Detecting the DFSCoerce attack
By Gianni Castaldi
Today the threat researcher Filip Dragovic released a new PoC: DFSCoerce for us all to play with.
I tested the PoC against a Microsoft Defender for Endpoint tenant to see if and how it is detected.
At this moment it is not detected yet, but I was able to create a detection for it.
The steps I took to create this detection were:
- Run the PoC
- Perform a search on the targeted device to see how it comes up in the telemetry
- Parse the AdditionalFields so I can extend them into easier-to-read columns
- Use project-reorder to show the newly created columns
My initial query looks like:
DeviceEvents
| where ActionType == "NamedPipeEvent"
| where AdditionalFields contains "netdfs"
| extend AF = parse_json(AdditionalFields)
| extend PipeName = AF.PipeName
    , DesiredAccess = AF.DesiredAccess
    , RemoteClientsAccess = AF.RemoteClientsAccess
    , FileOperation = AF.FileOperation
    , NamedPipeEnd = AF.NamedPipeEnd
| project-reorder PipeName, DesiredAccess, RemoteClientsAccess, FileOperation, NamedPipeEnd
What I noticed when working on this detection is that the DesiredAccess of the PoC was 3, while the DesiredAccess for other NamedPipeEvents was higher.
So when you have a noisy environment, you might be able to filter it on the DesiredAccess column.
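The DesiredAccess filter described above, applied offline to exported hunting results; this is an added example, not part of the original post. The sample rows, the helper names (`hunt_netdfs`, `parse_additional_fields`) and every field value other than the DesiredAccess of 3 are constructed assumptions.

```python
import json

# Constructed rows shaped like exported DeviceEvents results (not real telemetry).
def _row(device, pipe, access, action="NamedPipeEvent"):
    fields = {"PipeName": pipe, "DesiredAccess": access, "NamedPipeEnd": "Server"}
    return {"DeviceName": device, "ActionType": action,
            "AdditionalFields": json.dumps(fields)}

SAMPLE_EVENTS = [
    _row("dc01", r"\Device\NamedPipe\netdfs", 3),          # matches the PoC pattern
    _row("fs01", r"\Device\NamedPipe\netdfs", "1180063"),  # higher access, as a string
    _row("ws07", r"\Device\NamedPipe\srvsvc", 3),          # different pipe
    {"DeviceName": "dc02", "ActionType": "NamedPipeEvent",
     "AdditionalFields": '{"PipeName": "netdfs", "DesiredAccess":'},  # truncated JSON
]

def parse_additional_fields(raw):
    """Return AdditionalFields as a dict, or {} when empty or malformed."""
    try:
        parsed = json.loads(raw) if raw else {}
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}

def to_int(value):
    """DesiredAccess may arrive as a number or a string; None if neither."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def hunt_netdfs(events, desired_access=3):
    """Keep netdfs NamedPipeEvents whose DesiredAccess equals desired_access."""
    hits = []
    for ev in events:
        raw = ev.get("AdditionalFields") or ""
        if ev.get("ActionType") != "NamedPipeEvent":
            continue
        if "netdfs" not in raw.lower():  # KQL 'contains' is case-insensitive
            continue
        af = parse_additional_fields(raw)
        access = to_int(af.get("DesiredAccess"))
        if access == desired_access:
            hits.append({"DeviceName": ev.get("DeviceName"),
                         "PipeName": af.get("PipeName"), "DesiredAccess": access})
    return hits

if __name__ == "__main__":
    for hit in hunt_netdfs(SAMPLE_EVENTS):
        print(hit)
```

Rows with truncated or malformed AdditionalFields are skipped rather than raising, so one bad export line does not stop the hunt.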
Good luck with hunting and detecting this new vector.
Thanks for reading and if you have any questions or ideas for a blog post let me know.