Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

AV detections related to Tarrask malware

Back
Id1785d372-b9fe-4283-96a6-3a1d83cabfd1
RulenameAV detections related to Tarrask malware
DescriptionThis query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table

includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc.

This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.

Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
SeverityHigh
TacticsPersistence
TechniquesT1053
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/AVTarrask.yaml
Version1.0.1
Arm template1785d372-b9fe-4283-96a6-3a1d83cabfd1.json
Deploy To Azure
let Tarrask_threats = dynamic(["HackTool:Win64/Tarrask!MS", "HackTool:Win64/Ligolo!MSR", "Behavior:Win32/ScheduledTaskHide.A", "Tarrask"]);
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=rightouter ( SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
triggerOperator: gt
id: 1785d372-b9fe-4283-96a6-3a1d83cabfd1
queryFrequency: 1d
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: CompromisedEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: PublicIP
    identifier: Address
requiredDataConnectors:
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftThreatProtection
severity: High
triggerThreshold: 0
kind: Scheduled
status: Available
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/AVTarrask.yaml
query: |
  let Tarrask_threats = dynamic(["HackTool:Win64/Tarrask!MS", "HackTool:Win64/Ligolo!MSR", "Behavior:Win32/ScheduledTaskHide.A", "Tarrask"]);
  DeviceInfo
  | extend DeviceName = tolower(DeviceName)
  | join kind=rightouter ( SecurityAlert
  | where ProviderName == "MDATP"
  | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
  | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
  | where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)
  | extend CompromisedEntity = tolower(CompromisedEntity)
  ) on $left.DeviceName == $right.CompromisedEntity  
description: |
  'This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table 
   includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
   This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.
   Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/'  
name: AV detections related to Tarrask malware
relevantTechniques:
- T1053
tactics:
- Persistence
version: 1.0.1
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1785d372-b9fe-4283-96a6-3a1d83cabfd1')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1785d372-b9fe-4283-96a6-3a1d83cabfd1')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "AV detections related to Tarrask malware",
        "description": "'This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/'\n",
        "severity": "High",
        "enabled": true,
        "query": "let Tarrask_threats = dynamic([\"HackTool:Win64/Tarrask!MS\", \"HackTool:Win64/Ligolo!MSR\", \"Behavior:Win32/ScheduledTaskHide.A\", \"Tarrask\"]);\nDeviceInfo\n| extend DeviceName = tolower(DeviceName)\n| join kind=rightouter ( SecurityAlert\n| where ProviderName == \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\n| extend CompromisedEntity = tolower(CompromisedEntity)\n) on $left.DeviceName == $right.CompromisedEntity\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1053"
        ],
        "alertRuleTemplateName": "1785d372-b9fe-4283-96a6-3a1d83cabfd1",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "CompromisedEntity"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "PublicIP"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/AVTarrask.yaml",
        "templateVersion": "1.0.1",
        "status": "Available"
      }
    }
  ]
}