Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Known ZINC related maldoc hash

Back
Id3174a9ec-d0ad-4152-8307-94ed04fa450a
RulenameKnown ZINC related maldoc hash
DescriptionDocument hash used by ZINC in highly targeted spear phishing campaign.
SeverityHigh
TacticsCommandAndControl
CredentialAccess
Required data connectorsCiscoASA
PaloAltoNetworks
SecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ZincOct292020IOCs.yaml
Version1.0.2
Arm template3174a9ec-d0ad-4152-8307-94ed04fa450a.json
Deploy To Azure
let SHA256Hash = "1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471" ;
(union isfuzzy=true
(CommonSecurityLog 
| parse Message with * '(' DNSName ')' * 
| where isnotempty(FileHash)
| where FileHash in (SHA256Hash) 
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
),
(Event
//This query uses sysmon data depending on table name used this may need updataing
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| parse Hashes with * 'SHA256=' SHA265 ',' * 
| where isnotempty(Hashes)
| where Hashes in (SHA256Hash) 
| extend Account = UserName
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
queryFrequency: 1d
metadata:
  author:
    name: Ashwin Patil
  source:
    kind: Community
  categories:
    domains:
    - Security - Threat Intelligence
  support:
    tier: Community
triggerOperator: gt
tactics:
- CommandAndControl
- CredentialAccess
description: |
    'Document hash used by ZINC in highly targeted spear phishing campaign.'
status: Available
query: |
  let SHA256Hash = "1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471" ;
  (union isfuzzy=true
  (CommonSecurityLog 
  | parse Message with * '(' DNSName ')' * 
  | where isnotempty(FileHash)
  | where FileHash in (SHA256Hash) 
  | extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
  ),
  (Event
  //This query uses sysmon data depending on table name used this may need updataing
  | where Source == "Microsoft-Windows-Sysmon"
  | extend EvData = parse_xml(EventData)
  | extend EventDetail = EvData.DataItem.EventData.Data
  | extend Hashes = EventDetail.[16].["#text"]
  | parse Hashes with * 'SHA256=' SHA265 ',' * 
  | where isnotempty(Hashes)
  | where Hashes in (SHA256Hash) 
  | extend Account = UserName
  )
  )
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ZincOct292020IOCs.yaml
severity: High
triggerThreshold: 0
version: 1.0.2
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
name: Known ZINC related maldoc hash
id: 3174a9ec-d0ad-4152-8307-94ed04fa450a
requiredDataConnectors:
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
kind: Scheduled
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3174a9ec-d0ad-4152-8307-94ed04fa450a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3174a9ec-d0ad-4152-8307-94ed04fa450a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Known ZINC related maldoc hash",
        "description": "'Document hash used by ZINC in highly targeted spear phishing campaign.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let SHA256Hash = \"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\" ;\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) \n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA265 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hash) \n| extend Account = UserName\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "CredentialAccess"
        ],
        "alertRuleTemplateName": "3174a9ec-d0ad-4152-8307-94ed04fa450a",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "templateVersion": "1.0.2",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ZincOct292020IOCs.yaml",
        "status": "Available"
      }
    }
  ]
}