Improving query in T1036-WIN-001 #7

Open
jkb-s opened this issue Oct 23, 2023 · 0 comments
Comments

jkb-s commented Oct 23, 2023

Hi @olafhartong

The query proposed in Defense Evasion/T1036-WIN-001.md does not work very well.
First of all, it is written in such a way that the resulting data in memory is huge, which obviously affects its performance, but it does not have to be so.

The `IsSigned` value in `DeviceFileCertificateInfo` is always 1, so the condition `| where IsSigned == 0 or IsTrusted == 0` is basically `IsTrusted == 0`. That is because `DeviceFileCertificateInfo` stores information about file certificates - only signed files have certificates, so all files in this table are signed.

`IsTrusted == 0` is problematic because sometimes some devices have trust issues, and due to performance optimization we want to eliminate summarization per device and focus on SHA1.

So here is my proposed query:

```kql
// Successful outbound connections to public IPs, excluding System (PID 4) and Idle (PID 0)
let PublicConnections = materialize(
    DeviceNetworkEvents
    | where ActionType == "ConnectionSuccess"
        and RemoteIPType == "Public"
        and InitiatingProcessId !in (0,4)
);
// Hashes whose certificate is untrusted on every device that reported it;
// a hash seen as both trusted and untrusted (per-device trust issues) is dropped
let UnTrusted =
    DeviceFileCertificateInfo
    | summarize Trust = make_set(IsTrusted) by SHA1
    | where array_length(Trust) < 2
    | mv-expand Trust
    | where Trust == false; // Really untrusted
// Start from the small UnTrusted set so the join does not scan all connections per device
UnTrusted
| join PublicConnections on $left.SHA1 == $right.InitiatingProcessSHA1
| summarize count(),
            Devices = make_set(DeviceName),
            IPs = make_set(RemoteIP),
            URLs = make_set(RemoteUrl)
         by InitiatingProcessSHA1, InitiatingProcessFileName, InitiatingProcessFolderPath
| project-rename SHA1 = InitiatingProcessSHA1
| invoke FileProfile()
```

I can run this easily for 30 days of data within a really big environment.
The crucial point is to start the join with the UnTrusted table because it is definitely smaller than PublicConnections.

I know that this query does not have anything for unsigned binaries. That is because MDE is totally unreliable in this matter. I did try with DeviceProcessEvents to get a summary per InitiatingProcessSHA1 where the signature is not valid, got results, checked the SHA1 and ... what a surprise - it's valid.
In my opinion, for the unsigned binaries making connections we have to figure out something else.
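To make the trust-consolidation logic of the query above checkable offline, here is an added Python model (not part of the issue or the repository) that applies the same rules to constructed rows: a SHA1 reported as both trusted and untrusted is excluded, only consistently untrusted hashes are joined against the public connections, and the result is summarized per hash/name/path. Table names, column names and the SHA1 placeholder strings are constructed sample data, not real hashes or hosts.

```python
from collections import defaultdict

# Constructed rows modelling DeviceFileCertificateInfo (one row per device and file).
CERT_INFO = [
    {"DeviceName": "ws01", "SHA1": "hash_trusted", "IsTrusted": True},
    {"DeviceName": "ws02", "SHA1": "hash_trusted", "IsTrusted": True},
    {"DeviceName": "ws01", "SHA1": "hash_mixed", "IsTrusted": True},
    {"DeviceName": "ws03", "SHA1": "hash_mixed", "IsTrusted": False},  # one device with trust issues
    {"DeviceName": "ws02", "SHA1": "hash_untrusted", "IsTrusted": False},
    {"DeviceName": "ws03", "SHA1": "hash_untrusted", "IsTrusted": False},
]

# Constructed rows modelling DeviceNetworkEvents after the ConnectionSuccess/Public/PID filters.
def _conn(device, sha1, name, path, ip, url):
    return {"DeviceName": device, "InitiatingProcessSHA1": sha1, "InitiatingProcessFileName": name,
            "InitiatingProcessFolderPath": path, "RemoteIP": ip, "RemoteUrl": url}

PUBLIC_CONNECTIONS = [
    _conn("ws02", "hash_untrusted", "upd.exe", r"c:\users\public", "203.0.113.5", "example.net"),
    _conn("ws03", "hash_untrusted", "upd.exe", r"c:\users\public", "203.0.113.9", "example.org"),
    _conn("ws03", "hash_mixed", "tool.exe", r"c:\program files\tool", "203.0.113.7", "example.com"),
    _conn("ws01", "hash_trusted", "browser.exe", r"c:\program files\browser", "203.0.113.8", "example.com"),
]

def really_untrusted(cert_rows):
    """Mirror: summarize Trust = make_set(IsTrusted) by SHA1 | where array_length(Trust) < 2 | where Trust == false."""
    trust_seen = defaultdict(set)
    for row in cert_rows:
        trust_seen[row["SHA1"]].add(row["IsTrusted"])
    # Only hashes whose trust set is exactly {False} survive; mixed and trusted hashes are dropped.
    return {sha1 for sha1, seen in trust_seen.items() if seen == {False}}

def untrusted_public_connections(cert_rows, conn_rows):
    """Join the small untrusted set against the connections, then summarize per hash/name/path."""
    untrusted = really_untrusted(cert_rows)
    summary = {}
    for row in conn_rows:
        if row["InitiatingProcessSHA1"] not in untrusted:
            continue
        key = (row["InitiatingProcessSHA1"], row["InitiatingProcessFileName"], row["InitiatingProcessFolderPath"])
        agg = summary.setdefault(key, {"count": 0, "Devices": set(), "IPs": set(), "URLs": set()})
        agg["count"] += 1
        agg["Devices"].add(row["DeviceName"])
        agg["IPs"].add(row["RemoteIP"])
        agg["URLs"].add(row["RemoteUrl"])
    return summary
```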
