Originally published on Medium.
Another article explaining my GitHub queries that I build for MS products (MS Defender & Azure Sentinel).
This query can be used as part of threat hunting. In future posts I will cover queries and write-ups that explain how to form a threat hunting methodology.
Use case Name: Remote Services: Detect Hidden Windows Runs
Description: Monitor processes and command-line arguments for actions indicative of hidden windows.
MITRE Technique: https://attack.mitre.org/techniques/T1564/003/
MITRE Tactic: Defense Evasion
Hunting Query:
search in (DeviceEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceFileEvents)
"-WindowStyle Hidden" or "-w hidden" or "-W Hidden" or "-windowstyle hidden" or "ProcessWindowStyle.Hidden"
| where InitiatingProcessParentFileName == 'powershell.exe' and isnotempty(ProcessCommandLine)
| where InitiatingProcessCommandLine !contains "C:\\WINDOWS\\ccmcache\\"
and InitiatingProcessCommandLine !contains @"\AppDeployToolkit\"
Query Explanation:
search in (DeviceEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceFileEvents)
We search across the device event tables, which can contain command lines and process trees.
"-WindowStyle Hidden" or "-w hidden" or "-W Hidden" or "-windowstyle hidden" or "ProcessWindowStyle.Hidden"
We search for strings that, when passed as command-line arguments, indicate that a window is being hidden.
| where InitiatingProcessParentFileName == 'powershell.exe' and isnotempty(ProcessCommandLine)
Exclude events with an empty command line and keep only those where the parent of the initiating process is “powershell.exe”.
| where InitiatingProcessCommandLine !contains "C:\\WINDOWS\\ccmcache\\" and InitiatingProcessCommandLine !contains @"\AppDeployToolkit\"
The last step, the exclusion, depends on the findings, which vary with the environment/organization where the query is run. I have excluded “ccmcache”, which removes all SCCM-related executions, and AppDeployToolkit, which is likewise responsible for software installations on computers.
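To make the three stages of the query easier to reason about, here is an added example (not from the original post or its GitHub repository) that re-implements the same filtering logic in Python and runs it over a few constructed DeviceProcessEvents-style records. The field names mirror the Defender schema columns the query uses; the sample events, device name and file paths are made up. It also reproduces the case-sensitivity rules of the KQL operators involved: search and !contains are case-insensitive, while == on strings is case-sensitive.

```python
"""Python re-implementation of the hidden-window hunting query (added example).

Each stage of the KQL query maps to one function below, so a record can be
classified by the stage that drops it. The sample events are constructed,
not real telemetry.
"""

# Indicator strings from the `search` stage of the query.
HIDDEN_WINDOW_INDICATORS = [
    "-WindowStyle Hidden",
    "-w hidden",
    "-W Hidden",
    "-windowstyle hidden",
    "ProcessWindowStyle.Hidden",
]

# Exclusions from the final `where` stage. Written as normal (non-raw)
# Python strings so "\\" yields one literal backslash, exactly as the
# KQL literal "C:\\WINDOWS\\ccmcache\\" does.
EXCLUDED_INITIATOR_PATHS = [
    "C:\\WINDOWS\\ccmcache\\",
    "\\AppDeployToolkit\\",
]


def matches_hidden_window(record):
    """Stage 1, the `search` predicate.

    KQL `search` scans every column of the row and is case-insensitive,
    so every string-valued field is checked after lowercasing both sides.
    """
    for value in record.values():
        if isinstance(value, str):
            low = value.lower()
            if any(ind.lower() in low for ind in HIDDEN_WINDOW_INDICATORS):
                return True
    return False


def parent_is_powershell(record):
    """Stage 2: InitiatingProcessParentFileName == 'powershell.exe'
    and isnotempty(ProcessCommandLine).

    KQL `==` on strings is case-sensitive, so the comparison is exact here
    too (a parent logged as "PowerShell.exe" would not match).
    """
    return (record.get("InitiatingProcessParentFileName") == "powershell.exe"
            and bool(record.get("ProcessCommandLine")))


def is_excluded_initiator(record):
    """Stage 3: drop known installer frameworks (SCCM cache, AppDeployToolkit).

    KQL `!contains` is case-insensitive, so a lowercase "c:\\windows\\ccmcache\\"
    path is excluded just the same.
    """
    cmd = (record.get("InitiatingProcessCommandLine") or "").lower()
    return any(p.lower() in cmd for p in EXCLUDED_INITIATOR_PATHS)


def classify(record):
    """Return which stage drops the record, or "hit" if it survives all three."""
    if not matches_hidden_window(record):
        return "no-indicator"
    if not parent_is_powershell(record):
        return "parent-not-powershell"
    if is_excluded_initiator(record):
        return "excluded-initiator"
    return "hit"


def hunt(records):
    """Apply the query's stages in order and return the surviving records."""
    return [r for r in records if classify(r) == "hit"]


# Constructed sample events. Only "Id" is added for labelling; the other
# keys are Defender DeviceProcessEvents column names.
SAMPLE_EVENTS = [
    {   # hidden window, grandparent is powershell.exe, benign-looking initiator: surfaces
        "Id": 1, "DeviceName": "ws01", "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -w hidden -File C:\\Users\\Public\\update.ps1",
        "InitiatingProcessFileName": "cmd.exe",
        "InitiatingProcessCommandLine": "cmd.exe /c run.bat",
        "InitiatingProcessParentFileName": "powershell.exe",
    },
    {   # same indicator, but the initiator ran from the SCCM cache: excluded by stage 3
        "Id": 2, "DeviceName": "ws01", "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -WindowStyle Hidden -File C:\\WINDOWS\\ccmcache\\a1\\post.ps1",
        "InitiatingProcessFileName": "powershell.exe",
        "InitiatingProcessCommandLine": 'powershell.exe -ExecutionPolicy Bypass -File "C:\\WINDOWS\\ccmcache\\a1\\install.ps1"',
        "InitiatingProcessParentFileName": "powershell.exe",
    },
    {   # indicator present, but the grandparent is explorer.exe: dropped by stage 2
        "Id": 3, "DeviceName": "ws02", "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -WindowStyle Hidden -c whoami",
        "InitiatingProcessFileName": "cmd.exe",
        "InitiatingProcessCommandLine": "cmd.exe /c tools.bat",
        "InitiatingProcessParentFileName": "explorer.exe",
    },
    {   # no hidden-window string anywhere: dropped by stage 1
        "Id": 4, "DeviceName": "ws02", "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -NoProfile -File backup.ps1",
        "InitiatingProcessFileName": "cmd.exe",
        "InitiatingProcessCommandLine": "cmd.exe /c run.bat",
        "InitiatingProcessParentFileName": "powershell.exe",
    },
    {   # upper-case indicator and lower-case toolkit path: both matched case-insensitively
        "Id": 5, "DeviceName": "ws03", "FileName": "powershell.exe",
        "ProcessCommandLine": "POWERSHELL.EXE -WINDOWSTYLE HIDDEN -File x.ps1",
        "InitiatingProcessFileName": "powershell.exe",
        "InitiatingProcessCommandLine": "powershell.exe -File C:\\Temp\\Deploy\\appdeploytoolkit\\AppDeployToolkitMain.ps1",
        "InitiatingProcessParentFileName": "powershell.exe",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["Id"], classify(event))
```

Two practical notes fall out of this. Because the parent check uses ==, any environment where the parent file name is logged with different casing would slip past stage 2; the query's own design choice is kept here, but it is worth verifying against your telemetry. And the exclusions are plain substring matches on the initiating command line, so an installer path that sits outside the SCCM cache or the toolkit folder will still surface, which is why the post treats that stage as environment-specific.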
Find the code on GitHub here.