Query Details

MDE KQL To Detect UAC Bypass Of Fickle Stealer

Query

// MDE KQL to detect UAC bypass of Fickle Stealer
// https://www.linkedin.com/posts/activity-7209814018230738945-6413/

// The linked post discusses “Fickle Stealer,” a new information stealer written in Rust that harvests sensitive data from Windows users. It is distributed through several methods, including VBA and PowerShell scripts, which makes it a versatile and dangerous threat.

// KQL to detect UAC bypass of Fickle Stealer

DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileCreated"
| where FileName == "WmiMgmt.msc"                      // == is case-sensitive in KQL; use =~ to also match wmimgmt.msc
| where FolderPath contains @"\Windows\System32\en-US"  // verbatim string (@"...") so the backslashes are not read as escape sequences

Explanation

This KQL (Kusto Query Language) query detects one concrete step taken by the "Fickle Stealer" malware, an information stealer that targets Windows users: the file it drops while bypassing User Account Control (UAC). Rather than matching the malware binary itself, the query watches file creation events for WmiMgmt.msc appearing under \Windows\System32\en-US.

Here's a simple summary of what the query does:

  1. Data source: DeviceFileEvents, the Microsoft Defender for Endpoint table that records file creation, modification, rename and deletion activity on onboarded devices.
  2. Time frame: only events from the last hour (Timestamp > ago(1h)).
  3. Action type: only file creations (ActionType == "FileCreated").
  4. Specific file: a file named WmiMgmt.msc (FileName == "WmiMgmt.msc"). In KQL, == is case-sensitive; =~ would also match a drop named wmimgmt.msc.
  5. Location: the file's path contains \Windows\System32\en-US (FolderPath contains "\Windows\System32\en-US"). contains is case-insensitive, so drive letter and casing do not matter.

In essence, the query flags a fresh WmiMgmt.msc appearing under \Windows\System32\en-US within the last hour, the file drop Fickle Stealer performs as part of its UAC bypass. Two limits are worth knowing before deploying it: it matches only the FileCreated action type, so the same file arriving through a rename or an overwrite of an existing file would not be caught, and the one-hour window suits a scheduled detection rule; widen the ago() value when hunting retrospectively.
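To see how those filters behave on concrete rows, the following is an added example (not code from the page or from Steven Lim) that replays the same four conditions in Python over constructed DeviceFileEvents-style records. It makes two points visible that the list above only states: KQL's == on FileName is case-sensitive, and the query matches the FileCreated action type only. The rows, timestamps and process names are constructed for the demonstration; the function and argument names are the example's own.

```python
"""Replay of the page's DeviceFileEvents filter over constructed sample rows.

Added example; it is not code from the original page or from Steven Lim.
The rows below are constructed to look like DeviceFileEvents records and are
not real Defender telemetry.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the one-hour window is reproducible.
NOW = datetime(2024, 8, 2, 12, 0, tzinfo=timezone.utc)

# Constructed rows using the DeviceFileEvents columns the query reads, plus
# InitiatingProcessFileName (a real column of that table) for context.
SAMPLE_EVENTS = [
    # 0: the stock console file in System32 itself, written by servicing: must not match
    {"Timestamp": NOW - timedelta(minutes=5), "ActionType": "FileCreated",
     "FileName": "WmiMgmt.msc",
     "FolderPath": r"C:\Windows\System32\WmiMgmt.msc",
     "InitiatingProcessFileName": "TiWorker.exe"},
    # 1: the pattern the page describes, a fresh WmiMgmt.msc under System32\en-US
    {"Timestamp": NOW - timedelta(minutes=10), "ActionType": "FileCreated",
     "FileName": "WmiMgmt.msc",
     "FolderPath": r"C:\Windows\System32\en-US\WmiMgmt.msc",
     "InitiatingProcessFileName": "powershell.exe"},
    # 2: same drop with a lower-case name; KQL '==' on FileName misses it
    {"Timestamp": NOW - timedelta(minutes=20), "ActionType": "FileCreated",
     "FileName": "wmimgmt.msc",
     "FolderPath": r"C:\Windows\System32\en-US\wmimgmt.msc",
     "InitiatingProcessFileName": "cmd.exe"},
    # 3: same drop, but three hours old, outside ago(1h)
    {"Timestamp": NOW - timedelta(hours=3), "ActionType": "FileCreated",
     "FileName": "WmiMgmt.msc",
     "FolderPath": r"C:\Windows\System32\en-US\WmiMgmt.msc",
     "InitiatingProcessFileName": "powershell.exe"},
    # 4: file arrived by rename; ActionType == "FileCreated" misses it
    {"Timestamp": NOW - timedelta(minutes=2), "ActionType": "FileRenamed",
     "FileName": "WmiMgmt.msc",
     "FolderPath": r"C:\Windows\System32\en-US\WmiMgmt.msc",
     "InitiatingProcessFileName": "cmd.exe"},
]


def detect_wmimgmt_drop(events, now=NOW, window=timedelta(hours=1),
                        action_types=("FileCreated",), case_sensitive_name=True):
    """Apply the page's four conditions to DeviceFileEvents-like rows.

    The defaults reproduce the query exactly: == on FileName (case-sensitive),
    ActionType == "FileCreated", Timestamp > ago(1h). case_sensitive_name=False
    behaves like KQL's =~, and action_types can be widened. The folder test is
    always case-insensitive because KQL's contains is.
    Returns the matching rows in input order.
    """
    target_name = "WmiMgmt.msc"
    target_folder = r"\Windows\System32\en-US".lower()
    hits = []
    for ev in events:
        if ev["Timestamp"] <= now - window:                # Timestamp > ago(1h)
            continue
        if ev["ActionType"] not in action_types:           # ActionType == "FileCreated"
            continue
        if case_sensitive_name:                            # FileName == "WmiMgmt.msc"
            name_ok = ev["FileName"] == target_name
        else:                                              # FileName =~ "WmiMgmt.msc"
            name_ok = ev["FileName"].lower() == target_name.lower()
        if not name_ok:
            continue
        if target_folder not in ev["FolderPath"].lower():  # FolderPath contains ...
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for label, kwargs in [
        ("as written on the page", {}),
        ("with =~ on FileName", {"case_sensitive_name": False}),
        ("with =~ and FileRenamed included",
         {"case_sensitive_name": False,
          "action_types": ("FileCreated", "FileRenamed")}),
    ]:
        hits = detect_wmimgmt_drop(SAMPLE_EVENTS, **kwargs)
        print(f"{label}: {len(hits)} hit(s)")
        for ev in hits:
            print(f"  {ev['Timestamp']:%H:%M} {ev['ActionType']:<12} "
                  f"{ev['InitiatingProcessFileName']:<15} {ev['FolderPath']}")
```

Run as written, only row 1 is returned; switching the name comparison to the =~ behaviour adds row 2, and including FileRenamed adds row 4. Row 0 never matches because the path lacks the en-US segment, and row 3 only appears if the window is widened, which is the same trade-off you make when editing ago() in the real query.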

Details


Steven Lim

Released: August 2, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

|, >, ago, ==, contains
