When working with Advanced Hunting in Defender ATP, you tend to always want to update your queries as you learn. You will probably also notice that sometimes your query wasn’t broad enough or all information was not available at the time. And sometimes you just want to make it look better for others to use in a shared environment.
We have updated the Squirrel hunting query to adjust to more parameters which can be used. we simple remove the check for a parameter and focus on the http part instead.
There are also some legit domains which are used by some of the applications, slack and discord to mention some of them.
ProcessCreationEvents | where (ProcessCommandLine has "update.exe") or (ProcessCommandLine has "squirrel.exe") | where (ProcessCommandLine contains "http") | extend URL=extract(@"((http:|https:)+[^\s]+[\w])", 1, ProcessCommandLine) | where URL !in ("https://slack.com/desktop/update/windows_x64", "https://discordapp.com/api/updates/stable") | sort by EventTime desc | project EventTime, ComputerName, URL, FolderPath, ProcessCommandLine, AccountName, InitiatingProcessCommandLine, ReportId, ProcessId, InitiatingProcessId
Pingback: Hunt for nuget/Squirrel update vulnerability – SEC-LABS R&D