Techniques
Sample rules
Windows Non-System Process Querying Definition Update
- source: splunk
- techniques:
Description
Detects Sysmon DNS query events (Event ID 22) for definitionupdates.microsoft.com, the host from which Windows Defender (WD) pulls its definition updates, when the querying process is not a Windows system or Defender component. The go.microsoft.com fwlink redirect used for WD update downloads is the related path; note that the search as written keys only on the definitionupdates.microsoft.com name. BlueHammer utilizes these definition updates as part of its exploit chain.
Detection logic
`sysmon` EventID="22" QueryName="*definitionupdates.microsoft.com*"
  NOT Image IN (
    "*:\\Program Files\\Microsoft Office\\*",
    "*:\\Program Files\\Windows Defender\\*",
    "*:\\ProgramData\\Microsoft\\Windows Defender\\*",
    "*:\\Windows\\System32\\*",
    "*:\\Windows\\SysWOW64\\*"
  )
| stats count min(_time) as firstTime max(_time) as lastTime BY answer answer_count dvc Computer process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename Computer as dest
| `windows_non_system_process_querying_definition_update_filter`
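The filter above replayed offline, as an added example that is not part of the Splunk rule or its security-content repository. It mirrors the SPL predicate (Event ID 22, the QueryName wildcard, the NOT Image IN allow-list with Splunk's case-insensitive matching) and the stats aggregation over constructed Sysmon Event ID 22 records. The host name WS01, the user CORP\alice, the loader.exe path and the timestamps are all constructed for illustration; one record uses the go.microsoft.com name to show that the search as written does not match it.

```python
"""Offline replay of the Sysmon Event ID 22 detection logic over constructed records.

Added example, not Splunk's own code. Host names, paths and timestamps are made up.
"""
from collections import defaultdict
from datetime import datetime
from fnmatch import fnmatchcase

# Allow-list of image paths from the rule. Splunk's "*" wildcard maps onto
# fnmatch's "*"; both sides are lower-cased to mirror Splunk's case-insensitive
# field comparison.
EXCLUDED_IMAGE_PATTERNS = (
    r"*:\Program Files\Microsoft Office\*",
    r"*:\Program Files\Windows Defender\*",
    r"*:\ProgramData\Microsoft\Windows Defender\*",
    r"*:\Windows\System32\*",
    r"*:\Windows\SysWOW64\*",
)
QUERY_NAME_PATTERN = "*definitionupdates.microsoft.com*"


def _wild(value: str, pattern: str) -> bool:
    """Splunk-style wildcard match: case-insensitive, '*' matches anything."""
    return fnmatchcase(value.lower(), pattern.lower())


def is_excluded_image(image: str) -> bool:
    """True when the querying process runs from an allow-listed system path."""
    return any(_wild(image, p) for p in EXCLUDED_IMAGE_PATTERNS)


def matches_rule(event: dict) -> bool:
    """Mirror of the SPL predicate: EventID=22, QueryName wildcard, NOT Image IN (...)."""
    if str(event.get("EventID")) != "22":
        return False
    if not _wild(event.get("QueryName", ""), QUERY_NAME_PATTERN):
        return False
    return not is_excluded_image(event.get("Image", ""))


def summarize(events):
    """Mirror of `stats count min(_time) max(_time) BY Computer Image QueryName`."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in filter(matches_rule, events):
        key = (ev["Computer"], ev["Image"], ev["QueryName"])
        t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        row = rows[key]
        row["count"] += 1
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
    return dict(rows)


def _ev(time, computer, image, query, event_id=22):
    """Build a minimal Sysmon-shaped record (constructed sample data)."""
    return {"EventID": event_id, "UtcTime": time, "Computer": computer,
            "Image": image, "QueryName": query, "QueryStatus": "0",
            "User": r"CORP\alice"}


LOADER = r"C:\Users\alice\Downloads\loader.exe"  # hypothetical non-system binary

SAMPLE_EVENTS = [
    # Defender's own updater under an allow-listed path: must not fire.
    _ev("2024-05-01 09:00:00.000", "WS01",
        r"C:\Program Files\Windows Defender\MpCmdRun.exe", "definitionupdates.microsoft.com"),
    # svchost under System32, lower-cased path: still allow-listed.
    _ev("2024-05-01 09:00:01.000", "WS01",
        r"c:\windows\system32\svchost.exe", "definitionupdates.microsoft.com"),
    # Binary in a user profile resolving the definition-update host: fires twice.
    _ev("2024-05-01 09:05:00.000", "WS01", LOADER, "definitionupdates.microsoft.com"),
    _ev("2024-05-01 09:07:30.000", "WS01", LOADER, "definitionupdates.microsoft.com"),
    # Same process, fwlink redirect host: not covered by the QueryName pattern as written.
    _ev("2024-05-01 09:07:31.000", "WS01", LOADER, "go.microsoft.com"),
    # Process-create event (ID 1) with no QueryName: dropped by the EventID test.
    _ev("2024-05-01 09:04:59.000", "WS01", LOADER, "", event_id=1),
]


if __name__ == "__main__":
    for key, row in summarize(SAMPLE_EVENTS).items():
        computer, image, query = key
        print(f"{computer} {image} -> {query}: count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']}")
```

Running the block prints one aggregated row for loader.exe with a count of 2; the Defender and svchost records are suppressed by the path allow-list, and the go.microsoft.com lookup from the same process is silently passed, which is the gap to keep in mind if the description's second host matters in your environment.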