Merge pull request #218 from martyav/martyav-miners

pages related to doublepulsar

Author: tali-ash

Execution/detect-doublepulsar-execution.md

@@ -0,0 +1,46 @@
+# Detect DoublePulsar execution
+
+This query was originally published in the threat analytics report, *Motivated miners*.
+
+[Doublepulsar](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoublePulsar&threatId=-2147239036) is a backdoor developed by the National Security Agency (NSA). First [disclosed in 2017](https://www.scmagazine.com/home/security-news/cybercrime/doublepulsar-malware-spreading-rapidly-in-the-wild-following-shadow-brokers-dump/), it is now used by many malicious actors. Software [patches](https://support.microsoft.com/en-us/help/4013389/title) are available.
+
+The following query detects possible DoublePulsar execution events.
+
+See [Detect web server exploitation by DoublePulsar](detect-web-server-exploit-doublepulsar.md) for a query that detects behaviors associated with campaigns that use DoublePulsar.
+
+## Query
+
+```Kusto
+//DoublePulsar execution
+DeviceProcessEvents
+| where Timestamp > ago(7d)
+| where SHA1 == "be855cd1bfc1e1446a3390c693f29e2a3007c04e" or
+(ProcessCommandLine contains "targetport" and ProcessCommandLine contains "targetip" and 
+(ProcessCommandLine contains "payload" or ProcessCommandLine contains "verifybackdoor"))
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution | v |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team

Execution/detect-web-server-exploit-doublepulsar.md

@@ -0,0 +1,94 @@
+# Detect web server exploitation by DoublePulsar
+
+This query was originally published in the threat analytics report, *Motivated miners*.
+
+[Doublepulsar](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoublePulsar&threatId=-2147239036) is a backdoor developed by the National Security Agency (NSA). First [disclosed in 2017](https://www.scmagazine.com/home/security-news/cybercrime/doublepulsar-malware-spreading-rapidly-in-the-wild-following-shadow-brokers-dump/), it is now used by many malicious actors. Software [patches](https://support.microsoft.com/help/4013389/title) are available.
+
+The following query detects activity broadly associated with campaigns that use DoublePulsar to exploit web servers.
+
+See [Detect DoublePulsar execution](detect-doublepulsar-execution.md) for a query that detects possible DoublePulsar execution events.
+
+## Query
+
+```Kusto
+DeviceProcessEvents
+| where Timestamp >= ago(7d)
+| where 
+// "Grandparent" process is Oracle WebLogic or some process loading Confluence
+InitiatingProcessParentFileName == "beasvc.exe" or 
+InitiatingProcessFileName == "beasvc.exe" 
+or InitiatingProcessCommandLine contains "//confluence"
+// Calculate for Base64 in Commandline
+| extend Caps = countof(ProcessCommandLine, "[A-Z]", "regex"), 
+Total = countof(ProcessCommandLine, ".", "regex")
+| extend Ratio = todouble(Caps) / todouble(Total) 
+| where
+(
+    FileName in~ ("powershell.exe" , "powershell_ise.exe") // PowerShell is spawned
+    // Omit known clean processes
+    and ProcessCommandLine !startswith "POWERSHELL.EXE  -C \"GET-WMIOBJECT -COMPUTERNAME"
+    and ProcessCommandLine !contains "ApplicationNo"
+    and ProcessCommandLine !contains "CustomerGroup"
+    and ProcessCommandLine !contains "Cosmos"
+    and ProcessCommandLine !contains "Unrestricted"
+    and
+    (
+        ProcessCommandLine contains "$" // PowerShell variable declaration
+        or ProcessCommandLine contains "-e " // Alias for "-EncodedCommand" parameter
+        or ProcessCommandLine contains "encodedcommand"
+        or ProcessCommandLine contains "wget"
+        //or ( Ratio > 0.4 and Ratio < 1.0) // Presence of Base64 strings
+    )
+)
+or
+(
+    FileName =~ "cmd.exe" // cmd.exe is spawned
+    and ProcessCommandLine contains "@echo" and 
+    ProcessCommandLine contains ">" // Echoing commands into a file
+)
+or
+(
+    FileName =~ "certutil.exe" // CertUtil.exe abuse
+    and ProcessCommandLine contains "-split" 
+    // the "-split" parameter is required to write files to the disk
+)
+| project
+       Timestamp,
+       InitiatingProcessCreationTime ,
+       DeviceId ,
+       Grandparent_PID = InitiatingProcessParentId,
+       Grandparent = InitiatingProcessParentFileName,
+       Parent_Account = InitiatingProcessAccountName,
+       Parent_PID = InitiatingProcessId,
+       Parent = InitiatingProcessFileName ,
+       Parent_Commandline = InitiatingProcessCommandLine,
+       Child_PID = ProcessId,
+       Child = FileName ,
+       Child_Commandline = ProcessCommandLine
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution | v |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team