Query Details

Smoke Sandstorm - SnailResin and SlugResin Infection Detection

Nf Ttp Smoke Sandstorm Unusual Coreuicomponentdll Behaviour

Query

DeviceImageLoadEvents
| where FileName == 'CoreUIComponent.dll'
| where not(FolderPath has_any (@"\Windows\System32", @"\Windows\SysWOW64", @"\winsxs\", @"\program files"))

About this query

Explanation

The query is designed to detect the presence of the Smoke Sandstorm threat group's SnailResin and SlugResin infections, which involve the use of DLL search order hijacking to execute malicious code. The query looks for unusual behavior related to the CoreUIComponent.dll file and checks for specific alerts related to DLL hijacking and the Smoke Sandstorm activity group. It also searches for alerts in Microsoft Defender for Endpoint that indicate the presence of the SnailResin and SlugResin malware. The purpose of this query is to identify and mitigate the risk of stealthy execution of malicious code through DLL hijacking.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: February 1, 2024

Tables

DeviceImageLoadEvents AlertInfo AlertEvidence

Keywords

DevicesIntuneUserKQLKeywordsQueryMITRE ATT&CK TechniqueHijack Execution FlowDLL Search Order HijackingCommand and Scripting InterpreterWindows Command ShellSlugResin infectionSmoke Sandstormbackdoormalware deploymentcredential theftprivilege escalationlateral movementzip filebringthemhome.zipmalicious DLL filesbenign executablecommand-and-control connectionriskstealthy executionmalicious codeDLL hijackingpersistent accesscontrolcompromised systemsauthorNameGavin KnappGithubTwitterLinkedInReferencesMicrosoft TIMicrosoft DocumentationAdvanced HuntingUnusual CoreUIComponent.dll Behaviour DetectionMicrosoft Defender Antivirus DetectionsMicrosoft Defender for Endpoint AlertsTrojan:Win64/SnailResinBackdoor:Win64/SlugResinTrojan:Win32/BassBreaker.

Operators

wherenothas_any==joinextendtostringparse_jsonisnotempty

Actions

GitHub