
Description: In October 2020 Ryuk compromised a company in 5 hours. One of the techniques used in the attack was to leverage rundll32 to escalate privileges. The query below interrogates the Windows Security event log (process creation, event ID 4688) for executions of cmd.exe whose command line contains "rundll". If I do say so, it is a pretty cool query: it extracts the JSON event data from the event log record and categorizes the meaning of the MandatoryLabel SID (the process integrity level). Hopefully you can leverage this in your environment as well.

SQL:
SELECT * FROM (
    SELECT
        datetime,
        datetime(julianday(datetime), 'localtime') AS datetime_local,
        'T1059' AS mitre_attck_id,
        'https://attack.mitre.org/techniques/T1059/003' AS mitre_attck_url,
        'ryuk, rundll, cmd' AS tags,
        json_extract(data, '$.EventData.SubjectUserName')   AS SubjectUserName,
        json_extract(data, '$.EventData.SubjectDomainName') AS SubjectDomainName,
        json_extract(data, '$.EventData.SubjectLogonId')    AS SubjectLogonId,
        json_extract(data, '$.EventData.NewProcessId')      AS NewProcessId,
        json_extract(data, '$.EventData.NewProcessName')    AS NewProcessName,
        json_extract(data, '$.EventData.TokenElevationType') AS TokenElevationType,
        json_extract(data, '$.EventData.ProcessId')         AS ProcessId,
        json_extract(data, '$.EventData.CommandLine')       AS CommandLine,
        json_extract(data, '$.EventData.TargetUserSid')     AS TargetUserSid,
        json_extract(data, '$.EventData.TargetUserName')    AS TargetUserName,
        json_extract(data, '$.EventData.TargetDomainName')  AS TargetDomainName,
        json_extract(data, '$.EventData.TargetLogonId')     AS TargetLogonId,
        json_extract(data, '$.EventData.ParentProcessName') AS ParentProcessName,
        json_extract(data, '$.EventData.MandatoryLabel')    AS MandatoryLabel,
        -- Map the integrity-level SID in MandatoryLabel to a readable meaning
        CASE json_extract(data, '$.EventData.MandatoryLabel')
            WHEN 'S-1-16-0'     THEN 'untrusted'
            WHEN 'S-1-16-4096'  THEN 'low_integrity'
            WHEN 'S-1-16-8192'  THEN 'medium_integrity'
            WHEN 'S-1-16-8448'  THEN 'medium_high_integrity'
            WHEN 'S-1-16-12288' THEN 'high_integrity'
            WHEN 'S-1-16-16384' THEN 'system_integrity'
            WHEN 'S-1-16-20480' THEN 'protected_process'
            ELSE 'unknown'
        END AS MandatoryLabel_Meaning
    FROM (
        -- Security channel, process creation events from the last day only
        SELECT data, datetime
        FROM windows_eventlog
        WHERE channel = 'Security'
          AND eventid = 4688
          AND datetime > DATE('now', '-1 days')
    )
) WHERE NewProcessName LIKE '%cmd.exe' AND CommandLine LIKE '%rundll%';
Operating Systems: Windows Only
References:
Ryuk in 5 Hours – The DFIR Report
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
#audit #dfir #rundll32 #ryuk #threat_hunting
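The detection above, re-implemented in plain Python as an added example (it is not part of the original post or of osquery). It consumes the same EventData JSON that the osquery `windows_eventlog` table exposes in its `data` column for Security event 4688, applies the same two filters (NewProcessName ending in cmd.exe and a CommandLine containing "rundll", compared case-insensitively to mirror SQLite's LIKE), the same one-day time window, and the same MandatoryLabel-to-integrity-level mapping. The event records and the `YYYY-MM-DD HH:MM:SS` timestamp format are constructed sample data and assumptions, not real telemetry.

```python
"""Re-implementation of the cmd.exe + rundll 4688 hunt in plain Python.

Constructed sample data only; the record layout follows the EventData JSON
that osquery's windows_eventlog table places in its `data` column.
"""
import json
from datetime import datetime

# Integrity-level SIDs carried in the 4688 MandatoryLabel field.
MANDATORY_LABELS = {
    "S-1-16-0": "untrusted",
    "S-1-16-4096": "low_integrity",
    "S-1-16-8192": "medium_integrity",
    "S-1-16-8448": "medium_high_integrity",
    "S-1-16-12288": "high_integrity",
    "S-1-16-16384": "system_integrity",
    "S-1-16-20480": "protected_process",
}


def label_meaning(sid):
    """Translate a MandatoryLabel SID into its integrity-level name."""
    return MANDATORY_LABELS.get(sid, "unknown")


def matches(event):
    """Same predicate as the SQL WHERE clause: cmd.exe launched with 'rundll'
    somewhere on its command line. Lower-casing mirrors SQLite LIKE, which is
    case-insensitive for ASCII."""
    ed = event.get("EventData", {})
    new_proc = (ed.get("NewProcessName") or "").lower()
    cmdline = (ed.get("CommandLine") or "").lower()
    return new_proc.endswith("cmd.exe") and "rundll" in cmdline


def hunt(rows, since):
    """rows: iterable of (datetime_str, data_json), like the osquery table.
    since: only events strictly newer than this datetime are considered
    (the SQL uses DATE('now', '-1 days')). Returns the enriched hits."""
    hits = []
    for ts, data in rows:
        # Assumed timestamp format: 'YYYY-MM-DD HH:MM:SS'
        if datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") <= since:
            continue
        event = json.loads(data)
        if not matches(event):
            continue
        ed = event["EventData"]
        hits.append({
            "datetime": ts,
            "SubjectUserName": ed.get("SubjectUserName"),
            "NewProcessName": ed.get("NewProcessName"),
            "CommandLine": ed.get("CommandLine"),
            "ParentProcessName": ed.get("ParentProcessName"),
            "TokenElevationType": ed.get("TokenElevationType"),
            "MandatoryLabel": ed.get("MandatoryLabel"),
            "MandatoryLabel_Meaning": label_meaning(ed.get("MandatoryLabel")),
        })
    return hits


def _event(**fields):
    """Build one constructed 4688 record as the JSON string osquery would store."""
    return json.dumps({"EventData": fields})


# Constructed sample rows (not real telemetry).
SINCE = datetime(2020, 10, 1, 0, 0, 0)
SAMPLE_ROWS = [
    # Expected hit: cmd.exe spawning rundll32 at high integrity.
    ("2020-10-02 03:14:15", _event(
        SubjectUserName="alice", NewProcessName=r"C:\Windows\System32\cmd.exe",
        CommandLine=r"cmd.exe /c rundll32.exe C:\Users\Public\sample.dll,Start",
        ParentProcessName=r"C:\Windows\explorer.exe",
        TokenElevationType="%%1937", MandatoryLabel="S-1-16-12288")),
    # cmd.exe without rundll on the command line: no hit.
    ("2020-10-02 03:20:00", _event(
        SubjectUserName="alice", NewProcessName=r"C:\Windows\System32\cmd.exe",
        CommandLine="cmd.exe /c whoami", MandatoryLabel="S-1-16-8192")),
    # rundll32 launched directly, not via cmd.exe: the query keys on cmd.exe,
    # so this is deliberately not matched (a gap worth knowing about).
    ("2020-10-02 03:21:00", _event(
        SubjectUserName="alice", NewProcessName=r"C:\Windows\System32\rundll32.exe",
        CommandLine="rundll32.exe sample.dll,Start", MandatoryLabel="S-1-16-8192")),
    # Would match, but falls outside the time window.
    ("2020-09-20 10:00:00", _event(
        SubjectUserName="bob", NewProcessName=r"C:\Windows\System32\cmd.exe",
        CommandLine="cmd.exe /c rundll32.exe old.dll", MandatoryLabel="S-1-16-12288")),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS, SINCE):
        print(json.dumps(hit, indent=2))
```

Two operational points fall out of running this: CommandLine in 4688 is only populated when the "Include command line in process creation events" audit policy is enabled, so the `rundll` filter silently matches nothing without it; and because the predicate keys on NewProcessName ending in cmd.exe, a rundll32.exe started directly by another parent is not surfaced, as the third sample row shows.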