XQL - Hunting Renamed LOLBINs Process Execution

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

XQL - Hunting Renamed LOLBINs Process Execution

L3 Networker

Reason for Query:

LOLBINs are used quite extensively in attacks, in some cases LOLBINs are renamed and then used to bypass behavior based detection rules. Hence, the query is built to hunt for renamed process execution eg; cmd.exe renamed to xyz.exe and then executed.

 

Short Explanation:

Before we being, we first base lined all the processes running in an environment and created a dataset using the below query:

config case_sensitive = false 
| preset = xdr_process
| filter agent_os_type = ENUM.AGENT_OS_WINDOWS
| fields action_process_image_name as Process, action_process_image_sha256 as Proces_Sha256, action_process_image_path as Process_Path, action_process_signature_status as Process_Sig_Status, action_process_signature_vendor as Process_Sig_Vendor
| comp count(Process) as Counter by Process,Proces_Sha256,Process_Path,Process_Sig_Status,Process_Sig_Vendor
| fields Process,Proces_Sha256,Process_Path,Process_Sig_Status,Process_Sig_Vendor
| target type = lookup append = false Process_Lookup

 

Then we use lookup table "Process_Lookup" as our base data which we created above. Now, we will write query which will do the magic for us in hunting renamed LOLBINs across the data lake.

 

Please see below the query:

config case_sensitive = false 
| preset = xdr_process  
| filter action_process_image_name != null
| join (dataset = process_lookup ) as PL PL.Proces_Sha256 = action_process_image_sha256 
| alter name_spoof = if(action_process_image_sha256 = Proces_Sha256 and action_process_image_name != Process,"Spoofed","Safe")
| alter Base_Process = Process
| filter name_spoof = "Spoofed"
| filter Base_Process in ("AppInstaller.exe","Aspnet_Compiler.exe","At.exe","Atbroker.exe","Bash.exe","Bitsadmin.exe","CertOC.exe","CertReq.exe","Certutil.exe","Cmd.exe","Cmdkey.exe","cmdl32.exe","Cmstp.exe","ConfigSecurityPolicy.exe","Conhost.exe","Control.exe","Csc.exe","Cscript.exe","DataSvcUtil.exe","Desktopimgdownldr.exe","Dfsvc.exe","Diantz.exe","Diskshadow.exe","Dllhost.exe","Dnscmd.exe","Esentutl.exe","Eventvwr.exe","Expand.exe","Explorer.exe","Extexport.exe","Extrac32.exe","Findstr.exe","Finger.exe","fltMC.exe","Forfiles.exe","Ftp.exe","GfxDownloadWrapper.exe","Gpscript.exe","Hh.exe","IMEWDBLD.exe","Ie4uinit.exe","Ieexec.exe","Ilasm.exe","Infdefaultinstall.exe","Installutil.exe","Jsc.exe","Makecab.exe","Mavinject.exe","Microsoft.Workflow.Compiler.exe","Mmc.exe","MpCmdRun.exe","Msbuild.exe","Msconfig.exe","Msdt.exe","Mshta.exe","Msiexec.exe","Netsh.exe","Odbcconf.exe","OfflineScannerShell.exe","OneDriveStandaloneUpdater.exe","Pcalua.exe","Pcwrun.exe","Pktmon.exe","Pnputil.exe","Presentationhost.exe","Print.exe","PrintBrm.exe","Psr.exe","Rasautou.exe","rdrleakdiag.exe","Reg.exe","Regasm.exe","Regedit.exe","Regini.exe","Register-cimprovider.exe","Regsvcs.exe","Regsvr32.exe","Replace.exe","Rpcping.exe","Rundll32.exe","Runonce.exe","Runscripthelper.exe","Sc.exe","Schtasks.exe","Scriptrunner.exe","SettingSyncHost.exe","Stordiag.exe","SyncAppvPublishingServer.exe","Ttdinject.exe","Tttracer.exe","vbc.exe","Verclsid.exe","Wab.exe","Wlrmdr.exe","Wmic.exe","WorkFolders.exe","Wscript.exe","Wsreset.exe","wuauclt.exe","Xwizard.exe","AccCheckConsole.exe","adplus.exe","AgentExecutor.exe","Appvlp.exe","Bginfo.exe","Cdb.exe","coregen.exe","csi.exe","DefaultPack.EXE","Devtoolslauncher.exe","dnx.exe","Dotnet.exe","Dump64.exe","Dxcap.exe","Excel.exe","Fsi.exe","FsiAnyCpu.exe","Mftrace.exe","Msdeploy.exe","msxsl.exe","ntdsutil.exe","Powerpnt.exe","Procdump(64).exe","rcsi.exe","Remote.exe","Sqldumper.exe","Sqlps.exe","SQLToolsPS.exe","Squirrel.exe","te.exe","Tracker.exe","Update.exe","VSIISExeLauncher.exe","VisualUiaVerifyNative.exe","vsjitdebugger.exe","Wfc.exe","Winword.exe","Wsl.exe","psexec.exe","procdump.exe","processhacker.exe")
| filter action_process_image_path not in ("*\Microsoft\Teams\Update.exe","*Microsoft\Teams\stage\Squirrel.exe","*\Microsoft\Teams\current\Squirrel.exe")
| fields action_process_image_name as Renamed_Process_Name, action_process_image_path as Process_Path, action_process_image_sha256 as Process_SHA_256, Base_Process, Process_Sig_Vendor 
| comp count(Renamed_Process_Name) as Counter by Base_Process, Renamed_Process_Name, Process_Path, Process_SHA_256 
| sort desc Counter

The query will produce some noise, I would recommend to filter out noise based on your environment.

 

A quick run of the query gives the below output:

KanwarSingh01_0-1653042890911.png

 

Please let me know, if it is useful and feel free to let us know of any suggestions.

Thank you.

Kind Regards
KS
3 REPLIES 3

L5 Sessionator

Thank you for your contribution! 

L3 Networker

@rtsedaka Welcome.

Kind Regards
KS

L3 Networker

Hey KS!

 

Nice query. Can you please explain it to us, how this should run automaticly? What are the steps to take it live? 

And how do I test it in detail? 

 

BR

 

Rob

  • 3100 Views
  • 3 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!