We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “Falcon Friday”, we will release DATP/Sysmon hunting queries to detect offensive techniques.
As FalconForce, we are active in the “purple arena” — we want to practice as much defensive security as offensive security. Moreover, we want to share back to the community. Combining these two, we came up with the idea to develop hunting queries based on our offensive & defensive experience and share our “latest and greatest” hunting/alerting queries for everyone to use. We will start off with queries for Microsoft Defender ATP (DATP) & Sysmon, but might expand to other tools in the future.
Our current plan is to release 1 or 2 hunting queries every other week. The queries will be released on GitHub, accompanied by a short blog post on Medium detailing background, working off the query, the accuracy we expect, any possible variations or improvements, any catches and really anything else we deem relevant.
We will publish the queries on GitHub. Each query will be aimed at detecting some specific technique as precisely as possible and linked to MITRE ATT&CK. We anticipate that some queries will have more than 1 variant, aimed at detecting the same attack in different ways with varying trade-offs. Similarly, we will document trade-offs for various options in a single query to give you the flexibility to gear towards more false positives or more false negatives.
To give you an idea, we’re going to release hunts for attacks such as:
- DLL injection
- Process injection
- COM hijacking
- Aborted MFA requests
- Abuse of LOLBins
- Misbehaving Office applications
- Process hollowing
- Unmanaged binaries running managed code
- Anomalies in LDAP traffic
- Command execution using WMI
- SMB NULL session attempts
Having said that, don’t expect to copy-paste the queries in your environment and be done with it. We will provide a foundation query which can detect a certain technique. However, you will still need to fine-tune/extend the query to your organisations’ specifics to make it work in your environment and integrate into your monitoring solution.
The queries will be free to use in any way you like, although we appreciate a reference back to @falconforceteam Twitter / FalconForce GitHub.
T1546.015 — COM Hijacking — Vault7 trick
You can find the query here on GitHub. The IoC we use here to find the hijack is the ShellFolder attribute value of “0xf090013d”. This value is a bit weird, and if you Google it, you’ll only find references to this hijacking technique.
After some digging, we found out that this value is a bitmask for the SFGAO type. This magic value translates back to the following SFGAO flags being set:
What we haven’t figured out yet, is if and why this combination of flags is important. All sources we could find on this topic used the same magic value, without explaining why this magic value is used. If you have time to research which of the flags here is relevant to make this work — i.e. gain persistence and execution — please reach out!
As for this query, if it gives you results, it’s very likely to be malicious as we found this value only related to this persistence method. If the query doesn’t give you any results, it most definitely doesn’t exclude persistence using COM.
T1059.001 — PowerShell — System.Management.Automation
This query is aimed at detecting use of PowerShell without using the “normal” powershell.exe executable. You can find the query here.
As most of you know, powershell.exe is a wrapper around System.Management.Automation.dll. There are a lot of offensive tools out there to bypass restrictions aimed specifically at the powershell.exe executable. These tools essentially load the aforementioned DLL and interact with it directly. This rule only works if the System.Management.Automation.dll is loaded with the LoadLibrary API or references within a .NET project. More background info can be found here.
Although this technique is already fairly old and not necessarily “state of the art”, it’s still used quite often in the wild. Not necessarily by the top adversaries, but it might help you catch the slightly less advanced attackers.
We love to hear back from you on the results. Also, any feedback or suggestions for improvements are welcome. Feel free to create pull requests if you have improvements which can benefit the community. We’ll make sure to cover your PRs in the blog following your PR.
The GitHub repo can be found HERE.