Threat Hunt rundll32 executions with osquery

Description: In October 2020 Ryuk compromised a company in 5 hours. One of the techniques of the attack was to leverage rundll32 to escalate privileges. The query below interrogates the Windows Event log for an execution of cmd.exe with a command line of “rundll”. If I do say it is a pretty cool query with extraction of the json data from the event log data and categorizing the meaning of the label. Hopefully you can leverage this in your environment as well.

SQL:

SELECT * FROM (
  SELECT
  datetime,
  datetime(julianday(datetime), "localtime") AS datetime_local,
  'T1059' as mitre_attck_id,
  'https://attack.mitre.org/techniques/T1059/003' as mitre_attck_url,
  'ryuk, rundll, cmd' as tags,
  json_extract(data,'$.EventData.SubjectUserName') as SubjectUserName,
  json_extract(data,'$.EventData.SubjectDomainName') as SubjectDomainName,
  json_extract(data,'$.EventData.SubjectLogonId') as SubjectLogonId,
  json_extract(data,'$.EventData.NewProcessId') as NewProcessId,
  json_extract(data,'$.EventData.NewProcessName') as NewProcessName,
  json_extract(data,'$.EventData.TokenElevationType') as TokenElevationType,
  json_extract(data,'$.EventData.ProcessId') as ProcessId,
  json_extract(data,'$.EventData.CommandLine') as CommandLine,
  json_extract(data,'$.EventData.TargetUserSid') as TargetUserSid,
  json_extract(data,'$.EventData.TargetUserName') as TargetUserName,
  json_extract(data,'$.EventData.TargetDomainName') as TargetDomainName,
  json_extract(data,'$.EventData.TargetLogonId') as TargetLogonId,
  json_extract(data,'$.EventData.ParentProcessName') as ParentProcessName,
  json_extract(data,'$.EventData.MandatoryLabel') as MandatoryLabel,
  CASE
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-0' THEN 'untrusted'
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-4096' THEN 'low_integrity'
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-8192' THEN 'medium_integrity'
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-8448' THEN 'medium_high_integrity'
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-12288' THEN 'high_integrity'
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-16384' THEN 'system_integrity'
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-20480' THEN 'protected_process'
  END MandatoryLabel_Meaning

  FROM (
    SELECT data, datetime FROM windows_eventlog WHERE channel = "Security" AND eventid = 4688 AND datetime > DATE('now', '-1 days')
  )
) WHERE NewProcessName LIKE '%cmd.exe' and CommandLine LIKE '%rundll%';

Operating Systems: Windows Only

References:

Ryuk in 5 Hours – The DFIR Report

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688

#audit #dfir #rundll32 #ryuk #thread_hunting