Known ZINC Comebacker and Klackring malware hashes
Id | 09551db0-e147-4a0c-9e7b-918f88847605 |
Rulename | Known ZINC Comebacker and Klackring malware hashes |
Description | ZINC attacks against security researcher campaign malware hashes. |
Severity | High |
Tactics | CommandAndControl Execution |
Techniques | T1071.001 T1204 |
Required data connectors | AzureFirewall AzureMonitor(VMInsights) CiscoASA CiscoUmbrellaDataConnector Corelight DNS GCPDNSDataConnector InfobloxNIOS MicrosoftThreatProtection NXLogDnsLogs PaloAltoNetworks SecurityEvents WindowsForwardedEvents Zscaler |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ZincJan272021IOCs.yaml |
Version | 1.7.1 |
Arm template | 09551db0-e147-4a0c-9e7b-918f88847605.json |
let tokens = dynamic(["SSL_HandShaking", "ASN2_TYPE_new", "sql_blob_open", "cmsSetLogHandlerTHR", "ntSystemInfo", "SetWebFilterString", "CleanupBrokerString", "glInitSampler", "deflateSuffix", "ntWindowsProc"]);
let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
let SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);
let SigNames = dynamic(["Backdoor:Script/ComebackerCompile.A!dha", "Trojan:Win64/Comebacker.A!dha", "Trojan:Win64/Comebacker.A.gen!dha", "Trojan:Win64/Comebacker.B.gen!dha", "Trojan:Win32/Comebacker.C.gen!dha", "Trojan:Win32/Klackring.A!dha", "Trojan:Win32/Klackring.B!dha"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where isnotempty(FileHash)
| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName
),
(_Im_Dns(domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend Type = "imDns", IPAddress = SrcIpAddr, Computer=Dvc
| project Type, TimeGenerated, Computer, IPAddress, DNSName
),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName in~ (DomainNames)
| extend IPAddress = RemoteIp
| project Type, TimeGenerated, Computer, IPAddress, DNSName
),
(Event
//This query uses sysmon data depending on table name used this may need updataing
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| where isnotempty(Hashes)
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where SHA256 in~ (SHA256Hash)
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = Hashes
| project Type, TimeGenerated, Computer, Account, FileHash
),
(DeviceFileEvents
| where SHA256 in~ (SHA256Hash)
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(imFileEvent
| where TargetFileSHA256 in~ (SHA256Hash)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(DeviceNetworkEvents
| where RemoteUrl in~ (DomainNames)
| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName
| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl
),
(SecurityAlert
| where ProductName == "Microsoft Defender Advanced Threat Protection"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| where isnotempty(ThreatName)
| where ThreatName has_any (SigNames)
| extend Computer = tostring(parse_json(Entities)[0].HostName)
| project Type, TimeGenerated, Computer
),
(DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "rundll32.exe"
| where (ProcessCommandLine has "is64bitoperatingsystem" and ProcessCommandLine has "Debug\\Browse") or (ProcessCommandLine has_any (tokens))
| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine
| project Type, TimeGenerated, Computer, Account, CommandLine, FileName
),
(SecurityEvent
| where EventID == 4688
| where ProcessName has_any ("powershell.exe", "rundll32.exe")
| where (CommandLine has "is64bitoperatingsystem" and CommandLine has "Debug\\Browse") or (CommandLine has_any (tokens))
| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine
),
( WindowsEvent
| where EventID == 4688
| where EventData has_any ("powershell.exe", "rundll32.exe") and EventData has_any (tokens, "Debug\\Browse","is64bitoperatingsystem" )
| extend ProcessName = tostring(EventData.ProcessName)
| where ProcessName has_any ("powershell.exe", "rundll32.exe")
| extend CommandLine = tostring(EventData.CommandLine)
| where (CommandLine has "is64bitoperatingsystem" and CommandLine has "Debug\\Browse") or (CommandLine has_any (tokens))
| extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| project TimeGenerated,Resource, msg_s, Type
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
| where Request_Name has_any (DomainNames)
| extend DNSName = Request_Name
| extend IPAddress = ClientIP
),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (DomainNames)
| extend DNSName = Fqdn
| extend IPAddress = SourceIp
),
(AZFWDnsQuery
| where QueryName has_any (DomainNames)
| extend DNSName = QueryName
| extend IPAddress = SourceIp
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
queryFrequency: 1d
metadata:
author:
name: jannieli
source:
kind: Community
categories:
domains:
- Security - Threat Intelligence
support:
tier: Community
triggerOperator: gt
tactics:
- CommandAndControl
- Execution
description: |
'ZINC attacks against security researcher campaign malware hashes.'
status: Available
relevantTechniques:
- T1071.001
- T1204
name: Known ZINC Comebacker and Klackring malware hashes
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ZincJan272021IOCs.yaml
severity: High
triggerThreshold: 0
version: 1.7.1
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
tags:
- Schema: ASIMDns
SchemaVersion: 0.1.1
id: 09551db0-e147-4a0c-9e7b-918f88847605
requiredDataConnectors:
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: AzureMonitor(VMInsights)
dataTypes:
- VMConnection
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- AZFWApplicationRule
- AZFWDnsQuery
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: InfobloxNIOS
dataTypes:
- Syslog
- connectorId: GCPDNSDataConnector
dataTypes:
- GCP_DNS_CL
- connectorId: NXLogDnsLogs
dataTypes:
- NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_dns_CL
- connectorId: Corelight
dataTypes:
- Corelight_CL
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
kind: Scheduled
query: |
let tokens = dynamic(["SSL_HandShaking", "ASN2_TYPE_new", "sql_blob_open", "cmsSetLogHandlerTHR", "ntSystemInfo", "SetWebFilterString", "CleanupBrokerString", "glInitSampler", "deflateSuffix", "ntWindowsProc"]);
let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
let SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);
let SigNames = dynamic(["Backdoor:Script/ComebackerCompile.A!dha", "Trojan:Win64/Comebacker.A!dha", "Trojan:Win64/Comebacker.A.gen!dha", "Trojan:Win64/Comebacker.B.gen!dha", "Trojan:Win32/Comebacker.C.gen!dha", "Trojan:Win32/Klackring.A!dha", "Trojan:Win32/Klackring.B!dha"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where isnotempty(FileHash)
| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName
),
(_Im_Dns(domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend Type = "imDns", IPAddress = SrcIpAddr, Computer=Dvc
| project Type, TimeGenerated, Computer, IPAddress, DNSName
),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName in~ (DomainNames)
| extend IPAddress = RemoteIp
| project Type, TimeGenerated, Computer, IPAddress, DNSName
),
(Event
//This query uses sysmon data depending on table name used this may need updataing
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| where isnotempty(Hashes)
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where SHA256 in~ (SHA256Hash)
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = Hashes
| project Type, TimeGenerated, Computer, Account, FileHash
),
(DeviceFileEvents
| where SHA256 in~ (SHA256Hash)
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(imFileEvent
| where TargetFileSHA256 in~ (SHA256Hash)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(DeviceNetworkEvents
| where RemoteUrl in~ (DomainNames)
| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName
| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl
),
(SecurityAlert
| where ProductName == "Microsoft Defender Advanced Threat Protection"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| where isnotempty(ThreatName)
| where ThreatName has_any (SigNames)
| extend Computer = tostring(parse_json(Entities)[0].HostName)
| project Type, TimeGenerated, Computer
),
(DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "rundll32.exe"
| where (ProcessCommandLine has "is64bitoperatingsystem" and ProcessCommandLine has "Debug\\Browse") or (ProcessCommandLine has_any (tokens))
| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine
| project Type, TimeGenerated, Computer, Account, CommandLine, FileName
),
(SecurityEvent
| where EventID == 4688
| where ProcessName has_any ("powershell.exe", "rundll32.exe")
| where (CommandLine has "is64bitoperatingsystem" and CommandLine has "Debug\\Browse") or (CommandLine has_any (tokens))
| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine
),
( WindowsEvent
| where EventID == 4688
| where EventData has_any ("powershell.exe", "rundll32.exe") and EventData has_any (tokens, "Debug\\Browse","is64bitoperatingsystem" )
| extend ProcessName = tostring(EventData.ProcessName)
| where ProcessName has_any ("powershell.exe", "rundll32.exe")
| extend CommandLine = tostring(EventData.CommandLine)
| where (CommandLine has "is64bitoperatingsystem" and CommandLine has "Debug\\Browse") or (CommandLine has_any (tokens))
| extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| project TimeGenerated,Resource, msg_s, Type
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
| where Request_Name has_any (DomainNames)
| extend DNSName = Request_Name
| extend IPAddress = ClientIP
),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (DomainNames)
| extend DNSName = Fqdn
| extend IPAddress = SourceIp
),
(AZFWDnsQuery
| where QueryName has_any (DomainNames)
| extend DNSName = QueryName
| extend IPAddress = SourceIp
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
queryPeriod: 1d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/09551db0-e147-4a0c-9e7b-918f88847605')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/09551db0-e147-4a0c-9e7b-918f88847605')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Known ZINC Comebacker and Klackring malware hashes",
"description": "'ZINC attacks against security researcher campaign malware hashes.'\n",
"severity": "High",
"enabled": true,
"query": "let tokens = dynamic([\"SSL_HandShaking\", \"ASN2_TYPE_new\", \"sql_blob_open\", \"cmsSetLogHandlerTHR\", \"ntSystemInfo\", \"SetWebFilterString\", \"CleanupBrokerString\", \"glInitSampler\", \"deflateSuffix\", \"ntWindowsProc\"]);\nlet DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);\nlet SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);\nlet SigNames = dynamic([\"Backdoor:Script/ComebackerCompile.A!dha\", \"Trojan:Win64/Comebacker.A!dha\", \"Trojan:Win64/Comebacker.A.gen!dha\", \"Trojan:Win64/Comebacker.B.gen!dha\", \"Trojan:Win32/Comebacker.C.gen!dha\", \"Trojan:Win32/Klackring.A!dha\", \"Trojan:Win32/Klackring.B!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\n),\n(_Im_Dns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend Type = \"imDns\", IPAddress = SrcIpAddr, Computer=Dvc\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where SHA256 in~ (SHA256Hash) \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hash)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hash)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \n| project Type, TimeGenerated, Computer\n),\n(DeviceProcessEvents\n| where FileName =~ \"powershell.exe\" or FileName =~ \"rundll32.exe\"\n| where (ProcessCommandLine has \"is64bitoperatingsystem\" and ProcessCommandLine has \"Debug\\\\Browse\") or (ProcessCommandLine has_any (tokens))\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\n),\n(SecurityEvent\n| where EventID == 4688\n| where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| where (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") or (CommandLine has_any (tokens))\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \n),\n( WindowsEvent\n| where EventID == 4688\n| where EventData has_any (\"powershell.exe\", \"rundll32.exe\") and EventData has_any (tokens, \"Debug\\\\Browse\",\"is64bitoperatingsystem\" ) \n| extend ProcessName = tostring(EventData.ProcessName)\n| where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| extend CommandLine = tostring(EventData.CommandLine) \n| where (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") or (CommandLine has_any (tokens))\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames)\n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (DomainNames)\n| extend DNSName = Fqdn \n| extend IPAddress = SourceIp\n),\n(AZFWDnsQuery\n| where QueryName has_any (DomainNames)\n| extend DNSName = QueryName\n| extend IPAddress = SourceIp\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Execution"
],
"techniques": [
"T1071.001",
"T1204"
],
"alertRuleTemplateName": "09551db0-e147-4a0c-9e7b-918f88847605",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ZincJan272021IOCs.yaml",
"templateVersion": "1.7.1",
"tags": [
{
"Schema": "ASIMDns",
"SchemaVersion": "0.1.1"
}
],
"status": "Available"
}
}
]
}