KQL Search

Query Details

HomeAI ToolsDevice Query

H

Query

// H𝗼𝘄 𝗺𝗮𝗻𝘆 𝗖𝗿𝗼𝘄𝗱𝗦𝘁𝗿𝗶𝗸𝗲 𝗰𝗹𝗶𝗲𝗻𝘁𝘀 𝗿𝘂𝗻𝗻𝗶𝗻𝗴 𝗼𝗻 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁 𝗔𝘇𝘂𝗿𝗲 𝗴𝗹𝗼𝗯𝗮𝗹𝗹𝘆
// Linkedin Post: https://www.linkedin.com/posts/0x534c_fileprofile-function-in-advanced-hunting-activity-7232990010898010112-G2Lg/
// While brainstorming on how to KQL detect Bring Your Own Vulnerable Driver (BYOVD) exploits in recent Zero Day CVE-2024-38193 by APT North Korean Lazarus, I was exploring the recent addition of FileProfile() enrichment function that adds the following data to files found by the query.

// Advance Hunting - FileProfile()
// https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-fileprofile-function

DeviceFileEvents
| where ActionType == "FileCreated" or ActionType == "FileModified"
| where FileName endswith ".sys"
| where FolderPath contains "CrowdStrike"
| invoke FileProfile(SHA1,10000)
| project FileName, FolderPath, GlobalPrevalence, GlobalFirstSeen, GlobalLastSeen
| sort by GlobalPrevalence desc 

// Note:  GlobalPrevalence - Number of instances of the entity observed by Microsoft globally

// MITRE ATT&CK Mapping

// Based on the actions and filters in your KQL query, the following MITRE ATT&CK techniques are relevant:

// T1070.004 - Indicator Removal on Host: File Deletion:
// Detecting file creation or modification events, especially for .sys files, can help identify attempts to delete or modify system files to evade detection.
// T1562.001 - Impair Defenses: Disable or Modify Tools:
// Monitoring files in the CrowdStrike folder can help detect attempts to disable or tamper with security tools.
// T1105 - Ingress Tool Transfer:
// The creation of new .sys files in specific directories could indicate the transfer of malicious tools or payloads.
// T1027 - Obfuscated Files or Information:
// .sys files are often used to hide malicious payloads. Monitoring their creation and modification can help detect obfuscation techniques.

Explanation

This KQL query is designed to identify CrowdStrike clients running on Microsoft Azure by focusing on specific file events. Here's a simplified breakdown:

  1. Data Source: The query looks at DeviceFileEvents, which logs file-related activities on devices.
  2. Filter Events: It filters for events where files are either created or modified (ActionType == "FileCreated" or ActionType == "FileModified").
  3. File Type: It specifically targets files with the .sys extension, which are typically system files.
  4. Folder Path: It further narrows down to files located in directories containing "CrowdStrike".
  5. Enrichment: The FileProfile() function is used to enrich the data with additional information like global prevalence (how common the file is globally), and the first and last time the file was seen globally.
  6. Projection: The query selects specific columns to display: FileName, FolderPath, GlobalPrevalence, GlobalFirstSeen, and GlobalLastSeen.
  7. Sorting: The results are sorted by GlobalPrevalence in descending order to prioritize the most commonly observed files.

Purpose: The query helps in detecting potential security issues by monitoring the creation and modification of system files related to CrowdStrike, which could indicate attempts to tamper with security tools or introduce malicious payloads.

MITRE ATT&CK Techniques:

  • T1070.004: Detects attempts to delete or modify system files to evade detection.
  • T1562.001: Identifies attempts to disable or tamper with security tools.
  • T1105: Indicates the transfer of malicious tools or payloads.
  • T1027: Helps detect obfuscation techniques by monitoring the creation and modification of .sys files.

In summary, this query is used to monitor and detect suspicious activities related to CrowdStrike clients on Azure, focusing on system file events and leveraging global prevalence data to identify potential threats.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

DeviceFileEvents

Keywords

DevicesFilesSecurityVulnerabilitiesAdvancedHuntingMITREATTACK

Operators

==orendswithcontainsinvokeprojectsort by

Actions