Adversaries may be leveraging compromised ASUS update domains to download malicious payloads, indicating potential supply chain compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate ShadowHammer-like supply chain attacks targeting enterprise systems.
KQL Query
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl == "asushotfix.com" or RemoteIP == "141.105.71.116"
id: 1217e1fd-ebbb-4fdc-8b18-81be69876b3a
name: check-for-shadowhammer-activity-download-domain
description: |
  This query was originally published in the threat analytics report "ShadowHammer supply chain attack".
  Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November 2018. ASUS has since responded with updates that protect their Live Update system, and with diagnostic tools to check affected systems.
  The following query checks for activity associated with the ShadowHammer download domain over the past 30 days.
  References:
  https://www.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers
  https://www.asus.com/News/hqfgVUyZ6uyAyJe1
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Command and control
query: |
  DeviceNetworkEvents
  | where Timestamp > ago(30d)
  | where RemoteUrl == "asushotfix.com" or RemoteIP == "141.105.71.116"
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update via ASUS Live Update Tool
Description: An administrator is performing a routine system update using the ASUS Live Update Tool, which is a legitimate tool for updating ASUS hardware firmware.
Filter/Exclusion: Exclude processes initiated by the ASUS Live Update Tool (asusliveupdate.exe) or signed by ASUS’s trusted certificate.

Scenario: Scheduled maintenance job for firmware updates
Description: A scheduled job runs nightly to check for and apply firmware updates to ASUS devices, which is a standard practice in enterprise environments.
Filter/Exclusion: Exclude processes associated with scheduled tasks that match known enterprise update schedules or use the ASUS firmware update API.

Scenario: Admin using Windows Task Scheduler to manage device updates
Description: An administrator uses the Windows Task Scheduler to automate firmware updates on ASUS devices, which is a common administrative task.
Filter/Exclusion: Exclude tasks that are created or modified by the Windows Task Scheduler and are associated with known enterprise update management tools.

Scenario: Legitimate domain access for internal monitoring tools
Description: A monitoring tool or SIEM system is accessing a domain associated with ASUS for telemetry or compatibility checks, which is a normal part of system diagnostics.
Filter/Exclusion: Exclude domains that are whitelisted for internal monitoring tools or are known to be used by enterprise diagnostic and management systems.

Scenario: User downloading ASUS firmware from a trusted internal repository
Description: A user is downloading ASUS firmware from a company-approved internal repository for testing or deployment purposes.
Filter/Exclusion: Exclude domains that are part of the organization’s internal infrastructure or are signed by internal CA certificates.
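As an added triage example (not part of the original rule), the hunting query above is extended so that it also matches subdomains of the download domain and summarizes hits by device and initiating process, giving analysts the binary, path, account and hash behind each connection instead of a bare event list. Because ShadowHammer was delivered through ASUS's own update tooling, the example deliberately keeps the updater process visible for review rather than excluding it; all column names are the standard DeviceNetworkEvents schema.

```kql
// Indicators from the original rule; the lookback window is a single parameter
let lookback = 30d;
let shadowhammer_domain = "asushotfix.com";
let shadowhammer_ip = "141.105.71.116";
DeviceNetworkEvents
| where Timestamp > ago(lookback)
// Exact match on the domain, any subdomain of it, or the known IP
| where RemoteUrl =~ shadowhammer_domain
    or RemoteUrl endswith strcat(".", shadowhammer_domain)
    or RemoteIP == shadowhammer_ip
// One row per device and initiating binary, with first/last seen and hit count
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Connections = count(),
    RemoteUrls = make_set(RemoteUrl),
    RemoteIPs = make_set(RemoteIP),
    RemotePorts = make_set(RemotePort)
    by DeviceName,
       InitiatingProcessFileName,
       InitiatingProcessFolderPath,
       InitiatingProcessSHA256,
       InitiatingProcessAccountName
// Devices with the most contact to the download infrastructure first
| order by Connections desc, LastSeen desc
```

The InitiatingProcessSHA256 column lets a responder compare the contacting binary against the hashes of the clean ASUS Live Update release rather than trusting the file name alone.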