process_image_sha256 as Process_SHA_256, Base_Process, Process_Sig_Vendor 
| comp count(Renamed_Process_Name) as Counter by Base_Process, Renamed_Process_Name, Process_Path, Process_SHA_256 
| sort desc Counter

The query will produce some noise, I would recommend to filter out noise based on your environment.

 

A quick run of the query gives the below output:

KanwarSingh01_0-1653042890911.png

 

Please let me know, if it is useful and feel free to let us know of any suggestions.

Thank you.

Kind Regards
KS
(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks