The Elise backdoor detection rule identifies potential adversary persistence by looking for a known malicious PowerShell script, which may indicate a compromised environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage APT activity that could lead to long-term persistence and data exfiltration.
KQL Query
```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FolderPath =~ @"C:\Windows\SysWOW64\cmd.exe" and ProcessCommandLine has @"\Windows\Caches\NavShExt.dll")
    or (ProcessCommandLine endswith @"\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting")
| top 100 by Timestamp desc
```
```yaml
id: 2a044f6d-a670-4977-9c7b-da556aa6c8d0
name: Elise backdoor
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_elise.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where (FolderPath =~ @"C:\Windows\SysWOW64\cmd.exe" and ProcessCommandLine has @"\Windows\Caches\NavShExt.dll")
      or (ProcessCommandLine endswith @"\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting")
  | top 100 by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
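To make the matching behaviour of the two `where` branches inspectable offline, the following Python emulation runs the rule's logic over a handful of constructed DeviceProcessEvents records. This is an added example, not code from the rule page or from the Sigma project: the `kql_has`, `kql_eq_ci` and `kql_endswith` helpers are approximations of KQL's `has` (whole-term phrase match), `=~` (case-insensitive equality) and `endswith` (case-insensitive suffix), the `ProcessEvent` dataclass and all sample events are constructed, and the `exclusions` parameter is a hypothetical allow-list hook showing where tuning exclusions would be applied.

```python
import re
from dataclasses import dataclass

# KQL indexes text as runs of alphanumerics; everything else is a delimiter.
_TERM_RE = re.compile(r"[A-Za-z0-9]+")


def kql_terms(text: str) -> list[str]:
    """Lower-cased alphanumeric terms, roughly how KQL's term index splits text."""
    return [t.lower() for t in _TERM_RE.findall(text)]


def kql_has(haystack: str, needle: str) -> bool:
    """Approximation of KQL `has`: the needle's terms must appear as a
    contiguous run of whole terms in the haystack (case-insensitive).
    Unlike `contains`, a partial term ('NavShExt' inside
    'NavShExtension') does not match."""
    h, n = kql_terms(haystack), kql_terms(needle)
    if not n or len(n) > len(h):
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def kql_eq_ci(left: str, right: str) -> bool:
    """KQL `=~`: case-insensitive string equality."""
    return left.lower() == right.lower()


def kql_endswith(text: str, suffix: str) -> bool:
    """KQL `endswith`: case-insensitive suffix test."""
    return text.lower().endswith(suffix.lower())


@dataclass
class ProcessEvent:
    """Subset of DeviceProcessEvents columns the rule reads (constructed)."""
    Timestamp: str          # ISO-8601 text, so it sorts chronologically
    DeviceName: str
    FolderPath: str
    ProcessCommandLine: str


# Literals taken verbatim from the rule's query.
CMD_SYSWOW64 = r"C:\Windows\SysWOW64\cmd.exe"
NAVSHEXT_PATH = r"\Windows\Caches\NavShExt.dll"
NAVSHEXT_SETTING = r"\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting"


def elise_rule_matches(ev: ProcessEvent) -> bool:
    """The rule's `where` clause: either branch is enough to fire."""
    syswow_cmd_with_dll = (kql_eq_ci(ev.FolderPath, CMD_SYSWOW64)
                           and kql_has(ev.ProcessCommandLine, NAVSHEXT_PATH))
    short_path_setting = kql_endswith(ev.ProcessCommandLine, NAVSHEXT_SETTING)
    return syswow_cmd_with_dll or short_path_setting


def run_rule(events, exclusions=(), limit=100):
    """`| where <rule> | top 100 by Timestamp desc`, with a hypothetical
    allow-list of command-line phrases dropped before ranking."""
    hits = [e for e in events
            if elise_rule_matches(e)
            and not any(kql_has(e.ProcessCommandLine, x) for x in exclusions)]
    return sorted(hits, key=lambda e: e.Timestamp, reverse=True)[:limit]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("2024-05-01T09:00:00Z", "ws-01",
                 r"c:\windows\syswow64\cmd.exe",        # lower case: `=~` still matches
                 r'cmd.exe /c "%APPDATA%\Microsoft\Windows\Caches\NavShExt.dll"'),
    ProcessEvent("2024-05-01T11:30:00Z", "ws-02",
                 r"C:\Windows\System32\cmd.exe",         # not SysWOW64: branch 1 fails
                 r"cmd.exe /c C:\Users\bob\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting"),
    ProcessEvent("2024-05-01T10:15:00Z", "ws-03",
                 r"C:\Windows\SysWOW64\cmd.exe",
                 r"cmd.exe /c dir C:\Windows\Caches"),    # benign: no NavShExt term run
    ProcessEvent("2024-05-01T12:00:00Z", "ws-04",
                 r"C:\Windows\SysWOW64\cmd.exe",
                 r"cmd.exe /c echo NavShExt.dll"),        # partial phrase: `has` does not fire
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit.Timestamp, hit.DeviceName, hit.ProcessCommandLine)
```

Running the script lists ws-02 and ws-01 (newest first): ws-01 fires on the SysWOW64 branch even though its FolderPath is lower-cased, ws-02 fires only on the `endswith` branch, and ws-03/ws-04 show that `has` needs the whole `Windows\Caches\NavShExt.dll` term sequence, not just a fragment of it.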
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe is executed to perform system maintenance, such as disk cleanup or log rotation.
Filter/Exclusion: Check for CommandLine containing schtasks.exe with known maintenance task names (e.g., Cleanup-SystemLogs), and ensure the process is running under a service account with limited privileges.
Scenario: Windows Event Log Cleanup Job
Description: A job using wevtutil.exe is run to clean up old event logs, which is a common administrative task.
Filter/Exclusion: Filter events where CommandLine includes wevtutil.exe and the command is related to log cleanup (e.g., wevtutil cl Application), and verify the user is a domain admin or system service account.
Scenario: PowerShell Script for User Management
Description: A PowerShell script is used to manage user accounts, such as disabling or enabling users, which can trigger the rule due to process creation or command execution.
Filter/Exclusion: Filter for CommandLine containing powershell.exe and check for known user management commands (e.g., Disable-User, Enable-User), and ensure the script is signed and sourced from a trusted location.
Scenario: Remote Desktop Services Session Management
Description: A legitimate remote desktop session is established, and the mstsc.exe process is created, which may be flagged due to process creation patterns.
Filter/Exclusion: Filter for CommandLine containing mstsc.exe and check for the presence of a valid RDP connection, including IP address and session details from the event log.
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Malwarebytes or Windows Defender