Query Details
High Risk Assets With Command Line Credentials
Query
// High-Risk assets with command line credentials // DefenderXDR’s critical asset management uses behavior-based logic to automatically identify assets of interest. However, there may be instances where not all relevant assets are detected. In this post, I will share a KQL query to identify servers and workstations that frequently run command line commands with username/password parameters. These systems often store administrative credentials due to command line execution. If compromised, the blast radius could be significant, as stored credentials could be exposed, accelerating lateral movement attacks. SecOps should run this KQL query to identify device names and create a new classification in DefenderXDR’s critical management, tagging these devices as high criticality. This ensures that when an incident or alert is triggered, correlations can be made quickly, leading to faster triaging and containment. // High-Risk assets with command line credentials let MonitoredCommands = dynamic(['net', 'wmic', 'schtasks', 'psexec', 'cmdkey', 'winrs', 'pscp', 'winscp']); DeviceEvents | where Timestamp > ago(30d) | where InitiatingProcessCommandLine has_any(MonitoredCommands) | where InitiatingProcessCommandLine matches regex '(?:(?:(?:-p)|(?:-password)|(?:-passwd)|(?:--password)|(?:--passwd)|(?:/P)|(?:/PASSWD)|(?:/PASSWORD))(?:\\s+|\\:)(?<password>(?:"((?:\\\\.|[^"\\\\])*)")|(?:[^\\s"]+)))' or InitiatingProcessCommandLine matches regex '(?:(?:(?:-u)|(?:-user)|(?:-username)|(?:--user)|(?:--username)|(?:/u)|(?:/USER)|(?:/USERNAME))(?:\\s+|\\:)(?<username>(?:"((?:\\\\.|[^"\\\\])*)")|(?:[^\\s"]+)))' | distinct DeviceName; // MITRE ATT&CK technique mapping for your KQL code: // Command and Scripting Interpreter (T1059): The query monitors commands like net, wmic, schtasks, psexec, cmdkey, winrs, pscp, and winscp, which are commonly used for scripting and command execution. // Credential Dumping (T1003): The regex patterns in your query are designed to detect the use of passwords and usernames in command lines, which is indicative of credential dumping activities. // Remote Services (T1021): Commands like psexec, winrs, pscp, and winscp are used for remote service execution and file transfer, aligning with lateral movement techniques. // Scheduled Task/Job (T1053): The use of schtasks indicates the creation or modification of scheduled tasks, which is a common persistence technique. // Windows Management Instrumentation (T1047): The wmic command is used for remote management and execution, which falls under this technique.
Explanation
This KQL query is designed to identify high-risk servers and workstations that frequently run command line commands with embedded usernames or passwords. Here's a simplified summary:
-
Purpose: The query aims to find devices that execute specific command line commands with credentials, which could indicate potential security risks if these devices are compromised.
-
Monitored Commands: It looks for commands like
net,wmic,schtasks,psexec,cmdkey,winrs,pscp, andwinscp. -
Time Frame: The query examines events from the past 30 days.
-
Credential Detection: It uses regular expressions to detect command lines that include username or password parameters.
-
Output: The query lists the names of devices that match these criteria.
-
Actionable Insight: Security operations teams should tag these devices as high criticality in DefenderXDR’s critical asset management. This helps in quickly correlating incidents and alerts, leading to faster response and containment.
-
MITRE ATT&CK Techniques: The query maps to several techniques, including:
- Command and Scripting Interpreter (T1059)
- Credential Dumping (T1003)
- Remote Services (T1021)
- Scheduled Task/Job (T1053)
- Windows Management Instrumentation (T1047)
By running this query, security teams can better identify and protect high-risk assets that could be leveraged in lateral movement attacks if compromised.
Details
Steven Lim
Released: September 22, 2024
Tables
Keywords
Operators