Add hunting query: Potential Rootkit Network Activity via Firewall/EDR telemetry delta #14337
Open
YounesA343 wants to merge 4 commits into
Contributor
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds a new Microsoft Sentinel hunting query template intended to detect potential kernel-level EDR network telemetry bypass by comparing perimeter “network truth” (ASimNetworkSessionLogs) vs MDE “host truth” (DeviceNetworkEvents/DeviceNetworkInfo).
Changes:
- Introduces a new hunting query YAML with MITRE mappings, data connectors, query logic, and entity mappings.
- Implements a left-anti join delta approach (firewall sessions present, MDE sessions absent) with pre-filtering to reduce compute.
- Adds alert customization fields (custom details / title+description override) alongside the hunting query.
| @@ -0,0 +1,203 @@ | |||
| id: 564bf64a-bada-4c6b-8821-53138d660f78 | |||
| name: Potential Rootkit Network Activity Missing from MDE | |||
|
|
||
| // Tier 1: Firewall Perimeter Identification | ||
| // ADAPTATION: Analysts MUST adjust these arrays to match their specific perimeter security stack. | ||
| let firewallVendors = dynamic(["Palo Alto Networks", "Fortinet", "Check Point", "Cisco", "Zscaler"]); |
| Identifies outbound network connections logged by perimeter firewalls that are entirely missing from Microsoft Defender for Endpoint (MDE) telemetry. This discrepancy strongly indicates a threat actor operating in kernel space, to hide C2 traffic. | ||
| description-detailed: | | ||
| Advanced adversaries operating in Ring-0 via BYOVD can unlink WFP (Windows Filtering Platform) callouts or inject raw frames into NDIS. This completely blinds EDR sensors like MDE to outbound network telemetry, while the host otherwise appears healthy. By comparing "Network Truth" (out-of-band firewall appliance logs) against "Host Truth" (EDR telemetry), we trap the adversary in a paradox. Kernel-level tampering on the endpoint cannot hide the physical packet leaving the network boundary. | ||
| severity: High |
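Review bot: the `description:` text ("This discrepancy strongly indicates a threat actor operating in kernel space") and `description-detailed:` overstate what a firewall-minus-MDE delta proves; the same gap is produced by hosts that are not onboarded or whose sensor is offline, by MDE ingestion lagging the firewall feed, and by NAT/proxy setups where the firewall records a different source IP than the endpoint, so please list those benign causes in `description-detailed:` so that triage starts from "no matching MDE network event" rather than "rootkit", and reconsider whether `severity: High` fits a hunting query with that false-positive profile. The `firewallVendors` array is the right knob for adaptation, but the `// ADAPTATION:` comment should also tell analysts that the strings must match the vendor values their ASim NetworkSession parsers actually emit, otherwise the whole "network truth" side silently returns nothing.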
Comment on lines +183 to +185
| alertDetailsOverride: | ||
| alertDisplayNameFormat: "Potential Rootkit Network Activity from {{HostName}} to {{DestinationIP}}" | ||
| alertDescriptionFormat: "Firewall logs indicate {{HostName}} ({{InternalIP}}) transmitted {{TotalBytesSent}} bytes to {{DestinationIP}}, but Microsoft Defender is completely blind to this traffic, indicating likely kernel-level EDR tampering." |
| | where Timestamp between (starttime .. endtime) | ||
| | where isnotempty(IPAddresses) and isnotempty(DeviceName) | ||
| // Expand the JSON array of IP addresses so each IP gets its own row | ||
| | mv-expand todynamic(IPAddresses) |
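Review bot: the comment above `| mv-expand todynamic(IPAddresses)` says "each IP gets its own row", but `mv-expand` yields one row per array element, and in `DeviceNetworkInfo` each element of `IPAddresses` is an object (with an `IPAddress` field, plus subnet/address-type fields), not a bare string; the join key therefore needs a projection such as `| extend InternalIP = tostring(IPAddresses.IPAddress)` before the subsequent join, and if the query does that further down, say so in the comment so the next reader does not join on the whole object. On the alert side, `alertDescriptionFormat` tells the analyst that "Microsoft Defender is completely blind to this traffic, indicating likely kernel-level EDR tampering" for every hit, which pre-biases triage when the cause is a coverage or ingestion gap; phrasing it as "no matching MDE network event was found for this session" keeps the title informative without asserting the conclusion.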
Contributor
Hi @YounesA343 Thanks!
Summary
This PR adds a highly resilient, compute-optimized analytic rule targeting advanced adversaries operating in Ring-0 (kernel space) that blind endpoint telemetry to exfiltrate data or communicate with C2 infrastructure.
Adversaries increasingly rely on Bring Your Own Vulnerable Driver (BYOVD) techniques to achieve kernel-level execution. A primary objective of this access is to unlink Windows Filtering Platform (WFP) callouts or inject raw frames directly into NDIS. This effectively blinds EDR sensors (like Microsoft Defender for Endpoint) to outbound network telemetry, allowing malware to beacon while the host otherwise appears completely healthy.
This query relies on the paradox created by this evasion: it compares "Network Truth" (out-of-band physical/virtual firewall appliance logs via `ASimNetworkSessionLogs`) against "Host Truth" (EDR telemetry via `DeviceNetworkEvents`). By shifting the detection to the network boundary, the endpoint-level ETW/WFP patch is rendered irrelevant.
Compute Optimizations Included:
- `activeMdeNodes`): Before executing the expensive anti-join, the query identifies IPs actively reporting to MDE. This filters out IoT, BYOD, and unmanaged devices from the massive Firewall dataset, preventing O(N*M) compute explosions and false positives.
- `DeviceNetworkEvents` table to resolve Hostnames and Domains, the query leverages the lightweight `DeviceNetworkInfo` state table. It unpacks the JSON array to grab the exact DHCP/Hostname mapping with `arg_max`, saving massive cluster compute.
- `summarize` and explicitly time-bounded before acting as the left table in the `leftanti` join against the distinct MDE connection pairs.
Triage Readiness:
The query output is highly engineered for Tier 1 SOC analysts. It utilizes `alertDetailsOverride` to inject the compromised host and destination IP directly into the incident title, uses `customDetails` to pin exfiltrated byte counts to the overview blade, and strictly casts schema types to ensure `entityMappings` trigger the Sentinel Investigation Graph without errors.
Change(s):
- `PotentialRootkitTrafficMissingFromMDE.yaml` to the `Hunting Queries/Microsoft 365 Defender/Defense Evasion` directory.
Reason for Change(s):
Version Updated:
Testing Completed:
- `ASimNetworkSessionLogs`, `DeviceNetworkEvents`, and `DeviceNetworkInfo` schemas.
- `tostring()`) for `entityMappings` strictly follows the V3 entity guidelines.
Checked that the validations are passing and have addressed any issues that are present:
- `.script/tests/DetectionTemplateSchemaValidation/dotnet test` local validation to ensure YAML structure, metadata (Tactics/Techniques), and KQL syntax are perfectly compliant with the repo's guidelines. Validated for non-ASCII characters.
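The following KQL is an added sketch of the "network truth" vs "host truth" delta the description lays out (managed-host pre-filter, `arg_max` hostname resolution from `DeviceNetworkInfo`, time-bounded `summarize`, then `leftanti` join); it is not the query in this PR. It assumes the standard ASim NetworkSession columns (`SrcIpAddr`, `DstIpAddr`, `DstPortNumber`, `SrcBytes`, `EventVendor`), the documented `DeviceNetworkEvents`/`DeviceNetworkInfo` columns, and an assumed 30-minute ingestion-lag guard band and `ActionType` filter.

```kql
// Added sketch of the firewall-vs-MDE delta; not the PR's query.
// ASSUMPTIONS: ASim NetworkSession columns SrcIpAddr/DstIpAddr/DstPortNumber/SrcBytes/EventVendor,
// documented DeviceNetworkEvents/DeviceNetworkInfo columns, and a 30m ingestion-lag guard band.
let lookback = 1d;
let lag = 30m;                          // compare only a window MDE has had time to ingest
let endtime = ago(lag);
let starttime = endtime - lookback;
// Vendor strings must match the EventVendor values your ASim parsers actually emit.
let firewallVendors = dynamic(["Palo Alto Networks", "Fortinet", "Check Point", "Cisco", "Zscaler"]);
// Host truth (1): latest internal IP -> hostname mapping from the DeviceNetworkInfo state table.
// Hosts absent here are unmanaged (IoT/BYOD/not onboarded) and must not count as "missing" telemetry.
let activeMdeNodes = DeviceNetworkInfo
    | where Timestamp between (starttime .. endtime)
    | where isnotempty(IPAddresses) and isnotempty(DeviceName)
    | mv-expand IpEntry = todynamic(IPAddresses)             // one row per adapter address object
    | extend InternalIP = tostring(IpEntry.IPAddress)        // the object, not the row, holds the IP
    | where isnotempty(InternalIP) and ipv4_is_private(InternalIP)
    | summarize arg_max(Timestamp, DeviceName) by InternalIP // newest DHCP lease wins
    | project InternalIP, HostName = DeviceName;
// Host truth (2): distinct outbound (src, dst, port) triples MDE actually recorded.
let mdeSessions = DeviceNetworkEvents
    | where Timestamp between (starttime .. endtime)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest")
    | where isnotempty(LocalIP) and isnotempty(RemoteIP)
    | project InternalIP = LocalIP, DestinationIP = RemoteIP, DestinationPort = RemotePort
    | distinct InternalIP, DestinationIP, DestinationPort;
// Network truth: firewall sessions, pre-filtered to managed hosts, aggregated, then anti-joined.
ASimNetworkSessionLogs
    | where TimeGenerated between (starttime .. endtime)
    | where EventVendor in (firewallVendors)
    | where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and not(ipv4_is_private(DstIpAddr))
    | project InternalIP = SrcIpAddr, DestinationIP = DstIpAddr, DestinationPort = DstPortNumber,
              SrcBytes, TimeGenerated
    | join kind=inner (activeMdeNodes) on InternalIP         // cheap pre-filter before the expensive step
    | summarize TotalBytesSent = sum(SrcBytes), SessionCount = count(),
                FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
        by InternalIP, DestinationIP, DestinationPort, HostName
    | join kind=leftanti (mdeSessions) on InternalIP, DestinationIP, DestinationPort
    | order by TotalBytesSent desc
```

Rows that survive are firewall-observed sessions from hosts MDE knows about, for which MDE recorded no matching connection; the lag guard band keeps sessions that simply have not been ingested yet out of the result.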