The KNOTWEED-AV Detections rule identifies instances where Microsoft Defender Antivirus has flagged files associated with the KNOTWEED malware family, indicating potential adversarial activity targeting Azure environments. SOC teams should proactively hunt for this behavior to detect and respond to KNOTWEED-related threats before they cause significant damage.
KQL Query

```kql
// AV Detections
// Family names that Microsoft Defender Antivirus uses for KNOTWEED tooling.
// in~ is a case-insensitive exact match, so each entry must be the bare family name with no stray whitespace
// (the original list carried a trailing space in "Medcerc ", which would never match).
let knotweed_sigs = dynamic(["JumplumpDropper", "Jumplump", "Corelump", "Mexlib", "Medcerc", "SuspModuleLoad"]);
AlertEvidence
| where Timestamp > ago(30d)
| where ThreatFamily in~ (knotweed_sigs)
// Inner join to the alert table on AlertId; right-side columns that collide with left-side names get a "1" suffix (MachineId1).
| join MtpAlerts on AlertId
| project OriginalReportOccurrenceTime, LastSeen, MachineId1, ThreatFamily, AlertId
```
```yaml
id: 24b0f252-08fd-4f70-b387-9015bea1b34c
name: KNOTWEED-AV Detections
description: |
  'This query looks for Microsoft Defender Antivirus detections with the family names used by KNOTWEED'
requiredDataConnectors:
  - connectorId: MicrosoftDefenderAdvancedThreatProtection
    dataTypes:
      - SecurityAlert (MDATP)
tactics:
relevantTechniques:
query: |
  // AV Detections
  // Family names must be exact (in~ is case-insensitive but whole-string); "Medcerc" is listed without the trailing space.
  let knotweed_sigs = dynamic(["JumplumpDropper", "Jumplump", "Corelump", "Mexlib", "Medcerc", "SuspModuleLoad"]);
  AlertEvidence
  | where Timestamp > ago(30d)
  | where ThreatFamily in~ (knotweed_sigs)
  | join MtpAlerts on AlertId
  | project OriginalReportOccurrenceTime, LastSeen, MachineId1, ThreatFamily, AlertId
```
| Sentinel Table | Notes |
|---|---|
| AlertEvidence | Ensure this data connector is enabled |
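To make the query's matching semantics concrete, here is an added Python model of the same logic (not part of the original rule or of Microsoft's code) run over constructed sample rows: it applies the 30-day window, the case-insensitive exact match that `in~` performs on ThreatFamily, and the inner join on AlertId. The row and column names mirror the query; the alert records are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for AlertEvidence and the joined alert table (not real telemetry).
NOW = datetime(2022, 8, 1, tzinfo=timezone.utc)
EVIDENCE = [
    {"AlertId": "a1", "Timestamp": NOW - timedelta(days=2), "MachineId": "m1", "ThreatFamily": "Corelump"},
    {"AlertId": "a2", "Timestamp": NOW - timedelta(days=5), "MachineId": "m2", "ThreatFamily": "medcerc"},
    {"AlertId": "a3", "Timestamp": NOW - timedelta(days=45), "MachineId": "m3", "ThreatFamily": "Jumplump"},
    {"AlertId": "a4", "Timestamp": NOW - timedelta(days=1), "MachineId": "m4", "ThreatFamily": "Backdoor:Win32/Medcerc.A!dha"},
    {"AlertId": "a5", "Timestamp": NOW - timedelta(days=1), "MachineId": "m5", "ThreatFamily": "Jumplump"},
]
ALERTS = {  # keyed by AlertId; "a5" has no alert row, so an inner join drops it
    "a1": {"OriginalReportOccurrenceTime": NOW - timedelta(days=2), "LastSeen": NOW - timedelta(days=1)},
    "a2": {"OriginalReportOccurrenceTime": NOW - timedelta(days=5), "LastSeen": NOW - timedelta(days=4)},
    "a3": {"OriginalReportOccurrenceTime": NOW - timedelta(days=45), "LastSeen": NOW - timedelta(days=44)},
    "a4": {"OriginalReportOccurrenceTime": NOW - timedelta(days=1), "LastSeen": NOW},
}

# The family list as written on the page, including the stray trailing space in "Medcerc ".
KNOTWEED_SIGS = ["JumplumpDropper", "Jumplump", "Corelump", "Mexlib", "Medcerc ", "SuspModuleLoad"]


def normalize_sigs(sigs):
    """in~ compares whole strings case-insensitively, so strip whitespace and lower-case once up front."""
    return {s.strip().lower() for s in sigs}


def knotweed_av_detections(evidence, alerts, now, lookback_days=30, sigs=KNOTWEED_SIGS):
    """Model of the KQL: time window, ThreatFamily in~ (sigs), inner join on AlertId, projection."""
    wanted = normalize_sigs(sigs)
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for row in evidence:
        if row["Timestamp"] <= cutoff:  # | where Timestamp > ago(30d)
            continue
        # | where ThreatFamily in~ (knotweed_sigs): exact match, so a full threat name such as
        # "Backdoor:Win32/Medcerc.A!dha" is NOT a hit here (has_any would behave differently).
        if row["ThreatFamily"].lower() not in wanted:
            continue
        alert = alerts.get(row["AlertId"])  # | join ... on AlertId (unmatched rows are dropped)
        if alert is None:
            continue
        hits.append({  # | project OriginalReportOccurrenceTime, LastSeen, MachineId1, ThreatFamily, AlertId
            "OriginalReportOccurrenceTime": alert["OriginalReportOccurrenceTime"],
            "LastSeen": alert["LastSeen"],
            "MachineId1": row["MachineId"],
            "ThreatFamily": row["ThreatFamily"],
            "AlertId": row["AlertId"],
        })
    return hits
```

Widening `lookback_days` to 60 pulls in the 45-day-old Jumplump row, which shows how much of the hunt's coverage is decided by the `ago(30d)` window.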
- Scenario: Microsoft Defender Antivirus performs a scheduled scan of the system drive.
  Filter/Exclusion: `ProcessName == "WindowsDefenderAntivirusService" or ProcessName == "MsMpEng.exe"`
- Scenario: An administrator runs a full system scan using Microsoft Defender via the GUI or command line.
  Filter/Exclusion: `ProcessName == "msmpeng.exe" and (CommandLine contains "Scan" or CommandLine contains "FullScan")`
- Scenario: A legitimate scheduled task is configured to run a malware scan using Microsoft Defender.
  Filter/Exclusion: `TaskName contains "Microsoft Defender Scan" or TaskName contains "Windows Defender"`
- Scenario: A system update or patching process triggers a temporary increase in antivirus activity.
  Filter/Exclusion: `ProcessName == "wusa.exe" or EventID == 6008` (the system event log entry for unexpected shutdowns; not directly related on its own, but usable in conjunction with other filters)
- Scenario: A third-party security tool or endpoint protection software is installed and interacts with Microsoft Defender, causing false positives.
  Filter/Exclusion: `ProcessName contains "McAfee" or ProcessName contains "Bitdefender"` (or any known third-party AV tool)