# *Advanced Multi-Stage Linux Enumeration & Post-Exploitation Detector*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1566.001 | Phishing: Spearphishing Attachment | https://attack.mitre.org/techniques/T1566/001 |
| T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | https://attack.mitre.org/techniques/T1557/001/ |
#### Description
This rule detects a multi-stage attack chain attributed to APT28, starting with initial access via a malicious LNK file, followed by execution of a CPL/DLL/EXE from a UNC path, and culminating in NTLM credential exfiltration over SMB to a non-private IP address. This chain is associated with exploitation of CVE-2026-32202.
#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/
#### References
- https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html
## Defender XDR
```KQL
// APT28 Kill Chain for CVE-2026-32202
// https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html
// LNK → CPL/UNC → SMB → NTLM Exfil
let timeframe = 7d;
// Stage 1: a process whose parent command line references a .lnk shortcut
let InitialAccess_LNK = DeviceProcessEvents
| where TimeGenerated > ago(timeframe)
| where InitiatingProcessCommandLine has ".lnk"
| project DeviceId, LNK_TriggerTime = TimeGenerated, LNK_CommandLine = InitiatingProcessCommandLine;
// Stage 2: a CPL/DLL/EXE loaded from a UNC path (\\host\share\...)
let Execution_UNC = DeviceProcessEvents
| where TimeGenerated > ago(timeframe)
| where ProcessCommandLine matches regex @"\\\\[a-zA-Z0-9\-\.]{4,}\\"
| where ProcessCommandLine has_any (".cpl", ".dll", ".exe")
| project DeviceId, UNC_LoadTime = TimeGenerated, UNC_CommandLine = ProcessCommandLine;
// Stage 3: outbound SMB (445) to a non-RFC1918 address; ipv4_is_private() only covers 10/8, 172.16/12, 192.168/16
let Exfiltration_SMB = DeviceNetworkEvents
| where TimeGenerated > ago(timeframe)
| where RemotePort == 445
| where not(ipv4_is_private(RemoteIP))
| project DeviceId, SMB_ConnectTime = TimeGenerated, RemoteIP;
// Correlate the stages on the same device, each hop within a 2-minute window of the previous one
InitialAccess_LNK
| join kind=inner Execution_UNC on DeviceId
| where UNC_LoadTime between (LNK_TriggerTime .. (LNK_TriggerTime + 2m))
| join kind=inner Exfiltration_SMB on DeviceId
| where SMB_ConnectTime between (UNC_LoadTime .. (UNC_LoadTime + 2m))
| project
    DeviceId,
    LNK_Time = LNK_TriggerTime,
    UNC_Time = UNC_LoadTime,
    SMB_Time = SMB_ConnectTime,
    LNK_CommandLine,
    UNC_CommandLine,
    RemoteIP
| extend
    AlertTitle = "APT28 Kill Chain: LNK→UNC→SMB (CVE-2026-32202)",
    Severity = "Critical",
    MITRE = "T1566.001 → T1187 → T1557.001"
```
This query is designed to detect a specific type of cyber attack associated with the APT28 group, which involves multiple stages of exploitation on Linux systems. Here's a simplified breakdown of what the query does:

- **Timeframe:** The query looks at events from the past 7 days.
- **Initial Access Detection:** It identifies when a malicious shortcut file (with a .lnk extension) is executed. This is the initial step in the attack.
- **Execution Detection:** It then checks for the execution of certain types of files (.cpl, .dll, .exe) from a network path (UNC path), which indicates the next stage of the attack.
- **Exfiltration Detection:** The query looks for network activity on port 445 (commonly used for SMB, a network file sharing protocol) to a non-private IP address, suggesting that credentials are being exfiltrated.
- **Correlation:** The query correlates these events by matching them on the same device and ensuring they occur in a specific sequence and timeframe (within 2 minutes of each other).
- **Output:** If all conditions are met, it generates an alert with details about the attack, including the times of each stage, the commands executed, and the remote IP address involved.

The query is focused on detecting a known attack pattern exploiting a vulnerability (CVE-2026-32202) and is marked as critical due to the severity of the threat. It uses MITRE ATT&CK techniques to categorize the attack stages.
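To check the correlation logic offline before deploying it, here is an added Python model of the three stages run over constructed sample rows; it is not part of the original query or repository, assumes only the column names the KQL above uses, and mirrors `ipv4_is_private()` with the RFC 1918 ranges rather than Python's broader `is_private`.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Same UNC pattern as the KQL: two backslashes, a host of 4+ chars, then a backslash.
UNC_RE = re.compile(r"\\\\[a-zA-Z0-9\-\.]{4,}\\")
# KQL's ipv4_is_private() covers only RFC 1918 (Python's is_private also flags 203.0.113.0/24).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=2)

def is_private(ip):
    return any(ip_address(ip) in net for net in RFC1918)

def correlate(process_events, network_events, window=WINDOW):
    """Return LNK -> UNC -> SMB chains on one device, each hop within `window`."""
    lnk = [e for e in process_events if ".lnk" in e["InitiatingProcessCommandLine"].lower()]
    unc = [e for e in process_events if UNC_RE.search(e["ProcessCommandLine"])
           and any(x in e["ProcessCommandLine"].lower() for x in (".cpl", ".dll", ".exe"))]
    smb = [e for e in network_events if e["RemotePort"] == 445 and not is_private(e["RemoteIP"])]
    hits = []
    for a in lnk:
        for b in unc:
            if b["DeviceId"] != a["DeviceId"] or not a["T"] <= b["T"] <= a["T"] + window:
                continue
            for c in smb:
                if c["DeviceId"] == b["DeviceId"] and b["T"] <= c["T"] <= b["T"] + window:
                    hits.append({"DeviceId": a["DeviceId"], "LNK_Time": a["T"], "UNC_Time": b["T"], "SMB_Time": c["T"],
                                 "UNC_CommandLine": b["ProcessCommandLine"], "RemoteIP": c["RemoteIP"]})
    return hits

def _p(device, when, parent, cmd):  # DeviceProcessEvents-shaped row (hypothetical helper)
    return {"DeviceId": device, "T": datetime.fromisoformat(when),
            "InitiatingProcessCommandLine": parent, "ProcessCommandLine": cmd}

def _n(device, when, ip):  # DeviceNetworkEvents-shaped row (hypothetical helper)
    return {"DeviceId": device, "T": datetime.fromisoformat(when), "RemotePort": 445, "RemoteIP": ip}

# Constructed sample telemetry (not real data): D1 is a full chain, D2 only talks SMB to
# a private address, D3 loads the UNC payload outside the 2-minute window.
UNC_CMD = r"control.exe \\files.example.net\share\update.cpl"
SAMPLE_PROCESS = [
    _p("D1", "2026-04-28T10:00:00", r'explorer.exe "C:\Users\alice\invoice.lnk"', "cmd.exe /c ver"),
    _p("D1", "2026-04-28T10:01:00", "cmd.exe", UNC_CMD),
    _p("D2", "2026-04-28T11:00:00", r'explorer.exe "C:\Users\alice\report.lnk"', "cmd.exe /c ver"),
    _p("D2", "2026-04-28T11:00:30", "cmd.exe", UNC_CMD),
    _p("D3", "2026-04-28T12:00:00", r'explorer.exe "C:\Users\alice\notes.lnk"', "cmd.exe /c ver"),
    _p("D3", "2026-04-28T12:05:00", "cmd.exe", UNC_CMD),
]
SAMPLE_NETWORK = [_n("D1", "2026-04-28T10:02:30", "203.0.113.5"), _n("D2", "2026-04-28T11:01:00", "10.0.0.5"),
                  _n("D3", "2026-04-28T12:05:10", "203.0.113.9")]
```

Only D1 is reported; D2 drops out at the private-address filter and D3 at the UNC time window, which is the behaviour to expect from the KQL on the same rows.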

Benjamin Zulliger
Released: April 28, 2026