Query Details

Detect Suspicious ncrypt.dll usage by CLI tool or unknown process

Detect Suspicious Ncrypt Usage By Cli Tool Or Unknown Process

Query

let cli_tools = dynamic(["powershell", "python"]);
// Get suspicious ncrypt.dll usage via WDAC audit policy
DeviceEvents
| where ActionType startswith "AppControl" and FileName =~ "ncrypt.dll"
| invoke FileProfile(InitiatingProcessSHA1, 1000)
| where (
    // Flag CLI tools
    InitiatingProcessFileName has_any (cli_tools) or 
    // Flag unknown processes
    GlobalPrevalence < 250
)
| sort by TimeGenerated desc

About this query

Explanation

This query is designed to detect suspicious usage of the ncrypt.dll file, which is a Windows library related to cryptographic operations. The query focuses on identifying potentially malicious activities by examining processes that use this DLL file. Here's a simplified breakdown:

  1. Purpose: The query aims to spot unusual or suspicious processes that are using ncrypt.dll, which could indicate an attempt to exploit Windows Credential Manager or forge web credentials.

  2. Tools and Processes: It specifically looks for command-line tools like PowerShell or Python, as well as any unknown processes that are not commonly seen (those with a global prevalence of less than 250).

  3. Data Source: The query uses data from DeviceEvents, focusing on events related to application control (AppControl) that involve ncrypt.dll.

  4. Detection Method:

    • It flags processes that are initiated by known command-line tools.
    • It also flags processes that are not widely recognized or used, suggesting they might be suspicious.
  5. Output: The results are sorted by the time they were generated, showing the most recent events first.

Overall, this query helps security analysts detect potential security threats by identifying unusual usage patterns of a critical Windows DLL file.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: April 26, 2025

Tables

DeviceEvents

Keywords

Devices

Operators

letdynamicstartswith=~invokehas_anyor<sort bydesc

MITRE Techniques

Actions

GitHub