Query Details

Threat Hunting BYOVD Scenarios

Query

// Threat Hunting BYOVD Scenarios

// This query identifies recently created driver files on an endpoint with low global prevalence. It then cross-references these files with Windows Event ID 3004, where Windows Code Integrity validates the digital signature of kernel-mode drivers during memory loading. This detection can potentially highlight BYOVD (Bring Your Own Vulnerable Driver) scenarios.

// Step 1: candidate drivers. Collect .sys files created on the device, enrich each
// hash with FileProfile and keep only those rarely seen worldwide.
let DriverwithLowPrevalence =
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".sys"
| invoke FileProfile(SHA1,10000)                    // enrich up to 10,000 hashes with prevalence and signer data
| where GlobalPrevalence <= 150                     // low global prevalence: uncommon driver
| join kind=leftouter DeviceFileCertificateInfo on SHA1   // attach certificate details where a record exists
| project FileName;                                 // single-column list consumed by has_any below
// Step 2: driver load events that match one of the uncommon driver names.
DeviceEvents
// Event ID 3004: Kernel-mode Driver Validation
| where ReportId == 3004                            // ReportId is a numeric column; compare it as a number, not a string
| where ActionType == @"DriverLoad"
| where FileName has_any(DriverwithLowPrevalence)


// #DefenderXDR #MDE #BYOVD #ThreatHunting #FileProfile #KQL

// MITRE ATT&CK Mapping

// Initial Access:
// Technique: T1190 (Exploit Public-Facing Application)
// The query may help detect exploitation attempts against public-facing applications.
// Technique: T1566.001 (Phishing: Spearphishing Attachment)
// The query could be relevant for detecting malicious attachments in spear-phishing emails.
// Execution:
// Technique: T1047 (Windows Management Instrumentation)
// The query involves using WMI for remote command execution.
// Persistence:
// Technique: T1136.001 (Create Account: Local Account)
// The query identifies local account creations.
// Defense Evasion:
// Technique: T1556 (Modify Authentication Process)
// The query may be related to conditional access policy changes.

Explanation

This query is designed to help identify potentially malicious driver files on an endpoint that have been recently created and have low global prevalence. Here's a simplified breakdown of what the query does:

  1. Identify New Driver Files:

    • It looks for files with the ".sys" extension (which are typically driver files) that have been created recently.
    • It checks these files against a global database to see how common they are, focusing on those that are not widely seen (low prevalence).
  2. Cross-Reference with Driver Validation Events:

    • It then cross-references these low-prevalence driver files with Windows Event ID 3004. This event ID is logged when Windows Code Integrity validates the digital signature of kernel-mode drivers during their loading into memory.
  3. Potential Detection of BYOVD Scenarios:

    • BYOVD stands for "Bring Your Own Vulnerable Driver." This technique involves attackers using legitimate but vulnerable drivers to execute malicious activities.
    • By identifying low-prevalence drivers and checking if they have been validated and loaded, the query aims to detect such scenarios.
  4. MITRE ATT&CK Mapping:

    • The query is mapped to several techniques in the MITRE ATT&CK framework, indicating its relevance to various stages of an attack, such as initial access, execution, persistence, and defense evasion.

In summary, this query helps in threat hunting by identifying and validating new and uncommon driver files on an endpoint, which could indicate a BYOVD attack.
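As an added example (not part of the original query), the same hunt can be tightened by carrying the driver hash and the FileProfile signer fields forward and joining the DriverLoad events on SHA1 and device rather than on file name, so two unrelated drivers sharing a name cannot match each other. It assumes the standard Defender XDR advanced hunting schema; the 7-day window and the prevalence threshold are tunable assumptions.

```kql
// Added example: hash-based variant of the BYOVD hunt above (not the original author's query).
// Assumes the Defender XDR advanced hunting schema; lookback and threshold are assumptions.
let lookback = 7d;
let prevalenceThreshold = 150;
// Step 1: .sys files created in the window, enriched with global prevalence and signer data.
let NewLowPrevalenceDrivers =
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
| where FileName endswith ".sys"
| distinct Timestamp, DeviceName, FileName, FolderPath, SHA1
| invoke FileProfile(SHA1, 10000)
| where GlobalPrevalence <= prevalenceThreshold
| project CreatedTime = Timestamp, DeviceName, FileName, FolderPath, SHA1,
          GlobalPrevalence, GlobalFirstSeen, Signer, Issuer, IsCertificateValid, SignatureState;
// Step 2: kernel driver loads in the same window, joined to the candidates by hash and device,
// keeping only loads that happened after the file was written.
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "DriverLoad"
| project LoadTime = Timestamp, DeviceName, SHA1, LoadedFileName = FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| join kind=inner NewLowPrevalenceDrivers on SHA1, DeviceName
| where LoadTime >= CreatedTime
// Step 3: one row per device and driver hash, with signer context for triage.
| summarize LoadCount = count(),
            FirstLoad = min(LoadTime),
            LastLoad = max(LoadTime),
            Loaders = make_set(InitiatingProcessFileName, 10),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
          by DeviceName, SHA1, FileName, FolderPath, CreatedTime,
             GlobalPrevalence, GlobalFirstSeen, Signer, Issuer, IsCertificateValid, SignatureState
| order by GlobalPrevalence asc, FirstLoad desc
```

A valid signature does not clear a hit: a BYOVD driver is typically legitimately signed, so the Signer and GlobalFirstSeen columns are there to speed triage, not to filter results out.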

Details

Steven Lim

Released: August 27, 2024

Tables

DeviceFileEvents, DeviceFileCertificateInfo, DeviceEvents

Keywords

DeviceFileEvents, DeviceFileCertificateInfo, DeviceEvents, FileName, SHA1, GlobalPrevalence, ReportId, ActionType, FileProfile

Operators

let, |, where, ==, endswith, invoke, <=, join, kind=leftouter, on, project, has_any