When it comes to detecting malicious activity and potential security threats, analyzing the right data sources is crucial. Whether you are working with SIEM tools, conducting threat hunting, or performing forensic analysis, the following queries can be invaluable. The logic behind these queries remains consistent, though the format may need to be adjusted based on the platform you are using, such as Timesketch, Kibana, or other log management systems.
1. Detecting System Configuration and Host Information
CurrentControlSet
This query extracts information about the CurrentControlSet, which can help in understanding the system's boot configuration.
Query:
parser:winreg AND key_path:"HKEY_LOCAL_MACHINE\\System\\Select*"
Host Network Interfaces
Identify network interfaces configured on the host to monitor network-related configurations and potential unauthorized changes.
Query:
parser:winreg AND key_path:"*Parameters\\Interfaces*"
Hostname
Retrieve the hostname of the system, which can be used for identification in multi-host environments.
Query:
parser:winreg AND key_path:"*Control\\ComputerName\\ComputerName*"
Network Shares
Monitor network shares on the host, which can reveal potentially exposed resources or unauthorized access.
Query:
parser:winreg AND key_path:"*Lanmanserver\\Shares*" AND NOT message:*empty*
Software - SysInternals Tool Usage Indicator
Detect usage of SysInternals tools, which are often used by both administrators and attackers. This query checks for evidence that the tools have been executed.
Query:
parser:"winreg" AND key_path:"*Software\\Sysinternals\\*" AND values:"*EulaAccepted*"
2. Monitoring Remote Desktop Protocol (RDP) Activity
T1021.001 - AV Scanning Disabled for Attachments
This query identifies registry modifications under the Terminal Server Client keys (Default and Servers) related to the disabling of antivirus scanning for RDP attachments. Those same keys also record which hosts this machine has connected to over RDP, so any hit is worth reviewing as lateral-movement evidence as well.
Query:
parser:winreg AND (key_path:"*Microsoft\\Terminal Server Client\\Default*" OR key_path:"*Microsoft\\Terminal Server Client\\Servers*")
T1021.001 - RDP Activity Ended
Monitor for events that mark the end of an RDP session (LocalSessionManager 23, 24, 39, 40 and Security 4779), which lets you bracket the duration of a potentially unauthorized session.
Query:
(parser:"winevtx" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager" AND ((event_identifier:24 AND NOT xml_string:"*Address>LOCAL*") OR event_identifier:39 OR event_identifier:40 OR event_identifier:23)) OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4779)
T1021.001 - RDP Activity Started
Detect when an RDP session starts, focusing on non-local connections that may indicate remote access attempts.
Query:
(parser:"winevtx" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager" AND ((event_identifier:21 AND NOT xml_string:"*Address>LOCAL*") OR (event_identifier:22 AND NOT xml_string:"*Address>LOCAL*") OR (event_identifier:25 AND NOT xml_string:"*Address>LOCAL*"))) OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4624 AND xml_string:"*LogonType\">10*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4778)
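As an added example (not from the original post), this is the "RDP Activity Started" query expressed in Python over constructed Plaso-style events, so the filtering logic can be checked outside Timesketch. The field names mirror what Plaso emits for winevtx events; the sample events are made up.

```python
import fnmatch

# Constructed sample events in the shape Plaso/Timesketch exposes for winevtx
# records (parser, source_name, event_identifier, xml_string). Not real log data.
EVENTS = [
    {"id": 1, "parser": "winevtx",
     "source_name": "Microsoft-Windows-TerminalServices-LocalSessionManager",
     "event_identifier": 21, "xml_string": "<Address>10.0.0.25</Address>"},
    {"id": 2, "parser": "winevtx",
     "source_name": "Microsoft-Windows-TerminalServices-LocalSessionManager",
     "event_identifier": 21, "xml_string": "<Address>LOCAL</Address>"},
    {"id": 3, "parser": "winevtx", "source_name": "Microsoft-Windows-Security-Auditing",
     "event_identifier": 4624, "xml_string": '<Data Name="LogonType">10</Data>'},
    {"id": 4, "parser": "winevtx", "source_name": "Microsoft-Windows-Security-Auditing",
     "event_identifier": 4624, "xml_string": '<Data Name="LogonType">2</Data>'},
    {"id": 5, "parser": "winevtx", "source_name": "Microsoft-Windows-Security-Auditing",
     "event_identifier": 4778, "xml_string": ""},
]


def like(value, pattern):
    """Case-insensitive wildcard match, the way field:"*x*" behaves in the queries."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def rdp_started(ev):
    """Python form of the 'RDP Activity Started' query: LocalSessionManager
    21/22/25 from a non-LOCAL address, Security 4624 with LogonType 10
    (RemoteInteractive), or Security 4778 (session reconnected)."""
    if ev["parser"] != "winevtx":
        return False
    src, eid, xml = ev["source_name"], ev["event_identifier"], ev["xml_string"]
    if src == "Microsoft-Windows-TerminalServices-LocalSessionManager":
        return eid in (21, 22, 25) and not like(xml, "*Address>LOCAL*")
    if src == "Microsoft-Windows-Security-Auditing":
        return (eid == 4624 and like(xml, '*LogonType">10*')) or eid == 4778
    return False


def hunt(events, rule):
    """Return the ids of the events a rule flags, in timeline order."""
    return [ev["id"] for ev in events if rule(ev)]


if __name__ == "__main__":
    print(hunt(EVENTS, rdp_started))  # [1, 3, 5]
```

Event 2 is dropped because the session came from the console (Address LOCAL) and event 4 because LogonType 2 is an interactive, not a remote, logon.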
3. Identifying Potential Lateral Movement
T1021.002 - Potential SMB Lateral Movement (Source)
Track SMB connections that might indicate lateral movement. Event 4648 (logon with explicit credentials) records the target address and port, so filtering on port 445 surfaces SMB connections made with alternate credentials from this host.
Query:
parser:winevtx AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4648 AND xml_string:"*IpPort\">445*"
4. Monitoring Task and Script Execution
T1053.005 - Scheduled Tasks
Scheduled tasks can be used by attackers to persist on a system. This query helps detect such tasks, excluding common Microsoft tasks.
Query:
parser:winreg AND key_path:"*CurrentVersion\\Schedule\\TaskCache\\Tree*" AND NOT key_path:"*CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft*" AND NOT message:"*SD: [REG_BINARY] (220 bytes)*"
T1059 - PowerShell Web Request
Detect the use of PowerShell for web requests, which is a common technique in fileless malware attacks.
Query:
parser:"winevtx" AND (event_identifier:"4104" OR event_identifier:"4688" OR event_identifier:"1") AND (message:"*Invoke-WebRequest*" OR message:"*iwr*" OR message:"*wget*" OR message:"*curl*" OR message:"*Net.WebClient*" OR message:"*Start-BitsTransfer*")
T1059.001 - PowerShell Configuration
Monitor changes to PowerShell settings, which might indicate an attacker attempting to modify execution policies or script logging.
Query:
parser:"winreg" AND key_path:"*Microsoft\\PowerShell*" AND (message:*EnableScript* OR message:*ExecutionPolicy* OR message:*EnableModuleLogging*)
5. Security Monitoring and Defense Evasion
T1070.001 - Windows Log Cleared
This query detects the clearing of Windows event logs, a common technique used by attackers to cover their tracks.
Query:
parser:"winevtx" AND source_name:"Microsoft-Windows-Eventlog" AND event_identifier:"1102"
T1078 - Windows Account Activity
Monitor for changes in user accounts, such as enabling, disabling, or modifying permissions.
Query:
parser:"winevtx" AND (event_identifier:"4722" OR event_identifier:"4724" OR event_identifier:"4728" OR event_identifier:"4634" OR event_identifier:"4672" OR event_identifier:"4733")
T1078.003 - Query for a Blank Password for An Account
Detect attempts to query or check for blank passwords on accounts, which may indicate password-guessing attacks.
Query:
parser:"winevtx" AND event_identifier:"4797"
6. Detecting Suspicious Network Activity and Proxy Configurations
T1090 - Proxy Config
Identify modifications to proxy settings, which may indicate the presence of proxy-aware malware or unauthorized network changes.
Query:
parser:"winreg" AND key_path:"HKEY_LOCAL_MACHINE\\Software\\*\\Microsoft\\Windows\\CurrentVersion\\Internet Settings*" AND (values:*AutoDetect* OR values:*ProxyServer* OR values:*ProxyOverride* OR values:*ProxyEnable*)
T1110 - SQL Server Failure
Monitor SQL Server authentication failures, which may indicate brute-force or dictionary attacks.
Query:
parser:winevtx AND display_name:"*Logs\\Application\.evtx" AND event_identifier:"18456"
T1110 - Suspicious Logon Failures
Track multiple failed login attempts across different accounts, which may be indicative of password spraying or brute force attacks.
Query:
parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND (event_identifier:"4625" OR event_identifier:"4767" OR event_identifier:"4740" OR event_identifier:"4776")
T1197 - Suspicious BitsTransfer Activity
Event 59 in the BITS-Client log records a transfer job starting together with its URL; this query keeps only jobs that fetch scripts, executables, libraries or archives.
Query:
parser:"winevtx" AND source_name:"Microsoft-Windows-Bits-Client" AND event_identifier:"59" AND (strings:"*\.ps1*" OR strings:"*\.bat*" OR strings:"*\.exe*" OR strings:"*\.dll*" OR strings:"*\.zip*" OR strings:"*\.rar*" OR strings:"*\.7z*" OR strings:"*\.tar*")
T1204 - Execution
Collect evidence of program execution from several artifacts at once: MUICache, Prefetch, process creation (4688), the Open/Save dialog MRU keys, and Application-Experience event 500.
Query:
(parser:"winreg" AND (key_path:"*Microsoft\\Windows\\ShellNoRoam\\MUICache*" OR key_path:"*Software\\Microsoft\\Windows\\Shell\\MUICache*")) OR parser:"prefetch" OR (parser:"winevtx" AND event_identifier:"4688") OR (parser:"winreg" AND key_path:"*LastVisitedPidlMRU*") OR (parser:"winreg" AND key_path:"*LastVisitedMRU*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Application-Experience" AND event_identifier:"500")
T1204 - Execution of a Binary via BAM
The Background Activity Moderator (BAM) records the full path of executables run by each user SID, which survives even when Prefetch is disabled.
Query:
parser:"bam" AND binary_path:*exe
T1204 - Execution or Existence of a File
Shimcache (AppCompatCache) entries show that a file with the given path was present on the system; treat them as existence evidence rather than proof of execution.
Query:
parser:"appcompatcache" AND (path:*exe* OR path:*cpl* OR path:*ps1* OR path:*msi* OR path:*dll* OR path:*bat*)
T1204 - User Execution or Shortcut
UserAssist records programs and shortcuts launched through the GUI by each user.
Query:
parser:"userassist" AND (value_name:*lnk* OR value_name:*exe*)
T1543 - Installation or Execution of a Windows Service
Events 7045 (System log) and 4697 (Security log) both record a new service being installed; the svchost filter removes standard Windows services hosted in service groups.
Query:
parser:"winevtx" AND (event_identifier:"7045" OR event_identifier:"4697") AND NOT message:"*svchost.exe -k*"
T1546.003 - WMI CommandLine Consumer
Execution events that mention wmiprvse (the WMI provider host) can reveal commands launched through WMI event subscriptions.
Query:
tag:Execution AND message:*wmiprvse*
T1547.001 - Windows Autorun
Query:
parser:"windows_run" AND (message:*exe* OR message:*.dll* OR message:*.bat* OR message:*.ps1*)
T1548.002 - UAC Disabled in Registry
An EnableLUA value of 0 turns User Account Control off for the whole system.
Query:
parser:"winreg" AND key_path:"*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA" AND message:"*DisplayType: [REG_DWORD_LE] 0*"
T1560 or T1083 - File Save or Discovery
Query:
parser:"winreg" AND key_path:*OpenSave*MRU* AND message:*Shell*
T1560.001 - Archived Files
Query:
(data_type:"windows:lnk:link" OR data_type:"windows:shell_item:file_entry" OR data_type:"olecf:dest_list:entry" OR data_type:"windows:registry:mrulistex") AND (message:*.zip* OR message:*.7z* OR message:*.tar.gz* OR message:*.tar* OR message:*.gz*)
T1562.001 - Win Defender Disabled
Defender operational events 5001 (real-time protection disabled), 5010 (anti-spyware scanning disabled) and 5012 (antivirus scanning disabled).
Query:
parser:"winevtx" AND source_name:"Microsoft-Windows-Windows Defender" AND (event_identifier:"5001" OR event_identifier:"5010" OR event_identifier:"5012")
T1562.001 - Windows Defender Disabled Registry Key
Query:
parser:"winreg" AND key_path:"*Microsoft\\Windows Defender*" AND (values:"*DisableRealtimeMonitoring: \[REG_DWORD_LE\] 1*" OR values:"*DisableAntiSpyware: \[REG_DWORD_LE\] 1*" OR values:"*DisableAntiVirus: \[REG_DWORD_LE\] 1*" OR values:"*DisableBehaviorMonitoring: \[REG_DWORD_LE\] 1*" OR values:"*DisableIOAVProtection: \[REG_DWORD_LE\] 1*" OR values:"*DisableOnAccessProtection: \[REG_DWORD_LE\] 1*" OR values:"*DisableScanOnRealtimeEnable: \[REG_DWORD_LE\] 1*" OR values:"*DisableEnhancedNotifications: \[REG_DWORD_LE\] 1*" OR values:"*DisableBlockAtFirstSeen: \[REG_DWORD_LE\] 1*")
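As an added example (not part of the original post), this parses the "Name: [TYPE] data" value strings that the query above matches with wildcards and flags the nine Defender kill switches by name, which avoids false hits on values that merely contain the digit 1. The registry events are constructed to look like Plaso winreg output.

```python
import re

# Constructed Plaso-style winreg events; the values field uses the
# "Name: [TYPE] data" form the page's queries match on. Not real data.
EVENTS = [
    {"id": 1, "parser": "winreg",
     "key_path": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
     "values": "DisableRealtimeMonitoring: [REG_DWORD_LE] 1  DisableBehaviorMonitoring: [REG_DWORD_LE] 0"},
    {"id": 2, "parser": "winreg",
     "key_path": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender",
     "values": "DisableAntiSpyware: [REG_DWORD_LE] 0"},
    {"id": 3, "parser": "winreg",  # same value name, but not under a Defender key
     "key_path": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "values": "DisableAntiVirus: [REG_DWORD_LE] 1"},
]

# The nine value names the query on this page treats as Defender kill switches.
DEFENDER_KILL_SWITCHES = {
    "DisableRealtimeMonitoring", "DisableAntiSpyware", "DisableAntiVirus",
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable", "DisableEnhancedNotifications", "DisableBlockAtFirstSeen",
}

VALUE_RE = re.compile(r"(\w+): \[(REG_\w+)\] (\S+)")


def parse_values(rendered):
    """Turn a rendered value string into {name: (type, data)}."""
    return {m.group(1): (m.group(2), m.group(3)) for m in VALUE_RE.finditer(rendered)}


def defender_disabled(ev):
    """Python form of the 'Windows Defender Disabled Registry Key' query:
    returns the kill-switch names set to DWORD 1 under a Windows Defender key."""
    if ev["parser"] != "winreg" or "Microsoft\\Windows Defender" not in ev["key_path"]:
        return []
    return [name for name, (vtype, data) in parse_values(ev["values"]).items()
            if name in DEFENDER_KILL_SWITCHES and vtype.startswith("REG_DWORD") and data == "1"]


def hunt(events):
    """Map event id -> disabled Defender features, for events that set any."""
    return {ev["id"]: hits for ev in events if (hits := defender_disabled(ev))}


if __name__ == "__main__":
    print(hunt(EVENTS))  # {1: ['DisableRealtimeMonitoring']}
```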
T1562.001 - Windows Defender Disabled via PS
Query:
parser:"winevtx" AND message:"*Set-MpPreference*" AND (message:"*Disable*" OR message:"*Reporting*" OR message:"*SubmitSamplesConsent*" OR message:"*DefaultAction*")
T1562.001 - Windows Defender Exclusions
Exclusions can be found either as populated values under the Exclusions registry key or as Defender event 5007 (configuration changed) mentioning Exclusions.
Query:
(parser:"winreg" AND key_path:"*Windows Defender\\Exclusions\*" AND NOT message:*empty*) OR (parser:"winevtx" AND event_identifier:"5007" AND message:*Exclusions*)
T1562.004 - Windows Firewall Disabled
Query:
parser:"winreg" AND (display_name:*SOFTWARE OR display_name:*SYSTEM) AND (message:"*EnableFirewall: [REG_DWORD] 0x00000000*" OR message:"*EnableFirewall: [REG_DWORD_LE] 0*")
T1562.004 - Windows Firewall Rules
Rule changes appear both under the FirewallRules registry key and as event 2005 (rule modified) in the Windows Firewall With Advanced Security log.
Query:
(parser:"winreg" AND key_path:"*FirewallRules*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Windows Firewall With Advanced Security" AND event_identifier:"2005")
Timezone
Query:
parser:"winreg" AND key_path:"*Control\\TimeZoneInformation*"
Windows Network Adapter Details
Query:
parser:"winreg" AND key_path:"*Tcpip\\Parameters\\Interfaces*" AND NOT message:*empty*
Windows OS Version
Query:
parser:"winreg" AND data_type:"windows:registry:installation"
Windows Patch Installation Success
Query:
parser:"winevtx" AND source_name:"Microsoft-Windows-WindowsUpdateClient" AND display_name:"*System\\.evtx" AND event_identifier:"19"
Windows User Profiles
Query:
parser:"winreg/winreg_default" AND key_path:"*ProfileList*"
These queries form the backbone of effective threat detection and forensic analysis.
Happy hunting!
Akash Patel