CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule
| Id | 4afd8960-8bee-4cac-bb5e-a4f200b1f9f3 |
| Rulename | CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule |
| Description | “This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.” |
| Severity | High |
| Tactics | InitialAccess Execution Persistence DefenseEvasion CommandAndControl CredentialAccess |
| Techniques | T1566 T1204 T1547 T1027 T1071 T1003 T1566.001 T1547.001 |
| Required data connectors | CyfirmaCyberIntelligenceDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorHighSeverityRule.yaml |
| Version | 1.0.0 |
| Arm template | 4afd8960-8bee-4cac-bb5e-a4f200b1f9f3.json |
//Trojan File Hash Indicators with Monitor Action
let timeFrame = 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='md5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
tactics:
- InitialAccess
- Execution
- Persistence
- DefenseEvasion
- CommandAndControl
- CredentialAccess
enabled: false
id: 4afd8960-8bee-4cac-bb5e-a4f200b1f9f3
requiredDataConnectors:
- connectorId: CyfirmaCyberIntelligenceDC
dataTypes:
- CyfirmaIndicators_CL
query: |
//Trojan File Hash Indicators with Monitor Action
let timeFrame = 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='md5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1566
- T1204
- T1547
- T1027
- T1071
- T1003
- T1566.001
- T1547.001
name: CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule
description: |
"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table.
It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values.
The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information."
triggerOperator: GreaterThan
queryPeriod: 5m
suppressionDuration: 5m
severity: High
entityMappings:
- fieldMappings:
- identifier: Algorithm
columnName: Algo_MD5
- identifier: Value
columnName: MD5
entityType: FileHash
- fieldMappings:
- identifier: Algorithm
columnName: Algo_SHA1
- identifier: Value
columnName: SHA1
entityType: FileHash
- fieldMappings:
- identifier: Algorithm
columnName: Algo_SHA256
- identifier: Value
columnName: SHA256
entityType: FileHash
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorHighSeverityRule.yaml
version: 1.0.0
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: 'High-Confidence Trojan File Hash Indicators with Monitor Action - {{name}} '
alertDescriptionFormat: '{{Description}} - {{name}} '
triggerThreshold: 0
suppressionEnabled: true
queryFrequency: 5m
kind: Scheduled
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: 5m
enabled: false
customDetails:
modified: modified
ConfidenceScore: ConfidenceScore
RecommendedActions: RecommendedActions
created: created
ThreatActors: ThreatActors
ValidFrom: valid_from
Description: Description
SecurityVendors: SecurityVendors
IndicatorID: IndicatorID
TimeGenerated: TimeGenerated
Tags: Tags
Sources: Sources
Country: Country
ThreatType: ThreatType
Roles: Roles
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4afd8960-8bee-4cac-bb5e-a4f200b1f9f3')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4afd8960-8bee-4cac-bb5e-a4f200b1f9f3')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} - {{name}} ",
"alertDisplayNameFormat": "High-Confidence Trojan File Hash Indicators with Monitor Action - {{name}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "4afd8960-8bee-4cac-bb5e-a4f200b1f9f3",
"customDetails": {
"ConfidenceScore": "ConfidenceScore",
"Country": "Country",
"created": "created",
"Description": "Description",
"IndicatorID": "IndicatorID",
"modified": "modified",
"RecommendedActions": "RecommendedActions",
"Roles": "Roles",
"SecurityVendors": "SecurityVendors",
"Sources": "Sources",
"Tags": "Tags",
"ThreatActors": "ThreatActors",
"ThreatType": "ThreatType",
"TimeGenerated": "TimeGenerated",
"ValidFrom": "valid_from"
},
"description": "\"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. \nIt specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. \nThe query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.\"\n",
"displayName": "CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule",
"enabled": false,
"entityMappings": [
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "Algo_MD5",
"identifier": "Algorithm"
},
{
"columnName": "MD5",
"identifier": "Value"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "Algo_SHA1",
"identifier": "Algorithm"
},
{
"columnName": "SHA1",
"identifier": "Value"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "Algo_SHA256",
"identifier": "Algorithm"
},
{
"columnName": "SHA256",
"identifier": "Value"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5M",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorHighSeverityRule.yaml",
"query": "//Trojan File Hash Indicators with Monitor Action\nlet timeFrame = 5m;\nCyfirmaIndicators_CL \n| where ConfidenceScore >= 80\n and TimeGenerated between (ago(timeFrame) .. now())\n and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')\n| extend MD5 = extract(@\"file:hashes\\.md5\\s*=\\s*'([a-fA-F0-9]{32})'\", 1, pattern)\n| extend SHA1 = extract(@\"file:hashes\\.'SHA-1'\\s*=\\s*'([a-fA-F0-9]{40})'\", 1, pattern)\n| extend SHA256 = extract(@\"file:hashes\\.'SHA-256'\\s*=\\s*'([a-fA-F0-9]{64})'\", 1, pattern)\n| extend\n Algo_MD5='md5',\n Algo_SHA1= 'SHA1',\n Algo_SHA256='SHA256',\n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| project \n MD5,\n Algo_MD5,\n SHA1,\n Algo_SHA1,\n SHA256,\n Algo_SHA256,\n ThreatActors,\n Sources,\n RecommendedActions,\n Roles,\n Country,\n name,\n Description,\n ConfidenceScore,\n SecurityVendors,\n IndicatorID,\n created,\n modified,\n valid_from,\n Tags,\n ThreatType,\n TimeGenerated,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"subTechniques": [
"T1566.001",
"T1547.001"
],
"suppressionDuration": "PT5M",
"suppressionEnabled": true,
"tactics": [
"CommandAndControl",
"CredentialAccess",
"DefenseEvasion",
"Execution",
"InitialAccess",
"Persistence"
],
"techniques": [
"T1003",
"T1027",
"T1071",
"T1204",
"T1547",
"T1566"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}