Deimos Component Execution
| Id | c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b |
| Rulename | Deimos Component Execution |
| Description | Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021. |
| Severity | High |
| Tactics | Execution Collection Exfiltration |
| Techniques | T1059 T1005 T1020 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Jupyter-Solarmaker/DeimosComponentExecution.yaml |
| Version | 1.0.0 |
| Arm template | c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b.json |
DeviceEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where ActionType == "AmsiScriptContent"
| where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()"}'
| project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
triggerOperator: gt
queryFrequency: 1h
description: |
Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.
status: Available
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceEvents
version: 1.0.0
queryPeriod: 1h
name: Deimos Component Execution
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Jupyter-Solarmaker/DeimosComponentExecution.yaml
id: c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b
tags:
- SolarMarker
- Jupyter
- Ransomware
tactics:
- Execution
- Collection
- Exfiltration
relevantTechniques:
- T1059
- T1005
- T1020
severity: High
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DeviceName
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
entityType: Host
query: |
DeviceEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where ActionType == "AmsiScriptContent"
| where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()"}'
| project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b')]",
"properties": {
"alertRuleTemplateName": "c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b",
"customDetails": null,
"description": "Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.\n",
"displayName": "Deimos Component Execution",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Jupyter-Solarmaker/DeimosComponentExecution.yaml",
"query": "DeviceEvents \n| where InitiatingProcessFileName =~ \"powershell.exe\"\n| where ActionType == \"AmsiScriptContent\"\n| where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()\"}'\n| project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields, DeviceName\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection",
"Execution",
"Exfiltration"
],
"tags": [
"SolarMarker",
"Jupyter",
"Ransomware"
],
"techniques": [
"T1005",
"T1020",
"T1059"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}