Microsoft Sentinel Analytic Rules

Unusual identity creation using exchange powershell

Id0a3f4f4f-46ad-4562-acd6-f17730a5aef4
RulenameUnusual identity creation using exchange powershell
DescriptionThe query below identifies the creation of an unusual identity by the Europium actor that mimics the Microsoft Exchange Health Manager Service account (a "HealthMailbox…" name) using the Exchange PowerShell cmdlets New-Mailbox and Update-RoleGroupMember. The match is on the exact mailbox name reported for this actor, so it is a high-confidence, low-coverage indicator rather than a behavioural detection.

Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
SeverityHigh
TacticsPersistence
TechniquesT1136
Required data connectorsMicrosoftThreatProtection (DeviceProcessEvents)
SecurityEvents (SecurityEvent, Windows process-creation event 4688 with command-line auditing enabled so that CommandLine is populated)
KindScheduled
Query frequency12h
Query period12h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EuropiumUnusualIdentity.yaml
Version1.1.1
Arm template0a3f4f4f-46ad-4562-acd6-f17730a5aef4.json
// Looks for the Europium persistence tradecraft described in the referenced Microsoft blog post:
// a mailbox created (New-Mailbox) and, presumably, added to a role group (Update-RoleGroupMember)
// under a name that imitates the built-in Exchange Health Manager accounts ("HealthMailbox…").
// The IOC below is the exact mailbox name reported for this actor; a renamed copy of the same
// technique will not match, so treat this as an indicator rule, not a behavioural one.
// Both branches require the cmdlet AND the mailbox name to be on the process command line
// (e.g. powershell.exe -Command "New-Mailbox …"). NOTE(review): cmdlets typed into an already
// running shell are unlikely to appear in process-creation telemetry — confirm coverage before
// relying on this rule alone.
// isfuzzy=true keeps the union valid when only one of the two tables exists in the workspace.
(union isfuzzy=true
(SecurityEvent
// Windows event 4688 (process creation). NOTE(review): CommandLine is only populated when
// "Include command line in process creation events" auditing is enabled on the host; without it
// this branch silently never matches.
| where EventID==4688
// has / has_any are case-insensitive whole-term matches in KQL.
| where CommandLine has_any ("New-Mailbox","Update-RoleGroupMember") and CommandLine has "HealthMailbox55x2yq"
// Rename columns to the Defender-style names used by the second branch and the entity mappings.
| project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
| extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName)
),
(DeviceProcessEvents
// Process telemetry from the MicrosoftThreatProtection connector; same cmdlet filter and IOC.
| where ProcessCommandLine has_any ("New-Mailbox","Update-RoleGroupMember") and ProcessCommandLine has "HealthMailbox55x2yq"
// 'timestamp' is not referenced by the entity mappings; AccountDomain/AccountName align with branch 1.
| extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName
| extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName)
)
)
// Split DeviceName (FQDN or bare host) into host and DNS-domain parts for the Host entity mapping;
// a name without a dot yields HostNameDomain == DeviceName.
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
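# Microsoft Sentinel scheduled analytic rule (community template).
# Look-back equals the run interval (12h / 12h), so each run inspects exactly one interval.
queryPeriod: 12h
tactics:
- Persistence
kind: Scheduled
# Fires on any match: threshold 0 with operator gt means a single row raises an alert.
triggerThreshold: 0
# Inline KQL. Both branches key on the Exchange cmdlets plus the exact mailbox name reported for
# this actor ("HealthMailbox55x2yq"); update the IOC if the actor rotates the name.
query: |
  (union isfuzzy=true
  (SecurityEvent
  | where EventID==4688
  | where CommandLine has_any ("New-Mailbox","Update-RoleGroupMember") and CommandLine has "HealthMailbox55x2yq"
  | project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
  | extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName)
  ),
  (DeviceProcessEvents
  | where ProcessCommandLine has_any ("New-Mailbox","Update-RoleGroupMember") and ProcessCommandLine has "HealthMailbox55x2yq"
  | extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName
  | extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName)
  )
  )
  | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)  
severity: High
# Columns produced by the query above; both branches are normalised to these names.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: InitiatingProcessAccount
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: HostNameDomain
id: 0a3f4f4f-46ad-4562-acd6-f17730a5aef4
metadata:
  support:
    tier: Community
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Security - Threat Protection
    - Identity
  source:
    kind: Community
tags:
- Europium
version: 1.1.1
# Block scalar: the text is taken verbatim, so it must not be wrapped in quotes — the previous
# leading/trailing ' characters were being deployed as part of the rule description.
description: |
  The query below identifies creation of unusual identity by the Europium actor to mimic Microsoft Exchange Health Manager Service account using Exchange PowerShell commands
    Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
triggerOperator: gt
queryFrequency: 12h
name: Unusual identity creation using exchange powershell
relevantTechniques:
- T1136
# Either source alone is sufficient (union isfuzzy=true in the query). NOTE(review): SecurityEvent
# rows only carry CommandLine when command-line auditing for 4688 is enabled on the host — verify
# on the Exchange servers in scope, otherwise that branch never matches.
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EuropiumUnusualIdentity.yaml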
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0a3f4f4f-46ad-4562-acd6-f17730a5aef4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0a3f4f4f-46ad-4562-acd6-f17730a5aef4')]",
      "properties": {
        "alertRuleTemplateName": "0a3f4f4f-46ad-4562-acd6-f17730a5aef4",
        "customDetails": null,
        "description": "The query below identifies creation of unusual identity by the Europium actor to mimic Microsoft Exchange Health Manager Service account using Exchange PowerShell commands\n  Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/\n",
        "displayName": "Unusual identity creation using exchange powershell",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "InitiatingProcessAccount",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "NTDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EuropiumUnusualIdentity.yaml",
        "query": "(union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where CommandLine has_any (\"New-Mailbox\",\"Update-RoleGroupMember\") and CommandLine has \"HealthMailbox55x2yq\"\n| project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\n| extend InitiatingProcessAccount = strcat(AccountDomain, \"\\\\\", AccountName)\n),\n(DeviceProcessEvents\n| where ProcessCommandLine has_any (\"New-Mailbox\",\"Update-RoleGroupMember\") and ProcessCommandLine has \"HealthMailbox55x2yq\"\n| extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName\n| extend InitiatingProcessAccount = strcat(AccountDomain, \"\\\\\", AccountName)\n)\n)\n| extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n",
        "queryFrequency": "PT12H",
        "queryPeriod": "PT12H",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "tags": [
          "Europium"
        ],
        "techniques": [
          "T1136"
        ],
        "templateVersion": "1.1.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}