Introducing: Falcon Friday

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “Falcon Friday”, we will release DATP/Sysmon hunting queries to detect offensive techniques.

As FalconForce, we are active in the “purple arena” — we want to practice as much defensive security as offensive security. Moreover, we want to share back to the community. Combining these two, we came up with the idea to develop hunting queries based on our offensive & defensive experience and share our “latest and greatest” hunting/alerting queries for everyone to use. We will start off with queries for Microsoft Defender ATP (DATP) & Sysmon, but might expand to other tools in the future.

Our plan

Our current plan is to release one or two hunting queries every other week. The queries will be released on GitHub, accompanied by a short blog post on Medium detailing the background, how the query works, the accuracy we expect, any possible variations or improvements, any catches and really anything else we deem relevant.

Initially, we’ll be working based on the excellent library of @spotheplanet’s https://www.ired.team/ and release the queries specifically for DATP.

We will publish the queries on GitHub. Each query will be aimed at detecting one specific technique as precisely as possible and will be linked to MITRE ATT&CK. We anticipate that some queries will have more than one variant, each aimed at detecting the same attack in a different way with different trade-offs. Similarly, we will document the trade-offs of the various options within a single query, to give you the flexibility to tune it towards fewer false positives or fewer false negatives.

To give you an idea, we’re going to release hunts for attacks such as:

  • DLL injection
  • Process injection
  • COM hijacking
  • .NET-to-JScript
  • Aborted MFA requests
  • Abuse of LOLBins
  • Misbehaving Office applications
  • Process hollowing
  • Unmanaged binaries running managed code
  • Anomalies in LDAP traffic
  • Command execution using WMI
  • SMB NULL session attempts

Having said that, don’t expect to copy-paste the queries into your environment and be done with it. We will provide a foundation query which can detect a certain technique. However, you will still need to fine-tune or extend the query to your organisation’s specifics to make it work in your environment and integrate it into your monitoring solution.

The queries will be free to use in any way you like, although we appreciate a reference back to @falconforceteam Twitter / FalconForce GitHub.


T1546.015 — COM Hijacking — Vault7 trick

This query is aimed at detecting persistence using a specific way of COM hijacking, first published in the Vault7 leaks. A variant is described here.

You can find the query here on GitHub. The IoC we use here to find the hijack is the ShellFolder attribute value of “0xf090013d”. This value is a bit weird, and if you Google it, you’ll only find references to this hijacking technique.

After some digging, we found out that this value is a bitmask for the SFGAO type. This magic value translates back to the following SFGAO flags being set:

  • SFGAO_CANCOPY
  • SFGAO_CANLINK
  • SFGAO_STORAGE
  • SFGAO_CANRENAME
  • SFGAO_CANDELETE
  • SFGAO_DROPTARGET
  • SFGAO_NONENUMERATED
  • SFGAO_STORAGEANCESTOR
  • SFGAO_FILESYSANCESTOR
  • SFGAO_FOLDER
  • SFGAO_FILESYSTEM
  • SFGAO_HASSUBFOLDER

What we haven’t figured out yet is whether and why this combination of flags is important. All sources we could find on this topic used the same magic value, without explaining why this magic value is used. If you have time to research which of the flags here are relevant to make this work — i.e. gain persistence and execution — please reach out!

As for this query: if it gives you results, they are very likely to be malicious, as we found this value only in relation to this persistence method. If the query doesn’t give you any results, that most definitely does not exclude persistence using COM hijacking.
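To make the bitmask claim above concrete, here is a small decoder, added as an example for this post and not part of the FalconForce query: it turns a ShellFolder “Attributes” value into SFGAO flag names and checks it against the 0xf090013d IoC. The SFGAO bit values are the constants from the Windows SDK; the accepted input shapes (a REG_DWORD integer, a hex string, the Sysmon registry-event “DWORD (0x…)” rendering, or four little-endian bytes) are assumptions about how the value reaches you, and the sample inputs are constructed.

```python
# Added example (not the FalconForce query): decode a ShellFolder "Attributes"
# value (an SFGAO bitmask) and compare it with the Vault7 COM-hijack IoC.
# Flag values are the SFGAO constants from the Windows SDK (shobjidl_core.h).
from __future__ import annotations

import re
from typing import Union

# Bit -> SFGAO flag name (Windows SDK values).
SFGAO_FLAGS = {
    0x00000001: "SFGAO_CANCOPY",
    0x00000002: "SFGAO_CANMOVE",
    0x00000004: "SFGAO_CANLINK",
    0x00000008: "SFGAO_STORAGE",
    0x00000010: "SFGAO_CANRENAME",
    0x00000020: "SFGAO_CANDELETE",
    0x00000040: "SFGAO_HASPROPSHEET",
    0x00000100: "SFGAO_DROPTARGET",
    0x00002000: "SFGAO_ENCRYPTED",
    0x00004000: "SFGAO_ISSLOW",
    0x00008000: "SFGAO_GHOSTED",
    0x00010000: "SFGAO_LINK",
    0x00020000: "SFGAO_SHARE",
    0x00040000: "SFGAO_READONLY",
    0x00080000: "SFGAO_HIDDEN",
    0x00100000: "SFGAO_NONENUMERATED",
    0x00200000: "SFGAO_NEWCONTENT",
    0x00400000: "SFGAO_STREAM",
    0x00800000: "SFGAO_STORAGEANCESTOR",
    0x01000000: "SFGAO_VALIDATE",
    0x02000000: "SFGAO_REMOVABLE",
    0x04000000: "SFGAO_COMPRESSED",
    0x08000000: "SFGAO_BROWSABLE",
    0x10000000: "SFGAO_FILESYSANCESTOR",
    0x20000000: "SFGAO_FOLDER",
    0x40000000: "SFGAO_FILESYSTEM",
    0x80000000: "SFGAO_HASSUBFOLDER",
}

# The magic value used by the Vault7 COM-hijack persistence trick.
VAULT7_IOC = 0xF090013D

RawValue = Union[int, str, bytes]


def parse_attributes(raw: RawValue) -> int:
    """Normalise the shapes the value shows up in (assumed input formats):
    a REG_DWORD as int, a hex string ("0xf090013d"), the Sysmon registry
    event "Details" rendering ("DWORD (0xf090013d)"), or a 4-byte
    little-endian REG_BINARY blob."""
    if isinstance(raw, int):
        return raw & 0xFFFFFFFF
    if isinstance(raw, bytes):
        if len(raw) != 4:
            raise ValueError("expected a 4-byte little-endian DWORD")
        return int.from_bytes(raw, "little")
    match = re.search(r"0x([0-9a-fA-F]{1,8})", raw)
    if match is None:
        return int(raw.strip(), 10) & 0xFFFFFFFF  # plain decimal string
    return int(match.group(1), 16)


def decode_sfgao(value: int) -> tuple[list[str], int]:
    """Return (names of the flags set, leftover bits not in the table)."""
    names: list[str] = []
    leftover = value & 0xFFFFFFFF
    for bit, name in sorted(SFGAO_FLAGS.items()):
        if value & bit:
            names.append(name)
            leftover &= ~bit
    return names, leftover & 0xFFFFFFFF


def matches_ioc(raw: RawValue) -> bool:
    """True only for an exact match of the magic value. Matching on a subset
    of the flags instead would trade fewer false negatives for more false
    positives, which is exactly the tuning knob the post talks about."""
    return parse_attributes(raw) == VAULT7_IOC


if __name__ == "__main__":
    names, leftover = decode_sfgao(VAULT7_IOC)
    print(f"0x{VAULT7_IOC:08x} -> {', '.join(names)} (unknown bits: 0x{leftover:08x})")
    # Constructed Sysmon-style Details string for a registry value-set event.
    print("IoC match:", matches_ioc("DWORD (0xf090013d)"))
```

Running it against the IoC reproduces the twelve flags listed above with no leftover bits, which is a quick way to sanity-check a hit before you start digging into the CLSID it was set on.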

MITRE ATT&CK: T1546.015

T1059.001 — PowerShell — System.Management.Automation

This query is aimed at detecting use of PowerShell without using the “normal” powershell.exe executable. You can find the query here.

As most of you know, powershell.exe is a wrapper around System.Management.Automation.dll. There are a lot of offensive tools out there that bypass restrictions aimed specifically at the powershell.exe executable. These tools essentially load the aforementioned DLL and interact with it directly. This rule only works if System.Management.Automation.dll is loaded from disk, either via the LoadLibrary API or as an assembly reference from a .NET project. More background info can be found here.

The trick used by powerpick and UnmanagedPowershell will not be detected because they load the binary as a blob from memory and not as a file from disk. We’re working on a separate hunt for those.
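The core of the detection, and the blind spot just described, can be shown with a few image-load records. The following is an added example written for this post, not the FalconForce query: it runs over constructed Sysmon Event ID 7 (ImageLoad) records and flags any process outside a small set of expected PowerShell hosts that loads System.Management.Automation.dll from disk. The host allow-list, the sample paths and the PIDs are assumptions made up for the example; the third record stands in for a host that maps the DLL from memory and therefore never produces an ImageLoad event for it.

```python
# Added example (not the FalconForce query): flag System.Management.Automation.dll
# being loaded by a process other than the usual PowerShell hosts, run over
# constructed Sysmon Event ID 7 (ImageLoad) records.
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Processes expected to load the automation DLL (assumed baseline; extend it
# with the legitimate PowerShell hosts in your own environment).
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe"}


@dataclass(frozen=True)
class ImageLoad:
    """Subset of the Sysmon Event ID 7 fields used by this hunt."""
    process_id: int
    image: str          # Image: the process performing the load
    image_loaded: str   # ImageLoaded: full path of the DLL that was mapped


def is_automation_dll(path: str) -> bool:
    """Match System.Management.Automation.dll as well as its NGEN native
    image System.Management.Automation.ni.dll."""
    name = PureWindowsPath(path).name.lower()
    return name.startswith("system.management.automation") and name.endswith(".dll")


def hunt(events: list[ImageLoad]) -> list[ImageLoad]:
    """Return the loads of the automation DLL by unexpected host processes."""
    hits: list[ImageLoad] = []
    for ev in events:
        if not is_automation_dll(ev.image_loaded):
            continue
        if PureWindowsPath(ev.image).name.lower() in EXPECTED_HOSTS:
            continue
        hits.append(ev)
    return hits


# Constructed sample records (paths and PIDs are made up for the example).
GAC_DLL = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
           r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")

SAMPLE_EVENTS = [
    # Expected: powershell.exe loading its own engine DLL -> no hit.
    ImageLoad(4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", GAC_DLL),
    # Suspicious: an unrelated executable loading the engine from disk -> hit.
    ImageLoad(5316, r"C:\Users\alice\AppData\Local\Temp\updater.exe", GAC_DLL),
    # Blind spot: a host that maps the DLL from memory only shows loads of the
    # CLR itself; there is never an ImageLoad for the automation DLL -> no hit.
    ImageLoad(6002, r"C:\Users\alice\Downloads\inmem_host.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"PID {hit.process_id}: {hit.image} loaded {hit.image_loaded}")
```

The second record is the only hit; the third one is exactly the case the paragraph above describes, and no amount of tuning on ImageLoad events will surface it, which is why a separate hunt is needed for the in-memory variants.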

Although this technique is already fairly old and not necessarily “state of the art”, it’s still used quite often in the wild. Not necessarily by the top adversaries, but it might help you catch the slightly less advanced attackers.

MITRE ATT&CK: T1059.001

Final words

We’d love to hear back from you about the results. Any feedback or suggestions for improvement are welcome too. Feel free to create pull requests if you have improvements which can benefit the community. We’ll make sure to cover your PR in the blog post that follows it.

The GitHub repo can be found HERE.
