Query Details
// Sysinternals Tools Zero Day Vulnerability Detection
// https://www.foto-video-it.de/2025/allgemein/disclosure-sysinternals/
let SysinternalsTools = externaldata(RawData:string)
    [h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/SysinternalsTools.txt']
    | parse RawData with BinariesName:string;
let SysinternalsToolsBinaries = SysinternalsTools
    | project BinariesName;
let SuspiciousSysInternalsEP = DeviceEvents
    | where FolderPath startswith "\\\\"
    | where FileName has_any(SysinternalsToolsBinaries)
    | distinct DeviceName;
DeviceEvents
| where ActionType == @"DriverLoad"
| where FileName endswith ".dll"
| where FolderPath startswith "\\\\"
| where DeviceName has_any(SuspiciousSysInternalsEP)
This KQL query is designed to detect potential zero-day vulnerabilities related to Sysinternals tools. Here's a simplified breakdown of what the query does:
Load External Data: It retrieves a list of Sysinternals tool binaries from an external source, specifically a text file hosted on GitHub.
Parse and Project Data: The query extracts the names of these binaries from the raw data and creates a list of these binary names.
Identify Suspicious Endpoints: It searches through device events to find any instances where files with names matching the Sysinternals binaries are located in network paths (indicated by paths starting with "\\"). It identifies devices (endpoints) where such suspicious activity occurs.
Filter Device Events: Finally, it filters device events for DriverLoad actions in which the loaded file has a ".dll" extension and sits on a network path, keeping only those that occurred on the suspicious endpoints identified earlier.
In essence, the query is looking for suspicious activity involving Sysinternals tools being executed from network locations, which could indicate a potential security threat or vulnerability exploitation.
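The same two-stage correlation the KQL query performs, re-implemented here as an added Python example over constructed DeviceEvents-like rows (this is not code from the original page or its author; the binary list is a constructed subset standing in for the GitHub file, and KQL's has_any term matching is approximated by case-insensitive file-name equality):

```python
from dataclasses import dataclass

# Constructed stand-in for the externaldata() list of Sysinternals binaries.
SYSINTERNALS_BINARIES = {"procexp.exe", "procmon.exe", "autoruns.exe", "psexec.exe"}

@dataclass(frozen=True)
class DeviceEvent:  # one DeviceEvents row, reduced to the columns the query touches
    device_name: str
    action_type: str
    file_name: str
    folder_path: str

def is_unc_path(folder_path: str) -> bool:
    # KQL: FolderPath startswith "\\\\" -> path begins with two backslashes (UNC share)
    return folder_path.startswith("\\\\")

def suspicious_endpoints(events) -> set:
    # Stage 1 (SuspiciousSysInternalsEP): devices where a Sysinternals binary name
    # appears in an event whose FolderPath is a network share. has_any term matching
    # is approximated here by case-insensitive file-name equality.
    return {
        e.device_name for e in events
        if is_unc_path(e.folder_path) and e.file_name.lower() in SYSINTERNALS_BINARIES
    }

def network_dll_loads(events) -> list:
    # Stage 2: DriverLoad of .dll files from a network share on stage-1 endpoints only.
    # As in KQL, == is case-sensitive and endswith is case-insensitive.
    hosts = suspicious_endpoints(events)
    return [
        e for e in events
        if e.action_type == "DriverLoad"
        and e.file_name.lower().endswith(".dll")
        and is_unc_path(e.folder_path)
        and e.device_name in hosts
    ]

# Constructed sample telemetry: only WS01 ran a Sysinternals tool from a share and
# then loaded a DLL from a share; WS02 and WS03 are controls that must not fire.
SAMPLE_EVENTS = [
    DeviceEvent("WS01", "ProcessCreated", "Procexp.exe", "\\\\fileserver\\tools"),
    DeviceEvent("WS01", "DriverLoad", "CRYPTBASE.dll", "\\\\fileserver\\tools"),
    DeviceEvent("WS01", "DriverLoad", "netdrv.sys", "\\\\fileserver\\tools"),
    DeviceEvent("WS02", "DriverLoad", "version.dll", "\\\\fileserver\\share"),
    DeviceEvent("WS03", "ProcessCreated", "procmon.exe", "C:\\Tools"),
    DeviceEvent("WS03", "DriverLoad", "dbghelp.dll", "\\\\fileserver\\share"),
]
if __name__ == "__main__":
    for hit in network_dll_loads(SAMPLE_EVENTS):
        print(f"{hit.device_name}: {hit.folder_path}\\{hit.file_name}")
```

Running it reports only the WS01 DLL load; the local Sysinternals run on WS03 and the network DLL load on the non-suspicious WS02 are filtered out, as they would be by the query.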

Steven Lim
Released: February 4, 2025