Hunt for nuget/Squirrel update vulnerability
A few days ago, a post on medium stated that an arbitrary code execution was possible in Squirrel which affected Teams and other applications which used Squirrel and Nuget for updates.
In the post, Teams is mentioned as example but other affected application were mentioned on twitter.
So, to see what our environment is up to with regards to this. Our favorite place to go to: Defender ATP – Advanced Hunting!
To explain the query, since there are other apps than teams which uses Squirrel, we aim to keep the query as broad as we can.
Since some applications uses Squirrel and web for updates we can’t simply say that all web requests are malicious. But we have done some verification and discovered many apps vulnerable to this.
To make it more easy to overview we’re adding the URL to a column
To continue this we can count unique URL’s to find anomalies
Edit: An Updated Query can be found on the link below here http://blog.sec-labs.com/2019/07/advanced-hunting-defender-atp-squirrel/
ProcessCreationEvents
| where ProcessCommandLine has "update.exe"
| where (ProcessCommandLine contains "http") and (ProcessCommandLine contains "--update")
| extend exeURL = case(ProcessCommandLine has "=",split(ProcessCommandLine, "=", 1),
ProcessCommandLine !has "=", split(ProcessCommandLine, "--update ",1),
"Default")
| where exeURL != "Default"
| sort by EventTime desc
|project EventTime,
ComputerName,
exeURL,
FolderPath,
ProcessCommandLine,
AccountName,
InitiatingProcessCommandLine,
ReportId,
ProcessId,
InitiatingProcessId
Defender Application Control would definitely block this attack and other mitigations in operating system will harden the clients in your environment.
Happy Hunting!