AV detections related to Tarrask malware
| Id | 1785d372-b9fe-4283-96a6-3a1d83cabfd1 |
| Rulename | AV detections related to Tarrask malware |
| Description | This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel, the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged-on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ |
| Severity | High |
| Tactics | Persistence |
| Techniques | T1053 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/AVTarrask.yaml |
| Version | 1.0.2 |
| Arm template | 1785d372-b9fe-4283-96a6-3a1d83cabfd1.json |
let Tarrask_threats = dynamic(["HackTool:Win64/Tarrask!MS", "HackTool:Win64/Ligolo!MSR", "Behavior:Win32/ScheduledTaskHide.A", "Tarrask"]);
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=rightouter ( SecurityAlert
| where ProviderName =~ "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
| extend HostName = iff(CompromisedEntity has '.', substring(CompromisedEntity,0,indexof(CompromisedEntity,'.')),CompromisedEntity)
| extend DnsDomain = iff(CompromisedEntity has '.', substring(CompromisedEntity,indexof(CompromisedEntity,'.')+1),"")
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/AVTarrask.yaml
severity: High
name: AV detections related to Tarrask malware
entityMappings:
- entityType: Host
fieldMappings:
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
- entityType: IP
fieldMappings:
- columnName: PublicIP
identifier: Address
relevantTechniques:
- T1053
queryFrequency: 1d
triggerThreshold: 0
queryPeriod: 1d
description: |
'This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel, the SecurityAlerts table
includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged-on users etc.
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.
Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/'
id: 1785d372-b9fe-4283-96a6-3a1d83cabfd1
version: 1.0.2
tactics:
- Persistence
query: |
let Tarrask_threats = dynamic(["HackTool:Win64/Tarrask!MS", "HackTool:Win64/Ligolo!MSR", "Behavior:Win32/ScheduledTaskHide.A", "Tarrask"]);
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=rightouter ( SecurityAlert
| where ProviderName =~ "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
| extend HostName = iff(CompromisedEntity has '.', substring(CompromisedEntity,0,indexof(CompromisedEntity,'.')),CompromisedEntity)
| extend DnsDomain = iff(CompromisedEntity has '.', substring(CompromisedEntity,indexof(CompromisedEntity,'.')+1),"")
status: Available
requiredDataConnectors:
- dataTypes:
- SecurityAlert
connectorId: MicrosoftThreatProtection
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1785d372-b9fe-4283-96a6-3a1d83cabfd1')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1785d372-b9fe-4283-96a6-3a1d83cabfd1')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "AV detections related to Tarrask malware",
"description": "'This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel, the SecurityAlerts table \n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged-on users etc. \n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/'\n",
"severity": "High",
"enabled": true,
"query": "let Tarrask_threats = dynamic([\"HackTool:Win64/Tarrask!MS\", \"HackTool:Win64/Ligolo!MSR\", \"Behavior:Win32/ScheduledTaskHide.A\", \"Tarrask\"]);\nDeviceInfo\n| extend DeviceName = tolower(DeviceName)\n| join kind=rightouter ( SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\n| extend CompromisedEntity = tolower(CompromisedEntity)\n) on $left.DeviceName == $right.CompromisedEntity\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\n| extend HostName = iff(CompromisedEntity has '.', substring(CompromisedEntity,0,indexof(CompromisedEntity,'.')),CompromisedEntity)\n| extend DnsDomain = iff(CompromisedEntity has '.', substring(CompromisedEntity,indexof(CompromisedEntity,'.')+1),\"\")\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1053"
],
"alertRuleTemplateName": "1785d372-b9fe-4283-96a6-3a1d83cabfd1",
"customDetails": null,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
"columnName": "HostName"
},
{
"identifier": "DnsDomain",
"columnName": "DnsDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "PublicIP"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/AVTarrask.yaml",
"status": "Available",
"templateVersion": "1.0.2"
}
}
]
}