Query Details

Detect Suspicious ncrypt.dll usage by process requesting Entra ID Nonce

Detect Suspicious Ncrypt Usage By Cli Tool Or Unknown Process With Nonce

Query

let cli_tools = dynamic(["powershell", "python"]);
// Get all possible nonce requests
let nonce_requests = (
    DeviceNetworkEvents
    | where Timestamp > ago(1h)
    | where ActionType startswith "ConnectionSuccess"
    | where RemoteUrl =~ "login.microsoftonline.com"
    | project-rename NonceTimestamp = Timestamp
);
// Get suspicious ncrypt.dll usage via WDAC audit policy
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType startswith "AppControl" and FileName =~ "ncrypt.dll"
// Check if the same initiating process is doing a nonce request
| join kind=inner nonce_requests on InitiatingProcessId, DeviceId
// Only flag when nonce was request 10min before of after ncrypt usage
| where Timestamp between (todatetime(NonceTimestamp - 10m) .. todatetime(NonceTimestamp + 10m))
| invoke FileProfile(InitiatingProcessSHA1, 1000)
| where (
    // Flag CLI tools
    InitiatingProcessFileName has_any (cli_tools) or 
    // Flag unknown processes
    GlobalPrevalence < 250
)

About this query

Explanation

This query is designed to detect suspicious activities related to the use of the ncrypt.dll file, which is associated with cryptographic operations on Windows systems. Specifically, it looks for processes that use ncrypt.dll and also make requests to Microsoft's login service, which could indicate an attempt to generate unauthorized authentication tokens.

Here's a simplified breakdown of the query:

  1. Identify Nonce Requests: The query first identifies network events where a device successfully connects to "login.microsoftonline.com" within the last hour. These events are potential requests for a nonce, a unique number used once in authentication processes.

  2. Detect Suspicious ncrypt.dll Usage: It then looks for events where ncrypt.dll is used, flagged by the Windows Defender Application Control (WDAC) audit policy, within the same time frame.

  3. Correlate Events: The query correlates these two sets of events by matching the process ID and device ID to see if the same process is involved in both activities.

  4. Time Constraint: It further filters these correlated events to ensure that the nonce request occurred within 10 minutes before or after the ncrypt.dll usage, indicating a close temporal relationship.

  5. Flag Suspicious Processes: Finally, it flags processes that are either command-line tools like PowerShell or Python, or processes that are not commonly seen (low global prevalence), as these could be indicative of malicious activity.

Overall, this query aims to identify potential misuse of cryptographic functions and authentication processes, which could be part of an attack to forge credentials or extract sensitive information.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: April 26, 2025

Tables

DeviceNetworkEventsDeviceEvents

Keywords

DevicesEntraIDProcessCredentialManagerWebCredentialsDeviceNetworkEventsFileProfile

Operators

letdynamicagostartswith=~project-renamewherejoin kind=inneronbetweentodatetimeinvokehas_any<

MITRE Techniques

Actions

GitHub