New Query: LeakNet Campaign: Deno Runtime & Klist Suspicious Execution Detection

queries/leaknet_campaign_deno_runtime_klist_suspicious_execution_detection.yml

@@ -0,0 +1,227 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: "LeakNet Campaign: Deno Runtime & Klist Suspicious Execution Detection"
+
+# MITRE ATT&CK technique IDs
+mitre_ids:
+  - T1204.001
+  - T1059.007
+  - T1059.001
+  - T1558.003
+  - T1082
+  - T1033
+  - T1016
+  - T1087
+
+# Description of what the query does and its purpose.
+description: |
+  Detects indicators of the LeakNet campaign (analyzed by ReliaQuest, March 2026), which uses ClickFix a social engineering tactic where compromised websites display fake error dialogs that coerce users into manually pasting and executing a malicious PowerShell/CMD command. This delivers a portable Deno (JavaScript runtime) binary to user-writable directories that runs malicious payloads entirely in memory, avoiding disk-based detection. The query targets the post-delivery kill chain: Deno execution from AppData/Temp/ProgramData paths, klist.exe usage from interactive shells indicating Kerberos ticket harvesting, Deno spawning reconnaissance and living-off-the-land binaries, and dangerous Deno runtime flags or remote code fetch patterns. A noise reduction filter excludes Deno running from standard developer or Program Files paths.
+
+# The author or team that created the query.
+author: cap10
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+log_sources:
+  - Endpoint
+
+# Tags for filtering and categorization.
+tags:
+  - Hunting
+  - Detection
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+  //══════════════════════════════════════════════════════════════════════════════════════════════════
+  // HUNT: Deno Runtime & Klist - Suspicious Execution and Lateral Movement Detection
+  //══════════════════════════════════════════════════════════════════════════════════════════════════
+  //
+  // Version: 1.1
+  // Author: Cybersecurity Operations
+  // Last Updated: 2026-03-18
+  //
+  // DESCRIPTION:
+  // Detects indicators of the LeakNet campaign (analyzed by ReliaQuest, March 2026),
+  // which uses ClickFix — a social engineering tactic where compromised websites display
+  // fake error dialogs, coercing users to manually paste and execute a malicious
+  // PowerShell/CMD command. This delivers a staged Deno (JavaScript runtime) binary that
+  // runs malicious payloads entirely in memory, avoiding disk-based detection.
+  //
+  // This query targets the post-delivery kill chain: Deno execution from user-writable
+  // directories, klist usage from interactive shells (indicating Kerberos ticket
+  // harvesting), Deno spawning reconnaissance or administrative tools, and dangerous
+  // runtime flags or remote code fetch patterns in Deno's command line.
+  //
+  // CAMPAIGN DETAILS:
+  // Campaign: LeakNet
+  // Reference: ReliaQuest Threat Research, March 2026
+  // Delivery: ClickFix social engineering → user-pasted PowerShell/CMD command
+  // Payload: Portable Deno binary dropped to AppData/Temp
+  // Execution: In-memory JavaScript payloads via Deno runtime
+  // Post-Exploitation: Credential enumeration (klist), host discovery, C2 callbacks
+  //
+  // VULNERABILITY DETAILS:
+  // CVE: N/A (Campaign-Specific TTPs / Living off the Land)
+  // Type: Initial Access, Execution, Credential Access, Discovery, Lateral Movement
+  // Status: ACTIVE CAMPAIGN — MONITORING FOR ANOMALOUS USAGE
+  //
+  // MITRE ATT&CK MAPPING:
+  //   T1204.001 - User Execution: Malicious Link (ClickFix)
+  //   T1059.007 - Command and Scripting Interpreter: JavaScript/TypeScript
+  //   T1059.001 - Command and Scripting Interpreter: PowerShell
+  //   T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
+  //   T1082     - System Information Discovery
+  //   T1033     - System Owner/User Discovery
+  //   T1016     - System Network Configuration Discovery
+  //   T1087     - Account Discovery
+  //   Tactics: Initial Access, Execution, Credential Access, Discovery, Lateral Movement
+  //
+  // EXPLOITATION REQUIREMENTS:
+  // - User interaction required (ClickFix paste-and-execute social engineering)
+  // - Deno binary present on disk (often portable/non-installed)
+  // - Execution within user-writable context (AppData/Temp)
+  // - Network access for remote script fetching (--allow-net)
+  //
+  // USE CASES:
+  // - Detect Deno-based malware or C2 stagers
+  // - Identify Kerberos ticket enumeration via klist.exe
+  // - Track post-exploitation discovery commands spawned by script runtimes
+  // - Flag dangerous Deno permission flags and remote code execution patterns
+  //
+  // DATA SOURCE:
+  //   Event Type: ProcessRollup2
+  //   Required Fields: ImageFileName, CommandLine, ComputerName, UserName, ParentBaseFileName
+  //   Sensor: CrowdStrike Falcon EDR
+  //
+  // AFFECTED SYSTEMS:
+  // - Windows 10/11
+  // - Windows Server 2016/2019/2022
+  //
+  // FALSE POSITIVES:
+  // - Legitimate developer activity (Deno used in IDE/Repos)
+  // - Automated IT scripts using klist for troubleshooting
+  // - Deno-based internal tools running from standard Program Files paths
+  // - DevOps pipelines that invoke Deno with --allow-net against internal registries
+  //
+  // INVESTIGATION NOTES:
+  // 1. Check if the Deno binary is signed and from a known developer location.
+  // 2. Review the CommandLine for --allow-all or remote URLs (http/https).
+  // 3. Correlate klist usage with recent logins or network connections to Domain Controllers.
+  // 4. Inspect the parent process of klist.exe; interactive shells are higher risk.
+  // 5. Verify if the user is a known developer or DevOps engineer.
+  // 6. Cross-reference SHA256HashData against known-good Deno release hashes.
+  //
+  // TUNING RECOMMENDATIONS:
+  // - Add specific exclusion for local 'dev' or 'git' directories.
+  // - Filter out known-good service accounts that use klist for health checks.
+  // - Baseline Deno usage by SHA256 if a standard version is deployed.
+  // - Add UserName exclusions for known developer accounts if discovery clause is noisy.
+  //
+  // REMEDIATION:
+  // Priority: MEDIUM (Context Dependent)
+  // Action: Quarantine suspicious Deno binaries found in AppData/Temp.
+  // Patches: Ensure Deno is updated to the latest version to prevent engine exploits.
+  //
+  // QUERY LOGIC:
+  // 1. Filters for ProcessRollup2 events.
+  // 2. Checks for Deno in writable paths (Local/Roaming/Temp/ProgramData).
+  // 3. Flags klist.exe when spawned by common shells or script hosts.
+  // 4. Monitors Deno spawning living-off-the-land and discovery binaries.
+  // 5. Identifies dangerous Deno flags or remote fetch commands in the command line.
+  // 6. Applies a global noise reduction for standard Program Files or developer paths.
+  //
+  //══════════════════════════════════════════════════════════════════════════════════════════════════
+
+  #event_simpleName=ProcessRollup2
+  | (
+      /* ── Clause 1: Deno launched from user-writable locations ── */
+      (
+        ImageFileName=/\\deno(\.exe)?$/i
+        AND ImageFileName=/\\(Users\\[^\\]+\\AppData\\(Local|Roaming)|Temp|ProgramData)\\/i
+      )
+
+      OR
+
+      /* ── Clause 2: klist launched from interactive shells or script hosts ── */
+      (
+        ImageFileName=/\\klist\.exe$/i
+        AND ParentBaseFileName=/^(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$/i
+      )
+
+      OR
+
+      /* ── Clause 3: Suspicious child processes spawned by Deno ── */
+      (
+        ParentBaseFileName=/^deno(\.exe)?$/i
+        AND ImageFileName=/\\(cmd|powershell|pwsh|net|net1|whoami|hostname|nltest|dsquery|quser|qwinsta|vssadmin|wbadmin|reg|wevtutil|ipconfig|systeminfo|tasklist|qprocess|schtasks|wmic|bitsadmin|certutil)\.exe$/i
+      )
+
+      OR
+
+      /* ── Clause 4: Deno with dangerous flags or remote code execution patterns ── */
+      (
+        ImageFileName=/\\deno(\.exe)?$/i
+        AND CommandLine=/(eval|--allow-all|--allow-net|--allow-run|https?:\/\/|atob\(|base64|WebSocket|fetch\()/i
+      )
+    )
+
+  /* ── Noise reduction: exclude Deno running from known-good install/dev paths ── */
+  | !(
+      ImageFileName=/\\deno(\.exe)?$/i
+      AND ImageFileName=/\\(Program Files|Program Files \(x86\)|tools|dev|repos|source|git)\\/i
+    )
+
+  | table([@timestamp, aid, ComputerName, UserName, ParentBaseFileName, ImageFileName, CommandLine, SHA256HashData])
+  | sort(@timestamp, order=desc)
+
+  //══════════════════════════════════════════════════════════════════════════════════════════════════
+  // ENHANCEMENT OPTIONS
+  //══════════════════════════════════════════════════════════════════════════════════════════════════
+  //
+  // ── Option A: Correlate Deno process execution with outbound network connections ──
+  // Uses selfJoinFilter to link ProcessRollup2 with NetworkConnectIP4 on the same
+  // agent and process ID, then filters out internal RFC1918/loopback traffic.
+  //
+  //   #event_simpleName = /ProcessRollup2|NetworkConnectIP4/
+  //   | falconPID := ContextProcessId_decimal
+  //   | falconPID := TargetProcessId_decimal
+  //   | selfJoinFilter(field=[aid, falconPID], where=[
+  //       {#event_simpleName = ProcessRollup2 | ImageFileName = /\\deno(\.exe)?$/i},
+  //       {#event_simpleName = NetworkConnectIP4}
+  //   ])
+  //   | RemoteAddressIP4 != "10.*"
+  //   | RemoteAddressIP4 != "172.16.*"
+  //   | RemoteAddressIP4 != "192.168.*"
+  //   | RemoteAddressIP4 != "127.*"
+  //   | groupBy([aid, ComputerName, ImageFileName, RemoteAddressIP4, RemotePort], function=[count(), collect(CommandLine)])
+  //   | sort(_count, order=desc)
+  //
+  // ── Option B: Correlate Deno with DNS requests for domain-based C2 detection ──
+  //
+  //   #event_simpleName = /ProcessRollup2|DnsRequest/
+  //   | falconPID := ContextProcessId
+  //   | falconPID := TargetProcessId
+  //   | selfJoinFilter(field=[aid, falconPID], where=[
+  //       {#event_simpleName = ProcessRollup2 | ImageFileName = /\\deno(\.exe)?$/i},
+  //       {#event_simpleName = DnsRequest}
+  //   ])
+  //   | groupBy([aid, ComputerName, DomainName], function=[count(), collect(CommandLine)])
+  //   | sort(_count, order=desc)
+  //
+  // ── Option C: Group by user to surface high-frequency discovery bursts ──
+  //
+  //   // Append after the main query's table() line:
+  //   // | groupBy([UserName, ComputerName], function=count(as=exec_count))
+  //   // | sort(exec_count, order=desc)
+  //   // | test(exec_count > 5)
+  //
+  //══════════════════════════════════════════════════════════════════════════════════════════════════
+
+# Explanation of the query.
+# Using the YAML block scalar `|` allows for multi-line strings.
+# Uses markdown for formatting on the webpage.
+explanation: |
+  This query detects post-exploitation activity associated with the LeakNet campaign, which was publicly analyzed by ReliaQuest in March 2026. LeakNet uses ClickFix — a social engineering technique where compromised websites present fake browser or application error dialogs that instruct users to copy a malicious command and paste it into a Run dialog or terminal. The pasted command downloads and executes a portable Deno binary, which then runs JavaScript payloads entirely in memory to evade traditional file-based detection.
+
+  The query monitors CrowdStrike Falcon EDR `ProcessRollup2` telemetry and applies four detection clauses covering distinct stages of the LeakNet kill chain, followed by a noise reduction filter.