Hunting Attacks Using ATP part 2

in progress

1. Persistence via Registry Run Keys/Startup Folder

  • Overview:

Attackers establish persistence by configuring programs or scripts to execute automatically during system startup or user logon. This is often achieved by adding entries to Registry Run keys or placing shortcuts and scripts in startup folders. This ensures that malicious code runs with each reboot, maintaining the attacker's foothold.

Techniques include:

  • Registry Modification: Adding values to HKLM or HKCU Run keys.

  • Startup Folder: Placing files in the Startup folder within the user's profile or All Users directory.

  • Service Creation: Configuring services to start automatically.

This persistence mechanism is stealthy, as it leverages standard system functionality.

  • ATT&CK ID: T1547.001

  • Trigger Condition:

    • Creation or modification of Registry keys associated with startup execution.

    • Files or shortcuts added to startup folders.

    • New services set to auto-start with suspicious executables.

  • How to Hunt Using Advanced Hunting:

DeviceRegistryEvents
| where RegistryKey endswith @"\Software\Microsoft\Windows\CurrentVersion\Run"
| where ActionType == "RegistryValueSet"
| where InitiatingProcessAccountName !in ("System", "AdminUser")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData

DeviceFileEvents
| where FolderPath endswith @"\Startup" and ActionType == "FileCreated"
| where InitiatingProcessAccountName !in ("System", "AdminUser")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath

These queries detect modifications to startup mechanisms by unexpected users, indicating potential persistence setup.

2- Boot or Logon Autostart Execution

  • Overview:

    Attackers achieve persistence by configuring their code to execute automatically during system boot or user logon. This broad category includes various methods such as:

    • Service Installation: Creating new services set to auto-start.

    • Scheduled Tasks: Configuring tasks to run at startup.

    • Boot Scripts: Modifying scripts that run during the boot process.

    By leveraging autostart mechanisms, attackers ensure their malware remains active even after system reboots.

  • ATT&CK ID: T1547

  • Trigger Condition:

    • Creation of new services or modification of existing ones.

    • Scheduled tasks set to trigger at system startup.

    • Changes to boot configuration files or scripts.

  • How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where FileName in ("sc.exe", "powershell.exe", "schtasks.exe")
| where ProcessCommandLine has_any ("create", "config", "/sc onstart")
| where InitiatingProcessAccountName !in ("system", "AdminUser")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine

This query detects attempts to configure services or scheduled tasks to run at startup by unauthorized users.

3- Web Shell

  • Overview:

    A web shell is a malicious script that provides a command interface on a web server. Attackers upload web shells to compromised web servers to:

    • Execute Commands Remotely: Run system commands on the server.

    • Maintain Persistence: Retain access to the server over time.

    • Pivot to Internal Networks: Use the server as a foothold to access internal resources

    .

    Web shells can be written in various scripting languages, such as PHP, ASP, JSP, or even HTML with embedded code.

  • ATT&CK ID: T1505.003

  • Trigger Condition:

    • Unexpected files in web directories.

    • Execution of web server processes initiating system commands.

    • Unusual outbound connections from web server processes.

How to Hunt Using Advanced Hunting:

// Query for DeviceFileEvents
DeviceFileEvents
| where FolderPath contains "inetpub\\wwwroot" or FolderPath contains "Apache\\htdocs"
| where FileName endswith ".php" or FileName endswith ".asp" or FileName endswith ".jsp" or FileName endswith ".aspx"
| where ActionType == "FileCreated"
| where InitiatingProcessAccountName != "WebAdmin"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

// Query for DeviceProcessEvents
DeviceProcessEvents
| where InitiatingProcessFileName in ("w3wp.exe", "httpd.exe", "nginx.exe")
| where FileName in ("cmd.exe", "powershell.exe", "bash")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine

These queries detect the creation of new web files in web directories and web server processes spawning command shells, indicating potential web shell activity.

4- Ingress Tool Transfer

  • Overview:

Attackers transfer tools or files into a compromised environment to facilitate their operations. This can include malware, exploit code, or utilities for reconnaissance and lateral movement.

Methods of transfer:

  • Download via HTTP/HTTPS: Using web protocols to retrieve files.

  • File Sharing Protocols: Using SMB, FTP, or SCP.

  • Email Attachments: Sending tools via phishing emails.

Ingress tool transfer is often a precursor to further malicious activities.

  • ATT&CK ID: T1105

  • Trigger Condition:

    • Downloading executables from external sources.

    • Unusual network connections to file-sharing services.

    • Use of command-line tools to fetch external resources.

  • How to Hunt Using Advanced Hunting:

DeviceNetworkEvents
| where InitiatingProcessFileName in ("powershell.exe", "curl.exe", "wget.exe", "certutil.exe")
| where RemoteUrl != ""
| where InitiatingProcessCommandLine has_any ("DownloadFile", "wget", "curl", "certutil -urlcache -split -f")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, InitiatingProcessCommandLine

This query identifies processes commonly used to download files from external sources, which may indicate tool transfer.

5- DNS Tunneling

  • Overview:

    DNS tunneling is a method where attackers encode data of other programs or protocols in DNS queries and responses. Since DNS traffic is often allowed through firewalls and not closely monitored, it provides a covert channel for command and control communications or data exfiltration.

    Characteristics:

    • Data Encoding: Information is embedded within DNS request and response payloads.

    • Custom DNS Servers: Attackers use controlled DNS servers to receive data.

    • Persistent Communication: Maintains a stealthy communication channel.

    DNS tunneling can bypass traditional security controls that do not inspect DNS traffic content.

  • ATT&CK ID: T1572

  • Trigger Condition:

    • Unusually large volume of DNS queries to uncommon domains.

    • DNS queries with long or suspicious subdomain names.

    • Use of TXT records in DNS responses carrying payloads.

  • How to Hunt Using Advanced Hunting:

DeviceNetworkEvents
| where Protocol == "DNS"
| where RemoteUrl matches regex @".{50,}"  // Domain names longer than 50 characters
| summarize QueryCount = count() by RemoteUrl
| where QueryCount > 100

This query detects excessive DNS queries to domains with unusually long names, which may indicate DNS tunneling.

6- Rogue Domain Controller

  • Overview:

    Attackers introduce a rogue domain controller into an Active Directory environment to manipulate domain services and gain elevated privileges. By setting up a domain controller under their control, they can:

    • Intercept Authentication Traffic: Capture or modify credentials.

    • Distribute Malicious Group Policies: Execute code on multiple systems.

    • Manipulate Directory Data: Alter user accounts, permissions, or security settings.

    Establishing a rogue domain controller can severely compromise the security of an entire domain.

  • ATT&CK ID: T1207

  • Trigger Condition:

    • Unauthorized promotion of a system to a domain controller.

    • Network traffic indicating replication of directory services with unknown systems.

    • Changes to Active Directory topology without proper authorization.

  • How to Hunt Using Advanced Hunting:


DeviceProcessEvents
| where FileName == "dcpromo.exe" or ProcessCommandLine contains "Install-ADDSDomainController"
| where InitiatingProcessAccountName !in ("DomainAdmin")
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine


DeviceNetworkEvents
| where RemotePort == 389 or RemotePort == 636  // LDAP and LDAPS
| where RemoteIP !in ("known_domain_controllers")
| summarize ConnectionCount = count() by RemoteIP 
| where ConnectionCount > 100

These queries detect attempts to promote a system to a domain controller by unauthorized users and identify unusual LDAP traffic patterns indicative of rogue domain controllers.

7- Data from Local System

  • Overview:

    Attackers collect files and sensitive information from the local system to understand the environment and prepare for further actions, such as data exfiltration or credential harvesting. They may search for documents, databases, configuration files, or other data that could be valuable or aid in escalating privileges.

    Common methods include:

    • Manual Searching: Browsing directories and files of interest.

    • Automated Tools: Using scripts or programs to locate files based on criteria like file extensions or keywords.

    • Copying Data: Collecting and staging data in preparation for exfiltration.

  • ATT&CK ID: T1005

  • Trigger Condition:

    • Processes accessing multiple files with sensitive extensions (e.g., .docx, .pdf, .xls).

    • Unusual processes reading files from user directories.

    • High volume of file access operations in a short time frame by a single process.

  • How to Hunt Using Advanced Hunting:

DeviceFileEvents
| where ActionType == "FileRead"
| where FileName endswith ".docx" or FileName endswith ".xlsx" or FileName endswith ".pdf" or FileName endswith ".txt" or FileName endswith ".csv"
| where InitiatingProcessFileName !in ("explorer.exe", "winword.exe", "excel.exe")
| summarize ReadCount = count() by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, bin(Timestamp, 1h)
| where ReadCount > 100
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, ReadCount

This query identifies processes that read a large number of sensitive files within an hour, which may indicate data collection by an attacker.

8. Account Manipulation

  • Overview:

Attackers manipulate user accounts to maintain access, escalate privileges, or create backdoor accounts. They may create new accounts, modify existing accounts, or change permissions and group memberships. This manipulation allows them to:

  • Maintain Persistence: Keep access even if initial compromised accounts are detected.

  • Elevate Privileges: Gain administrative rights.

  • Evade Detection: Use legitimate credentials to blend in.

  • ATT&CK ID: T1098

  • Trigger Condition:

    • Creation of new user accounts by non-administrative users.

    • Changes to account privileges or group memberships.

    • Password changes for critical accounts without proper authorization.

  • How to Hunt Using Advanced Hunting:

DeviceEvents
| where ActionType in ("UserAccountCreated", "UserAccountModified", "UserAccountPasswordChanged")
| where InitiatingProcessAccountName !in ("AdminUser", "HRManager")
| project Timestamp, DeviceName, TargetUserName, ActionType, InitiatingProcessAccountName

This query detects account creation and modification events initiated by unexpected users, indicating possible account manipulation.

9- Screen Capture

  • Overview:

    Attackers capture screenshots of the user's desktop to collect sensitive information displayed on the screen. This can include:

    • Credentials: Login screens or password input fields.

    • Sensitive Data: Confidential documents, emails, or applications.

    • User Activities: Monitoring user behavior.

    Screen capture tools can be built into malware or executed via scripts and may save images locally or transmit them to remote servers.

  • ATT&CK ID: T1113

  • Trigger Condition:

    • Processes accessing screen capture APIs.

    • Creation of image files in unexpected directories.

    • Use of screen capture utilities by non-authorized users.

  • How to Hunt Using Advanced Hunting:

union 
    (DeviceProcessEvents
    | where ProcessCommandLine has_any ("PrintWindow", "BitBlt", "GetDC", "Screenshot")
    | where InitiatingProcessFileName !in ("known_legitimate_app.exe")
    | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine),
    
    (DeviceFileEvents
    | where FileName endswith ".png" or FileName endswith ".jpg" or FileName endswith ".bmp"
    | where FolderPath has_any ("\\Temp\\", "\\AppData\\")
    | where InitiatingProcessFileName !in ("explorer.exe", "mspaint.exe")
    | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName)

These queries detect processes using screen capture functions and the creation of image files in suspicious locations.

10 - Clipboard Data

  • Overview:

    Attackers monitor and capture data copied to the clipboard to collect sensitive information, such as passwords, personal data, or cryptocurrency wallet addresses. Malware can access clipboard contents through APIs and may trigger actions when specific data patterns are detected.

  • ATT&CK ID: T1115

  • Trigger Condition:

    • Processes accessing clipboard APIs.

    • Unexpected clipboard activity by background processes.

    • Modification of clipboard data without user interaction.

  • How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where ProcessCommandLine contains "GetClipboardData"
| where InitiatingProcessFileName !in ("known_legitimate_app.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine

This query identifies processes accessing clipboard data using APIs, which may indicate malicious activity.

11 - Indicator Removal on Host

  • Overview:

    Attackers attempt to delete or alter artifacts on a host system to avoid detection and hinder forensic analysis. Actions include:

    • Clearing Logs: Deleting event logs or audit records.

    • Deleting Files: Removing malware files or scripts after execution.

    • Modifying Timestamps: Changing file creation or modification dates.

    These efforts help attackers maintain stealth and prolong their presence on compromised systems.

  • ATT&CK ID: T1070

  • Trigger Condition:

    • Use of commands to delete or clear logs (e.g., wevtutil, Clear-EventLog).

    • Deletion of files from security software directories.

    • Changes to file attributes or timestamps.

  • How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where FileName in ("wevtutil.exe", "powershell.exe")
| where ProcessCommandLine has_any  ("cl", "clear-log", "Clear-EventLog", "wevtutil cl")
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine

DeviceFileEvents
| where ActionType == "FileDeleted"
| where FolderPath has_any  ("\\Logs\\", "\\Security\\", "\\Windows\\System32\\winevt\\Logs\\")
| where InitiatingProcessAccountName !in ("System", "AdminUser")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

These queries detect attempts to clear logs or delete files related to security events, which may indicate an attempt to remove indicators of compromise.

12 - Hardware Additions

  • Overview:

    Attackers may introduce unauthorized hardware devices into a network to gain access or perform malicious activities. Examples include:

    • Rogue Devices: Plugging in malicious USB devices that act as keyboards or network cards.

    • Network Implants: Installing hardware implants that intercept network traffic.

    • Peripheral Devices: Using devices like microphones or cameras to capture data.

    Physical access to systems allows attackers to bypass certain security measures and establish a foothold within the network.

  • ATT&CK ID: T1200

  • Trigger Condition:

    • Detection of new hardware devices connected to systems.

    • Unusual USB devices or network interfaces appearing on endpoints.

    • Unauthorized users accessing physical areas with sensitive equipment.

  • How to Hunt Using Advanced Hunting:

DeviceEvents
| where ActionType == "UsbDriveMounted"
| where DeviceName !in ("known_devices")
| project Timestamp, DeviceName, DeviceId, InitiatingProcessAccountName

DeviceNetworkEvents
| where LocalPort in (new network interfaces)
| where InitiatingProcessAccountName !in ("System", "NetworkService")
| project Timestamp, DeviceName, LocalIP, LocalPort, InitiatingProcessAccountName

These queries detect new USB devices and network interfaces connected to systems, which may indicate unauthorized hardware additions.

13 - Defacement

  • Overview:

    Attackers modify visual content on websites, applications, or systems to display unauthorized messages, images, or other content. Defacement is often used to:

    • Spread Propaganda: Promote political or ideological messages.

    • Demonstrate Capabilities: Showcase the attacker's skills.

    • Cause Disruption: Damage the organization's reputation.

    Defacement can affect public-facing websites or internal applications and may indicate a broader compromise.

  • ATT&CK ID: T1491

  • Trigger Condition:

    • Changes to web content files (e.g., HTML, PHP, ASPX files).

    • Unauthorized modifications to application interfaces.

    • Sudden appearance of unfamiliar images or text on websites.

  • How to Hunt Using Advanced Hunting:

DeviceFileEvents
| where FolderPath contains "\\inetpub\\wwwroot\\" or "\\Apache\\htdocs\\"
| where ActionType == "FileModified"
| where InitiatingProcessAccountName !in ("WebAdmin")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

DeviceProcessEvents
| where InitiatingProcessFileName in ("w3wp.exe", "httpd.exe", "nginx.exe")
| where FileName in ("cmd.exe", "powershell.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine

These queries detect modifications to web content files by unauthorized users and web server processes spawning shells, indicating potential defacement activities.

14 - Domain Trust Discovery

  • Overview:

    Attackers gather information about domain trusts within an Active Directory environment to identify potential paths for lateral movement and privilege escalation. They may use built-in commands or tools to enumerate:

    • Trust Relationships: Understanding how domains are connected.

    • Forest Structures: Identifying other domains within the forest.

    • Access Rights: Determining where they can authenticate.

    This reconnaissance helps attackers plan their next steps to expand their access within the network.

  • ATT&CK ID: T1482

  • Trigger Condition:

    • Execution of commands querying domain trusts (e.g., nltest, Get-ADTrust).

    • LDAP queries targeting domain trust information.

    • Unusual processes accessing Active Directory services.

  • How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where FileName == "nltest.exe"
| where ProcessCommandLine contains "/domain_trusts" or "/all_trusts"
| where InitiatingProcessAccountName !in ("DomainAdmin")
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine

DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "Get-ADTrust"
| where InitiatingProcessAccountName !in ("DomainAdmin")
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine

These queries detect the use of tools and commands to discover domain trust relationships by unauthorized users.

15 - Exploitation for Credential Access

  • Overview:

    Attackers exploit software vulnerabilities to obtain credential information from systems. By leveraging flaws in applications or operating systems, they can bypass security controls and access sensitive data such as password hashes, tokens, or plaintext credentials.

    Common tactics:

    • Memory Exploitation: Gaining access to process memory to extract credentials.

    • Local Privilege Escalation: Exploiting vulnerabilities to run code with higher privileges.

    • Targeting Authentication Mechanisms: Attacking components that handle credentials.

  • ATT&CK ID: T1212

  • Trigger Condition:

    • Use of exploit tools targeting known vulnerabilities.

    • Processes accessing LSASS memory without proper authorization.

    • Unusual crashes or instability in security-related processes.

  • How to Hunt Using Advanced Hunting:

    DeviceProcessEvents
| where FileName in ("procdump.exe", "outlook.exe")
| where ProcessCommandLine contains "lsass"
| where InitiatingProcessAccountName !in ("System", "AdminUser")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine

These queries detect attempts to access LSASS memory or exploit vulnerabilities to obtain credentials.

16 - System Services: Service Execution

  • Overview:

    Attackers execute malicious code by creating or modifying system services. Services run with high privileges and can be configured to start automatically, providing persistence and elevated execution contexts.

    Techniques include:

    • Creating New Services: Setting up services that execute attacker-controlled code.

    • Modifying Existing Services: Changing the configuration of legitimate services to run malicious code.

    • Service Binary Replacement: Replacing the executable of a service with a malicious one.

  • ATT&CK ID: T1569.002

  • Trigger Condition:

    • Creation of new services by non-administrative accounts.

    • Changes to service configurations pointing to unknown executables.

    • Services set to run from unusual directories.

  • How to Hunt Using Advanced Hunting:


DeviceProcessEvents
| where FileName == "sc.exe" or FileName == "powershell.exe"
| where ProcessCommandLine contains_any ("create", "config", "binPath")
| where InitiatingProcessAccountName !in ("System", "AdminUser")
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine

DeviceRegistryEvents
| where RegistryKey contains "\\System\\CurrentControlSet\\Services\\"
| where ActionType == "RegistryValueSet"
| where InitiatingProcessAccountName !in ("System", "AdminUser")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData

These queries detect the creation or modification of services by unauthorized users, indicating potential malicious service execution.

17- Remote Access Tools

  • Overview:

    Attackers use remote access tools (RATs) to maintain control over compromised systems. RATs provide functionalities like file transfer, command execution, screen capture, and keylogging. They often operate covertly, hiding their presence from users and security software.

    Common RATs include:

    • Custom Malware: Tailored tools designed for specific campaigns.

    • Legitimate Software Misuse: Abuse of remote administration tools like TeamViewer or Remote Desktop.

    • Open Source RATs: Tools like DarkComet or njRAT.

  • ATT&CK ID: T1219

  • Trigger Condition:

    • Execution of known RAT binaries.

    • Unusual listening ports or network connections to remote hosts.

    • Processes exhibiting remote access behaviors.

  • How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where FileName in ("TeamViewer.exe", "AnyDesk.exe", "remote.exe", "rat.exe")
| where InitiatingProcessAccountName !in ("ITSupport", "AdminUser")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine

DeviceNetworkEvents
| where LocalPort >= 1024
| where RemoteIP !in ("trusted_ips")
| summarize ConnectionCount = count() by InitiatingProcessFileName, RemoteIP
| where InitiatingProcessFileName in ("TeamViewer.exe", "AnyDesk.exe", "remote.exe", "rat.exe")
| project  InitiatingProcessFileName, RemoteIP, ConnectionCount

These queries detect the execution and network activities of remote access tools by unauthorized users.

18 - Masquerading: Match Legitimate Name or Location

  • Overview:

    Attackers rename files or place them in locations that match legitimate software to deceive users and security tools. By mimicking trusted applications or system files, they aim to:

    • Avoid Detection: Evade signature-based detection mechanisms.

    • Gain User Trust: Trick users into executing malicious files.

    • Bypass Application Whitelisting: Exploit policies that allow certain file names or paths.

  • ATT&CK ID: T1036.005

  • Trigger Condition:

    • Executables with names matching legitimate system files but located in incorrect directories.

    • Files placed in directories that are not typical for the file type.

    • Duplicate file names with slight variations (e.g., "explorer.exe" vs. "explore.exe").

  • How to Hunt Using Advanced Hunting:

DeviceFileEvents
| where FileName in~ ("svchost.exe", "explorer.exe", "notepad.exe")
| where not(FolderPath startswith "C:\\Windows\\")
| where FolderPath startswith_any ("C:\\Users\\", "C:\\Temp\\", "C:\\ProgramData\\")
| project Timestamp, DeviceName, FileName, FolderPath

DeviceProcessEvents
| where FileName has_any ("svchost.exe", "explorer.exe")
| where ProcessVersionInfoProductName != "Microsoft® Windows® Operating System"
| project Timestamp, DeviceName, FileName, ProcessVersionInfoProductName

These queries identify files and processes masquerading as legitimate system files but located in incorrect directories or with incorrect metadata.

19 - Unsecured Credentials: Private Keys

  • Overview:

    Attackers search for unsecured private keys on compromised systems. Private keys are used in asymmetric cryptography for authentication, encryption, and signing. If attackers obtain private keys, they can:

    • Decrypt Data: Access encrypted communications or files.

    • Authenticate as Trusted Entities: Impersonate servers or users.

    • Sign Malicious Code: Make malware appear legitimate.

    Private keys may be stored unencrypted or with weak protections, making them vulnerable.

  • ATT&CK ID: T1552.004

  • Trigger Condition:

    • Access to files with extensions like .pem, .key, .pfx.

    • Use of commands to search for private key files.

    • Unusual processes reading or copying private key files.

  • How to Hunt Using Advanced Hunting:

DeviceFileEvents
    | where FileName endswith ".pem" or FileName endswith ".key" or FileName endswith ".pfx" or FileName endswith "id_rsa" or FileName endswith "id_dsa"
    | where ActionType == "FileAccessed"
    | where InitiatingProcessFileName !in ("ssh.exe", "putty.exe")
    | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName,
    
    DeviceProcessEvents
    | where ProcessCommandLine has_any ("grep -i 'PRIVATE KEY'", "findstr /i 'PRIVATE KEY'")
    | project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine

These queries detect access to private key files by unauthorized processes and attempts to search for private keys.

20 - Archive Collected Data

  • Overview:

    Attackers compress or encrypt collected data before exfiltration to reduce size and evade detection. Archiving tools and libraries are used to package data into formats like ZIP, RAR, or 7z, sometimes with password protection.

    Benefits include:

  • Efficiency: Reducing the amount of data to transfer.

  • Obfuscation: Hiding the contents from inspection.

  • Bypassing Controls: Evading data loss prevention (DLP) systems.

  • ATT&CK ID: T1560

  • Trigger Condition:

    • Use of archiving utilities to compress data.

    • Creation of archive files in unusual locations.

    • Archiving of sensitive directories or large amounts of data.

  • How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where FileName in ("rar.exe", "winrar.exe", "7z.exe", "zip.exe")
| where ProcessCommandLine has_any ("a", "add", "rar", "zip")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine

DeviceFileEvents
| where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z"
| where FolderPath startswith "C:\\Users\\" or FolderPath startswith "C:\\Temp\\" or FolderPath startswith "C:\\Windows\\Temp\\"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

  • These queries detect the use of archiving tools and the creation of archive files in suspicious locations.

PreviousHunting with ATPNextHunting Attacks Using ATP part 1

Last updated