Query Details

Detecting Windows Downdate Abuse

Query

// Detecting Windows Downdate Abuse
// https://www.blackhat.com/us-24/briefings/schedule/#windows-downdate-downgrade-attacks-using-windows-updates-38963
// https://www.bleepingcomputer.com/news/microsoft/windows-downdate-tool-lets-you-unpatch-windows-systems/

// Detect the cloning of Windows Downdate python with Python PSUtil & Git presence
let EndpointwithPythonPSUtilGit =
DeviceTvmSoftwareInventory 
| where (SoftwareName contains "psutil" and SoftwareName contains "python")
or (SoftwareName contains "git" and SoftwareVendor == "github")
| distinct DeviceName;
DeviceFileEvents 
| where ActionType=="FileCreated"
| where FolderPath contains "downdate"
| where DeviceName has_any(EndpointwithPythonPSUtilGit)

// Detected Windows Downdate Binary
DeviceFileEvents 
| where ActionType=="FileCreated"
| where SHA256 == "a34e71ededf334d3d6a480e3738c91fccbb4d2c1fbeec7192db9793a2541e8ca"

// The Windows Downdate tool primarily maps to the following MITRE ATT&CK techniques:
// T1078 - Valid Accounts: By downgrading components, attackers can exploit older vulnerabilities to gain unauthorized access using valid accounts1.
// T1543 - Create or Modify System Process: Downgrading critical OS components can involve creating or modifying system processes to reintroduce vulnerabilities1.
// T1562 - Impair Defenses: Downgrading security components like Credential Guard can impair defenses, making it easier for attackers to bypass security measures1.
// T1218 - Signed Binary Proxy Execution: Using legitimate tools and binaries to execute malicious actions, which can be facilitated by downgrading to vulnerable versions1.

Explanation

This KQL query is designed to detect potential abuse of a tool called "Windows Downdate," which is used to downgrade Windows systems, potentially reintroducing vulnerabilities. Here's a simplified breakdown of what the query does:

  1. Identify Devices with Specific Software:

    • The query first identifies devices that have both the Python psutil library and Git installed. This is done by checking the software inventory for the presence of these tools, which might be used in the downdate process.
  2. Detect File Creation Related to Downdate:

    • It then looks for any file creation events on these devices where the file path includes "downdate." This suggests that the downdate tool or related files might be present or being used.
  3. Identify Specific Downdate Binary:

    • The query also checks for the creation of a specific file with a known SHA256 hash, which corresponds to a known Windows Downdate binary. This helps in identifying the use of a specific version of the tool.
  4. Link to MITRE ATT&CK Techniques:

    • The query notes that the use of the Windows Downdate tool can be associated with several MITRE ATT&CK techniques, such as exploiting valid accounts, modifying system processes, impairing defenses, and executing malicious actions using legitimate tools.

Overall, this query helps in identifying potential security risks associated with the downgrading of Windows systems, which can make them vulnerable to attacks.

Details

Steven Lim profile picture

Steven Lim

Released: September 14, 2024

Tables

DeviceTvmSoftwareInventoryDeviceFileEvents

Keywords

DeviceTvmSoftwareInventoryFileEventsNameVendorActionTypeFolderPathSHA256

Operators

let|wherecontainsandordistincthas_any==

MITRE Techniques

Actions

GitHub