KQL Search

Query Details

HomeAI ToolsDevice Query

Nf Ttp Smoke Sandstorm Unusual Coreuicomponentdll Behaviour

Query

# Smoke Sandstorm - SnailResin and SlugResin Infection Detection

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title                       | Link                                      |
|--------------|-----------------------------|-------------------------------------------|
| T1574.002    | Hijack Execution Flow: DLL Search Order Hijacking | [Hijack Execution Flow: DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/002/) |
| T1059.003    | Command and Scripting Interpreter: Windows Command Shell | [Command and Scripting Interpreter: Windows Command Shell](https://attack.mitre.org/techniques/T1059/003/) |

#### Description
SlugResin infection involves the use of a legitimate file to load a malicious binary through DLL search order hijacking, delivering the SlugResin backdoor onto the target's device. This backdoor grants the actor access to the compromised device, potentially leading to further malicious activities like malware deployment, credential theft, privilege escalation, and lateral movement. The infection involves a two-stage process with the SnailResin loader and SlugResin backdoor, both associated with the Smoke Sandstorm threat group. The infection chain includes the use of a zip file ("bringthemhome.zip") containing malicious DLL files and a benign executable, which leads to the execution of the backdoor and establishment of a command-and-control connection.

#### Risk
The risk addressed by this detection is the stealthy execution of malicious code through DLL hijacking, enabling persistent access and control over compromised systems. The ability of this technique to blend in with normal activity makes it particularly dangerous.

#### Author 
- **Name:** Gavin Knapp
- **Github:** [https://github.com/m4nbat](https://github.com/m4nbat)
- **Twitter:** [https://twitter.com/knappresearchlb](https://twitter.com/knappresearchlb)
- **LinkedIn:** [https://www.linkedin.com/in/grjk83/](https://www.linkedin.com/in/grjk83/)
- **Website:**

#### References
- Microsoft TI (Closed)
- [Microsoft Documentation on DLL Search Order Hijacking](https://docs.microsoft.com/en-us/security/engineering/dll-search-order-hijacking)

## Advanced Hunting

### Unusual CoreUIComponent.dll Behaviour Detection

```KQL
DeviceImageLoadEvents
| where FileName == 'CoreUIComponent.dll'
| where not(FolderPath has_any (@"\Windows\System32", @"\Windows\SysWOW64", @"\winsxs\", @"\program files"))
```

### Microsoft Defender Antivirus Detections

```KQL
AlertInfo 
| where Title has_any ("An executable loaded an unexpected dll","DLL search order hijack","Possible Sideload stealer activity","Possible S1deload stealer activity","Smoke Sandstorm activity group")
```
### Microsoft Defender for Endpoint Alerts

```KQL
let malware = datatable (name:string)["Trojan:Win64/SnailResin","Backdoor:Win64/SlugResin","Trojan:Win32/BassBreaker"];
AlertInfo 
| join AlertEvidence on AlertId
| extend Malware = tostring(parse_json(AdditionalFields).Name)
| where ( EntityType =~ "Malware" ) and isnotempty(Malware)  and Malware has_any(malware)
```

Explanation

The query is designed to detect the presence of the Smoke Sandstorm threat group's SnailResin and SlugResin infections, which involve the use of DLL search order hijacking to execute malicious code. The query looks for unusual behavior related to the CoreUIComponent.dll file and checks for specific alerts related to DLL hijacking and the Smoke Sandstorm activity group. It also searches for alerts in Microsoft Defender for Endpoint that indicate the presence of the SnailResin and SlugResin malware. The purpose of this query is to identify and mitigate the risk of stealthy execution of malicious code through DLL hijacking.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: February 1, 2024

Tables

DeviceImageLoadEvents AlertInfo AlertEvidence

Keywords

Devices,Intune,User,KQL,Keywords,Query,MITREATT&CKTechnique,HijackExecutionFlow,DLLSearchOrderHijacking,CommandandScriptingInterpreter,WindowsCommandShell,SlugResininfection,SmokeSandstorm,backdoor,malwaredeployment,credentialtheft,privilegeescalation,lateralmovement,zipfile,bringthemhome.zip,maliciousDLLfiles,benignexecutable,command-and-controlconnection,risk,stealthyexecution,maliciouscode,DLLhijacking,persistentaccess,control,compromisedsystems,author,Name,GavinKnapp,Github,Twitter,LinkedIn,References,MicrosoftTI,MicrosoftDocumentation,AdvancedHunting,UnusualCoreUIComponent.dllBehaviourDetection,MicrosoftDefenderAntivirusDetections,MicrosoftDefenderforEndpointAlerts,Trojan:Win64/SnailResin,Backdoor:Win64/SlugResin,Trojan:Win32/BassBreaker.

Operators

wherenothas_any==joinextendtostringparse_jsonwhereisnotemptyhas_any

Actions