Detecting Malware Infection (MITRE ATT&CK: T1566, T1059)

Note: Sometimes, you may have to customise the queries to your environment. Also, queries will only work if the data is available.

Detecting Malware Infection (MITRE ATT&CK: T1566, T1059)

Overview:

Malware infection often involves scripts, executables, and payloads designed to compromise systems, execute commands, or maintain persistence. These infections can lead to lateral movement, data theft, or further compromises within the network.

Below are 25 Example Queries for Malware Infection Detection:

1. Detect Suspicious PowerShell Commands (Encoded Commands) PowerShell-encoded commands often indicate obfuscation used in malware payloads.

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "encodedCommand" | where InitiatingProcessAccountName !="network service" and InitiatingProcessAccountName !="system"| summarize count() by TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

Note: The following is an example of how to decode PowerShell-encoded commands:

# Example encoded string
$EncodedCommand = "enter encoded string"

# Convert from Base64 to bytes
$Bytes = [System.Convert]::FromBase64String($EncodedCommand)

# Convert bytes to string (UTF-16 LE)
$DecodedCommand = [System.Text.Encoding]::Unicode.GetString($Bytes)

# Output the decoded command
Write-Output $DecodedCommand

Method 2: Decode Using Python

Here’s how you can decode it using Python:

import base64

# Encoded command string
encoded_command = "Enter encoded string"

# Decode the Base64 string
decoded_bytes = base64.b64decode(encoded_command)

# Convert bytes to string (UTF-16 LE)
decoded_command = decoded_bytes.decode("utf-16-le")

# Print the decoded command
print(decoded_command)

1. Identify Execution of Suspicious EXEs from Temp Directories Malware often resides in temp directories before execution.

DeviceProcessEvents | where FileName endswith ".exe" and FolderPath contains "Temp" | where InitiatingProcessAccountName !="network service" and InitiatingProcessAccountName !="system" | where  FileName !in~ ("DismHost.exe", "Update.exe") and FolderPath startswith "C:\\Windows\\Temp\\" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

1. Track Use of MSHTA for Malicious Script Execution MSHTA is frequently abused to execute malicious scripts.

DeviceProcessEvents | where FileName == "mshta.exe"  | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

1. Detect Rundll32 Execution of Malicious DLLs Rundll32 is often used to execute malicious DLLs, a common malware technique.

DeviceProcessEvents | where FileName == "rundll32.exe" and ProcessCommandLine has ".dll" | where InitiatingProcessAccountName !="network service" and InitiatingProcessAccountName !="system" and InitiatingProcessAccountName !="local service" and InitiatingProcessAccountName !="lokaler dienst"  | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

1. Monitor Execution of Suspicious Scripting Engines Malicious scripts may be executed via WScript or CScript.

DeviceProcessEvents | where FileName in ("wscript.exe", "cscript.exe") | where InitiatingProcessAccountName !="network service" and InitiatingProcessAccountName !="system" and InitiatingProcessAccountName !="local service" and InitiatingProcessAccountName !="lokaler dienst" and InitiatingProcessAccountName !startswith "sys" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

1. Track EXE File Downloads and Execution via CertUtil CertUtil is often abused to download malware payloads.

DeviceProcessEvents | where FileName == "certutil.exe" and ProcessCommandLine has "URL" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

1. Identify the Use of LOLBins (Living Off the Land Binaries) Standard system binaries like bitsadmin and msiexec are often used in attacks.

DeviceProcessEvents | where FileName in ("bitsadmin.exe", "msiexec.exe") | where InitiatingProcessAccountName !="network service" and InitiatingProcessAccountName !="system" and InitiatingProcessAccountName !="local service" and InitiatingProcessAccountName !="lokaler dienst" and InitiatingProcessAccountName !startswith "sys" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

1. Detect Creation of Suspicious Scheduled Tasks Malware often uses scheduled tasks for persistence.

DeviceProcessEvents | where FileName == "schtasks.exe" and ProcessCommandLine has "create" | where InitiatingProcessAccountName !="system" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

1. Monitor PowerShell Script Downloads via Invoke-WebRequest Invoke-WebRequest is used to download malicious scripts from the internet.

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "Invoke-WebRequest" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

1. Track Suspicious Use of Bitsadmin for File Transfers Bitsadmin is sometimes leveraged to download or upload malicious files.

DeviceProcessEvents | where FileName == "bitsadmin.exe" and ProcessCommandLine has "transfer" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

1. Detect New EXE Files in User Directories New EXE files appearing in user directories may indicate malware delivery.

DeviceFileEvents | where FileName endswith ".exe" and FolderPath contains "Users" | where InitiatingProcessAccountName != "system"| summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath

1. Monitor Process Spawning from Office Applications Malicious macros in Office documents may spawn child processes.

DeviceProcessEvents | where InitiatingProcessFileName in ("winword.exe", "excel.exe", "powerpnt.exe")| summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath

1. Detect the Use of Task Scheduler to Maintain Persistence Scheduled tasks can be created by malware to ensure persistence.

DeviceProcessEvents | where FileName == "schtasks.exe" and ProcessCommandLine has_any ("create", "add") | where InitiatingProcessAccountName != "system"| summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath

1. Identify Script Execution via CMD (Batch Scripts) CMD can be used to execute batch scripts in malware infections.

DeviceProcessEvents | where FileName == "cmd.exe" and ProcessCommandLine has_any (".bat", "start") | where InitiatingProcessAccountName != "system" and InitiatingProcessAccountName !startswith "svc-wc" and InitiatingProcessAccountName !startswith "sys_"| summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath

1. Track PowerShell Use of Bypass Execution Policies Malicious PowerShell scripts often bypass execution policies.

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "-ExecutionPolicy Bypass" | where InitiatingProcessAccountName != "system" and InitiatingProcessAccountName !startswith "sys_" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath

1. Detect DLL Side-Loading or Injection DLL injection or side-loading is used to execute malicious code within trusted processes.

DeviceProcessEvents | where FileName == "rundll32.exe" and ProcessCommandLine has ".dll" | where InitiatingProcessAccountName !="system" and InitiatingProcessAccountName != "lokaler dienst" and InitiatingProcessAccountName != "local service" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath

1. Monitor Unusual Use of MSBuild for Malware Execution MSBuild is sometimes leveraged to execute code or load malware.

DeviceProcessEvents | where FileName == "MSBuild.exe" | where InitiatingProcessAccountName !startswith "sys_" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath

1. Detect Use of Hidden Windows for Malware Persistence (explorer.exe) Malware can use hidden windows to hide its execution from the user.

DeviceProcessEvents | where FileName == "explorer.exe" and ProcessCommandLine has "hidden" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath

1. Monitor Suspicious Use of CMD for File Deletion Malware may delete files to cover its tracks using the "del" command.

DeviceProcessEvents | where FileName == "cmd.exe" and ProcessCommandLine has "del" | where InitiatingProcessAccountName != "system" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath

1. Track Use of Remote Desktop Protocol for Malicious Access RDP is often used to access compromised systems remotely.

DeviceLogonEvents | where LogonType == "RemoteInteractive" and ActionType == "LogonSuccess" | where AccountName !startswith "sys_" | summarize count() by AccountName, DeviceName, RemoteIP, IsLocalAdmin, LogonType, ActionType, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath

1. Detect Powershell Execution Using Uncommon Flags Malicious scripts may use uncommon flags to bypass detection (e.g., -windowstyle hidden).

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "-windowstyle hidden" | where InitiatingProcessAccountName != "system" and InitiatingProcessAccountName != "network service"| summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath

1. Monitor the Use of VSSAdmin for Shadow Copy Deletion Malware (such as ransomware) may delete volume shadow copies to prevent recovery.

DeviceProcessEvents | where FileName == "vssadmin.exe" and ProcessCommandLine has "delete shadows" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath

1. Identify Unusual Network Traffic from Newly Executed Binaries Malware often communicates with external C2 servers after execution.

DeviceNetworkEvents | where InitiatingProcessFileName endswith ".exe" and RemoteUrl != "" | where InitiatingProcessAccountName != "system" and InitiatingProcessAccountName != "network service" and InitiatingProcessAccountName != "lokaler dienst" and InitiatingProcessAccountName != "netzwerkdienst" | summarize count() by DeviceName, ActionType, RemoteIP, LocalIP, RemotePort, RemoteUrl, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessParentFileName

1. Detect Execution of Signed Binaries Used by Attackers Attackers may abuse trusted signed binaries for malicious purposes (e.g., regsvr32, msiexec).

DeviceProcessEvents | where FileName in ("regsvr32.exe", "msiexec.exe") | where InitiatingProcessAccountName != "system" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath, InitiatingProcessFolderPath

1. Monitor the Use of Certutil for Decoding Malicious Payloads Certutil can be used to decode base64-encoded malicious payloads.

DeviceProcessEvents | where FileName == "certutil.exe" and ProcessCommandLine has "decode" | summarize count() by TimeGenerated, DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath, InitiatingProcessFolderPath