Technique ID | Title | Link |
---|---|---|
T1218.002 | Signed Binary Proxy Execution: Control Panel | Control Panel |
This set of hunt queries delves into the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows Defender SmartScreen bypass vulnerability, addressing its defense evasion and facilitating investigation of the malware's payload behaviours and TTPs.
This collection of hunt queries aims to detect behaviours associated with malware exploitation of CVE-2023-36025 and the subsequent TTPs that form part of its intrusion set or attack flow.
- Name: Gavin Knapp
- Github: https://github.com/m4nbat
- Twitter: https://twitter.com/knappresearchlb
- LinkedIn: https://www.linkedin.com/in/grjk83/
- Website:
- https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html
- https://github.com/FalconForceTeam/FalconFriday/blob/master/Defense%20Evasion/T1218-WIN-001.md
- https://medium.com/falconforce/falconfriday-process-injection-and-malicious-cpl-files-0xff03-8ba1ee5da64
```kql
// source FalconForce https://medium.com/falconforce/falconfriday-process-injection-and-malicious-cpl-files-0xff03-8ba1ee5da64
// https://github.com/FalconForceTeam/FalconFriday/blob/master/Defense%20Evasion/T1218-WIN-001.md
// Fairly accurate. Depends on the MDE FileProfile() enrichment ("GlobalPrevalence") to filter out false positives.
// Step 1: collect the hashes of every .cpl image loaded, enrich them, and keep the rare or unsigned/invalidly signed ones.
let suspiciousCPLs = DeviceImageLoadEvents
| where FileName endswith ".cpl"
| summarize by SHA1
| invoke FileProfile(SHA1, 1000)
| where ((isempty(Signer) or not(IsCertificateValid)) and GlobalPrevalence < 100) or GlobalPrevalence < 50
| project SHA1;
// Step 2: return the image-load events for those hashes so the loading process and device can be triaged.
DeviceImageLoadEvents
| where SHA1 in (suspiciousCPLs) and ActionType == "ImageLoaded"
// No Sigma or other-platform equivalent: FileProfile() is only available in MDE Advanced Hunting.
```
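To make the triage logic of the query above testable outside Advanced Hunting, here is an added Python re-implementation that is not part of the original page or the FalconForce project. It models a handful of constructed `DeviceImageLoadEvents` rows and a constructed `FileProfile`-style enrichment table (signer, certificate validity, global prevalence), then applies the same two-stage filter: first select the hashes of loaded `.cpl` images that are unsigned or invalidly signed with prevalence below 100, or simply rare (prevalence below 50), then return the image-load events for those hashes. The dataclass names, device names and hash placeholders are assumptions made for the example; none are real telemetry or indicators.

```python
"""Offline re-implementation of the .cpl hunt logic (added example, not the page's query).

Mirrors the KQL: gather SHA1s of loaded .cpl images, enrich them with
signer / certificate / prevalence data (FileProfile() in MDE), keep hashes that
are unsigned-or-invalid with low prevalence or simply rare, then return the
image-load events for those hashes. All records below are constructed sample
data with placeholder hashes, not real telemetry or IoCs.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ImageLoadEvent:
    """One row of DeviceImageLoadEvents (subset of columns, assumed shape)."""
    device_name: str
    file_name: str
    sha1: str
    action_type: str


@dataclass(frozen=True)
class FileProfile:
    """Enrichment for one hash, as FileProfile() would return it (assumed shape)."""
    signer: str            # empty string when the file is unsigned
    is_certificate_valid: bool
    global_prevalence: int  # number of devices MDE has seen the file on


# Constructed sample events. Hashes are placeholders, not real file hashes.
EVENTS: List[ImageLoadEvent] = [
    ImageLoadEvent("dev1", "control.cpl", "SHA1-PLACEHOLDER-A", "ImageLoaded"),
    ImageLoadEvent("dev1", "update.cpl", "SHA1-PLACEHOLDER-B", "ImageLoaded"),
    ImageLoadEvent("dev2", "helper.cpl", "SHA1-PLACEHOLDER-C", "ImageLoaded"),
    ImageLoadEvent("dev2", "vendor.cpl", "SHA1-PLACEHOLDER-D", "ImageLoaded"),
    ImageLoadEvent("dev3", "kernel32.dll", "SHA1-PLACEHOLDER-E", "ImageLoaded"),
    ImageLoadEvent("dev3", "update.cpl", "SHA1-PLACEHOLDER-B", "ImageLoaded"),
]

# Constructed enrichment table keyed by SHA1 (stands in for FileProfile()).
PROFILES: Dict[str, FileProfile] = {
    "SHA1-PLACEHOLDER-A": FileProfile("Microsoft Windows", True, 500_000),  # common, signed
    "SHA1-PLACEHOLDER-B": FileProfile("", False, 3),                        # unsigned, rare
    "SHA1-PLACEHOLDER-C": FileProfile("Contoso Ltd", True, 20),             # signed but very rare
    "SHA1-PLACEHOLDER-D": FileProfile("Fabrikam Inc", True, 80),            # signed, moderately common
    "SHA1-PLACEHOLDER-E": FileProfile("", False, 1),                        # rare, but not a .cpl
}


def is_suspicious(profile: FileProfile) -> bool:
    """Same predicate as the KQL 'where' on the enriched hashes."""
    unsigned_or_invalid = (not profile.signer) or (not profile.is_certificate_valid)
    return (unsigned_or_invalid and profile.global_prevalence < 100) or profile.global_prevalence < 50


def suspicious_cpl_hashes(events: Iterable[ImageLoadEvent],
                          profiles: Dict[str, FileProfile]) -> Set[str]:
    """Stage 1: distinct SHA1s of loaded .cpl images that pass is_suspicious().

    KQL 'endswith' is case-insensitive, hence lower(). A hash with no profile
    row is skipped, matching KQL where comparisons against null are not true.
    """
    cpl_hashes = {e.sha1 for e in events if e.file_name.lower().endswith(".cpl")}
    return {h for h in cpl_hashes if h in profiles and is_suspicious(profiles[h])}


def hunt(events: Iterable[ImageLoadEvent],
         profiles: Dict[str, FileProfile]) -> List[ImageLoadEvent]:
    """Stage 2: the ImageLoaded events for the flagged hashes, ready for triage."""
    events = list(events)
    flagged = suspicious_cpl_hashes(events, profiles)
    return [e for e in events if e.sha1 in flagged and e.action_type == "ImageLoaded"]


if __name__ == "__main__":
    for hit in hunt(EVENTS, PROFILES):
        print(f"{hit.device_name}: {hit.file_name} ({hit.sha1})")
```

Running it flags the unsigned rare `update.cpl` on both devices and the signed-but-rare `helper.cpl`, while the common Microsoft-signed control panel item, the moderately common vendor-signed one and the non-`.cpl` load are excluded. That is the intended trade-off of the original query: the prevalence thresholds do the false-positive suppression, so an environment with many bespoke, low-prevalence but legitimate `.cpl` files will need them tuned.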