About KanwarSingh01

Reason for Query: LOLBINs are used quite extensively in attacks, in some cases LOLBINs are renamed and then used to bypass behavior based detection rules. Hence, the query is built to hunt for renamed process execution eg; cmd.exe renamed to xyz.exe and then executed.   Short Explanation: Before we being, we first base lined all the processes running in an environment and created a dataset using the below query: config case_sensitive = false | preset = xdr_process | filter agent_os_type = ENUM.AGENT_OS_WINDOWS | fields action_process_image_name as Process, action_process_image_sha256 as Proces_Sha256, action_process_image_path as Process_Path, action_process_signature_status as Process_Sig_Status, action_process_signature_vendor as Process_Sig_Vendor | comp count(Process) as Counter by Process,Proces_Sha256,Process_Path,Process_Sig_Status,Process_Sig_Vendor | fields Process,Proces_Sha256,Process_Path,Process_Sig_Status,Process_Sig_Vendor | target type = lookup append = false Process_Lookup   Then we use lookup table "Process_Lookup" as our base data which we created above. Now, we will write query which will do the magic for us in hunting renamed LOLBINs across the data lake.   Please see below the query: config case_sensitive = false | preset = xdr_process | filter action_process_image_name != null | join (dataset = process_lookup ) as PL PL.Proces_Sha256 = action_process_image_sha256 | alter name_spoof = if(action_process_image_sha256 = Proces_Sha256 and action_process_image_name != Process,"Spoofed","Safe") | alter Base_Process = Process | filter name_spoof = "Spoofed" | filter Base_Process in ("AppInstaller.exe","Aspnet_Compiler.exe","At.exe","Atbroker.exe","Bash.exe","Bitsadmin.exe","CertOC.exe","CertReq.exe","Certutil.exe","Cmd.exe","Cmdkey.exe","cmdl32.exe","Cmstp.exe","ConfigSecurityPolicy.exe","Conhost.exe","Control.exe","Csc.exe","Cscript.exe","DataSvcUtil.exe","Desktopimgdownldr.exe","Dfsvc.exe","Diantz.exe","Diskshadow.exe","Dllhost.exe","Dnscmd.exe","Esentutl.exe","Eventvwr.exe","Expand.exe","Explorer.exe","Extexport.exe","Extrac32.exe","Findstr.exe","Finger.exe","fltMC.exe","Forfiles.exe","Ftp.exe","GfxDownloadWrapper.exe","Gpscript.exe","Hh.exe","IMEWDBLD.exe","Ie4uinit.exe","Ieexec.exe","Ilasm.exe","Infdefaultinstall.exe","Installutil.exe","Jsc.exe","Makecab.exe","Mavinject.exe","Microsoft.Workflow.Compiler.exe","Mmc.exe","MpCmdRun.exe","Msbuild.exe","Msconfig.exe","Msdt.exe","Mshta.exe","Msiexec.exe","Netsh.exe","Odbcconf.exe","OfflineScannerShell.exe","OneDriveStandaloneUpdater.exe","Pcalua.exe","Pcwrun.exe","Pktmon.exe","Pnputil.exe","Presentationhost.exe","Print.exe","PrintBrm.exe","Psr.exe","Rasautou.exe","rdrleakdiag.exe","Reg.exe","Regasm.exe","Regedit.exe","Regini.exe","Register-cimprovider.exe","Regsvcs.exe","Regsvr32.exe","Replace.exe","Rpcping.exe","Rundll32.exe","Runonce.exe","Runscripthelper.exe","Sc.exe","Schtasks.exe","Scriptrunner.exe","SettingSyncHost.exe","Stordiag.exe","SyncAppvPublishingServer.exe","Ttdinject.exe","Tttracer.exe","vbc.exe","Verclsid.exe","Wab.exe","Wlrmdr.exe","Wmic.exe","WorkFolders.exe","Wscript.exe","Wsreset.exe","wuauclt.exe","Xwizard.exe","AccCheckConsole.exe","adplus.exe","AgentExecutor.exe","Appvlp.exe","Bginfo.exe","Cdb.exe","coregen.exe","csi.exe","DefaultPack.EXE","Devtoolslauncher.exe","dnx.exe","Dotnet.exe","Dump64.exe","Dxcap.exe","Excel.exe","Fsi.exe","FsiAnyCpu.exe","Mftrace.exe","Msdeploy.exe","msxsl.exe","ntdsutil.exe","Powerpnt.exe","Procdump(64).exe","rcsi.exe","Remote.exe","Sqldumper.exe","Sqlps.exe","SQLToolsPS.exe","Squirrel.exe","te.exe","Tracker.exe","Update.exe","VSIISExeLauncher.exe","VisualUiaVerifyNative.exe","vsjitdebugger.exe","Wfc.exe","Winword.exe","Wsl.exe","psexec.exe","procdump.exe","processhacker.exe") | filter action_process_image_path not in ("*\Microsoft\Teams\Update.exe","*Microsoft\Teams\stage\Squirrel.exe","*\Microsoft\Teams\current\Squirrel.exe") | fields action_process_image_name as Renamed_Process_Name, action_process_image_path as Process_Path, action_process_image_sha256 as Process_SHA_256, Base_Process, Process_Sig_Vendor | comp count(Renamed_Process_Name) as Counter by Base_Process, Renamed_Process_Name, Process_Path, Process_SHA_256 | sort desc Counter The query will produce some noise, I would recommend to filter out noise based on your environment.   A quick run of the query gives the below output:   Please let me know, if it is useful and feel free to let us know of any suggestions. Thank you. ... View more

Just posting, if this is useful for someone who might be hunting for Kerberos Relay Up (Privilege Escalation on Windows System) Activity. The purpose of this hunt is to look for suspicious logon on windows system using Kerberos Auth Package where the source of logon is localhost IP and user account is Administrator SID. dataset = xdr_data | filter event_type = ENUM.EVENT_LOG | filter action_evtlog_event_id = 4624 | alter auth_package = arrayindex(regextract(action_evtlog_message,"Authentication Package:\s(\w+)"),0), network = arrayindex(regextract(action_evtlog_message,"Source Network Address:\s(.*)\r\n"),0), logon_type = arrayindex(regextract(action_evtlog_message,"Logon Type:\s+(\d+)\r\n"),0), sid = arrayindex(regextract(action_evtlog_message,"Security ID:\s+(.*?-500)\r\n"),0) | filter auth_package = "Kerberos" and logon_type = "3" and sid ~= ".*500" and network in ("127.0.0.1","::1") | fields _time as Time, agent_hostname as Host, agent_ip_addresses as IP, auth_package,sid,logon_type,network as Event_Log_Source_Network, actor_process_image_name as Process Please feel free to suggest if anything can be improved. Thank you. ... View more