Detect Suspicious ncrypt.dll usage by CLI tool or unknown process
Detect Suspicious Ncrypt Usage By Cli Tool Or Unknown Process
Query
let cli_tools = dynamic(["powershell", "python"]);
// Get suspicious ncrypt.dll usage via WDAC audit policy
DeviceEvents
| where ActionType startswith "AppControl" and FileName =~ "ncrypt.dll"
| invoke FileProfile(InitiatingProcessSHA1, 1000)
| where (
// Flag CLI tools
InitiatingProcessFileName has_any (cli_tools) or
// Flag unknown processes
GlobalPrevalence < 250
)
| sort by TimeGenerated descAbout this query
Explanation
This query is designed to detect suspicious usage of the ncrypt.dll file, which is a Windows library related to cryptographic operations. The query focuses on identifying potentially malicious activities by examining processes that use this DLL file. Here's a simplified breakdown:
-
Purpose: The query aims to spot unusual or suspicious processes that are using
ncrypt.dll, which could indicate an attempt to exploit Windows Credential Manager or forge web credentials. -
Tools and Processes: It specifically looks for command-line tools like PowerShell or Python, as well as any unknown processes that are not commonly seen (those with a global prevalence of less than 250).
-
Data Source: The query uses data from DeviceEvents, focusing on events related to application control (AppControl) that involve
ncrypt.dll. -
Detection Method:
- It flags processes that are initiated by known command-line tools.
- It also flags processes that are not widely recognized or used, suggesting they might be suspicious.
-
Output: The results are sorted by the time they were generated, showing the most recent events first.
Overall, this query helps security analysts detect potential security threats by identifying unusual usage patterns of a critical Windows DLL file.
