MICROSOFT SENTINEL | MALWARE

Malware Family KQL Queries — Week of 2023-07-24

KQL queries to detect SmokeLoader malware

Aaron Hoffmann
ReversingLabs Integrations



Welcome to our 2023-07-24 edition of malware family indicators and detection queries for Microsoft Sentinel! This week we're looking at SmokeLoader, a fairly standard downloader. Note that this is not a full malware analysis write-up but a focused look at ways Microsoft Sentinel users can detect activity associated with it.

We’re releasing malware family content for Microsoft Sentinel users each week. Sign up to be notified when we release new content here: https://www.reversinglabs.com/threat-intel-weekly-newsletter-sign-up

SmokeLoader overview

SmokeLoader (also tracked as Dofoil) has been active since at least 2014. It is primarily used to download and run other malware. Like other loaders, it generally arrives via phishing, usually as a malicious attachment. Beyond its loader role, SmokeLoader supports optional plugins, including a keylogger, a file-search module, and a DDoS module. It deliberately avoids infecting Russian systems. As of 2023, SmokeLoader continues to pose a significant threat.

Infection chain

Detection opportunities

Initial stage

Like most other loader families, the infection starts with phishing. Typically a Microsoft Word or Excel document is opened that either runs embedded macros or exploits a vulnerability in Microsoft Office, and the resulting code downloads SmokeLoader.

T1204.002: Malicious File

Malicious documents used to deliver SmokeLoader may exploit vulnerabilities in Microsoft Office. For example, recent samples have been seen exploiting CVE-2017-11882, a memory corruption bug that allows code execution in the Equation Editor component (EQNEDT32.EXE). Equation Editor has no legitimate reason to start an executable out of a user's Temp folder, so use this KQL query to identify processes launched by it:

// description: SmokeLoader has been seen exploiting CVE-2017-11882; flag executables launched by Equation Editor out of a user's Temp folder
let TempExeRegex = @"(?i)C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\.*\.exe";
DeviceProcessEvents
| where InitiatingProcessFileName =~ "EQNEDT32.EXE"
| where ProcessCommandLine matches regex TempExeRegex or FolderPath matches regex TempExeRegex
| union
(SysmonParser
| where EventID == 1
| where ParentImage endswith "EQNEDT32.EXE"
| where CommandLine matches regex TempExeRegex),
(SecurityEvent
| where EventID == 4688
| where ParentProcessName endswith "EQNEDT32.EXE"
| where CommandLine matches regex TempExeRegex)

Download/installation stage

Once the macros in the malicious document run (or the exploit fires), the first stage reaches out to download the second stage. SmokeLoader may also set up persistence at this point, for example by creating a scheduled task.

T1053.005: Scheduled Task

SmokeLoader attempts to persist by creating a scheduled task whose action (/TR) points back at its own executable under AppData\Local:

Scheduled task created by Smoke Loader

This query identifies new schtasks.exe processes that were launched from a user's AppData\Local folder and that register a task whose /TR target is the launching executable itself:

// description: identifies schtasks.exe launched from AppData\Local that creates a task pointing back at its own parent executable
// note: the extract() pattern assumes the /TR path is quoted; loosen it if your samples pass it unquoted
let SmokeLoaderRegex = @"(?i)C:\\Users\\[^\\]+\\AppData\\Local\\(Temp|[0-9a-z-]+)\\.*";
let TaskRunRegex = @'(?i)/TR\s+"([^"]+)"';
DeviceProcessEvents
| where FileName =~ "schtasks.exe"
| where InitiatingProcessFolderPath matches regex SmokeLoaderRegex
| where ProcessCommandLine contains "/create"
| extend TaskRun = extract(TaskRunRegex, 1, ProcessCommandLine)
| where TaskRun =~ InitiatingProcessFolderPath
| union
(SysmonParser
| where EventID == 1
| where CommandLine has "schtasks"
| where ParentImage matches regex SmokeLoaderRegex
| extend TaskRun = extract(TaskRunRegex, 1, CommandLine)
| where TaskRun =~ ParentImage),
(SecurityEvent
| where EventID == 4688
| where Process =~ "schtasks.exe"
| where ParentProcessName matches regex SmokeLoaderRegex
| extend TaskRun = extract(TaskRunRegex, 1, CommandLine)
| where TaskRun =~ ParentProcessName)

Delivery/execution stage

The delivery/execution stage sees the introduction of the plugins used by Smoke Loader. These will generally be executable files that perform different tasks. The samples used for this post ultimately resulted in Stop/DJVU ransomware deployment.

T1105: Ingress Tool Transfer

Several plugins are typically downloaded and written to %LOCALAPPDATA% (AppData\Local), each under a randomly generated folder and file name:

Plugin directories created by Smoke Loader

This KQL query flags file-creation events for executables written to those locations, which may correspond to SmokeLoader retrieving its plugins. The folder-name pattern is deliberately broad (any run of letters, digits and hyphens directly below AppData\Local), so legitimate per-user installers will also surface; baseline them and add exclusions before alerting on it:

// description: 20230724 - SmokeLoader file creation events: new .exe files under AppData\Local\Temp or a random folder directly below AppData\Local
let SmokeLoaderRegex = @"(?i)C:\\Users\\[^\\]+\\AppData\\Local\\(Temp|[0-9a-z-]+)\\.*\.exe";
DeviceFileEvents
| where ActionType == "FileCreated"
| where InitiatingProcessFolderPath matches regex SmokeLoaderRegex or FolderPath matches regex SmokeLoaderRegex
| union
(SysmonParser
| where EventID == 11
| where TargetFilename matches regex SmokeLoaderRegex)
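The three detections above (the Equation Editor child process, the self-referencing scheduled task, and the plugin file drop) are easier to reason about and unit-test outside of Sentinel. The following is an added Python example, not code from this post or from the ReversingLabs repository, that reimplements the same logic over constructed Sysmon-style records. It assumes event dictionaries with Sysmon field names (parent_image, image, command_line, target_filename), and the BENIGN_LOCAL_DIRS allow-list is an assumed starting point rather than anything the samples showed. It goes a little beyond the KQL: the /TR extraction accepts quoted or unquoted paths in any switch order, and the allow-list suppresses the per-user installer folders the broad regex otherwise catches.

```python
import re

# Staging path used by the samples behind this post: an .exe under %LOCALAPPDATA%\Temp or a
# randomly named folder directly below %LOCALAPPDATA%. Same shape as the KQL SmokeLoaderRegex.
STAGED_EXE = re.compile(
    r"(?i)^C:\\Users\\[^\\]+\\AppData\\Local\\(?:Temp|[0-9a-z-]+)\\.*\.exe$"
)
# Folders directly below AppData\Local that match the pattern but hold legitimate per-user
# installs. Assumed for this example; replace with your own baseline.
BENIGN_LOCAL_DIRS = {"microsoft", "programs", "google"}
# /TR value, quoted or unquoted, in any position and any case.
TASK_RUN = re.compile(r'(?i)/TR\s+(?:"([^"]*)"|(\S+))')


def first_local_dir(path):
    """Folder directly below AppData\\Local, lower-cased, or None if the path is elsewhere."""
    m = re.match(r"(?i)^C:\\Users\\[^\\]+\\AppData\\Local\\([^\\]+)\\", path)
    return m.group(1).lower() if m else None


def is_staged_path(path):
    """True for an executable in the staging pattern whose top folder is not allow-listed."""
    return bool(STAGED_EXE.match(path)) and first_local_dir(path) not in BENIGN_LOCAL_DIRS


def task_run_target(command_line):
    """Lower-cased /TR value of a schtasks command line, or None when absent."""
    m = TASK_RUN.search(command_line)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).lower()


def equation_editor_spawn(ev):
    """T1204.002: Equation Editor (EQNEDT32.EXE) starting an executable from the staging path."""
    return ev["parent_image"].lower().endswith("\\eqnedt32.exe") and is_staged_path(ev["image"])


def self_persisting_schtask(ev):
    """T1053.005: schtasks /Create run from a staged .exe whose /TR points back at that parent."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return False
    if not re.search(r"(?i)/create\b", ev["command_line"]):
        return False
    if not is_staged_path(ev["parent_image"]):
        return False
    return task_run_target(ev["command_line"]) == ev["parent_image"].lower()


def plugin_drop(ev):
    """T1105: a file-create event for an executable landing in the staging path."""
    return is_staged_path(ev["target_filename"])


# Sysmon event ID -> (label, rule) pairs, mirroring the three KQL queries above.
RULES = {
    1: [("T1204.002 EQNEDT32 spawned staged exe", equation_editor_spawn),
        ("T1053.005 schtasks re-runs its own parent", self_persisting_schtask)],
    11: [("T1105 exe dropped under AppData\\Local", plugin_drop)],
}


def triage(events):
    """Return (event id, rule label) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for label, rule in RULES.get(ev["event_id"], []):
            if rule(ev):
                hits.append((ev["id"], label))
    return hits


# Constructed sample records (Sysmon EID 1 = process create, EID 11 = file create).
SAMPLE_EVENTS = [
    {"id": "e1", "event_id": 1,  # Equation Editor launching a dropped exe from Temp: hit
     "parent_image": r"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\qwerty.exe",
     "command_line": r"C:\Users\alice\AppData\Local\Temp\qwerty.exe"},
    {"id": "e2", "event_id": 1,  # Word itself as parent, no Equation Editor: no hit
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\qwerty.exe",
     "command_line": r"C:\Users\alice\AppData\Local\Temp\qwerty.exe"},
    {"id": "e3", "event_id": 1,  # quoted /TR pointing back at the staged parent: hit
     "parent_image": r"C:\Users\alice\AppData\Local\ffaeb\bgecdav.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN "Updater" /TR "C:\Users\alice\AppData\Local\ffaeb\bgecdav.exe" /F'},
    {"id": "e4", "event_id": 1,  # unquoted /tr, reordered switches, mixed-case parent path: still a hit
     "parent_image": r"C:\Users\Alice\AppData\Local\Temp\upd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks.exe /create /tn upd /tr C:\Users\alice\AppData\Local\Temp\upd.exe /sc onlogon"},
    {"id": "e5", "event_id": 1,  # per-user installer registering its own updater: allow-listed
     "parent_image": r"C:\Users\alice\AppData\Local\Programs\Editor\editor.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /Create /SC DAILY /TN "EditorUpdate" /TR "C:\Users\alice\AppData\Local\Programs\Editor\editor.exe" /F'},
    {"id": "e6", "event_id": 11,  # plugin written to a random folder under AppData\Local: hit
     "target_filename": r"C:\Users\alice\AppData\Local\2c1f-9e\a3d.exe"},
    {"id": "e7", "event_id": 11,  # Teams self-update matches the raw regex but is allow-listed
     "target_filename": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"},
]

if __name__ == "__main__":
    for event_id, label in triage(SAMPLE_EVENTS):
        print(event_id, label)
```

Running the script reports e1, e3, e4 and e6. Record e4 is the one worth noting: the KQL above would miss it because its extract() pattern expects a quoted /TR followed by /F, and the case-sensitive `==` comparison in the Sysmon and SecurityEvent branches would fail on the mixed-case parent path. Record e7 shows why the allow-list (or an equivalent exclusion in the Sentinel query) is needed before the file-creation rule is used for alerting.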

Conclusion

This post provided a few examples of KQL queries that Microsoft Sentinel users can implement to check their environment for signs of Smoke Loader malware activity. The MITRE ATT&CK techniques covered here include:

  • T1204.002: Malicious File
  • T1053.005: Scheduled Task
  • T1105: Ingress Tool Transfer

Be sure to check out the GitHub repository with all of our malware family indicators and queries for Microsoft Sentinel here:


Information security professional specialized in developing content for SIEM/SOAR platforms. SOAR Architect @ ReversingLabs