CYFIRMA - Medium severity Trojan File Hash Indicators with Block Action Rule

Back


Id	25686f44-5f5f-4388-95e2-eea244481438
Rulename	CYFIRMA - Medium severity Trojan File Hash Indicators with Block Action Rule
Description	“This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.”
Severity	Medium
Tactics	InitialAccess Execution Persistence DefenseEvasion CommandAndControl CredentialAccess
Techniques	T1566 T1204 T1547 T1027 T1071 T1003 T1566.001 T1547.001
Required data connectors	CyfirmaCyberIntelligenceDC
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsBlockMediumSeverityRule.yaml
Version	1.0.1
Arm template	25686f44-5f5f-4388-95e2-eea244481438.json

KQL

//Trojan File Hash Indicators with Block Action
let timeFrame = 5m;
CyfirmaIndicators_CL 
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles has 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
    Algo_MD5='MD5',
    Algo_SHA1= 'SHA1',
    Algo_SHA256='SHA256',
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project  
    MD5,
    Algo_MD5,
    SHA1,
    Algo_SHA1,
    SHA256,
    Algo_SHA256,
    ThreatActors,
    Sources,
    RecommendedActions,
    Roles,
    Country,
    name,
    Description,
    ConfidenceScore,
    SecurityVendors,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    ProductName,
    ProviderName

YAML

entityMappings:
- entityType: FileHash
  fieldMappings:
  - columnName: MD5
    identifier: Value
  - columnName: Algo_MD5
    identifier: Algorithm
- entityType: FileHash
  fieldMappings:
  - columnName: SHA1
    identifier: Value
  - columnName: Algo_SHA1
    identifier: Algorithm
- entityType: FileHash
  fieldMappings:
  - columnName: SHA256
    identifier: Value
  - columnName: Algo_SHA256
    identifier: Algorithm
queryFrequency: 5m
query: |
  //Trojan File Hash Indicators with Block Action
  let timeFrame = 5m;
  CyfirmaIndicators_CL 
  | where (ConfidenceScore < 80 and ConfidenceScore >= 50)
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles has 'Trojan')
  | extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
  | extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
  | extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
  | extend
      Algo_MD5='MD5',
      Algo_SHA1= 'SHA1',
      Algo_SHA256='SHA256',
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project  
      MD5,
      Algo_MD5,
      SHA1,
      Algo_SHA1,
      SHA256,
      Algo_SHA256,
      ThreatActors,
      Sources,
      RecommendedActions,
      Roles,
      Country,
      name,
      Description,
      ConfidenceScore,
      SecurityVendors,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      ProductName,
      ProviderName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsBlockMediumSeverityRule.yaml
id: 25686f44-5f5f-4388-95e2-eea244481438
name: CYFIRMA - Medium severity Trojan File Hash Indicators with Block Action Rule
enabled: false
triggerOperator: GreaterThan
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence Trojan File Hash Indicators with Block Action Rule - {{name}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDescriptionFormat: '{{Description}} - {{name}} '
requiredDataConnectors:
- connectorId: CyfirmaCyberIntelligenceDC
  dataTypes:
  - CyfirmaIndicators_CL
customDetails:
  ThreatType: ThreatType
  TimeGenerated: TimeGenerated
  ConfidenceScore: ConfidenceScore
  ValidFrom: valid_from
  Tags: Tags
  created: created
  Sources: Sources
  Roles: Roles
  Description: Description
  IndicatorID: IndicatorID
  SecurityVendors: SecurityVendors
  Country: Country
  modified: modified
  ThreatActors: ThreatActors
  RecommendedActions: RecommendedActions
tactics:
- InitialAccess
- Execution
- Persistence
- DefenseEvasion
- CommandAndControl
- CredentialAccess
kind: Scheduled
description: |
  "This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. 
  It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. 
  The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information."  
version: 1.0.1
suppressionEnabled: true
suppressionDuration: 5m
relevantTechniques:
- T1566
- T1204
- T1547
- T1027
- T1071
- T1003
- T1566.001
- T1547.001
queryPeriod: 5m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
severity: Medium
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult

ARM