Detect File and Directory Discovery Techniques on Windows using KQL
Hi Medium! Here we are again with a new article about Sentinel in our series. Today we will talk about how to use Atomic Red to run Discovery techniques, and how to use KQL to detect File and Directory Discovery techniques. I will have more articles on the same topic, so stay tuned 😊
This article will cover the following:
What is Atomic Red?
What is KQL in Sentinel?
My Setup
What we will do?
File and Directory Discovery T1083
Why it is important to track File and Directory Discovery
Atomic Red Test Simulation
Detect Atomic Test #1 — File and Directory Discovery (cmd.exe)
Detect Atomic Test #2 — File and Directory Discovery (PowerShell)
Conclusion
What is Atomic Red?
Atomic Red Team is a library of tests that every security team can execute to simulate adversarial activity and validate their defenses. For more details on how to use it you can check my previous article: Simulate Discovery Techniques on Windows via Atomic Red
What is KQL in Sentinel?
Kusto Query Language is the language you will use to work with and manipulate data in Microsoft Sentinel. The logs you feed into your workspace aren’t worth much if you can’t analyze them and get the important information hidden in all that data. — More
My Setup
My setup is all hosted on Azure cloud, where I have one machine to simulate attacks on and Sentinel to collect its logs. You can follow these articles to reproduce the same setup:
What we will do?
In this article and the next ones, I will share how you can detect those techniques in Sentinel. The same KQL I am sharing can be used to create alerts in your Sentinel to detect future threats; see the following article on creating alerts in Sentinel: Detect and Alert on Sentinel
File and Directory Discovery T1083
It is always important to know where you are, and the same holds for the attacker: they need to know where they are and where they can go, by discovering the available files, directories and shares, which may be hosted elsewhere (on other machines in the network or in the cloud).
Per MITRE's definition:
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Why it is important to track File and Directory Discovery
It is important to detect when files and directories are modified, for example if an attacker tries to change specific configuration files or libraries, especially in a production environment where we do not expect such changes.
When it comes to discovery, this detection will raise a lot of false positives, especially because developers frequently run those commands to list where they are and where they can go, and we do not want such an excessive number of alerts and warnings in our SOC.
From my experience, this detection helps in specific scenarios where we do not expect user or developer activity; it is most applicable when we have containers in production and do not expect any changes.
Atomic Red Test Simulation
As with the other techniques, we execute our command followed by the technique reference:
PS> Invoke-AtomicTest T1083
Detect Atomic Test #1 — File and Directory Discovery (cmd.exe)
This is basically the common set of commands that can be run at the CMD level to discover files and directories. For more details on the commands that are run, you can check this Link.
Code:
I kept my detection very simple, limited to the commands that are used to list files and directories on Windows. I advise focusing on specific directories if you would like to avoid false positives:
Sysmon_Event_Parser
// keep the command line when it contains one of the listing commands
// (contains is a case-insensitive substring match, so it also hits words such as "redirect")
| extend process = case(process_command_line contains "dir", process_command_line,
                        process_command_line contains "tree", process_command_line,
                        "")
| where isnotempty(process)
Output:
Detect Atomic Test #2 — File and Directory Discovery (PowerShell)
Same approach as the previous one, but now from PowerShell; you can find more details at the following Link
Code:
Sysmon_Event_Parser
// keep the command line when it contains one of the PowerShell listing cmdlets or aliases
// (contains is a case-insensitive substring match, so "ls" also hits words such as "tools")
| extend process = case(process_command_line contains "ls", process_command_line,
                        process_command_line contains "get-childitem", process_command_line,
                        process_command_line contains "gci", process_command_line,
                        "")
| where isnotempty(process)
Output:
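Both queries above match substrings, so "dir" also fires on a command line containing "redirect" and "ls" on one containing "tools". The query below is an added example, not the article's own, that combines Atomic Test #1 and #2 into one detection with whole-word matching and the directory scoping the article recommends; it assumes Sysmon_Event_Parser also exposes TimeGenerated, Computer and User, and the watched paths are placeholders to replace with your own.

```kql
// Added example, not the article's query. Assumes Sysmon_Event_Parser exposes
// TimeGenerated, Computer and User in addition to process_command_line; the
// watched paths are placeholders for directories nobody should browse by hand.
Sysmon_Event_Parser
| where isnotempty(process_command_line)
// Pull the listing keyword as a whole word: "redirect" no longer matches "dir",
// "tools" no longer matches "ls". Covers atomic #1 (dir, tree) and #2 (ls, gci, Get-ChildItem).
| extend keyword = tolower(extract(@"(?i)\b(dir|tree|ls|gci|get-childitem)\b", 1, process_command_line))
| where isnotempty(keyword)
// The article's advice: only keep listings that touch directories where discovery is unexpected
| where process_command_line matches regex @"(?i)(C:\\Windows\\System32|C:\\inetpub|C:\\ProgramData)"
// Bucket by host, user and ten-minute window: several listings in a short burst is the
// enumeration pattern, while a single one is usually an admin or developer looking around
| summarize Count = count(),
            Keywords = make_set(keyword),
            Commands = make_set(process_command_line, 10)
            by Computer, User, bin(TimeGenerated, 10m)
| where Count >= 3
| order by Count desc
```

Lower the Count threshold or widen the bin when tuning against your own environment; the watched-path filter is what keeps developer activity out of the results.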
Conclusion
In this article, we showed how we can detect file and directory discovery techniques using KQL. Stay tuned for the rest of the techniques in the articles that will follow.
I hope that you enjoyed the article, please let me know if there is something to improve or to change in the comment section 😏
Useful Links
- Red Canary provided a nice explanation of detection here and here
- Atomic Red Team
- Azure Docs Github
- Useful Hunting Queries
Connect with me for more details LinkedIn