Query Details

Detecting Windows Downdate Abuse

Query

// Detecting Windows Downdate Abuse
// https://www.blackhat.com/us-24/briefings/schedule/#windows-downdate-downgrade-attacks-using-windows-updates-38963
// https://www.bleepingcomputer.com/news/microsoft/windows-downdate-tool-lets-you-unpatch-windows-systems/

// Part 1: detect a clone of the Windows Downdate Python tool on endpoints that have
// both the Python psutil package and Git (GitHub) installed.
// psutil and Git are separate rows in the software inventory, so each row is matched
// on its own and the two matches are then combined per device; a single
// "where psutil and git" on one row would never return anything.
let EndpointwithPythonPSUtilGit =
DeviceTvmSoftwareInventory
| where (SoftwareName contains "psutil" and SoftwareName contains "python")
     or (SoftwareName contains "git" and SoftwareVendor == "github")
| summarize HasPsutil = countif(SoftwareName contains "psutil"),
            HasGit = countif(SoftwareVendor == "github") by DeviceName
| where HasPsutil > 0 and HasGit > 0
| project DeviceName;
// Part 2: file creations in a folder named "downdate" on those endpoints
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains "downdate"
| where DeviceName has_any (EndpointwithPythonPSUtilGit)

// Part 3: creation of the known Windows Downdate binary, matched by SHA256
DeviceFileEvents
| where ActionType == "FileCreated"
| where SHA256 == "a34e71ededf334d3d6a480e3738c91fccbb4d2c1fbeec7192db9793a2541e8ca"

// The Windows Downdate tool primarily maps to the following MITRE ATT&CK techniques:
// T1078 - Valid Accounts: by downgrading components, attackers can exploit older vulnerabilities to gain unauthorized access using valid accounts.
// T1543 - Create or Modify System Process: downgrading critical OS components can involve creating or modifying system processes to reintroduce vulnerabilities.
// T1562 - Impair Defenses: downgrading security components such as Credential Guard impairs defenses, making it easier for attackers to bypass security measures.
// T1218 - Signed Binary Proxy Execution: using legitimate tools and binaries to execute malicious actions, which can be facilitated by downgrading to vulnerable versions.

Explanation

This KQL (Kusto Query Language) query is designed to detect potential abuse of the Windows Downdate tool, which downgrades Windows components so that older, already patched vulnerabilities can be exploited again. Here's a simplified summary of what the query does:

  1. Identify Devices with Specific Software:
    • The first part of the query identifies devices that have Python with the psutil library and the git software from GitHub installed. These devices are stored in a variable called EndpointwithPythonPSUtilGit.
  2. Detect File Creation Related to Downdate:
    • The second part of the query looks for file creation events in folders containing the term "downdate" on the devices identified in the first step.
  3. Detect Specific Downdate Binary:
    • The third part of the query searches for the creation of a specific file with a known SHA256 hash associated with the Windows Downdate tool.
  4. Mapping to MITRE ATT&CK Techniques:
    • The query notes that the Windows Downdate tool can be associated with several MITRE ATT&CK techniques, including:
      • T1078 - Valid Accounts: Exploiting older vulnerabilities to gain unauthorized access.
      • T1543 - Create or Modify System Process: Creating or modifying system processes to reintroduce vulnerabilities.
      • T1562 - Impair Defenses: Downgrading security components to bypass defenses.
      • T1218 - Signed Binary Proxy Execution: Using legitimate tools and binaries to execute malicious actions by downgrading to vulnerable versions.

In essence, this query helps in identifying potential misuse of the Windows Downdate tool by checking for specific software installations and file creation events that indicate downgrading activities.
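To make the three parts concrete, here is an added example (not part of the original query page and not a Microsoft Defender API) that re-implements the same logic in plain Python over constructed sample rows shaped like DeviceTvmSoftwareInventory and DeviceFileEvents. The device names, paths and the "deadbeef" hash are constructed; the SHA256 constant is the one from the query. It shows the point that matters in part 1: psutil and Git are separate inventory rows, so the "both installed" condition has to be evaluated per device, not per row.

```python
"""Offline re-implementation of the three detection parts of the KQL query,
run over constructed sample rows (added example; not the page's query and
not a Defender API)."""

# Hash from the page's query; everything else below is constructed sample data.
DOWNDATE_SHA256 = "a34e71ededf334d3d6a480e3738c91fccbb4d2c1fbeec7192db9793a2541e8ca"

# Constructed DeviceTvmSoftwareInventory rows: (DeviceName, SoftwareVendor, SoftwareName)
SOFTWARE_INVENTORY = [
    ("ws-01", "python", "python_psutil"),    # has psutil ...
    ("ws-01", "github", "git_for_windows"),  # ... and Git from GitHub
    ("ws-02", "python", "python_psutil"),    # psutil only
    ("ws-03", "github", "git_for_windows"),  # Git only
]

# Constructed DeviceFileEvents rows: (DeviceName, ActionType, FolderPath, SHA256)
FILE_EVENTS = [
    ("ws-01", "FileCreated",  r"C:\Users\a\src\Windows-Downdate\main.py", "deadbeef"),
    ("ws-02", "FileCreated",  r"C:\Users\b\src\Windows-Downdate\main.py", "deadbeef"),  # no Git: part 1 excludes ws-02
    ("ws-03", "FileCreated",  r"C:\tmp\tool.exe", DOWNDATE_SHA256),                       # part 3 hit by hash
    ("ws-01", "FileModified", r"C:\Users\a\src\Windows-Downdate\main.py", "deadbeef"),  # wrong ActionType
]


def devices_with_python_psutil_and_git(inventory):
    """Part 1: devices that have BOTH a Python psutil package AND Git from GitHub.

    The two conditions hold on different rows, so each row is matched on its own
    and the per-device sets are intersected (the KQL equivalent is a per-device
    summarize); 'where psutil and git' on a single row never matches.
    """
    has_psutil, has_git = set(), set()
    for device, vendor, name in inventory:
        n = name.lower()                     # KQL `contains` is case-insensitive
        if "psutil" in n and "python" in n:
            has_psutil.add(device)
        if "git" in n and vendor.lower() == "github":
            has_git.add(device)
    return has_psutil & has_git


def downdate_folder_creations(events, candidate_devices):
    """Part 2: FileCreated events whose path contains 'downdate' on candidate devices."""
    return [
        e for e in events
        if e[1] == "FileCreated"
        and "downdate" in e[2].lower()
        and e[0] in candidate_devices
    ]


def downdate_binary_creations(events, sha256=DOWNDATE_SHA256):
    """Part 3: FileCreated events whose SHA256 equals the known Windows Downdate hash."""
    return [e for e in events if e[1] == "FileCreated" and e[3].lower() == sha256]


def run_detection(inventory=SOFTWARE_INVENTORY, events=FILE_EVENTS):
    """Run all three parts and return the hits, keyed by part."""
    candidates = devices_with_python_psutil_and_git(inventory)
    return {
        "candidate_devices": sorted(candidates),
        "folder_hits": downdate_folder_creations(events, candidates),
        "hash_hits": downdate_binary_creations(events),
    }


if __name__ == "__main__":
    for part, hits in run_detection().items():
        print(part, hits)
```

With the sample rows, only ws-01 satisfies part 1, so the "Windows-Downdate" folder creation on ws-02 is not surfaced by part 2 even though the path matches; part 3 flags ws-03 purely on the hash. Both signals are brittle in the same way as the KQL they mirror: a renamed clone folder defeats the `contains "downdate"` match and any rebuild of the tool changes the SHA256, so these hits are best treated as a starting point for a hunt rather than a complete detection of downgrade activity.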

Details


Steven Lim

Released: September 14, 2024

Tables

DeviceTvmSoftwareInventory
DeviceFileEvents

Keywords

Devices

Operators

let | where | contains | and | == | project | has_any
