[Deprecated] - Known Diamond Sleet related maldoc hash
| Id | 3174a9ec-d0ad-4152-8307-94ed04fa450a |
| Rulename | [Deprecated] - Known Diamond Sleet related maldoc hash |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | High |
| Tactics | CommandAndControl CredentialAccess |
| Required data connectors | CiscoASA PaloAltoNetworks SecurityEvents (note: the query reads CEF `FileHash` from CommonSecurityLog and Sysmon records from the `Event` table, not from `SecurityEvent`) |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DiamondSleetOct292020IOCs.yaml |
| Version | 2.0.0 |
| Arm template | 3174a9ec-d0ad-4152-8307-94ed04fa450a.json |
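// IoC list for this (deprecated) rule: a single SHA256 from the Oct-2020 Diamond Sleet maldoc reporting.
// Held as a dynamic array so additional hashes can be appended without touching the filters below.
let SHA256Hashes = dynamic(["1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"]);
(union isfuzzy=true
    // Leg 1: CEF sources (Cisco ASA, Palo Alto, ...) that populate FileHash.
    (CommonSecurityLog
    | parse Message with * '(' DNSName ')' *
    | where isnotempty(FileHash)
    // in~ rather than in: vendors emit hashes in mixed case, the IoC is lowercase.
    | where FileHash in~ (SHA256Hashes)
    | extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
    ),
    // Leg 2: Sysmon records collected into the Event table (Computer is a native column here;
    // IPAddress is not, so it is null for matches from this leg).
    (Event
    | where Source == "Microsoft-Windows-Sysmon"
    | extend EvData = parse_xml(EventData)
    | extend EventDetail = EvData.DataItem.EventData.Data
    // NOTE(review): positional access assumes the Hashes <Data> element is the 17th item, which depends
    // on the Sysmon event ID and schema version this rule was written against — confirm against your config.
    | extend Hashes = tostring(EventDetail.[16].["#text"])
    // Pull the SHA256 value out of the "MD5=..,SHA256=..,IMPHASH=.." string. extract() is used instead of
    // parse 'SHA256=' X ',' because the latter yields nothing when SHA256 is the last (or only) algorithm.
    | extend SHA256 = extract(@"SHA256=([0-9A-Fa-f]{64})", 1, Hashes)
    | where isnotempty(SHA256)
    // Compare the extracted SHA256, not the whole Hashes string, to the IoC list.
    | where SHA256 in~ (SHA256Hashes)
    | extend Account = UserName
    )
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress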
kind: Scheduled
tactics:
- CommandAndControl
- CredentialAccess
triggerThreshold: 0
triggerOperator: gt
version: 2.0.0
status: Available
queryFrequency: 1d
id: 3174a9ec-d0ad-4152-8307-94ed04fa450a
requiredDataConnectors:
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
name: '[Deprecated] - Known Diamond Sleet related maldoc hash'
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
- entityType: Host
fieldMappings:
- columnName: HostCustomEntity
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: IPCustomEntity
identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DiamondSleetOct292020IOCs.yaml
queryPeriod: 1d
severity: High
query: |
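// IoC list for this (deprecated) rule: a single SHA256 from the Oct-2020 Diamond Sleet maldoc reporting.
// Held as a dynamic array so additional hashes can be appended without touching the filters below.
let SHA256Hashes = dynamic(["1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"]);
(union isfuzzy=true
    // Leg 1: CEF sources (Cisco ASA, Palo Alto, ...) that populate FileHash.
    (CommonSecurityLog
    | parse Message with * '(' DNSName ')' *
    | where isnotempty(FileHash)
    // in~ rather than in: vendors emit hashes in mixed case, the IoC is lowercase.
    | where FileHash in~ (SHA256Hashes)
    | extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
    ),
    // Leg 2: Sysmon records collected into the Event table (Computer is a native column here;
    // IPAddress is not, so it is null for matches from this leg).
    (Event
    | where Source == "Microsoft-Windows-Sysmon"
    | extend EvData = parse_xml(EventData)
    | extend EventDetail = EvData.DataItem.EventData.Data
    // NOTE(review): positional access assumes the Hashes <Data> element is the 17th item, which depends
    // on the Sysmon event ID and schema version this rule was written against — confirm against your config.
    | extend Hashes = tostring(EventDetail.[16].["#text"])
    // Pull the SHA256 value out of the "MD5=..,SHA256=..,IMPHASH=.." string. extract() is used instead of
    // parse 'SHA256=' X ',' because the latter yields nothing when SHA256 is the last (or only) algorithm.
    | extend SHA256 = extract(@"SHA256=([0-9A-Fa-f]{64})", 1, Hashes)
    | where isnotempty(SHA256)
    // Compare the extracted SHA256, not the whole Hashes string, to the IoC list.
    | where SHA256 in~ (SHA256Hashes)
    | extend Account = UserName
    )
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress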