Click Fix Lo L Bin Abuse
Query
//THX to Maurice Fielenbach https://www.linkedin.com/posts/mauricefielenbach_threathunting-dfir-cybersecurity-activity-7429953431588659200-c0zE/
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where (
(FileName in~ ("wscript.exe", "cscript.exe") and ProcessCommandLine has "SyncAppvPublishingServer.vbs")
or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("process", "call", "create"))
or (FileName =~ "ssh.exe" and ProcessCommandLine has "ProxyCommand")
)
| where ProcessCommandLine has_any (
"gal", "i*x",
"gcm", "*stM*",
"jsdelivr.net",
"github",
"powershell"
)About this query
Explanation
This query is designed to detect potentially malicious activities on Windows systems by monitoring specific command-line executions. It focuses on identifying suspicious use of certain Windows executables and keywords that are often associated with malicious behavior or obfuscation techniques. Here's a simplified breakdown:
-
Time Frame: The query looks at events from the past 7 days.
-
Targeted Executables:
- wscript.exe or cscript.exe: These are Windows Script Host executables. The query checks if they are running a script named 'SyncAppvPublishingServer.vbs'.
- wmic.exe: This is the Windows Management Instrumentation Command-line tool. The query checks if it is used with commands like 'process', 'call', or 'create'.
- ssh.exe: This is the Secure Shell client. The query checks if it is used with the 'ProxyCommand' option.
-
Suspicious Keywords: The query further filters the command lines to see if they contain any of the following keywords, which might indicate malicious activity:
- "gal", "i*x", "gcm", "stM": These could be part of obfuscated commands or scripts.
- "jsdelivr.net", "github": These are external resources that might be used to load malicious scripts or payloads.
- "powershell": This is a powerful scripting language often used in attacks.
Overall, the query aims to identify suspicious command-line activities that could indicate abuse of legitimate Windows tools for malicious purposes, aligning with specific MITRE ATT&CK techniques.
