KQL Search

Query Details

HomeAI ToolsDevice Query

Detect Suspicious Ncrypt Usage By Cli Tool Or Unknown Process With Nonce

Query

# *Detect Suspicious ncrypt.dll usage by process requesting Entra ID Nonce*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1555.004 | Credentials from Password Stores: Windows Credential Manager | https://attack.mitre.org/techniques/T1555/004/ |
| T1606 | Forge Web Credentials | https://attack.mitre.org/techniques/T1606/ |

#### Description
This detection rule uses a WDAC audit policy to ingest missing DeviceImageLoad events in MDE, and check for suspicious processes using the ncrypt.dll and requesting an Entra ID Nonce. More information on the attack scenario this is detection is applicable for can be found in the references.

#### Risk
By using this detections, we can try to detect an attacker using the hellopoc.ps1 script in RoadTools to generate an assertion. 

#### Author <Optional>
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://hybridbrothers.com/detecting-non-privileged-windows-hello-abuse/
- https://github.com/dirkjanm/ROADtools/blob/master/winhello_assertion/hellopoc.ps1

## Defender XDR
```KQL
let cli_tools = dynamic(["powershell", "python"]);
// Get all possible nonce requests
let nonce_requests = (
    DeviceNetworkEvents
    | where Timestamp > ago(1h)
    | where ActionType startswith "ConnectionSuccess"
    | where RemoteUrl =~ "login.microsoftonline.com"
    | project-rename NonceTimestamp = Timestamp
);
// Get suspicious ncrypt.dll usage via WDAC audit policy
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType startswith "AppControl" and FileName =~ "ncrypt.dll"
// Check if the same initiating process is doing a nonce request
| join kind=inner nonce_requests on InitiatingProcessId, DeviceId
// Only flag when nonce was request 10min before of after ncrypt usage
| where Timestamp between (todatetime(NonceTimestamp - 10m) .. todatetime(NonceTimestamp + 10m))
| invoke FileProfile(InitiatingProcessSHA1, 1000)
| where (
    // Flag CLI tools
    InitiatingProcessFileName has_any (cli_tools) or 
    // Flag unknown processes
    GlobalPrevalence < 250
)
```

## Sentinel
```KQL
let cli_tools = dynamic(["powershell", "python"]);
// Get all possible nonce requests
let nonce_requests = (
    DeviceNetworkEvents
    | where TimeGenerated > ago(1h)
    | where ActionType startswith "ConnectionSuccess"
    | where RemoteUrl =~ "login.microsoftonline.com"
    | project-rename NonceTimestamp = TimeGenerated
);
// Get suspicious ncrypt.dll usage via WDAC audit policy
DeviceEvents
| where TimeGenerated > ago(1h)
| where ActionType startswith "AppControl" and FileName =~ "ncrypt.dll"
// Check if the same initiating process is doing a nonce request
| join kind=inner nonce_requests on InitiatingProcessId, DeviceId
// Only flag when nonce was request 10min before of after ncrypt usage
| where TimeGenerated between (todatetime(NonceTimestamp - 10m) .. todatetime(NonceTimestamp + 10m))
| invoke FileProfile(InitiatingProcessSHA1, 1000)
| where (
    // Flag CLI tools
    InitiatingProcessFileName has_any (cli_tools) or 
    // Flag unknown processes
    GlobalPrevalence < 250
)
```

Explanation

This query is designed to detect suspicious activities related to the use of the ncrypt.dll file, which is associated with cryptographic operations on Windows systems. Specifically, it looks for processes that use ncrypt.dll and also make requests to Microsoft's login service, which could indicate an attempt to generate unauthorized authentication tokens.

Here's a simplified breakdown of the query:

  1. Identify Nonce Requests: The query first identifies network events where a device successfully connects to "login.microsoftonline.com" within the last hour. These events are potential requests for a nonce, a unique number used once in authentication processes.

  2. Detect Suspicious ncrypt.dll Usage: It then looks for events where ncrypt.dll is used, flagged by the Windows Defender Application Control (WDAC) audit policy, within the same time frame.

  3. Correlate Events: The query correlates these two sets of events by matching the process ID and device ID to see if the same process is involved in both activities.

  4. Time Constraint: It further filters these correlated events to ensure that the nonce request occurred within 10 minutes before or after the ncrypt.dll usage, indicating a close temporal relationship.

  5. Flag Suspicious Processes: Finally, it flags processes that are either command-line tools like PowerShell or Python, or processes that are not commonly seen (low global prevalence), as these could be indicative of malicious activity.

Overall, this query aims to identify potential misuse of cryptographic functions and authentication processes, which could be part of an attack to forge credentials or extract sensitive information.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: April 26, 2025

Tables

DeviceNetworkEventsDeviceEvents

Keywords

DevicesEntraIDProcessCredentialManagerWebCredentialsDeviceNetworkEventsDeviceEventsFileProfile

Operators

letdynamicagostartswith=~project-renamewherejoin kind=inneronbetweentodatetimeinvokehas_any<

Actions