Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Silk Typhoon Suspicious File Downloads

Back
Id03e04c97-8cae-48b3-9d2f-4ab262e4ffff
RulenameSilk Typhoon Suspicious File Downloads.
DescriptionThis query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query.

Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
SeverityMedium
TacticsInitialAccess
TechniquesT1190
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/http_proxy_oab_CL/SilkTyphoonSuspiciousFileDownloads.yaml
Version1.0.3
Arm template03e04c97-8cae-48b3-9d2f-4ab262e4ffff.json
Deploy To Azure
let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
http_proxy_oab_CL
| where RawData contains "Download failed and temporary file"
| extend File = extract("([^\\\\]*)(\\\\[^']*)",2,RawData)
| extend Extension = strcat(".",split(File, ".")[-1])
| extend InteractiveFile = iif(Extension in (scriptExtensions), "Yes", "No")
// Uncomment the following line to alert only on interactive file download type
//| where InteractiveFile =~ "Yes"
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/http_proxy_oab_CL/SilkTyphoonSuspiciousFileDownloads.yaml
query: |
  let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
  http_proxy_oab_CL
  | where RawData contains "Download failed and temporary file"
  | extend File = extract("([^\\\\]*)(\\\\[^']*)",2,RawData)
  | extend Extension = strcat(".",split(File, ".")[-1])
  | extend InteractiveFile = iif(Extension in (scriptExtensions), "Yes", "No")
  // Uncomment the following line to alert only on interactive file download type
  //| where InteractiveFile =~ "Yes"
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)  
description: |
  'This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. 
  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'  
severity: Medium
requiredDataConnectors: []
name: Silk Typhoon Suspicious File Downloads.
triggerThreshold: 0
metadata:
  source:
    kind: Community
  categories:
    domains:
    - Security - 0-day Vulnerability
  author:
    name: Microsoft Security Research
  support:
    tier: Community
tactics:
- InitialAccess
version: 1.0.3
relevantTechniques:
- T1190
triggerOperator: gt
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain
id: 03e04c97-8cae-48b3-9d2f-4ab262e4ffff
kind: Scheduled
queryFrequency: 1d
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/03e04c97-8cae-48b3-9d2f-4ab262e4ffff')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/03e04c97-8cae-48b3-9d2f-4ab262e4ffff')]",
      "properties": {
        "alertRuleTemplateName": "03e04c97-8cae-48b3-9d2f-4ab262e4ffff",
        "customDetails": null,
        "description": "'This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'\n",
        "displayName": "Silk Typhoon Suspicious File Downloads.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/http_proxy_oab_CL/SilkTyphoonSuspiciousFileDownloads.yaml",
        "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nhttp_proxy_oab_CL\n| where RawData contains \"Download failed and temporary file\"\n| extend File = extract(\"([^\\\\\\\\]*)(\\\\\\\\[^']*)\",2,RawData)\n| extend Extension = strcat(\".\",split(File, \".\")[-1])\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \"Yes\", \"No\")\n// Uncomment the following line to alert only on interactive file download type\n//| where InteractiveFile =~ \"Yes\"\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}