From cc6a3d78df0cc4e7c21c1dd97914a1e6326ddfa3 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Fri, 30 Oct 2020 17:53:58 -0400 Subject: [PATCH 1/5] added hiding-java-class-file.md --- Defense evasion/hiding-java-class-file.md | 41 +++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 Defense evasion/hiding-java-class-file.md diff --git a/Defense evasion/hiding-java-class-file.md b/Defense evasion/hiding-java-class-file.md new file mode 100644 index 00000000..99473583 --- /dev/null +++ b/Defense evasion/hiding-java-class-file.md 
@@ -0,0 +1,41 @@ +# Hiding a Java class file + +This query was originally published in the threat analytics report, *Adwind utilizes Java for cross-platform impact*. + +Adwind is a remote access tool (RAT) that takes advantage of the cross-platform capabilities of the Java framework. It can check which operating system a target is running and adapt accordingly, allowing it to successfully compromise both Windows and macOS devices. + +The query below checks for attempts to disguise Java class files (i.e., complied code with a *.class* extension). Although the behavior detected by this query is typical of attacks that use Adwind malware, unrelated attacks may use the same or similar defense evasion techniques. + +## Query + +```kusto +union DeviceFileEvents, DeviceProcessEvents +| where ProcessCommandLine contains "attrib +h +s +r " +and ProcessCommandLine contains ".class" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | v | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## Contributor info + +**Contributor:** Microsoft Threat Protection team From cff43c6bb2475af3193b43c6c3b9585552c70a62 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Fri, 30 Oct 2020 18:09:48 -0400 Subject: [PATCH 2/5] added jar-attachments.md --- Defense evasion/hiding-java-class-file.md | 3 ++ Initial access/jar-attachments.md | 45 +++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 Initial access/jar-attachments.md 
diff --git a/Defense evasion/hiding-java-class-file.md b/Defense evasion/hiding-java-class-file.md index 99473583..3f112b0e 100644 --- a/Defense evasion/hiding-java-class-file.md +++ b/Defense evasion/hiding-java-class-file.md @@ -6,6 +6,9 @@ Adwind is a remote access tool (RAT) that takes advantage of the cross-platform The query below checks for attempts to disguise Java class files (i.e., complied code with a *.class* extension). Although the behavior detected by this query is typical of attacks that use Adwind malware, unrelated attacks may use the same or similar defense evasion techniques. +See [Hiding a Java class file](../Initial%20access/jar-attachments.md) for an additional query that detects behavior associated with Adwind attacks + + ## Query ```kusto diff --git a/Initial access/jar-attachments.md b/Initial access/jar-attachments.md new file mode 100644 index 00000000..74b4aaa8 --- /dev/null +++ b/Initial access/jar-attachments.md 
@@ -0,0 +1,45 @@ +# Detecting a JAR attachment + +This query was originally published in the threat analytics report, *Adwind utilizes Java for cross-platform impact*. + +Adwind is a remote access tool (RAT) that takes advantage of the cross-platform capabilities of the Java framework. It can check which operating system a target is running and adapt accordingly, allowing it to successfully compromise both Windows and macOS devices. + +The query below must be run in Microsoft 365 Defender. This query detects events where a single Java archive, or JAR file, was attached to an incoming email. Since Adwind is distributed as a JAR file, this can help detect the initial access stage of a Adwind attack. Note that, although the behavior detected by this query is typical of attacks that use Adwind malware, unrelated attacks may use the same or similar techniques. Also note that JAR attachments are not necessarily or even often malware, and that further research will be needed to determine if query results are associated with malicious behavior. + +See [Hiding a Java class file](../Defense%20evasion/hiding-java-class-file.md) for an additional query that detects behavior associated with Adwind attacks, + +## Query + +```kusto +let mailsHTML = EmailAttachmentInfo +| where FileType startswith "Jar" +| distinct NetworkMessageId; +EmailEvents +| where NetworkMessageId in (mailsHTML) and AttachmentCount == 1 +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? 
(v=yes) | Notes | +|-|-|-| +| Initial access | v | Microsoft 365 Defender exclusive | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## Contributor info + +**Contributor:** Microsoft Threat Protection team From 781380a2439237c2906bdba776a921a342a9eea7 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Mon, 2 Nov 2020 11:32:12 -0500 Subject: [PATCH 3/5] added hiding-java-class-file.md, typo --- Defense evasion/hiding-java-class-file.md | 3 +-- Initial access/jar-attachments.md | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/Defense evasion/hiding-java-class-file.md b/Defense evasion/hiding-java-class-file.md index 3f112b0e..89eb157f 100644 --- a/Defense evasion/hiding-java-class-file.md +++ b/Defense evasion/hiding-java-class-file.md @@ -6,8 +6,7 @@ Adwind is a remote access tool (RAT) that takes advantage of the cross-platform The query below checks for attempts to disguise Java class files (i.e., complied code with a *.class* extension). Although the behavior detected by this query is typical of attacks that use Adwind malware, unrelated attacks may use the same or similar defense evasion techniques. -See [Hiding a Java class file](../Initial%20access/jar-attachments.md) for an additional query that detects behavior associated with Adwind attacks - +See [Detecting a JAR attachment](../Initial%20access/jar-attachments.md) for an additional query that detects behavior associated with Adwind attacks. ## Query diff --git a/Initial access/jar-attachments.md b/Initial access/jar-attachments.md index 74b4aaa8..ea4c794f 100644 --- a/Initial access/jar-attachments.md +++ b/Initial access/jar-attachments.md 
@@ -6,7 +6,7 @@ Adwind is a remote access tool (RAT) that takes advantage of the cross-platform The query below must be run in Microsoft 365 Defender. This query detects events where a single Java archive, or JAR file, was attached to an incoming email. Since Adwind is distributed as a JAR file, this can help detect the initial access stage of a Adwind attack. Note that, although the behavior detected by this query is typical of attacks that use Adwind malware, unrelated attacks may use the same or similar techniques. Also note that JAR attachments are not necessarily or even often malware, and that further research will be needed to determine if query results are associated with malicious behavior. -See [Hiding a Java class file](../Defense%20evasion/hiding-java-class-file.md) for an additional query that detects behavior associated with Adwind attacks, +See [Hiding a Java class file](../Defense%20evasion/hiding-java-class-file.md) for an additional query that detects behavior associated with Adwind attacks. ## Query From 53c9c2613572283039cd4bb0ed76ac6f88403f64 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Wed, 4 Nov 2020 15:28:23 -0500 Subject: [PATCH 4/5] Update hiding-java-class-file.md --- Defense evasion/hiding-java-class-file.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Defense evasion/hiding-java-class-file.md b/Defense evasion/hiding-java-class-file.md index 89eb157f..1295dd48 100644 --- a/Defense evasion/hiding-java-class-file.md +++ b/Defense evasion/hiding-java-class-file.md @@ -12,7 +12,7 @@ See [Detecting a JAR attachment](../Initial%20access/jar-attachments.md) for an ```kusto union DeviceFileEvents, DeviceProcessEvents -| where ProcessCommandLine contains "attrib +h +s +r " +| where ProcessCommandLine has "attrib +h +s +r " and ProcessCommandLine contains ".class" ``` From 0e92475f6a8a42ae91aa179cf1fde8e5dbce4aac Mon Sep 17 00:00:00 2001 
From: Marty Hernandez Avedon Date: Wed, 4 Nov 2020 15:48:37 -0500 Subject: [PATCH 5/5] Update jar-attachments.md To account for multiple attachments --- Initial access/jar-attachments.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Initial access/jar-attachments.md b/Initial access/jar-attachments.md index ea4c794f..a0343f60 100644 --- a/Initial access/jar-attachments.md +++ b/Initial access/jar-attachments.md @@ -15,7 +15,7 @@ let mailsHTML = EmailAttachmentInfo | where FileType startswith "Jar" | distinct NetworkMessageId; EmailEvents -| where NetworkMessageId in (mailsHTML) and AttachmentCount == 1 +| where NetworkMessageId in (mailsHTML) and AttachmentCount > 0 ``` ## Category
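Review bot: In the PATCH 1/5 hunk for `Defense evasion/hiding-java-class-file.md`, the `union DeviceFileEvents, DeviceProcessEvents` followed by `| where ProcessCommandLine contains ...` only ever matches rows from DeviceProcessEvents: DeviceFileEvents carries the command line as `InitiatingProcessCommandLine`, so `ProcessCommandLine` is null for every row contributed by that table and the filter drops them all. Either query DeviceProcessEvents alone, or filter each table on its own column before the union (for example `DeviceFileEvents | where InitiatingProcessCommandLine contains "attrib" ...`). The same hunk has "complied code" in the description, which should read "compiled code", and the Category table leaves the Notes cell for "Defense evasion" empty where a pointer to ATT&CK T1564.001 (Hide Artifacts: Hidden Files and Directories) would tell an analyst what the `attrib +h +s` pattern maps to.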
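Review bot: In the PATCH 2/5 hunk `@@ -6,6 +6,9 @@` for `Defense evasion/hiding-java-class-file.md`, the added cross-reference uses the current file's own title ("Hiding a Java class file") as the link text for a link that points at `../Initial%20access/jar-attachments.md`, whose title is "Detecting a JAR attachment"; the sentence is also missing its final period and the hunk adds two blank lines before `## Query`. PATCH 3/5 corrects all three, so the two commits should be squashed rather than leaving a knowingly wrong link in history.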
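Review bot: In the PATCH 2/5 hunk that creates `Initial access/jar-attachments.md`, the `let mailsHTML = EmailAttachmentInfo | where FileType startswith "Jar"` binding is misnamed: it collects messages with JAR attachments, not HTML, and the name will mislead anyone adapting the query; `jarMessages` or similar is clearer. The final `EmailEvents | where NetworkMessageId in (mailsHTML) ...` returns the message row only, so an analyst triaging a hit has no attachment name or hash; joining back to EmailAttachmentInfo on `NetworkMessageId` and projecting `FileName` and `SHA256` alongside `SenderFromAddress` and `Subject` would make the result actionable. Minor: "a Adwind attack" should be "an Adwind attack", "complied code" recurs here as well, and the Notes cell for "Initial access" could cite ATT&CK T1566.001 (Phishing: Spearphishing Attachment) next to the "Microsoft 365 Defender exclusive" remark.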
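Review bot: In the PATCH 3/5 hunk `@@ -6,8 +6,7 @@` for `Defense evasion/hiding-java-class-file.md`, the link text and trailing period are fixed, but the unchanged context line immediately above still reads "complied code with a *.class* extension"; since this hunk already touches the paragraph, fix that typo here rather than in a later commit.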
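Review bot: In the PATCH 3/5 hunk `@@ -6,7 +6,7 @@` for `Initial access/jar-attachments.md`, the stray comma is replaced with a period, but the context line above still contains "the initial access stage of a Adwind attack"; "an Adwind attack" belongs in the same typo fix.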
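Review bot: In the PATCH 4/5 hunk for `Defense evasion/hiding-java-class-file.md`, swapping `contains` for `has` on `"attrib +h +s +r "` changes substring matching to term matching, which is the right direction, but the literal still encodes one switch order and a trailing space, so `attrib +s +h +r x.class`, `attrib +r +h +s x.class` or a command line that ends right after `+r` are all missed. Matching the command name and the switches separately, e.g. `ProcessCommandLine has "attrib" and ProcessCommandLine contains "+h" and ProcessCommandLine contains "+s"`, covers every ordering; it is also worth confirming in a test tenant that `has` treats this punctuation-laden multi-token string as a single phrase, since `has` is defined over indexed terms rather than arbitrary substrings.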
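Review bot: In the PATCH 5/5 hunk for `Initial access/jar-attachments.md`, `AttachmentCount > 0` is always true for the rows that survive `NetworkMessageId in (mailsHTML)`, because `mailsHTML` is built from EmailAttachmentInfo and therefore only contains messages that have at least one attachment; the clause can be dropped or, if kept for readability, commented as a no-op. The description at line 6 of the file, which PATCH 2/5 wrote as "events where a single Java archive, or JAR file, was attached", now disagrees with the query and should be updated to say that any message carrying a JAR attachment is returned, whatever its total attachment count.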