Hunting APT TTPs and LOLBAS Operations - Playbook

Overview

This playbook is designed for cyber investigators using Microsoft Defender for Endpoint (MDE) and Kusto Query Language (KQL) to hunt for tactics, techniques, and procedures (TTPs) associated with APT groups (e.g., APT41) and Living Off the Land Binaries and Scripts (LOLBAS). It draws from MITRE ATT&CK research and observed behaviours involving discovery, lateral movement, credential access, and data collection.

The Playbook Focuses On:

  • Detection Queries: KQL queries for MDE to identify suspicious activities.

  • Investigation Steps: Contextual guidance on interpreting results and pivoting.

  • Response Actions: Recommendations for containment and remediation.

  • Data Sources: Primarily DeviceProcessEvents, DeviceFileEvents, and DeviceNetworkEvents in MDE.

Assume an MDE role that permits advanced hunting. Run queries over a relevant time frame (e.g., the last 30 days) and correlate hits with MITRE ATT&CK IDs (e.g., T1016, System Network Configuration Discovery).

Prerequisites

  • Enable the relevant Windows audit and application logging (e.g., ESENT events in the Application log, which record ntds.dit being copied or attached).

  • Configure SACLs on sensitive files, such as ntds.dit, so that access generates Security Event ID 4663.

  • Monitor for anomalous processes via Sysmon or MDE.

Playbook Structure

Organised by key tools/commands observed in APT operations.

For each:

  • Description: TTP context and MITRE IDs.

  • KQL Queries: Adapted from provided MDE examples.

  • Investigation Tips: How to analyse results.

  • Mitigation: Preventive measures.

1. Initial Access & Execution: File Downloads

Certutil

Tactic: Execution (TA0002) / Command and Control (TA0011). Description: Used to download payloads (e.g., Cobalt Strike BEACON) via the URL cache (certutil -urlcache -split -f <url> <file>) and to decode base64-encoded droppers (certutil -decode). MITRE: T1105 (Ingress Tool Transfer), T1140 (Deobfuscate/Decode Files or Information).

KQL Query:

OR

Investigation Tips (Certutil Initiating External Network Connections):

The query looks for certutil.exe making outbound connections, which indicates a payload download or data staging rather than certificate maintenance.

  • Check DestinationPort in network events (e.g., 80, 443).

  • Pivot to IP addresses like 91.208.184.78.

  • Correlate with file downloads (e.g., 2.exe MD5: 3e856162c36b532925c8226b4ed3481c).

  • Mitigation: Restrict certutil.exe execution for standard users via AppLocker or WDAC and block its outbound connections with a host firewall rule (AppLocker controls execution, not network access); alert on any network initiation by certutil.exe.
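As an added example (not the playbook's original query), the following KQL unions certutil.exe download/decode command lines from DeviceProcessEvents with outbound connections that certutil.exe itself initiates in DeviceNetworkEvents, so both signals land in one row per device and account. The 30-day window, the keyword list and the use of RemoteIPType == "Public" as the outbound filter are assumptions; adjust them to the environment.

```kql
// Added example for the certutil section; not the playbook's original query.
// Assumptions: 30-day window, keyword list below, RemoteIPType == "Public" as the outbound filter.
let lookback = 30d;
let CertutilProc = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "certutil.exe"
    // urlcache/-split fetch a file, -decode turns a base64 blob into a binary, verifyctl also fetches a URL
    | where ProcessCommandLine has_any ("urlcache", "-split", "-decode", "-encode", "verifyctl", "http://", "https://")
    | extend Signal = "certutil download/decode command"
    | project Timestamp, DeviceName, AccountName, Signal,
              CommandLine = ProcessCommandLine,
              ParentProcess = InitiatingProcessFileName;
let CertutilNet = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "certutil.exe"
    | where RemoteIPType == "Public"
    | extend Signal = "certutil outbound connection"
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, Signal,
              CommandLine = InitiatingProcessCommandLine,
              ParentProcess = InitiatingProcessParentFileName,
              RemoteIP, RemotePort, RemoteUrl;
// union fills the network-only columns with null for process rows
union CertutilProc, CertutilNet
| summarize Events = count(),
            Signals = make_set(Signal),
            CommandLines = make_set(CommandLine, 10),
            Parents = make_set(ParentProcess),
            // only network rows carry a destination; keep the set free of empty entries
            Destinations = make_set_if(strcat(RemoteIP, ":", RemotePort, " ", RemoteUrl), isnotempty(RemoteIP), 10),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, AccountName
| order by Events desc
```

Legitimate CRL and chain-building traffic from certutil -verify can show up in the network half; exclude it by parent process or command line once confirmed. To pivot on a known indicator, add a filter such as `| where RemoteIP == "91.208.184.78"` before the summarize.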

2. Discovery & Enumeration

Dnscmd

Description: Enumerates DNS zones and records for environment discovery. MITRE: T1016 (System Network Configuration Discovery), T1018 (Remote System Discovery). Commands such as dnscmd /enumzones and dnscmd /enumrecords <zone> . reveal the network topology [T1016] and, in AD-integrated zones, the domain controllers and member hosts [T1018].

KQL Query:

OR

Investigation Tips: Broad Reconnaissance Command Execution

This query targets a wide array of discovery commands, including those used to identify network settings, system details, and domain structure.

  • Look for /enumrecords and /enumzones run by accounts or from hosts that do not administer DNS (zone names are redacted in the source report).

  • Use summarize count() by DeviceName, AccountName to find hosts with an outlying number of discovery commands.

  • Mitigation: Restrict dnscmd execution to admins; audit DNS queries.

3. Ldifde

Description: Exports AD objects (users, groups, computers) to an LDIF file for offline enumeration. MITRE: T1087.002 (Domain Account), T1069.002 (Domain Groups).

KQL Query:

Investigation Tips:

  • Scan for exported .ldf files in C:\Windows\Temp.

  • Correlate with net group commands.

  • Mitigation: Monitor file creations in Temp directories; restrict ldifde.exe to administrative hosts.

4. Net User/Group/Use

Description: Enumerates local and domain groups/admins.

MITRE: T1069.002 (Permission Groups Discovery).

KQL Query:

OR

Investigation Tips:

  • Identify unusual user contexts (e.g., non-admin).

  • Pivot to lateral movement indicators.

  • Mitigation: Audit net.exe usage; restrict to privileged accounts.

5. Netsh

Description: Shows firewall configs and sets up port proxies for forwarding. MITRE: T1090 (Proxy), T1016 (System Network Configuration Discovery).

KQL Queries:

  • Firewall Enumeration:

  • Port Proxy Addition:

Investigation Tips:

  • Check registry: HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp.

  • Review firewall logs for unauthorised rules.

  • Mitigation: Audit registry changes; limit portproxy usage.
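As an added example (not the playbook's original query), this KQL pulls the listen and connect arguments out of netsh portproxy commands and joins them to the PortProxy registry writes they produce, so the investigator sees the command, the account and the persisted forwarding rule together. The 30-day window and the 2-minute pairing window are assumptions.

```kql
// Added example for the netsh section; not the playbook's original query.
// Assumptions: 30-day window; a registry write within 2 minutes of the command belongs to it.
let lookback = 30d;
let PortProxyCommands = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "netsh.exe"
    | where ProcessCommandLine has "portproxy" and ProcessCommandLine has_any ("add", "set")
    // The three arguments can appear in any order, so pull each one out on its own
    | extend ListenPort  = extract(@"(?i)listenport=(\d+)", 1, ProcessCommandLine),
             ConnectAddr = extract(@"(?i)connectaddress=(\S+)", 1, ProcessCommandLine),
             ConnectPort = extract(@"(?i)connectport=(\d+)", 1, ProcessCommandLine)
    | project CmdTime = Timestamp, DeviceName, AccountName, ProcessCommandLine,
              ListenPort, ConnectAddr, ConnectPort;
let PortProxyRegistry = DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    // Each proxy is stored as value name "<listenaddr>/<listenport>" with data "<connectaddr>/<connectport>"
    // under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
    | where RegistryKey contains @"\PortProxy\v4tov4\"
    | where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
    | project RegTime = Timestamp, DeviceName, RegistryValueName, RegistryValueData,
              RegWriter = InitiatingProcessFileName;
PortProxyCommands
| join kind=leftouter PortProxyRegistry on DeviceName
| where isnull(RegTime) or RegTime between (CmdTime .. (CmdTime + 2m))
| project CmdTime, DeviceName, AccountName, ListenPort, ConnectAddr, ConnectPort,
          RegistryValueName, RegistryValueData, RegWriter, ProcessCommandLine
| order by CmdTime desc
```

Switching the join to kind=rightouter surfaces PortProxy registry writes that did not come from netsh.exe (for example reg.exe or a script writing the key directly), which the process filter alone would miss.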

6. Nltest

Description: Queries domain trusts and DCs. MITRE: T1482 (Domain Trust Discovery).

KQL Queries:

  • Basic Execution:

  • Recon Commands:

Investigation Tips:

  • Look for recon switches such as /dclist:, /domain_trusts, /dsgetdc: and /server:<host> /query.

  • Correlate with domain admin queries.

  • Mitigation: Restrict nltest to domain admins.

7. PowerShell

Description: PowerShell used to query the Security event log for logon events (e.g., Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}). MITRE: T1059.001 (PowerShell), T1033 (System Owner/User Discovery).

KQL Query:

Investigation Tips:

  • Check for failed logons (Event ID 4625), followed by successful logons.

  • Look for impossible-travel anomalies (the same account logging on from locations too far apart for the elapsed time).

  • Mitigation: Constrain PowerShell via AppLocker; enable script block logging.
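As an added example (not the playbook's original query), this KQL finds PowerShell that reads the Security log for logon events, including when the script is passed via -EncodedCommand. The decoding step assumes an ASCII-only payload: the blob is UTF-16LE, so the query decodes it as bytes and strips the interleaved NUL characters, which garbles any non-ASCII text. The 30-day window and the event ID list are assumptions.

```kql
// Added example for the PowerShell section; not the playbook's original query.
// Assumptions: 30-day window; -EncodedCommand payloads are ASCII-only (UTF-16LE decoded by dropping NULs).
let lookback = 30d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// -e, -enc and -EncodedCommand all introduce a base64 blob; -ExecutionPolicy does not match because no whitespace follows "-e"
| extend EncodedBlob = extract(@"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| extend Decoded = iff(isnotempty(EncodedBlob),
                       replace_regex(base64_decode_tostring(EncodedBlob), @"\x00", ""),
                       "")
| extend Script = iff(isnotempty(Decoded), Decoded, ProcessCommandLine)
| where Script matches regex @"(?i)get-winevent|get-eventlog|wevtutil"
// Security log by name, or the logon-related IDs an operator asks for directly
| where Script matches regex @"(?i)\bsecurity\b|\b46(24|25|48|72)\b|\b4776\b"
| extend EventIds = extract_all(@"\b(46\d\d|47\d\d)\b", Script)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          WasEncoded = isnotempty(EncodedBlob), EventIds, Script
| order by Timestamp desc
```

Where PowerShell script block logging (Event ID 4104) is forwarded, the same filters applied to the logged script text catch cases where the cmdlets are loaded from a file rather than passed on the command line.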

8. Reg Query/Save

Description: Saves the SAM, SYSTEM and SECURITY hives to disk for offline credential extraction, and queries software keys that hold stored credentials. MITRE: T1003.002 (Security Account Manager), T1003.004 (LSA Secrets), T1555 (Credentials from Password Stores).

KQL Queries:

  • Save Hives:

  • Query Software:

Investigation Tips:

  • Scan for saved files like ss.dat, sy.dat.

  • Pivot to tools like Mimikatz.

  • Mitigation: Audit registry access (SACLs on the hive keys); enable LSA protection (RunAsPPL) and Credential Guard so in-memory secrets are harder to reach; limit local administrator membership, since saving these hives requires it.

9. Systeminfo, Tasklist, Wevtutil

Description: Gathers system information, running processes, and event logs. MITRE: T1082 (System Information Discovery), T1057 (Process Discovery).

KQL Query (Combined Enumeration):

Investigation Tips:

  • Correlate with other recon commands.

  • Mitigation: Monitor for batch executions.

10. WMI/WMIC

Description: Queries logical disks; executes remote commands. MITRE: T1047 (Windows Management Instrumentation), T1082.

KQL Query:

Investigation Tips:

  • Enable the Microsoft-Windows-WMI-Activity/Operational log for user attribution.

  • Mitigation: Restrict WMI via GPO.

11. Ntdsutil

Description: Dumps NTDS.dit for AD credentials. MITRE: T1003.003 (NTDS).

KQL Queries:

  • Shadow Copy Creation:

  • NTDS Dump:

  • File Events:

Investigation Tips:

  • Check ESENT events (IDs 216, 325-327) for ntds.dit references.

  • Look for folders like \Active Directory, \registry.

  • If dumped, assume domain compromise; follow eviction guidance.

  • Mitigation: Harden DCs; audit ntdsutil.exe, vssadmin.exe and esentutl.exe; alert on offline extraction tools such as secretsdump.py if they appear on hosts.

12. Impacket

Description: Executes commands via WMI, outputs to ADMIN$ with timestamps. MITRE: T1047.

KQL Query:

Investigation Tips:

  • Parse the Unix epoch in the output file name (e.g., __1684956600.123456) to recover the execution time from the attacker's clock.

  • Check Security Event ID 5145 for ADMIN$ access.

  • Mitigation: Alert on the wmiexec output-file naming pattern and on cmd.exe spawned by WmiPrvSE.exe; restrict remote WMI to administrative subnets.
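As an added example (not the playbook's original query), this KQL looks for the wmiexec.py output-file pattern in ADMIN$ and converts the epoch embedded in the file name into a timestamp, then unions it with cmd.exe children of WmiPrvSE.exe whose command line redirects output into that file. The 30-day window and the assumption that ADMIN$ maps to C:\Windows are assumptions.

```kql
// Added example for the Impacket section; not the playbook's original query.
// Assumptions: 30-day window; wmiexec.py-style output files are named __<unix epoch>.<fraction> under ADMIN$ (C:\Windows).
let lookback = 30d;
let OutputFiles = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where FolderPath startswith @"C:\Windows\__"
    | where FileName matches regex @"^__\d{10}\.\d+$"
    // The name carries the operator's clock; the difference to the sensor clock shows skew on the attacker host
    | extend AttackerClock = unixtime_seconds_todatetime(tolong(extract(@"^__(\d{10})\.", 1, FileName)))
    | extend ClockSkew = Timestamp - AttackerClock
    | extend Signal = "wmiexec output file"
    | project Timestamp, DeviceName, Signal, Detail = strcat(ActionType, " ", FolderPath),
              AttackerClock, ClockSkew, Process = InitiatingProcessFileName,
              Parent = InitiatingProcessParentFileName, Account = InitiatingProcessAccountName;
let ExecChildren = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "WmiPrvSE.exe"
    | where FileName =~ "cmd.exe"
    // wmiexec runs: cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1
    | where ProcessCommandLine contains @"\admin$\__"
    | extend Signal = "cmd.exe spawned by WmiPrvSE.exe"
    | project Timestamp, DeviceName, Signal, Detail = ProcessCommandLine,
              Process = FileName, Parent = InitiatingProcessFileName, Account = AccountName;
union OutputFiles, ExecChildren
| summarize Events = count(), Signals = make_set(Signal), Details = make_set(Detail, 10),
            AttackerClocks = make_set_if(AttackerClock, isnotnull(AttackerClock), 10),
            Skews = make_set_if(ClockSkew, isnotnull(ClockSkew), 10),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, Account
| order by Events desc
```

A consistent non-zero skew across several hosts points at the same operator machine; pair the hits with Security Event ID 5145 for the ADMIN$ share to recover the source IP of the SMB session that read the output file.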

13. General Enumeration Commands

Description: Broad recon across the network, AD, and system. MITRE: T1016, T1069, T1082.

KQL Query:

Investigation Tips:

  • Use summarize to find hosts or accounts with an outlying count of discovery processes.

  • Correlate with user agents like "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0".

  • Mitigation: Implement network segmentation.
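As an added example that serves this section together with the Dnscmd, Net, Nltest and Systeminfo/Tasklist/Wevtutil sections above (not the playbook's original query), this KQL tags each discovery binary with its ATT&CK technique and reports account/host pairs that ran several distinct discovery tools inside one short window, which is the burst shape hands-on-keyboard reconnaissance produces. The 30-day lookback, the 10-minute window, the binary list and the threshold of four distinct binaries are assumptions.

```kql
// Added example for the general enumeration section (also covers the Dnscmd, Net, Nltest and
// Systeminfo/Tasklist/Wevtutil sections); not the playbook's original query.
// Assumptions: 30-day lookback, 10-minute window, >= 4 distinct discovery binaries per window.
let lookback = 30d;
let window = 10m;
let ReconCommands = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("net.exe", "net1.exe", "nltest.exe", "dnscmd.exe", "ldifde.exe", "systeminfo.exe",
                          "tasklist.exe", "wevtutil.exe", "whoami.exe", "ipconfig.exe", "nslookup.exe",
                          "quser.exe", "qwinsta.exe", "arp.exe", "route.exe", "netstat.exe", "dsquery.exe",
                          "wmic.exe", "netsh.exe")
    // Map each binary (and, for net.exe, its sub-command) to the technique it implements
    | extend Technique = case(
          FileName =~ "nltest.exe", "T1482 Domain Trust Discovery",
          FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has_any ("group", "localgroup"), "T1069 Permission Groups Discovery",
          FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "user", "T1087 Account Discovery",
          FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has_any ("use", "view", "share"), "T1135 Network Share Discovery",
          FileName in~ ("dnscmd.exe", "ipconfig.exe", "netsh.exe", "arp.exe", "route.exe", "nslookup.exe"), "T1016 System Network Configuration Discovery",
          FileName =~ "netstat.exe", "T1049 System Network Connections Discovery",
          FileName in~ ("systeminfo.exe", "wevtutil.exe"), "T1082 System Information Discovery",
          FileName =~ "tasklist.exe", "T1057 Process Discovery",
          FileName in~ ("quser.exe", "qwinsta.exe", "whoami.exe"), "T1033 System Owner/User Discovery",
          FileName in~ ("ldifde.exe", "dsquery.exe"), "T1087 Account Discovery",
          "Other discovery")
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Technique;
ReconCommands
| summarize Commands = count(),
            DistinctBinaries = dcount(FileName),
            Techniques = make_set(Technique),
            Sample = make_list(ProcessCommandLine, 10),
            Start = min(Timestamp), End = max(Timestamp)
    by DeviceName, AccountName, bin(Timestamp, window)
| where DistinctBinaries >= 4
| order by DistinctBinaries desc, Commands desc
```

Lower the threshold to 2 or 3 when hunting on domain controllers or jump hosts, where any reconnaissance by a non-administrative account matters; raise it on help-desk workstations, where net and ipconfig are routine.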

14. Credential Theft

Description: Targets SSH keys, Firefox profiles, and the registry for VNC/PuTTY. MITRE: T1555, T1003.

KQL Query:

Investigation Tips:

  • Scan for Mimikatz indicators.

  • Mitigation: Use Credential Guard; encrypt sensitive stores.
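As an added example that covers this section and the "Query Software" part of the Reg Query/Save section (not the playbook's original query), this KQL classifies command lines that name a credential store and groups them by host and account. It keys on command lines because DeviceFileEvents and DeviceRegistryEvents do not record reads, only creates, modifications and deletes. The 30-day window, the store patterns and the binary lists are assumptions to extend per environment.

```kql
// Added example for the credential-theft section (and the reg query part of the reg section); not the playbook's original query.
// Assumption: reads of these stores are not recorded by DeviceFileEvents/DeviceRegistryEvents, so the query keys
// on command lines that name them; 30-day window; pattern and binary lists are illustrative.
let lookback = 30d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| extend Store = case(
    ProcessCommandLine matches regex @"(?i)\\\.ssh\\|\bid_(rsa|dsa|ecdsa|ed25519)\b|\bknown_hosts\b", "SSH keys",
    ProcessCommandLine matches regex @"(?i)\\Mozilla\\Firefox\\Profiles\\|\b(logins\.json|key4\.db|key3\.db|cert9\.db)\b", "Firefox profile",
    ProcessCommandLine matches regex @"(?i)SimonTatham\\PuTTY\\Sessions|\\PuTTY\\", "PuTTY sessions (registry)",
    ProcessCommandLine matches regex @"(?i)\\(RealVNC|TightVNC|TigerVNC|UltraVNC)\\", "VNC configuration (registry)",
    ProcessCommandLine matches regex @"(?i)\\Microsoft\\Credentials\\|\\Microsoft\\Protect\\", "DPAPI/Credential Manager",
    "")
| where isnotempty(Store)
// Binaries that copy, read or query these stores; the products' own processes are excluded as parents
| where FileName in~ ("reg.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe",
                      "findstr.exe", "7z.exe", "rar.exe", "certutil.exe", "wmic.exe")
| where not(InitiatingProcessFileName in~ ("firefox.exe", "putty.exe", "pageant.exe", "vncserver.exe", "winvnc.exe"))
| summarize Commands = count(), Stores = make_set(Store), Sample = make_list(ProcessCommandLine, 10),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, AccountName
| order by array_length(Stores) desc, Commands desc
```

An account that touches more than one store type in the same period (SSH keys and PuTTY sessions, say) is a stronger signal than any single hit, which is why the result is ordered by the number of distinct stores first.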

15. Additional Commands (7z, RAR, etc.)

Description: Compresses data for exfil. MITRE: T1560 (Archive Collected Data).

KQL Query:

Investigation Tips:

  • Look for PowerShell launched with -WindowStyle Hidden alongside the archiver.

  • Mitigation: Alert on archivers writing to Temp or Public directories; restrict unapproved archive utilities via AppLocker/WDAC.

16. RUNDLL32

Description: Proxy for malicious payloads, LSASS dumps. MITRE: T1218.011 (Signed Binary Proxy Execution), T1003.001 (LSASS Memory).

KQL Query:

Investigation Tips:

  • Check for rundll32.exe loading comsvcs.dll with the MiniDump export against the lsass.exe PID, and for injection into explorer.exe.

  • Mitigation: Monitor DLL loads.

17. Schtasks

Description: Creates tasks for persistence/recon. MITRE: T1053.005 (Scheduled Task).

KQL Query:

Investigation Tips:

  • Filter for tasks whose action is a LOLBAS binary or an otherwise unexpected executable (the source notes calc.exe).

  • Mitigation: Audit task creations; restrict via GPO.
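As an added example (not the playbook's original query), this KQL parses the task name, action, run-as account, schedule and remote target out of schtasks /create command lines and flags tasks whose action is a LOLBAS binary, that run as SYSTEM, that were created on a remote host (/s), or that fire at logon. The 30-day window and the LOLBAS list are assumptions; extend the list from the LOLBAS project.

```kql
// Added example for the schtasks section; not the playbook's original query.
// Assumptions: 30-day window; the LOLBAS list below is illustrative and should be extended from lolbas-project.github.io.
let lookback = 30d;
let Lolbas = dynamic(["rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "cscript.exe", "wscript.exe",
                      "powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe", "bitsadmin.exe", "wmic.exe",
                      "installutil.exe", "msbuild.exe", "forfiles.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
// /tn may be quoted or bare; the task name ends at the next switch. /tr keeps the whole quoted action.
| extend TaskName   = extract(@"(?i)/tn\s+""?([^""/]+?)""?\s+/", 1, ProcessCommandLine),
         TaskAction = extract(@"(?i)/tr\s+(""[^""]*""|\S+)", 1, ProcessCommandLine),
         RunAs      = extract(@"(?i)/ru\s+(""[^""]*""|\S+)", 1, ProcessCommandLine),
         Schedule   = extract(@"(?i)/sc\s+(\S+)", 1, ProcessCommandLine),
         RemoteHost = extract(@"(?i)/s\s+(\S+)", 1, ProcessCommandLine)   // /s <host>: task created on another machine
| extend ActionBinary = tolower(extract(@"(?i)([\w\-]+\.exe)", 1, TaskAction))
| extend UsesLolbas   = ActionBinary in (Lolbas),
         RunsAsSystem = RunAs contains "system",
         IsRemote     = isnotempty(RemoteHost),
         AtLogon      = Schedule =~ "onlogon" or Schedule =~ "onstart"
| where UsesLolbas or RunsAsSystem or IsRemote or AtLogon
| project Timestamp, DeviceName, AccountName, TaskName, ActionBinary, TaskAction, RunAs, Schedule,
          RemoteHost, UsesLolbas, RunsAsSystem, IsRemote, AtLogon,
          Parent = InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc
```

A task created with /s against another host is lateral movement as much as persistence; pair those rows with Security Event ID 4698 (task created) on the target to confirm the task landed and to see the XML the scheduler stored.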

IOCs

  • File Hashes (SHA256):

    • f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd

    • ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31

    • (Full list in content; use for alerts)

  • File Names: cisco_up.exe, cl64.exe, vm3dservice.exe, etc.

  • Paths: C:\Users\Public\Appfile, C:\Perflogs, C:\Windows\Temp.

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0

  • C2 Ports: 80880 (sic; outside the valid 0-65535 port range, verify against the source report), 8443, 8043, 800, 10443.
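As an added example (not the playbook's original query), this KQL sweeps the file, process and network tables for the indicators listed above in one pass and rolls the hits up per device. Only the hashes, names, paths, IP and ports that appear on this page are included; the port 80880 entry is left out because it is not a valid TCP port, and C:\Windows\Temp is not matched on path alone because it is far too common. The 30-day window is an assumption.

```kql
// Added example for the IOC section; not the playbook's original query.
// Assumptions: 30-day window; indicators are exactly those listed on the page (80880 excluded as an invalid port;
// C:\Windows\Temp omitted from the path match because the folder alone is not an indicator).
let lookback = 30d;
let IocSha256 = dynamic(["f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd",
                         "ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31"]);
let IocFileNames = dynamic(["cisco_up.exe", "cl64.exe", "vm3dservice.exe", "2.exe"]);
let IocIps = dynamic(["91.208.184.78"]);
let IocPorts = dynamic([8443, 8043, 800, 10443]);
let IocPathRegex = @"(?i)^C:\\(Users\\Public\\Appfile|Perflogs)\\";
let FileHits = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where SHA256 in~ (IocSha256) or FileName in~ (IocFileNames) or FolderPath matches regex IocPathRegex
    | project Timestamp, DeviceName, Hit = strcat("file ", ActionType, " ", FolderPath), SHA256,
              Initiator = InitiatingProcessFileName;
let ProcHits = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where SHA256 in~ (IocSha256) or FileName in~ (IocFileNames) or FolderPath matches regex IocPathRegex
    | project Timestamp, DeviceName, Hit = strcat("process ", ProcessCommandLine), SHA256,
              Initiator = InitiatingProcessFileName;
let NetHits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    // Ports alone are weak indicators, so they only count against public destinations
    | where RemoteIP in (IocIps) or (RemoteIPType == "Public" and RemotePort in (IocPorts))
    | project Timestamp, DeviceName, Hit = strcat("network ", RemoteIP, ":", RemotePort, " by ", InitiatingProcessFileName),
              SHA256 = InitiatingProcessSHA256, Initiator = InitiatingProcessFileName;
union FileHits, ProcHits, NetHits
| summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Examples = make_set(Hit, 10), Hashes = make_set(SHA256, 10), Initiators = make_set(Initiator, 10)
    by DeviceName
| order by Hits desc
```

Port-only hits (8443 in particular) will dominate on hosts that talk to ordinary web services; treat a device as interesting when a port hit coincides with a hash, file-name or path hit, or with the listed IP.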

Response Actions

  1. Isolate Affected Hosts: Use MDE isolation.

  2. Credential Reset: If NTDS dumped, reset all domain creds.

  3. Eviction: Follow CISA guidance for actor removal.

  4. Enhance Monitoring: Add Sigma rules to the SIEM; map countermeasures with MITRE D3FEND.

Data Sources and Analytics

  • Command Execution: DeviceProcessEvents in MDE (the table has no EventId column; the equivalent native sources are Security Event ID 4688, Sysmon Event ID 1, and PowerShell Event IDs 800/4104).

  • File Access: Security Event ID 4663 with Accesses %%4416 (ReadData) or %%4417 (WriteData), generated by the SACLs configured above; in MDE, DeviceFileEvents records FileCreated/FileModified/FileDeleted/FileRenamed but not reads.

  • Analytic Example (Suspicious NTDS Access):
