Microsoft Sentinel Analytic Rules

Dev-0228 File Path Hashes November 2021 (ASIM Version)

Id29a29e5d-354e-4f5e-8321-8b39d25047bf
RulenameDev-0228 File Path Hashes November 2021 (ASIM Version)
DescriptionThis hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom versions of popular tools like PsExec, Procdump, etc. to carry out its activity.

The risk score associated with each result is based on a number of factors; hosts with higher-risk events should be investigated first.

This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization
SeverityHigh
TacticsCredentialAccess
Execution
TechniquesT1569
T1003
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imFileEvent_Dev-0228FilePathHashesNovember2021(ASIMVersion).yaml
Version1.2.0
Arm template29a29e5d-354e-4f5e-8321-8b39d25047bf.json
// Dev-0228 path/hash match over normalized process-creation events (imProcessCreate).
// An event is kept when its Process value contains an entry from one file list AND its
// ActingProcessSHA256 value contains an entry from the hash list paired with that file list.
// Each hit is then given an AlertRiskScore derived from Defender ("MDATP") alerts on the same DvcId.
//
// files1: full paths under C:\Windows\TAPI, paired with FileHash1.
let files1 = dynamic(["C:\\Windows\\TAPI\\lsa.exe", "C:\\Windows\\TAPI\\pa.exe", "C:\\Windows\\TAPI\\pc.exe", "C:\\Windows\\TAPI\\Rar.exe"]);
 // files2: bare file names, paired with FileHash2. has_any is a term match, so any path
 // containing one of these names satisfies the name test; the hash test is what narrows it.
 let files2 = dynamic(["svchost.exe","wdmsvc.exe"]);
 // SHA-256 values paired with files1.
 let FileHash1 = dynamic(["43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3", "ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb", "010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77",     "56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7"]);
 // SHA-256 values paired with files2.
 let FileHash2 = dynamic(["2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7", "9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd", "18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b"]);
 imProcessCreate
 // NOTE(review): the path is tested on Process but the hash on ActingProcessSHA256. In the ASIM
 // process schema Process normally refers to the created (target) process, while ActingProcess*
 // fields describe the process that launched it. If so, path and hash are checked on two different
 // processes and the listed binaries would rarely match. Confirm whether TargetProcessSHA256 was intended.
 | where ((Process has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))
 // Enrich with Defender alerts for the same device. leftouter keeps process hits that have no alert.
 // NOTE(review): the right side has one row per expanded alert entity, so a device with several
 // alert entities repeats every process hit once per entity. Collapsing the right side to one row
 // per DvcId (e.g. the highest AlertRiskScore) before the join would avoid duplicate results. Confirm intent.
 | join kind=leftouter (SecurityAlert
 | where ProviderName =~ "MDATP"
 | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
 // One row per entity in the alert, so the device id can be read from each entity.
 | mv-expand todynamic(Entities)
 | extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)
 // Drop entities that carry no MdatpDeviceId.
 | where isnotempty(DvcId)
 // 1.0 when the alert's ThreatName matches one of the three listed names, 0.5 for any other MDATP alert on the device
 | extend AlertRiskScore = iif(ThreatName has_any ("Backdoor:MSIL/ShellClient.A", "Backdoor:MSIL/ShellClient.A!dll", "Trojan:MSIL/Mimikatz.BA!MTB"), 1.0, 0.5)
 | project DvcId, AlertRiskScore) on DvcId
 // Process hits with no joined alert get a score of 0.0.
 | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)
 // Expose event time, device and acting user under the column names the rule's Host and Account
 // entity mappings reference.
 // NOTE(review): the rule also maps a File entity to a FileName column, which this query does not
 // create. Confirm the parser supplies it, otherwise that entity stays unpopulated.
 | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername
# Microsoft Sentinel analytics rule template: Dev-0228 path/hash match over ASIM process-creation events.
# Runs every 6h over a 6h lookback (queryFrequency / queryPeriod) and raises an alert when the
# query returns more than 0 rows (triggerOperator gt, triggerThreshold 0).
queryFrequency: 6h
# Entity mappings bind query output columns to alert entities.
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
# NOTE(review): the query below extends timestamp, HostCustomEntity, AccountCustomEntity and
# AlertRiskScore but never creates a FileName column. Confirm the imProcessCreate parser supplies
# one, otherwise this File entity stays unpopulated.
- entityType: File
  fieldMappings:
  - columnName: FileName
    identifier: Name
severity: High
triggerThreshold: 0
relevantTechniques:
- T1569
- T1003
# Detection logic: keeps imProcessCreate events whose Process contains a listed path/file name and
# whose ActingProcessSHA256 contains a paired hash, then left-joins Defender ("MDATP") SecurityAlert
# rows on DvcId to derive AlertRiskScore (1.0 for the listed threat names, 0.5 for any other alert, 0.0 for none).
# NOTE(review): the path is tested on Process but the hash on ActingProcessSHA256. In the ASIM process
# schema Process normally refers to the created (target) process and ActingProcess* to its launcher.
# Confirm whether TargetProcessSHA256 was intended.
# NOTE(review): the joined side has one row per expanded alert entity, so results can repeat per
# entity. Consider reducing it to one row per DvcId before the join.
query: |
  let files1 = dynamic(["C:\\Windows\\TAPI\\lsa.exe", "C:\\Windows\\TAPI\\pa.exe", "C:\\Windows\\TAPI\\pc.exe", "C:\\Windows\\TAPI\\Rar.exe"]);
   let files2 = dynamic(["svchost.exe","wdmsvc.exe"]);
   let FileHash1 = dynamic(["43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3", "ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb", "010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77",     "56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7"]);
   let FileHash2 = dynamic(["2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7", "9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd", "18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b"]);
   imProcessCreate
   | where ((Process has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))
   // Increase risk score if recent alerts for the host
   | join kind=leftouter (SecurityAlert
   | where ProviderName =~ "MDATP"
   | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
   | mv-expand todynamic(Entities)
   | extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)
   | where isnotempty(DvcId)
   // Higher risk score are for Defender alerts related to threat actor
   | extend AlertRiskScore = iif(ThreatName has_any ("Backdoor:MSIL/ShellClient.A", "Backdoor:MSIL/ShellClient.A!dll", "Trojan:MSIL/Mimikatz.BA!MTB"), 1.0, 0.5)
   | project DvcId, AlertRiskScore) on DvcId
   | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)
   | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername  
id: 29a29e5d-354e-4f5e-8321-8b39d25047bf
triggerOperator: gt
version: 1.2.0
metadata:
  author:
    name: Ajeet Prakash
  source:
    kind: Community
  categories:
    domains:
    - Security - Threat Intelligence
  support:
    tier: Community
description: |
  'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.
   The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.
   This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization'  
queryPeriod: 6h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imFileEvent_Dev-0228FilePathHashesNovember2021(ASIMVersion).yaml
# No connectors are declared, yet the query reads the imProcessCreate parser and the SecurityAlert
# table filtered to ProviderName "MDATP". Without process-creation sources feeding the parser the
# rule returns nothing, and without Defender alerts every hit keeps AlertRiskScore 0.0.
requiredDataConnectors: []
name: Dev-0228 File Path Hashes November 2021 (ASIM Version)
tactics:
- CredentialAccess
- Execution
# Deployed as a scheduled analytics rule, although the description text calls it a hunting query.
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29a29e5d-354e-4f5e-8321-8b39d25047bf')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29a29e5d-354e-4f5e-8321-8b39d25047bf')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Dev-0228 File Path Hashes November 2021 (ASIM Version)",
        "description": "'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization'\n",
        "severity": "High",
        "enabled": true,
        "query": "let files1 = dynamic([\"C:\\\\Windows\\\\TAPI\\\\lsa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pc.exe\", \"C:\\\\Windows\\\\TAPI\\\\Rar.exe\"]);\n let files2 = dynamic([\"svchost.exe\",\"wdmsvc.exe\"]);\n let FileHash1 = dynamic([\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\", \"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\", \"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\",     \"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\"]);\n let FileHash2 = dynamic([\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\", \"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\", \"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\"]);\n imProcessCreate\n | where ((Process has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\n // Increase risk score if recent alerts for the host\n | join kind=leftouter (SecurityAlert\n | where ProviderName =~ \"MDATP\"\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n | mv-expand todynamic(Entities)\n | extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\n | where isnotempty(DvcId)\n // Higher risk score are for Defender alerts related to threat actor\n | extend AlertRiskScore = iif(ThreatName has_any (\"Backdoor:MSIL/ShellClient.A\", \"Backdoor:MSIL/ShellClient.A!dll\", \"Trojan:MSIL/Mimikatz.BA!MTB\"), 1.0, 0.5)\n | project DvcId, AlertRiskScore) on DvcId\n | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\n",
        "queryFrequency": "PT6H",
        "queryPeriod": "PT6H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Execution"
        ],
        "techniques": [
          "T1569",
          "T1003"
        ],
        "alertRuleTemplateName": "29a29e5d-354e-4f5e-8321-8b39d25047bf",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "FileName"
              }
            ]
          }
        ],
        "templateVersion": "1.2.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imFileEvent_Dev-0228FilePathHashesNovember2021(ASIMVersion).yaml"
      }
    }
  ]
}