Query Details
Detect Suspicious Ncrypt Usage By Cli Tool Or Unknown Process
Query
# *Detect Suspicious ncrypt.dll usage by CLI tool or unknown process*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1555.004 | Credentials from Password Stores: Windows Credential Manager | https://attack.mitre.org/techniques/T1555/004/ |
| T1606 | Forge Web Credentials | https://attack.mitre.org/techniques/T1606/ |
#### Description
This detection rule uses a WDAC audit policy to ingest missing DeviceImageLoad events in MDE, and check for suspicious processes using the ncrypt.dll. More information on the attack scenario this is detection is applicable for can be found in the references.
#### Risk
By using this detections, we can try to detect an attacker using the hellopoc.ps1 script in RoadTools to generate an assertion.
#### Author <Optional>
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/
#### References
- https://hybridbrothers.com/detecting-non-privileged-windows-hello-abuse/
- https://github.com/dirkjanm/ROADtools/blob/master/winhello_assertion/hellopoc.ps1
## Defender XDR
```KQL
let cli_tools = dynamic(["powershell", "python"]);
// Get suspicious ncrypt.dll usage via WDAC audit policy
DeviceEvents
| where ActionType startswith "AppControl" and FileName =~ "ncrypt.dll"
| invoke FileProfile(InitiatingProcessSHA1, 1000)
| where (
// Flag CLI tools
InitiatingProcessFileName has_any (cli_tools) or
// Flag unknown processes
GlobalPrevalence < 250
)
| sort by TimeGenerated desc
```
## Sentinel
```KQL
let cli_tools = dynamic(["powershell", "python"]);
// Get suspicious ncrypt.dll usage via WDAC audit policy
DeviceEvents
| where ActionType startswith "AppControl" and FileName =~ "ncrypt.dll"
| invoke FileProfile(InitiatingProcessSHA1, 1000)
| where (
// Flag CLI tools
InitiatingProcessFileName has_any (cli_tools) or
// Flag unknown processes
GlobalPrevalence < 250
)
| sort by TimeGenerated desc
```Explanation
This query is designed to detect suspicious usage of the ncrypt.dll file, which is a Windows library related to cryptographic operations. The query focuses on identifying potentially malicious activities by examining processes that use this DLL file. Here's a simplified breakdown:
-
Purpose: The query aims to spot unusual or suspicious processes that are using
ncrypt.dll, which could indicate an attempt to exploit Windows Credential Manager or forge web credentials. -
Tools and Processes: It specifically looks for command-line tools like PowerShell or Python, as well as any unknown processes that are not commonly seen (those with a global prevalence of less than 250).
-
Data Source: The query uses data from DeviceEvents, focusing on events related to application control (AppControl) that involve
ncrypt.dll. -
Detection Method:
- It flags processes that are initiated by known command-line tools.
- It also flags processes that are not widely recognized or used, suggesting they might be suspicious.
-
Output: The results are sorted by the time they were generated, showing the most recent events first.
Overall, this query helps security analysts detect potential security threats by identifying unusual usage patterns of a critical Windows DLL file.
Details
Robbe Van den Daele
Released: April 26, 2025
Tables
Keywords
Operators