KNOTWEED-File Hash IOCs

Hunt Hypothesis

Adversaries may be using known malicious file hashes associated with the KNOTWEED IOC to execute malicious payloads within the environment. SOC teams should proactively hunt for these hashes in Azure Sentinel to identify potential compromise and prevent lateral movement or data exfiltration.

KQL Query

// malware hash indicators
let hashes = dynamic([
"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629", // SHA-256 Malicious Excel document and VBA
"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f", // SHA-256 Malicious Excel document and VBA
"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964", // SHA-256 Jumplump malware
"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b", // SHA-256 Jumplump malware
"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc", // SHA-256 Jumplump malware
"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206", // SHA-256 Jumplump malware
"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc", // SHA-256 Jumplump malware
"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d", // SHA-256 Jumplump malware
"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d", // SHA-256 Jumplump malware
"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec", // SHA-256 Jumplump malware
"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53", // SHA-256 Jumplump malware
"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431", // SHA-256 Jumplump malware
"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc", // SHA-256 Jumplump malware
"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d", // SHA-256 Corelump malware
"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca", // SHA-256 Mex tool
"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6"  // SHA-256 Passlib tool
]);
let iochashes =
print hashes
| mv-expand sha256hashes=hashes
| distinct tostring(sha256hashes);
union withsource=TableName Device*
| where Timestamp > ago(7d)
| where SHA256 in (iochashes)

Analytic Rule Definition

id: b375df05-2b5b-4318-8f07-0a9611c8b314
name: KNOTWEED-File Hash IOCs
description: |
  'This query identifies matches based on KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables'
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
tactics:
  - InitialAccess
  - Execution
relevantTechniques:
query: |
  // malware hash indicators
  let hashes = dynamic([
  "78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629", // SHA-256 Malicious Excel document and VBA
  "0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f", // SHA-256 Malicious Excel document and VBA
  "441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964", // SHA-256 Jumplump malware
  "cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b", // SHA-256 Jumplump malware
  "fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc", // SHA-256 Jumplump malware
  "5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206", // SHA-256 Jumplump malware
  "7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc", // SHA-256 Jumplump malware
  "02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d", // SHA-256 Jumplump malware
  "7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d", // SHA-256 Jumplump malware
  "afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec", // SHA-256 Jumplump malware
  "894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53", // SHA-256 Jumplump malware
  "4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431", // SHA-256 Jumplump malware
  "7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc", // SHA-256 Jumplump malware
  "c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d", // SHA-256 Corelump malware
  "fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca", // SHA-256 Mex tool
  "e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6"  // SHA-256 Passlib tool
  ]);
  let iochashes =
  print hashes
  | mv-expand sha256hashes=hashes
  | distinct tostring(sha256hashes);
  union withsource=TableName Device*
  | where Timestamp > ago(7d)
  | where SHA256 in (iochashes)

MITRE ATT&CK Context

• Tactic: InitialAccess
• Tactic: Execution

References

• [Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/KNOTWEED/KNOTWEED-FileHashIOCsJuly2022.yaml)

False Positive Guidance

• Scenario: Regular file integrity monitoring scan using Microsoft Defender for Endpoint
  Filter/Exclusion: Exclude events where the file hash is associated with a known system file or a file in the Program Files or System32 directories.

• Scenario: Scheduled PowerShell script execution for log file analysis
  Filter/Exclusion: Exclude events where the file path contains C:\Windows\System32\WindowsPowerShell\v1.0\ or includes the word log.

• Scenario: Windows Update installation process generating temporary files
  Filter/Exclusion: Exclude events where the file path includes C:\Windows\Temp\ or the file hash matches known Windows update hashes.

• Scenario: System File Checker (SFC) scan initiated by an administrator
  Filter/Exclusion: Exclude events where the file path includes C:\Windows\System32\ and the process name is sfc.exe.

• Scenario: Backup job running using Veeam Backup & Replication or Commvault
  Filter/Exclusion: Exclude events where the file path contains C:\Backup\ or the process name matches the backup tool’s executable.