Query Details

SocGholish

Query

//Detects SocGholish activity by looking for any of the following: 
//1. browsers spawning the Windows Scripting Host (wscript.exe) process
//2. running the whoami command and redirecting the output to a file
//3. domain trust discovery checks with nltest and related commands
//In DeviceProcessEvents the InitiatingProcess* columns describe the parent; the
//spawned process is in FileName / ProcessCommandLine. `and` binds tighter than
//`or`, so each behaviour is parenthesised to keep the three conditions separate.

DeviceProcessEvents
| where (InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe") and FileName =~ "wscript.exe")
    or (ProcessCommandLine has "whoami" and ProcessCommandLine contains ">")
    or ProcessCommandLine has "nltest"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine

Explanation

This KQL (Kusto Query Language) query detects process activity associated with SocGholish, a JavaScript loader typically delivered through fake browser-update pages. It flags a DeviceProcessEvents row when any one of three behaviours is present:

  1. A web browser (Chrome, Firefox, Internet Explorer or Edge; the Chromium-based Edge binary is msedge.exe) starting the Windows Scripting Host (wscript.exe). In DeviceProcessEvents the InitiatingProcess* columns describe the parent and the spawned process is in FileName and ProcessCommandLine, so this relationship is a parent-filename test combined with a child-filename test.
  2. The whoami command run with its output redirected to a file, i.e. a "whoami" term together with a ">" in the spawned process's command line.
  3. Domain trust discovery with nltest.

Matching rows are projected down to the event time, the device name and the process name and command-line columns. Because `and` binds more tightly than `or` in KQL, the three behaviours must be parenthesised so they are evaluated independently. Only the first behaviour is tied to a browser parent; whoami redirects and nltest calls also occur in legitimate administrative work, so tune those two conditions (for example by excluding known admin accounts, or by correlating them with the first behaviour on the same device within a short window) before promoting the query from hunting to alerting.
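The same three predicates, re-implemented in Python over a handful of constructed DeviceProcessEvents-style rows so the logic can be exercised offline. This is an added example and not code from the page or from Microsoft; the host names, paths, timestamps and the `has_term` approximation of KQL's term-based `has` are assumptions. The predicates test the child process's FileName and ProcessCommandLine and reserve the InitiatingProcess* columns for the parent; the second sample row shows why that matters, since its whoami redirect exists only in ProcessCommandLine while its InitiatingProcessCommandLine is the wscript.exe launch that preceded it.

```python
import re
from typing import Callable, Dict, List

# Parent images accepted for behaviour 1 (msedge.exe is the Chromium-based Edge binary).
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}


def has_term(text: str, term: str) -> bool:
    """Approximate KQL `has` (assumption): case-insensitive match of a whole
    alphanumeric term, so "nltest" matches "nltest.exe /domain_trusts" but not
    "nltesting"."""
    pattern = r"(?<![0-9a-z])" + re.escape(term.lower()) + r"(?![0-9a-z])"
    return re.search(pattern, text.lower()) is not None


def browser_spawned_wscript(ev: Dict[str, str]) -> bool:
    # Parent (InitiatingProcess*) is a browser and the child image is wscript.exe.
    return (ev["InitiatingProcessFileName"].lower() in BROWSERS
            and ev["FileName"].lower() == "wscript.exe")


def whoami_redirected(ev: Dict[str, str]) -> bool:
    # `has "whoami"` plus a literal ">" in the child's own command line.
    cmd = ev["ProcessCommandLine"]
    return has_term(cmd, "whoami") and ">" in cmd


def nltest_discovery(ev: Dict[str, str]) -> bool:
    return has_term(ev["ProcessCommandLine"], "nltest")


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "browser_spawned_wscript": browser_spawned_wscript,
    "whoami_redirected": whoami_redirected,
    "nltest_discovery": nltest_discovery,
}


def matching_rules(ev: Dict[str, str]) -> List[str]:
    return [name for name, rule in RULES.items() if rule(ev)]


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Mirror of the query's `where ... | project ...`: keep rows that satisfy
    any one rule and return the projected columns plus the rule(s) that fired."""
    hits = []
    for ev in events:
        fired = matching_rules(ev)
        if fired:
            hits.append({
                "TimeGenerated": ev["TimeGenerated"],
                "DeviceName": ev["DeviceName"],
                "InitiatingProcessFileName": ev["InitiatingProcessFileName"],
                "FileName": ev["FileName"],
                "ProcessCommandLine": ev["ProcessCommandLine"],
                "Rules": fired,
            })
    return hits


# Constructed sample rows (hypothetical hosts, paths and times, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"TimeGenerated": "2024-09-03T10:00:01Z", "DeviceName": "ws01",
     "InitiatingProcessFileName": "chrome.exe",
     "InitiatingProcessCommandLine": "chrome.exe --profile-directory=Default",
     "FileName": "wscript.exe",
     "ProcessCommandLine": 'wscript.exe "C:\\Users\\alice\\Downloads\\Update.js"'},
    {"TimeGenerated": "2024-09-03T10:00:07Z", "DeviceName": "ws01",
     "InitiatingProcessFileName": "wscript.exe",
     "InitiatingProcessCommandLine": 'wscript.exe "C:\\Users\\alice\\Downloads\\Update.js"',
     "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c whoami > C:\\Users\\Public\\out.txt"},
    {"TimeGenerated": "2024-09-03T10:00:12Z", "DeviceName": "ws01",
     "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": "cmd.exe /c nltest /domain_trusts /all_trusts",
     "FileName": "nltest.exe",
     "ProcessCommandLine": "nltest /domain_trusts /all_trusts"},
    {"TimeGenerated": "2024-09-03T10:05:00Z", "DeviceName": "ws02",
     "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessCommandLine": "explorer.exe",
     "FileName": "chrome.exe",
     "ProcessCommandLine": "chrome.exe --profile-directory=Default"},
    {"TimeGenerated": "2024-09-03T10:06:00Z", "DeviceName": "ws02",
     "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": "cmd.exe",
     "FileName": "whoami.exe",
     "ProcessCommandLine": "whoami /groups"},
    {"TimeGenerated": "2024-09-03T10:07:00Z", "DeviceName": "ws02",
     "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": "cmd.exe",
     "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c echo nltesting"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["DeviceName"], hit["Rules"], hit["ProcessCommandLine"])
```

Run as a script it prints the three ws01 rows and nothing for ws02: the plain `whoami /groups` has no redirect, and `echo nltesting` does not contain the whole term `nltest`. The three hits on one host within eleven seconds are exactly the chain the query is meant to surface, which is why correlating the whoami and nltest conditions with the browser-to-wscript.exe parent on the same device is a natural next step when tuning.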

Details


Rod Trent

Released: September 3, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, TimeGenerated

Operators

in~, and, has, or, project
