Query Details

Threat Hunting BYOVD Scenarios

Query

// Threat Hunting BYOVD Scenarios

// This query identifies recently created driver files on an endpoint with low global prevalence. It then cross-references these files with Windows Event ID 3004, where Windows Code Integrity validates the digital signature of kernel-mode drivers during memory loading. This detection can potentially highlight BYOVD (Bring Your Own Vulnerable Driver) scenarios.

let DriverwithLowPrevalence =
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".sys"
| invoke FileProfile(SHA1,1000)
| where GlobalPrevalence <= 150 or isempty(GlobalPrevalence)
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| project FileName;
DeviceEvents
// Event ID 3004 — Kernel-mode Driver Validation
| where ReportId == "3004"
| where ActionType == @"DriverLoad"
| where FileName has_any(DriverwithLowPrevalence)


// #DefenderXDR #MDE #BYOVD #ThreatHunting #FileProfile #KQL

// MITRE ATT&CK Mapping

// Initial Access:
// Technique: T1190 (Exploit Public-Facing Application)
// The query may help detect exploitation attempts against public-facing applications.
// Technique: T1566.001 (Phishing: Spearphishing Attachment)
// The query could be relevant for detecting malicious attachments in spear-phishing emails.
// Execution:
// Technique: T1047 (Windows Management Instrumentation)
// The query involves using WMI for remote command execution.
// Persistence:
// Technique: T1136.001 (Create Account: Local Account)
// The query identifies local account creations.
// Defense Evasion:
// Technique: T1556 (Modify Authentication Process)
// The query may be related to conditional access policy changes.

Explanation

This query is designed for threat hunting, specifically targeting scenarios involving "Bring Your Own Vulnerable Driver" (BYOVD). Here's a simplified breakdown:

  1. Objective: The query aims to identify newly created driver files on a computer that are not commonly found globally. These files are then checked against Windows Event ID 3004, which is an event where Windows checks the digital signature of kernel-mode drivers when they are loaded into memory.

  2. Process:

    • Step 1: It looks for files with a ".sys" extension (which are typically driver files) that have been recently created on a device.
    • Step 2: It checks the global prevalence of these files using their SHA1 hash. If a file is not widely prevalent (found in 150 or fewer instances globally) or if its prevalence is unknown, it is flagged.
    • Step 3: It attempts to match these flagged files with any digital certificate information available.
    • Step 4: It then checks if any of these flagged driver files have been loaded into memory, as indicated by Windows Event ID 3004.
  3. Purpose: By identifying these low-prevalence drivers and checking if they are loaded, the query can potentially highlight scenarios where attackers might be using vulnerable drivers to compromise a system (BYOVD).

  4. Relevance to MITRE ATT&CK:

    • The query is mapped to several MITRE ATT&CK techniques, indicating its potential utility in detecting various attack vectors such as exploiting public-facing applications, spear-phishing, remote command execution, local account creation, and modifying authentication processes.

In summary, this query is a tool for detecting potentially malicious driver files that could be used in sophisticated attacks, by leveraging their low prevalence and checking their integrity during loading.

Details

Steven Lim profile picture

Steven Lim

Released: August 27, 2024

Tables

DeviceFileEventsDeviceFileCertificateInfoDeviceEvents

Keywords

DeviceFileEventsCertificateInfoWindowsEventKernelModeDriverDigitalSignatureMemoryLoadingLoadDefenderXDRMDEBYOVDThreatHuntingProfileKQLMITREATT&CKInitialAccessExploitPublicFacingApplicationPhishingSpearphishingAttachmentExecutionManagementInstrumentationPersistenceCreateAccountLocalDefenseEvasionModifyAuthenticationProcess

Operators

let|whereendswithinvokeorisemptyjoinkind=leftouteronprojecthas_any

Actions

GitHub