Adversaries may be leveraging compromised ASUS update mechanisms to deploy malicious payloads, indicating potential supply chain compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate ShadowHammer-like supply chain attacks before they cause widespread damage.
KQL Query

```kusto
// Event types that may be associated with the implant or container
union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceImageLoadEvents
| where Timestamp > ago(30d)
// File SHAs for implant and container
| where InitiatingProcessSHA1 in ("e01c1047001206c52c87b8197d772db2a1d3b7b4",
    "e005c58331eb7db04782fdf9089111979ce1406f", "69c08086c164e58a6d0398b0ffdcb957930b4cf2")
```
```yaml
id: fb6f89ae-4af3-4c37-8f12-d719e882e8a5
name: check-for-shadowhammer-activity-implant
description: |
  This query was originally published in the threat analytics report, ShadowHammer supply chain attack.
  Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems.
  The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days.
  References:
  https://www.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers
  https://www.asus.com/News/hqfgVUyZ6uyAyJe1
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
      - DeviceNetworkEvents
      - DeviceFileEvents
      - DeviceImageLoadEvents
tactics:
  - Execution
  - Persistence
  - Command and control
query: |
  // Event types that may be associated with the implant or container
  union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceImageLoadEvents
  | where Timestamp > ago(30d)
  // File SHAs for implant and container
  | where InitiatingProcessSHA1 in ("e01c1047001206c52c87b8197d772db2a1d3b7b4",
      "e005c58331eb7db04782fdf9089111979ce1406f", "69c08086c164e58a6d0398b0ffdcb957930b4cf2")
```
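The hunting query above is a union of four advanced-hunting tables, a 30-day time window and an IoC hash match on `InitiatingProcessSHA1`. The following Python is an added example, not part of the Sentinel query or of Microsoft's tooling, that re-implements that logic offline so the matching rules can be checked against constructed sample events before the query is run in a workspace. The three SHA-1 values are the ones from the query on this page; the device names, timestamps and the benign `svchost.exe` hash are constructed for the example.

```python
"""
Offline re-implementation of the ShadowHammer hunting query on this page.
Added example code: the event records below are constructed, not telemetry.
"""
from datetime import datetime, timedelta, timezone

# SHA-1 hashes of the ShadowHammer implant/container, taken from the query above.
SHADOWHAMMER_SHA1 = {
    "e01c1047001206c52c87b8197d772db2a1d3b7b4",
    "e005c58331eb7db04782fdf9089111979ce1406f",
    "69c08086c164e58a6d0398b0ffdcb957930b4cf2",
}

# The four tables the query unions. Each sample event carries its source
# table so the analyst can see which telemetry surfaced the hit.
ADVANCED_HUNTING_TABLES = (
    "DeviceProcessEvents",
    "DeviceNetworkEvents",
    "DeviceFileEvents",
    "DeviceImageLoadEvents",
)


def hunt_shadowhammer(events, now=None, lookback_days=30, iocs=SHADOWHAMMER_SHA1):
    """Mirror of: union <tables> | where Timestamp > ago(30d)
    | where InitiatingProcessSHA1 in (<iocs>).

    Returns matching events newest first. The hash comparison is
    case-insensitive because other tools often export SHA-1 in upper case
    and a case mismatch would silently drop true positives.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=lookback_days)
    normalized = {h.lower() for h in iocs}
    hits = []
    for ev in events:
        if ev["Table"] not in ADVANCED_HUNTING_TABLES:
            continue  # not one of the unioned tables
        if ev["Timestamp"] <= cutoff:
            continue  # outside the ago(30d) window
        sha1 = (ev.get("InitiatingProcessSHA1") or "").lower()
        if sha1 in normalized:
            hits.append(ev)
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


def summarize_by_device(hits):
    """Count hits per (DeviceName, Table): the pivot an analyst takes next
    to see which hosts ran the implant and what it touched."""
    summary = {}
    for ev in hits:
        key = (ev["DeviceName"], ev["Table"])
        summary[key] = summary.get(key, 0) + 1
    return summary


# Constructed sample events (hypothetical hosts and times). They cover an
# in-window hit in two tables, a stale hit outside the window, and a benign
# process whose hash is not an IoC.
NOW = datetime(2019, 4, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"Table": "DeviceProcessEvents", "Timestamp": NOW - timedelta(days=2),
     "DeviceName": "ws-0042", "InitiatingProcessFileName": "setup.exe",
     "InitiatingProcessSHA1": "E01C1047001206C52C87B8197D772DB2A1D3B7B4"},
    {"Table": "DeviceNetworkEvents", "Timestamp": NOW - timedelta(days=1),
     "DeviceName": "ws-0042", "InitiatingProcessFileName": "setup.exe",
     "InitiatingProcessSHA1": "e005c58331eb7db04782fdf9089111979ce1406f"},
    {"Table": "DeviceFileEvents", "Timestamp": NOW - timedelta(days=45),
     "DeviceName": "ws-0007", "InitiatingProcessFileName": "setup.exe",
     "InitiatingProcessSHA1": "69c08086c164e58a6d0398b0ffdcb957930b4cf2"},
    {"Table": "DeviceImageLoadEvents", "Timestamp": NOW - timedelta(hours=3),
     "DeviceName": "ws-0101", "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessSHA1": "0000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for hit in hunt_shadowhammer(SAMPLE_EVENTS, now=NOW):
        print(hit["Timestamp"].isoformat(), hit["Table"], hit["DeviceName"],
              hit["InitiatingProcessFileName"], hit["InitiatingProcessSHA1"])
```

Two points the offline run makes visible. First, the query only matches the hash of the process that initiated an event; a copy of the implant that has been written to disk but not yet executed appears in `DeviceFileEvents` under the file's own `SHA1` column, not `InitiatingProcessSHA1`, so a second clause on that column is worth adding when hunting for staged-but-unrun payloads. Second, because `ago(30d)` is evaluated at query time, a stale hit like the 45-day-old one in the sample set is dropped; widen `lookback_days` (or the `ago()` argument in KQL) when the compromise window is older than the default.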
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceImageLoadEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
**Scenario:** Legitimate System Update via ASUS Update Tool
**Description:** An administrator is performing a routine system update using the official ASUS update tool (`asus_update.exe`), which is known to be used in legitimate update processes.
**Filter/Exclusion:** Exclude processes where the executable path contains `asus_update.exe` and the parent process is a known system update service or task scheduler job.

**Scenario:** Scheduled Job for Firmware Update
**Description:** A scheduled job is running to update firmware on ASUS hardware, which is a common administrative task in enterprise environments.
**Filter/Exclusion:** Exclude events where the process is initiated by a scheduled task with a name containing "ASUS Firmware Update" or similar, and the command line includes known firmware update parameters.

**Scenario:** Admin Performing Malware Scan with Windows Defender
**Description:** A system administrator is running a malware scan using Windows Defender, which may trigger similar behavior to the ShadowHammer implant due to scanning processes.
**Filter/Exclusion:** Exclude processes where the executable is `MsMpEng.exe` (Windows Defender) and the command line includes scanning or quarantine operations.

**Scenario:** Legitimate Use of PowerShell for System Maintenance
**Description:** An administrator is using PowerShell to perform system maintenance tasks, which may involve similar command-line behavior to the ShadowHammer implant.
**Filter/Exclusion:** Exclude PowerShell processes where the command line includes known administrative tasks (e.g., `Get-Service`, `Stop-Service`, `Restart-Service`) and the user is a domain admin.

**Scenario:** Software Deployment via SCCM with ASUS Components
**Description:** A software deployment via System Center Configuration Manager (SCCM) includes ASUS-related software, which may trigger the detection due to similar process behaviors.
**Filter/Exclusion:** Exclude processes where the parent process is `ccmexec.exe