Hunting Threats Series
In this article, we continue the threat hunting series with techniques #4 to #6, each covering a threat, the Windows event evidence it leaves behind, and an AQL (IBM QRadar Ariel Query Language) query to find it.
Threat Hunting # 4: Detecting DDE Activity in Excel / Word Files
The Dynamic Data Exchange (DDE) protocol is a set of rules that allows applications to share data and exchange information. However, an attacker can abuse DDE to execute arbitrary commands, which makes it a significant threat. A malicious DDE field can be embedded directly in a Microsoft Office document, or indirectly through a linked or hosted file, and delivered by phishing or a hosting site, so the attacker gets code execution without using VBA macros at all.
When a document containing a DDE field is opened, Office displays two consecutive prompts: the first asks whether to update the document's links or fields, the second names the application DDE is about to launch and asks whether to start it. The victim must click "Open" and then select "Yes" to get past both warnings, after which the command runs. Each prompt is recorded in the Office Alerts log %SystemRoot%\System32\Winevt\Logs\OAlerts.evtx as Event ID 300, with the dialog text (including the application to be started) in the event message.
To detect DDE activity, we can look for the following:
- Event ID 300 in OAlerts.evtx, which records the Office prompt; the second prompt names the application DDE was asked to start, so a message mentioning cmd.exe or powershell.exe is a strong indicator.
- The message body contains the SID of a known highly privileged Active Directory user or group (the filter the query below applies).
- Both prompts appear for the same user and document, which means the victim clicked "Open" and selected "Yes" on the first warning rather than closing the file.
Detection Logic:
We can use the following AQL query to detect DDE activity. IMATCHES is a case-insensitive Java-style regular expression that must match the whole payload, hence the leading and trailing ".*". Note that the query filters Event ID 300 payloads on the SIDs of privileged domain accounts (S-1-5-21-<domain>-RID) and BUILTIN groups (S-1-5-32-RID); since the OAlerts message is the dialog text itself, matching the prompt that names the application to start is the more direct hunt:
SELECT "SourceUserName", "ObjectType", "ObjectName"
FROM events
WHERE "EventID" = 300
AND UTF8(payload) IMATCHES '.*(S-1-5-21-[0-9-]+-(500|502|505|512|519|520)|S-1-5-32-(544|551|555))([^0-9].*)?'
LAST 180 DAYS
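The same hunt carried out over Event ID 300 records outside QRadar, as an added example that is not part of the original article: it parses the second DDE prompt to pull out the application Office was asked to launch and flags interpreters and living-off-the-land binaries. The records, the prompt wording and the list of high-risk binaries are constructed assumptions for illustration, not captured log data.

```python
import re

# Constructed sample records modelled on Microsoft Office Alerts (OAlerts.evtx)
# Event ID 300 entries. They are illustrative, not real log data; "Message" is
# the text of the dialog Office showed the user.
SAMPLE_OALERTS = [
    {"EventID": 300, "Computer": "WS01", "User": "CORP\\jdoe",
     "Message": "This document contains fields that may refer to other files. "
                "Do you want to update the fields in this document?"},
    {"EventID": 300, "Computer": "WS01", "User": "CORP\\jdoe",
     "Message": "The remote data (cmd) is not accessible. "
                "Do you want to start the application C:\\Windows\\System32\\cmd.exe?"},
    {"EventID": 300, "Computer": "WS02", "User": "CORP\\asmith",
     "Message": "Word cannot open this file because it is in use by another process."},
    {"EventID": 300, "Computer": "WS03", "User": "CORP\\bwong",
     "Message": "The remote data (powershell) is not accessible. Do you want to start "
                "the application C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe?"},
    {"EventID": 300, "Computer": "WS04", "User": "CORP\\cnguyen",
     "Message": "The remote data (MSExcel) is not accessible. Do you want to start "
                "the application C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE?"},
    # Not an alert event: must be ignored even though the text looks like a prompt.
    {"EventID": 301, "Computer": "WS01", "User": "CORP\\jdoe",
     "Message": "Do you want to start the application C:\\Windows\\System32\\cmd.exe?"},
]

# The second DDE prompt names the program Office is about to launch.
DDE_LAUNCH_RE = re.compile(
    r"do you want to start the application\s+(?P<app>.+?)\s*\?\s*$", re.IGNORECASE)

# Interpreters and living-off-the-land binaries a DDE payload typically launches
# (an assumed starting list; tune it for your environment).
HIGH_RISK_BINARIES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "certutil.exe", "wscript.exe", "cscript.exe", "msiexec.exe",
}


def parse_dde_launch(message):
    """Return the application path named in a DDE launch prompt, or None."""
    m = DDE_LAUNCH_RE.search(message)
    return m.group("app").strip() if m else None


def hunt_dde(records):
    """Flag Event ID 300 records whose prompt asks to start an application."""
    findings = []
    for rec in records:
        if rec.get("EventID") != 300:
            continue
        app = parse_dde_launch(rec.get("Message", ""))
        if app is None:
            continue
        # Last path component, lower-cased, so "C:\...\EXCEL.EXE" compares as "excel.exe".
        binary = app.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        findings.append({
            "Computer": rec.get("Computer"),
            "User": rec.get("User"),
            "Application": app,
            "Binary": binary,
            "HighRisk": binary in HIGH_RISK_BINARIES,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_dde(SAMPLE_OALERTS):
        print(finding)
```

A benign linked-workbook prompt (Excel starting EXCEL.EXE) is still reported, but with HighRisk set to False, so the analyst can triage by the binary rather than by the presence of a prompt alone.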
Reference Material:
- https://attack.mitre.org/techniques/T1173/ (Dynamic Data Exchange; MITRE has since folded this technique into Inter-Process Communication: Dynamic Data Exchange, T1559.002)
- About Dynamic Data Exchange (DDE) - Win32 apps | Microsoft Learn
Threat Hunting # 5: Detecting Enumeration by Net.exe
Catching an attacker at the discovery stage is crucial: by the time they are enumerating the domain, they have already bypassed the perimeter and the standard endpoint security controls. The Microsoft Net.exe tool is the classic way to enumerate local and domain users and groups (for example, net user /domain or net group "Domain Admins" /domain).
However, detecting this on the endpoint by process name and command-line content is weak: the attacker can rename or copy the binary, call net1.exe (which net.exe itself invokes) or the underlying SAM RPC interface directly, or obfuscate the command line with quoting and special characters.
A more robust signal is Event ID 4661 ("A handle to an object was requested") on the domain controller, which is logged when the "Audit SAM" subcategory is enabled and a SAM_USER, SAM_GROUP or SAM_ALIAS object is accessed. Its "Object Name" field holds the SID of the user or group that was queried, so filtering on the SIDs of known highly privileged Active Directory users and groups catches the enumeration regardless of which tool performed it. We can use the following AQL query (the regular expression is anchored on the RID so that, for example, RID 5120 does not match 512, and BUILTIN groups are matched under their S-1-5-32 prefix):
SELECT "SourceUserName", "ObjectType", "ObjectName"
FROM events
WHERE "EventID" = 4661
AND UTF8(payload) IMATCHES '.*(S-1-5-21-[0-9-]+-(500|502|505|512|519|520)|S-1-5-32-(544|551|555))([^0-9].*)?'
LAST 180 DAYS
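The privileged-SID filter applied to 4661 events, as an added example that is not part of the original article. It shows the distinction the query has to make between domain SIDs (S-1-5-21-<domain>-RID) and BUILTIN SIDs (S-1-5-32-RID), anchors the RID so that a longer RID such as 5120 cannot match 512, and rolls the hits up per subject user so a single account touching several privileged objects stands out. The events are constructed, and the choice of which RIDs count as privileged is an assumption: it takes the RIDs the article lists (minus 505, which is not a well-known RID) and adds 518, Schema Admins.

```python
import re
from collections import Counter

# Well-known RIDs of privileged domain principals (suffix of S-1-5-21-<domain>-RID)
# and of privileged BUILTIN groups (suffix of S-1-5-32-RID). Tunable assumption.
DOMAIN_PRIV_RIDS = {"500", "502", "512", "518", "519", "520"}
BUILTIN_PRIV_RIDS = {"544", "551", "555"}

# Anchored at both ends, so RID 5120 cannot match 512 and 15440 cannot match 544.
SID_RE = re.compile(
    r"^S-1-5-(?:21-\d+-\d+-\d+-(?P<domain_rid>\d+)|32-(?P<builtin_rid>\d+))$",
    re.IGNORECASE)

# The unanchored pattern from the AQL query above, kept only to show its false positive.
UNANCHORED_RE = re.compile(r".*S-1-5-21-.*-(512|502|500|505|519|520|544|551|555).*")

# SAM object classes that user/group enumeration touches; BUILTIN groups are SAM_ALIAS.
SAM_OBJECT_TYPES = {"SAM_USER", "SAM_GROUP", "SAM_ALIAS"}

# Constructed sample Security log events from a domain controller; not real data.
SAMPLE_EVENTS = [
    {"EventID": 4661, "SubjectUserName": "jdoe", "ObjectType": "SAM_GROUP",
     "ObjectName": "S-1-5-21-1004336348-1177238915-682003330-512"},   # Domain Admins
    {"EventID": 4661, "SubjectUserName": "jdoe", "ObjectType": "SAM_ALIAS",
     "ObjectName": "S-1-5-32-544"},                                    # BUILTIN\Administrators
    {"EventID": 4661, "SubjectUserName": "asmith", "ObjectType": "SAM_USER",
     "ObjectName": "S-1-5-21-1004336348-1177238915-682003330-1105"},  # ordinary user
    {"EventID": 4661, "SubjectUserName": "asmith", "ObjectType": "SAM_GROUP",
     "ObjectName": "S-1-5-21-1004336348-1177238915-682003330-5120"},  # RID 5120, not 512
    {"EventID": 4661, "SubjectUserName": "bwong", "ObjectType": "SAM_DOMAIN",
     "ObjectName": "S-1-5-21-1004336348-1177238915-682003330"},       # domain object
    {"EventID": 4662, "SubjectUserName": "bwong", "ObjectType": "SAM_USER",
     "ObjectName": "S-1-5-21-1004336348-1177238915-682003330-500"},   # wrong event ID
]


def is_privileged_sid(sid):
    """True if the SID is a privileged domain account/group or BUILTIN group."""
    m = SID_RE.match(sid.strip())
    if not m:
        return False
    if m.group("domain_rid") is not None:
        return m.group("domain_rid") in DOMAIN_PRIV_RIDS
    return m.group("builtin_rid") in BUILTIN_PRIV_RIDS


def hunt_privileged_sam_access(events):
    """Return 4661 SAM-object hits on privileged SIDs and a per-user count."""
    hits = [e for e in events
            if e.get("EventID") == 4661
            and e.get("ObjectType") in SAM_OBJECT_TYPES
            and is_privileged_sid(e.get("ObjectName", ""))]
    per_user = Counter(e["SubjectUserName"] for e in hits)
    return hits, per_user


if __name__ == "__main__":
    hits, per_user = hunt_privileged_sam_access(SAMPLE_EVENTS)
    for e in hits:
        print(e["SubjectUserName"], e["ObjectType"], e["ObjectName"])
    print(dict(per_user))
```

On a domain controller the "Process Name" of these events is normally lsass.exe, because the SAM RPC interface is served by LSASS, so the subject user and the object SID, not the process, are the fields to pivot on.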
Reference Material:
- Security Identifiers | Microsoft Learn
- Windows Security Log Event ID 4661 - A handle to an object was requested
Threat Hunting # 6: Detecting Real or Fake Computer Account to Hide in the Daylight - Part I
Each domain-joined Windows computer has a computer account, which provides the machine with domain authentication, access to network resources, and an identity for auditing. Many detection rules recognise computer accounts by the "$" suffix in the account name, but that suffix is only a naming convention: a user account can be created with a trailing "$" just as easily, so it is not a true indicator of a computer account.
An attacker can therefore create a fake computer account (a user account named like a computer) or a real one, and hide their activity from monitoring rules that exclude or ignore "$" accounts. Alternatively, they can obtain the NTLM hash of an existing computer account that already holds high privileges, so they do not need to create a new account at all.
To detect real or fake computer accounts, we can look for the following:
- A newly created account whose name mimics a server or service computer account (such as MSSQLDB01$)
- A fake computer account performing an interactive logon (such as RDP)
- Two different computer accounts logging on from the same source IP address within a short window
- An NTLM logon with a real computer account where the source workstation is a different computer
- Event ID 4720 where "Account Name" ends with "$"
- NTLM authentication (Event ID 4776) where "Logon Account" matches ".*\$" and "Source Workstation" is not equal to "Logon Account" with the "$" removed
- Event ID 4624 where "Account Name" matches ".*\$", and two different "Account Name" values share the same "Source Network Address" within 2 minutes
Detection Logic:
We can use the following AQL queries to detect real or fake computer accounts. In a Java-style regular expression "$" is the end-of-string anchor, so the trailing dollar sign must be escaped as "\$" to match a literal one. The second query strips the "$" from the logon account name before comparing it with the source workstation, and the comparison is lower-cased because the two fields are not guaranteed to use the same case:
SELECT username, "DestinationUserName", "GroupID"
FROM events
WHERE "EventID" = 4720
AND "DestinationUserName" IMATCHES '.*\$'
LAST 90 DAYS
SELECT "SourceUserName", "Source Workstation", "ErrorCode", COUNT() AS CC
FROM events
WHERE "EventID" = 4776
AND "SourceUserName" IMATCHES '.*\$'
AND NOT (LOWER(SUBSTRING("SourceUserName", 0, STRLEN("SourceUserName") - 1)) = LOWER("Source Workstation"))
GROUP BY "SourceUserName", "Source Workstation", "ErrorCode"
LAST 90 DAYS
SELECT "DestinationUserName", "AuthenticationPackage", "LogonType"
FROM events
WHERE "EventID" = 4624
AND "DestinationUserName" IMATCHES '.+\$'
AND (LogonType = 10 OR LogonType = 2 OR LogonType = 7)
LAST 90 DAYS
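The four checks in the list above (account creation with a "$" suffix, NTLM source-workstation mismatch, interactive logon by a computer account, and two computer accounts sharing a source IP within 2 minutes) run over a small set of events, as an added example that is not part of the original article. It also covers the 2-minute correlation, which the third AQL query above does not express. The events and field names are constructed for illustration; the logon-type set and the 2-minute window follow the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types the article treats as interactive: 2 Interactive, 7 Unlock, 10 RemoteInteractive.
INTERACTIVE_LOGON_TYPES = {2, 7, 10}

# Constructed sample Security events (4720 account created, 4776 NTLM credential
# validation, 4624 logon). Illustrative, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2024-03-01T09:00:00", "SubjectUserName": "jdoe",
     "TargetUserName": "MSSQLDB01$"},                      # user account mimicking a computer
    {"EventID": 4720, "Time": "2024-03-01T09:01:00", "SubjectUserName": "jdoe",
     "TargetUserName": "svc_backup"},                      # ordinary account creation
    {"EventID": 4776, "Time": "2024-03-01T09:05:00", "TargetUserName": "WS01$",
     "Workstation": "WS01", "Status": "0x0"},              # computer authenticating from itself
    {"EventID": 4776, "Time": "2024-03-01T09:06:00", "TargetUserName": "DC01$",
     "Workstation": "WS07", "Status": "0x0"},              # DC01$ credentials used from WS07
    {"EventID": 4624, "Time": "2024-03-01T09:10:00", "TargetUserName": "MSSQLDB01$",
     "LogonType": 10, "IpAddress": "10.0.0.55", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4624, "Time": "2024-03-01T09:11:00", "TargetUserName": "WS01$",
     "LogonType": 3, "IpAddress": "10.0.0.55", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "Time": "2024-03-01T09:20:00", "TargetUserName": "WS02$",
     "LogonType": 3, "IpAddress": "10.0.0.56", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "Time": "2024-03-01T09:21:00", "TargetUserName": "jdoe",
     "LogonType": 10, "IpAddress": "10.0.0.55", "AuthenticationPackageName": "NTLM"},
]


def is_computer_account(name):
    """The '$' suffix is only a naming convention, so this is a hint, not proof."""
    return name.endswith("$")


def hunt_created_computer_accounts(events):
    """4720 where the new account name carries the computer-account suffix."""
    return [e for e in events
            if e["EventID"] == 4720 and is_computer_account(e["TargetUserName"])]


def hunt_ntlm_workstation_mismatch(events):
    """4776 where a computer account authenticates from a differently named workstation."""
    return [e for e in events
            if e["EventID"] == 4776 and is_computer_account(e["TargetUserName"])
            and e["TargetUserName"][:-1].lower() != e["Workstation"].lower()]


def hunt_interactive_computer_logons(events):
    """4624 interactive, unlock or RDP logons performed by a computer account."""
    return [e for e in events
            if e["EventID"] == 4624 and is_computer_account(e["TargetUserName"])
            and e["LogonType"] in INTERACTIVE_LOGON_TYPES]


def hunt_shared_source_ip(events, window=timedelta(minutes=2)):
    """Two different computer accounts logging on from one source IP within the window."""
    by_ip = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4624 and is_computer_account(e["TargetUserName"])
                and e.get("IpAddress") not in (None, "-", "127.0.0.1", "::1")):
            by_ip[e["IpAddress"]].append(
                (datetime.fromisoformat(e["Time"]), e["TargetUserName"]))
    pairs = []
    for ip, logons in by_ip.items():
        logons.sort()
        for i, (t1, acct1) in enumerate(logons):
            for t2, acct2 in logons[i + 1:]:
                if t2 - t1 > window:
                    break  # sorted, so later entries are further away
                if acct1.lower() != acct2.lower():
                    pairs.append((ip, acct1, acct2, int((t2 - t1).total_seconds())))
    return pairs


if __name__ == "__main__":
    print("created:", [e["TargetUserName"] for e in hunt_created_computer_accounts(SAMPLE_EVENTS)])
    print("ntlm mismatch:", [e["TargetUserName"] for e in hunt_ntlm_workstation_mismatch(SAMPLE_EVENTS)])
    print("interactive:", [e["TargetUserName"] for e in hunt_interactive_computer_logons(SAMPLE_EVENTS)])
    print("shared ip:", hunt_shared_source_ip(SAMPLE_EVENTS))
```

Each check on its own produces noise (a legitimate computer account renewal, an administrator's test account); the value comes from pivoting between them, for example MSSQLDB01$ appearing in both the creation and the interactive-logon results.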
Reference Material: