| ID | Technique | Tactic |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1071.001 | Web Protocols | Command and Control |
Detection: Windows Non-System Process Querying Definition Update
Description
Detects DNS queries to definitionupdates.microsoft.com or the go.microsoft.com fwlink redirect used for WD update downloads, when the querying process is not a Windows system component. BlueHammer utilizes these definition updates as part of its exploit chain.
Search
1`sysmon`
2EventID="22"
3QueryName="*definitionupdates.microsoft.com*"
4NOT Image IN (
5 "*:\\Program Files\\Microsoft Office\\*",
6 "*:\\Program Files\\Windows Defender\\*",
7 "*:\\ProgramData\\Microsoft\\Windows Defender\\*",
8 "*:\\Windows\\System32\\*",
9 "*:\\Windows\\SysWOW64\\*"
10)
11
12| stats count min(_time) as firstTime max(_time) as lastTime BY answer answer_count dvc Computer process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus
13
14| `security_content_ctime(firstTime)`
15
16| `security_content_ctime(lastTime)`
17
18| rename Computer as dest
19
20| `windows_non_system_process_querying_definition_update_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 22 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_non_system_process_querying_definition_update_filter | search * |
windows_non_system_process_querying_definition_update_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Command and Control
DE.AE
CIS 10
APT19
APT28
APT29
APT32
APT33
APT37
APT38
APT39
APT41
APT42
AppleJeus
BITTER
BRONZE BUTLER
BlackByte
Chimera
Cobalt Group
Confucius
Daggerfly
Dark Caracal
FIN13
FIN4
FIN6
FIN8
Gamaredon Group
HAFNIUM
Higaisa
Inception
Ke3chang
Kimsuky
LAPSUS$
Lazarus Group
Leviathan
LuminousMoth
Magic Hound
Medusa Group
Metador
Moonstone Sleet
MoustachedBouncer
MuddyWater
Mustang Panda
OilRig
Orangeworm
PLATINUM
Rancor
RedCurl
RedEcho
Rocke
Sandworm Team
Scattered Spider
Sea Turtle
Sidewinder
SilverTerrier
Stealth Falcon
TA505
TA551
TeamTNT
Threat Group-3390
Tonto Team
Tropic Trooper
Turla
UNC3886
VOID MANTICORE
Volt Typhoon
WIRTE
Whitefly
Windshift
Winter Vivern
Wizard Spider
ZIRCONIUM
CVE
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.
Implementation
The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
Legitimate third-party applications or security tools may query these update domains for Windows Defender updates. Filter alerts for trusted software and verified update mechanisms.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| Non-System process $Image$ queried Windows Defender Definition Updates domain $QueryName$ on $dest$. | dest | system | 20 |
Threat Objects
| Field | Type |
|---|---|
| process_name | process_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1