
PLAY_Ransomware_Kusto.md


PLAY Hunt Queries

// DEV-0882 specific activities. This query identifies DEV-0882 specific tradecraft.
// DEV-0882 pushd
// Look back over the last 30 days of process-creation telemetry.
let lookback_start = now(-30d);
let lookback_end = now();
DeviceProcessEvents
| where Timestamp between (lookback_start .. lookback_end)
// Parent shell launched with the pushd pattern (case-sensitive match on the prefix).
| where InitiatingProcessFileName =~ "cmd.exe"
    and InitiatingProcessCommandLine has_cs @'"cmd.exe" /s /k pushd "C:\'
// Working directory is a user's Music folder or ends in ProgramData.
| where InitiatingProcessCommandLine matches regex @'"C:\\Users\\([\w]+)\\Music\"'
    or InitiatingProcessCommandLine endswith 'ProgramData"'
// Child activity of interest: PsExec interactive SYSTEM shell, runas /netonly
// shell, rundll32 loading a short-named DLL, or any wevtutil invocation.
| where ProcessCommandLine =~ "PsExec.exe -s -i cmd.exe"
    or (ProcessCommandLine startswith "runas /netonly /user:" and ProcessCommandLine endswith "cmd")
    or ProcessCommandLine matches regex @'rundll32([\s]+)([a-z0-9]{1,9})\.dll, rundll'
    or ProcessCommandLine startswith 'Wevtutil.exe'

// If indication of PLAY has been detected from the above query the following queries
// can be used to identify additional signs of an intrusion.
// T1087 Account Discovery
// Exact (case-insensitive) match on the two enumeration commands.
DeviceProcessEvents
| where ProcessCommandLine =~ @'net group "domain admins" /domain'
    or ProcessCommandLine =~ @'net localgroup administrators'

// T1082 System Information Discovery
// Parent is regsvr32.exe whose command line references a .dll; the child is
// one of two host-enumeration commands (exact, case-insensitive match).
DeviceProcessEvents
| where InitiatingProcessFolderPath endswith @'regsvr32.exe'
    and InitiatingProcessCommandLine contains @'.dll'
| where ProcessCommandLine =~ @'ipconfig /all'
    or ProcessCommandLine =~ @'systeminfo'

// T1016: System Network Configuration Discovery and T1482: Domain Trust Discovery
// Recon activity with NLTEST
DeviceProcessEvents
// nltest identified by path, or by original file name on the process or its parent.
| where FolderPath endswith @'\nltest.exe'
    or ProcessVersionInfoOriginalFileName =~ @'nltestrk.exe'
    or InitiatingProcessVersionInfoOriginalFileName =~ @'nltestrk.exe'
// Domain-controller and trust enumeration switches.
| where (ProcessCommandLine contains @'/server' and ProcessCommandLine contains @'/query')
    or ProcessCommandLine contains @'/dclist:'
    or ProcessCommandLine contains @'/parentdomain'
    or ProcessCommandLine contains @'/domain_trusts'
    or ProcessCommandLine contains @'/trusted_domains'
    or ProcessCommandLine contains @'/user'

// T1567.002: Exfiltration to Cloud Storage
// Rclone Execution via Command Line or PowerShell
// Two paths: (1) rclone identified by file description or by binary name under a
// shell parent, combined with at least one rclone-style argument; (2) the bare
// `--config`/`--no-check-certificate`/`copy` combination regardless of binary.
DeviceProcessEvents
| where (
        (
            ProcessVersionInfoFileDescription =~ @'Rsync for cloud storage'
            or InitiatingProcessVersionInfoFileDescription =~ @'Rsync for cloud storage'
            or (FolderPath endswith @'\rclone.exe'
                and (InitiatingProcessFolderPath endswith @'\PowerShell.exe'
                    or InitiatingProcessFolderPath endswith @'\pwsh.exe'
                    or InitiatingProcessFolderPath endswith @'\cmd.exe'))
        )
        and (
            ProcessCommandLine contains @'pass'
            or ProcessCommandLine contains @'user'
            or ProcessCommandLine contains @'copy'
            or ProcessCommandLine contains @'sync'
            or ProcessCommandLine contains @'config'
            or ProcessCommandLine contains @'lsd'
            or ProcessCommandLine contains @'remote'
            or ProcessCommandLine contains @'ls'
            or ProcessCommandLine contains @'mega'
            or ProcessCommandLine contains @'pcloud'
            or ProcessCommandLine contains @'ftp'
            or ProcessCommandLine contains @'ignore-existing'
            or ProcessCommandLine contains @'auto-confirm'
            or ProcessCommandLine contains @'transfers'
            or ProcessCommandLine contains @'multi-thread-streams'
            or ProcessCommandLine contains @'no-check-certificate '
        )
    )
    or (
        ProcessCommandLine contains @'--config '
        and ProcessCommandLine contains @'--no-check-certificate '
        and ProcessCommandLine contains @' copy '
    )

// T1059.001: PowerShell
// Suspicious PowerShell Encoded Command Patterns
DeviceProcessEvents
// PowerShell (Windows PowerShell or pwsh) by image path.
| where FolderPath endswith @'\powershell.exe'
    or FolderPath endswith @'\pwsh.exe'
// Any abbreviation of -EncodedCommand.
| where ProcessCommandLine contains @' -e '
    or ProcessCommandLine contains @' -en '
    or ProcessCommandLine contains @' -enc '
    or ProcessCommandLine contains @' -enco'
// Base64 prefixes that typically correspond to `$`, `IEX`/`iex`, a space and `<`
// in the encoded payload (ASCII or UTF-16LE).
| where ProcessCommandLine contains @' JAB'
    or ProcessCommandLine contains @' SUVYI'
    or ProcessCommandLine contains @' SQBFAFgA'
    or ProcessCommandLine contains @' aWV4I'
    or ProcessCommandLine contains @' IAB'
    or ProcessCommandLine contains @' PAA'
    or ProcessCommandLine contains @' aQBlAHgA'
// Exclude the Azure Guest Configuration agent, which legitimately launches encoded commands.
| where not(InitiatingProcessFolderPath contains @'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    or InitiatingProcessFolderPath contains @'\gc_worker.exe')

// LSASS Memory Dump Windows
// NOTE(review): the page shows no source table before the first pipe, so this query
// is not runnable as written. The GrantedAccess / CallTrace columns are not part of
// DeviceProcessEvents; they look like Sysmon ProcessAccess (Event ID 10) fields —
// confirm the table this is meant to run against and add it as the first line.
// Target is lsass.exe, opened with access masks that include memory read, from a
// call stack that passes through a debug-help or ntdll frame.
| where FileName endswith @'\lsass.exe'
    or FolderPath endswith @'\lsass.exe'
| where GrantedAccess contains @'0x1038'
    or GrantedAccess contains @'0x1438'
    or GrantedAccess contains @'0x143a'
| where CallTrace contains @'dbghelp.dll'
    or CallTrace contains @'dbgcore.dll'
    or CallTrace contains @'ntdll.dll'
// Exclusions: the THOR scanner under the asgard2 agent path, and Sysmon itself.
// NOTE(review): comparing InitiatingProcessFileName against a full path will only
// match if that column carries a path rather than a bare file name — verify.
| where not(
        (CallTrace contains @'|C:\Windows\Temp\asgard2-agent\'
            and CallTrace contains @'\thor\thor64.exe+'
            and CallTrace contains @'|UNKNOWN('
            and GrantedAccess =~ @'0x103800')
        or InitiatingProcessFolderPath =~ @'C:\Windows\Sysmon64.exe'
        or InitiatingProcessFileName =~ @'C:\Windows\Sysmon64.exe'
    )

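// T1047: Windows Management Instrumentation
// Detects WMIC executing suspicious or recon commands
DeviceProcessEvents
// wmic.exe by path, or by original file name on the process or its parent.
| where FolderPath endswith @'\wmic.exe'
    or ProcessVersionInfoOriginalFileName =~ @'wmic.exe'
    or InitiatingProcessVersionInfoOriginalFileName =~ @'wmic.exe'
| where
    // Process creation through WMI.
    (ProcessCommandLine contains @'process'
        and ProcessCommandLine contains @'call'
        and ProcessCommandLine contains @'create ')
    // Security-product enumeration via the *Product WMI classes.
    or (ProcessCommandLine contains @' path '
        and (ProcessCommandLine contains @'AntiVirus' or ProcessCommandLine contains @'Firewall')
        and ProcessCommandLine contains @'Product'
        and ProcessCommandLine contains @' get ')
    // Hardware-model reconnaissance. This was previously joined to the clause above
    // with `and`, which required both command families in a single command line and
    // made the branch effectively unreachable; it is now an independent alternative.
    or ProcessCommandLine contains @'wmic csproduct get name'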