Detecting the DFSCoerce attack

By Gianni Castaldi

Today the threat researcher Filip Dragovic released a new PoC, DFSCoerce, for us all to play with.

I tested the PoC against a Microsoft Defender for Endpoint tenant to see if and how it is detected.

At this moment it is not detected yet, but I was able to create a detection for it.

The steps I took to create this detection were:

  • Run the PoC
  • Perform a search on the targeted device to see how it comes up in the telemetry
  • Parse the AdditionalFields column so I can extend its values into separate, easier-to-read columns
  • Use project-reorder to show the newly created columns first

My initial query looks like:

DeviceEvents
| where ActionType == "NamedPipeEvent"
| where AdditionalFields contains "netdfs"
| extend AF = parse_json(AdditionalFields)
| extend PipeName = AF.PipeName,
         DesiredAccess = AF.DesiredAccess,
         RemoteClientsAccess = AF.RemoteClientsAccess,
         FileOperation = AF.FileOperation,
         NamedPipeEnd = AF.NamedPipeEnd
| project-reorder PipeName, DesiredAccess, RemoteClientsAccess, FileOperation, NamedPipeEnd

What I noticed when working on this detection is that the DesiredAccess of the PoC was 3, while the DesiredAccess for other NamedPipeEvents was higher.

So in a noisy environment you might be able to filter on the DesiredAccess column (DesiredAccess == 3 for the PoC) to separate it from regular netdfs pipe traffic.

Good luck with hunting and detecting this new vector.

Thanks for reading, and if you have any questions or ideas for a blog post, let me know.
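As an added example (not part of the original post), the query below applies that idea: it keeps the parsing from the initial query, filters on the DesiredAccess value of 3 observed for the PoC, and summarizes hits per device and initiating process over the last 7 days. Timestamp, DeviceName and InitiatingProcessFileName are standard DeviceEvents columns; the 7-day window and the threshold of 3 are assumptions to tune after baselining, since other clients could open the pipe with the same access mask and a modified PoC could request a different one.

```kql
// Added example: hunting query for DFSCoerce-style netdfs pipe access, built on the post's initial query.
// Assumption: DesiredAccess == 3 (the value observed for the PoC) separates it from regular netdfs traffic;
// baseline your own environment before relying on that value.
DeviceEvents
| where Timestamp > ago(7d)                       // assumed window; widen for historical hunting
| where ActionType == "NamedPipeEvent"
| where AdditionalFields contains "netdfs"
| extend AF = parse_json(AdditionalFields)
| extend PipeName = tostring(AF.PipeName),
         DesiredAccess = toint(AF.DesiredAccess),
         RemoteClientsAccess = tostring(AF.RemoteClientsAccess),
         FileOperation = tostring(AF.FileOperation),
         NamedPipeEnd = tostring(AF.NamedPipeEnd)
| where DesiredAccess == 3                        // the value the PoC produced in the author's test
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, PipeName, DesiredAccess,
       RemoteClientsAccess, FileOperation, NamedPipeEnd
| order by Hits desc
```

Use this form for hunting. If you turn it into a custom detection rule, drop the summarize and keep the per-event rows, because a custom detection rule needs the Timestamp, DeviceId and ReportId columns that the summarize removes.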

Gianni Castaldi: MVP | NinjaCat | Researching and Engineering Cyber Security @ KustoWorks
