MDE KQL To Detect UAC Bypass Of Fickle Stealer
Query
// MDE KQL to detect UAC bypass of Fickle Stealer
// https://www.linkedin.com/posts/activity-7209814018230738945-6413/
// The article discusses “Fickle Stealer,” a new malware that uses the Rust programming language to steal sensitive information from Windows users. It is distributed through various methods, including VBA and PowerShell scripts, making it a versatile and dangerous threat.
// KQL to detect UAC bypass of Fickle Stealer
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileCreated"
| where FileName == "WmiMgmt.msc"
| where FolderPath contains "\Windows\System32\en-US"
// MITRE ATT&CK Mapping
// Based on the query, the detection can be associated with the following MITRE ATT&CK techniques:
// T1070.004: Indicator Removal on Host - File Deletion: The creation of a specific file in the System32 directory could be an attempt to replace or hide malicious files, which is a common tactic for evading detection1.
// T1059.001: Command and Scripting Interpreter - PowerShell: The WmiMgmt.msc file is related to Windows Management Instrumentation (WMI), which can be used for executing scripts and commands2.
// T1569.002: System Services - Service Execution: The creation of files in the System32 directory can be related to the execution of system services, which is a technique used to maintain persistence3.Explanation
This KQL query is designed to detect a potential UAC (User Account Control) bypass by the "Fickle Stealer" malware. Here's a simple breakdown of what the query does:
-
Data Source: It looks at
DeviceFileEvents, which records file-related activities on devices. -
Time Frame: The query focuses on events that occurred in the last hour (
Timestamp > ago(1h)). -
Action Type: It filters for events where a file was created (
ActionType == "FileCreated"). -
Specific File: It specifically looks for the creation of a file named
WmiMgmt.msc. -
Location: The query checks if this file is created in a path that includes
\Windows\System32\en-US, which is a critical system directory.
The query is associated with certain MITRE ATT&CK techniques, indicating potential malicious behavior:
-
T1070.004: Suggests that creating a file in this directory might be an attempt to hide or replace files to avoid detection.
-
T1059.001: Indicates that the file could be used to execute scripts or commands, leveraging Windows Management Instrumentation (WMI).
-
T1569.002: Suggests that creating files in the System32 directory might be related to executing system services, which can help maintain persistence on the system.
Overall, this query helps in identifying suspicious activities that could indicate the presence of the Fickle Stealer malware attempting to bypass security controls.
