[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes
Id | 09551db0-e147-4a0c-9e7b-918f88847605 |
Rulename | [Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes |
Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
Severity | High |
Tactics | CommandAndControl Execution |
Techniques | T1071.001 T1204 |
Required data connectors | AzureFirewall AzureMonitor(VMInsights) CiscoASA CiscoUmbrellaDataConnector Corelight DNS GCPDNSDataConnector InfobloxNIOS MicrosoftThreatProtection NXLogDnsLogs PaloAltoNetworks SecurityEvents WindowsForwardedEvents Zscaler |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DiamondSleetJan272021IOCs.yaml |
Version | 2.0.0 |
Arm template | 09551db0-e147-4a0c-9e7b-918f88847605.json |
let tokens = dynamic(["SSL_HandShaking", "ASN2_TYPE_new", "sql_blob_open", "cmsSetLogHandlerTHR", "ntSystemInfo", "SetWebFilterString", "CleanupBrokerString", "glInitSampler", "deflateSuffix", "ntWindowsProc"]);
let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
let SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);
let SigNames = dynamic(["Backdoor:Script/ComebackerCompile.A!dha", "Trojan:Win64/Comebacker.A!dha", "Trojan:Win64/Comebacker.A.gen!dha", "Trojan:Win64/Comebacker.B.gen!dha", "Trojan:Win32/Comebacker.C.gen!dha", "Trojan:Win32/Klackring.A!dha", "Trojan:Win32/Klackring.B!dha"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where isnotempty(FileHash)
| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName
),
(_Im_Dns(domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend Type = "imDns", IPAddress = SrcIpAddr, Computer=Dvc
| project Type, TimeGenerated, Computer, IPAddress, DNSName
),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName in~ (DomainNames)
| extend IPAddress = RemoteIp
| project Type, TimeGenerated, Computer, IPAddress, DNSName
),
(Event
//This query uses sysmon data depending on table name used this may need updataing
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| where isnotempty(Hashes)
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where SHA256 in~ (SHA256Hash)
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = Hashes
| project Type, TimeGenerated, Computer, Account, FileHash
),
(DeviceFileEvents
| where SHA256 in~ (SHA256Hash)
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(imFileEvent
| where TargetFileSHA256 in~ (SHA256Hash)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(DeviceNetworkEvents
| where RemoteUrl in~ (DomainNames)
| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName
| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl
),
(SecurityAlert
| where ProductName == "Microsoft Defender Advanced Threat Protection"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| where isnotempty(ThreatName)
| where ThreatName has_any (SigNames)
| extend Computer = tostring(parse_json(Entities)[0].HostName)
| project Type, TimeGenerated, Computer
),
(DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "rundll32.exe"
| where (ProcessCommandLine has "is64bitoperatingsystem" and ProcessCommandLine has "Debug\\Browse") or (ProcessCommandLine has_any (tokens))
| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine
| project Type, TimeGenerated, Computer, Account, CommandLine, FileName
),
(SecurityEvent
| where EventID == 4688
| where ProcessName has_any ("powershell.exe", "rundll32.exe")
| where (CommandLine has "is64bitoperatingsystem" and CommandLine has "Debug\\Browse") or (CommandLine has_any (tokens))
| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine
),
( WindowsEvent
| where EventID == 4688
| where EventData has_any ("powershell.exe", "rundll32.exe") and EventData has_any (tokens, "Debug\\Browse","is64bitoperatingsystem" )
| extend ProcessName = tostring(EventData.ProcessName)
| where ProcessName has_any ("powershell.exe", "rundll32.exe")
| extend CommandLine = tostring(EventData.CommandLine)
| where (CommandLine has "is64bitoperatingsystem" and CommandLine has "Debug\\Browse") or (CommandLine has_any (tokens))
| extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| project TimeGenerated,Resource, msg_s, Type
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
| where Request_Name has_any (DomainNames)
| extend DNSName = Request_Name
| extend IPAddress = ClientIP
),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (DomainNames)
| extend DNSName = Fqdn
| extend IPAddress = SourceIp
),
(AZFWDnsQuery
| where QueryName has_any (DomainNames)
| extend DNSName = QueryName
| extend IPAddress = SourceIp
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
tags:
- SchemaVersion: 0.1.1
Schema: ASIMDns
requiredDataConnectors:
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: AzureMonitor(VMInsights)
dataTypes:
- VMConnection
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- AZFWApplicationRule
- AZFWDnsQuery
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: InfobloxNIOS
dataTypes:
- Syslog
- connectorId: GCPDNSDataConnector
dataTypes:
- GCP_DNS_CL
- connectorId: NXLogDnsLogs
dataTypes:
- NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_dns_CL
- connectorId: Corelight
dataTypes:
- Corelight_CL
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DiamondSleetJan272021IOCs.yaml
tactics:
- CommandAndControl
- Execution
triggerOperator: gt
severity: High
name: '[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes'
relevantTechniques:
- T1071.001
- T1204
query: |
let tokens = dynamic(["SSL_HandShaking", "ASN2_TYPE_new", "sql_blob_open", "cmsSetLogHandlerTHR", "ntSystemInfo", "SetWebFilterString", "CleanupBrokerString", "glInitSampler", "deflateSuffix", "ntWindowsProc"]);
let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
let SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);
let SigNames = dynamic(["Backdoor:Script/ComebackerCompile.A!dha", "Trojan:Win64/Comebacker.A!dha", "Trojan:Win64/Comebacker.A.gen!dha", "Trojan:Win64/Comebacker.B.gen!dha", "Trojan:Win32/Comebacker.C.gen!dha", "Trojan:Win32/Klackring.A!dha", "Trojan:Win32/Klackring.B!dha"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where isnotempty(FileHash)
| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName
),
(_Im_Dns(domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend Type = "imDns", IPAddress = SrcIpAddr, Computer=Dvc
| project Type, TimeGenerated, Computer, IPAddress, DNSName
),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName in~ (DomainNames)
| extend IPAddress = RemoteIp
| project Type, TimeGenerated, Computer, IPAddress, DNSName
),
(Event
//This query uses sysmon data depending on table name used this may need updataing
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| where isnotempty(Hashes)
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where SHA256 in~ (SHA256Hash)
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = Hashes
| project Type, TimeGenerated, Computer, Account, FileHash
),
(DeviceFileEvents
| where SHA256 in~ (SHA256Hash)
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(imFileEvent
| where TargetFileSHA256 in~ (SHA256Hash)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(DeviceNetworkEvents
| where RemoteUrl in~ (DomainNames)
| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName
| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl
),
(SecurityAlert
| where ProductName == "Microsoft Defender Advanced Threat Protection"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| where isnotempty(ThreatName)
| where ThreatName has_any (SigNames)
| extend Computer = tostring(parse_json(Entities)[0].HostName)
| project Type, TimeGenerated, Computer
),
(DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "rundll32.exe"
| where (ProcessCommandLine has "is64bitoperatingsystem" and ProcessCommandLine has "Debug\\Browse") or (ProcessCommandLine has_any (tokens))
| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine
| project Type, TimeGenerated, Computer, Account, CommandLine, FileName
),
(SecurityEvent
| where EventID == 4688
| where ProcessName has_any ("powershell.exe", "rundll32.exe")
| where (CommandLine has "is64bitoperatingsystem" and CommandLine has "Debug\\Browse") or (CommandLine has_any (tokens))
| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine
),
( WindowsEvent
| where EventID == 4688
| where EventData has_any ("powershell.exe", "rundll32.exe") and EventData has_any (tokens, "Debug\\Browse","is64bitoperatingsystem" )
| extend ProcessName = tostring(EventData.ProcessName)
| where ProcessName has_any ("powershell.exe", "rundll32.exe")
| extend CommandLine = tostring(EventData.CommandLine)
| where (CommandLine has "is64bitoperatingsystem" and CommandLine has "Debug\\Browse") or (CommandLine has_any (tokens))
| extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| project TimeGenerated,Resource, msg_s, Type
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
| where Request_Name has_any (DomainNames)
| extend DNSName = Request_Name
| extend IPAddress = ClientIP
),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (DomainNames)
| extend DNSName = Fqdn
| extend IPAddress = SourceIp
),
(AZFWDnsQuery
| where QueryName has_any (DomainNames)
| extend DNSName = QueryName
| extend IPAddress = SourceIp
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
queryFrequency: 1d
id: 09551db0-e147-4a0c-9e7b-918f88847605
status: Available
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: HostCustomEntity
identifier: FullName
entityType: Host
- fieldMappings:
- columnName: IPCustomEntity
identifier: Address
entityType: IP
queryPeriod: 1d
version: 2.0.0
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/09551db0-e147-4a0c-9e7b-918f88847605')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/09551db0-e147-4a0c-9e7b-918f88847605')]",
"properties": {
"alertRuleTemplateName": "09551db0-e147-4a0c-9e7b-918f88847605",
"customDetails": null,
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"displayName": "[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DiamondSleetJan272021IOCs.yaml",
"query": "let tokens = dynamic([\"SSL_HandShaking\", \"ASN2_TYPE_new\", \"sql_blob_open\", \"cmsSetLogHandlerTHR\", \"ntSystemInfo\", \"SetWebFilterString\", \"CleanupBrokerString\", \"glInitSampler\", \"deflateSuffix\", \"ntWindowsProc\"]);\nlet DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);\nlet SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);\nlet SigNames = dynamic([\"Backdoor:Script/ComebackerCompile.A!dha\", \"Trojan:Win64/Comebacker.A!dha\", \"Trojan:Win64/Comebacker.A.gen!dha\", \"Trojan:Win64/Comebacker.B.gen!dha\", \"Trojan:Win32/Comebacker.C.gen!dha\", \"Trojan:Win32/Klackring.A!dha\", \"Trojan:Win32/Klackring.B!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\n),\n(_Im_Dns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend Type = \"imDns\", IPAddress = SrcIpAddr, Computer=Dvc\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where SHA256 in~ (SHA256Hash) \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hash)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hash)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \n| project Type, TimeGenerated, Computer\n),\n(DeviceProcessEvents\n| where FileName =~ \"powershell.exe\" or FileName =~ \"rundll32.exe\"\n| where (ProcessCommandLine has \"is64bitoperatingsystem\" and ProcessCommandLine has \"Debug\\\\Browse\") or (ProcessCommandLine has_any (tokens))\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\n),\n(SecurityEvent\n| where EventID == 4688\n| where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| where (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") or (CommandLine has_any (tokens))\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \n),\n( WindowsEvent\n| where EventID == 4688\n| where EventData has_any (\"powershell.exe\", \"rundll32.exe\") and EventData has_any (tokens, \"Debug\\\\Browse\",\"is64bitoperatingsystem\" ) \n| extend ProcessName = tostring(EventData.ProcessName)\n| where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| extend CommandLine = tostring(EventData.CommandLine) \n| where (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") or (CommandLine has_any (tokens))\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames)\n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (DomainNames)\n| extend DNSName = Fqdn \n| extend IPAddress = SourceIp\n),\n(AZFWDnsQuery\n| where QueryName has_any (DomainNames)\n| extend DNSName = QueryName\n| extend IPAddress = SourceIp\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1071.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Execution"
],
"tags": [
{
"Schema": "ASIMDns",
"SchemaVersion": "0.1.1"
}
],
"techniques": [
"T1071",
"T1204"
],
"templateVersion": "2.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}