LoFP / Legitimate third-party applications or security tools may query these update domains for Windows Defender definition updates. Filter alerts for trusted software and verified update mechanisms.

Techniques

Sample rules

Windows Non-System Process Querying Definition Update

Description

Detects DNS queries (Sysmon Event ID 22) to definitionupdates.microsoft.com, or to the go.microsoft.com fwlink redirect used for Windows Defender definition-update downloads, when the querying process is not a Windows system component. BlueHammer utilizes these definition updates as part of its exploit chain. Note that the search below keys only on QueryName values matching *definitionupdates.microsoft.com*; a query for the go.microsoft.com fwlink host would not match that filter and would need its own QueryName term.

Detection logic

`sysmon` EventID="22" QueryName="*definitionupdates.microsoft.com*"
NOT Image IN (
    "*:\\Program Files\\Microsoft Office\\*",
    "*:\\Program Files\\Windows Defender\\*",
    "*:\\ProgramData\\Microsoft\\Windows Defender\\*",
    "*:\\Windows\\System32\\*",
    "*:\\Windows\\SysWOW64\\*"
)
| stats count min(_time) as firstTime max(_time) as lastTime BY answer answer_count dvc Computer process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename Computer as dest
| `windows_non_system_process_querying_definition_update_filter`
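The following is an added example, not code from the LoFP page or from the Splunk rule it describes. It re-implements the search above in Python over a handful of constructed Sysmon Event ID 22 records, so the exclusion list and the aggregation can be exercised offline, and it adds a hypothetical tuning allowlist (a stand-in for the rule's `windows_non_system_process_querying_definition_update_filter` macro) to show how the false positive described at the top of the page is handled. The `ExampleAV` updater path, the host names and the user names are all made up for the example; Splunk string matching is case-insensitive, and the glob helper mirrors that.

```python
import fnmatch
from dataclasses import dataclass

# Image paths the rule treats as Windows system components. These are the
# same globs as the SPL "NOT Image IN (...)" clause; "*:\" is a drive wildcard.
SYSTEM_IMAGE_PATTERNS = [
    r"*:\Program Files\Microsoft Office\*",
    r"*:\Program Files\Windows Defender\*",
    r"*:\ProgramData\Microsoft\Windows Defender\*",
    r"*:\Windows\System32\*",
    r"*:\Windows\SysWOW64\*",
]

# QueryName filter from the search. Only this host is covered; the
# go.microsoft.com fwlink redirect named in the description is not.
QUERY_PATTERN = "*definitionupdates.microsoft.com*"

# Hypothetical tuning allowlist standing in for the rule's filter macro:
# (image glob, query glob) pairs for trusted third-party update mechanisms.
TUNING_ALLOWLIST = [
    (r"*:\Program Files\ExampleAV\updater.exe", "*definitionupdates.microsoft.com*"),
]


@dataclass
class DnsQueryEvent:
    """Minimal Sysmon Event ID 22 record (constructed sample data)."""
    computer: str
    image: str
    query_name: str
    user: str


def _glob(pattern: str, value: str) -> bool:
    # Windows paths and DNS names are case-insensitive; fnmatchcase is not,
    # so lower-case both sides to mimic Splunk's case-insensitive matching.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_system_image(image: str) -> bool:
    """True when the querying process lives under an excluded system path."""
    return any(_glob(p, image) for p in SYSTEM_IMAGE_PATTERNS)


def is_allowlisted(event: DnsQueryEvent) -> bool:
    """True when a tuning entry covers both the image and the query."""
    return any(_glob(ip, event.image) and _glob(qp, event.query_name)
               for ip, qp in TUNING_ALLOWLIST)


def matches_rule(event: DnsQueryEvent, apply_filter: bool = True) -> bool:
    """Return True when the event would survive the SPL search."""
    if not _glob(QUERY_PATTERN, event.query_name):
        return False
    if is_system_image(event.image):
        return False
    if apply_filter and is_allowlisted(event):
        return False
    return True


def aggregate(events, apply_filter: bool = True) -> dict:
    """Mimic '| stats count BY dest process_name QueryName' for matches."""
    counts: dict = {}
    for e in events:
        if matches_rule(e, apply_filter):
            key = (e.computer, e.image.rsplit("\\", 1)[-1].lower(), e.query_name.lower())
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample events; none of these come from a real host.
SAMPLE_EVENTS = [
    # Defender's own updater: excluded by the Image allowlist.
    DnsQueryEvent("WS01", r"C:\Program Files\Windows Defender\MpCmdRun.exe",
                  "definitionupdates.microsoft.com", r"NT AUTHORITY\SYSTEM"),
    # Service host under System32: excluded.
    DnsQueryEvent("WS01", r"C:\Windows\System32\svchost.exe",
                  "definitionupdates.microsoft.com", r"NT AUTHORITY\SYSTEM"),
    # Hypothetical trusted third-party updater: fires untuned, suppressed by the filter.
    DnsQueryEvent("WS02", r"C:\Program Files\ExampleAV\updater.exe",
                  "definitionupdates.microsoft.com", r"NT AUTHORITY\SYSTEM"),
    # Unknown binary in a user-writable directory: the case the rule targets.
    DnsQueryEvent("WS03", r"C:\Users\jdoe\AppData\Local\Temp\stage.exe",
                  "definitionupdates.microsoft.com", r"CORP\jdoe"),
    DnsQueryEvent("WS03", r"C:\Users\jdoe\AppData\Local\Temp\stage.exe",
                  "definitionupdates.microsoft.com", r"CORP\jdoe"),
    # Unrelated query from the same binary: out of scope for this rule.
    DnsQueryEvent("WS03", r"C:\Users\jdoe\AppData\Local\Temp\stage.exe",
                  "www.example.com", r"CORP\jdoe"),
    # Lower-case system path: must still be treated as System32.
    DnsQueryEvent("WS04", r"c:\windows\system32\svchost.exe",
                  "definitionupdates.microsoft.com", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for key, n in aggregate(SAMPLE_EVENTS).items():
        print(key, n)
```

Run with the filter disabled (`aggregate(SAMPLE_EVENTS, apply_filter=False)`) to see the third-party updater surface as a hit; that is the false positive the page describes, and the allowlist entry is the kind of tuning the filter macro is meant to carry. Note that the path globs are anchored on a trailing backslash, so a sibling directory such as `System32Evil` does not slip through the exclusion.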