CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule

Back


Id	4afd8960-8bee-4cac-bb5e-a4f200b1f9f3
Rulename	CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule
Description	“This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.”
Severity	High
Tactics	InitialAccess Execution Persistence DefenseEvasion CommandAndControl CredentialAccess
Techniques	T1566 T1204 T1547 T1027 T1071 T1003 T1566.001 T1547.001
Required data connectors	CyfirmaCyberIntelligenceDC
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorHighSeverityRule.yaml
Version	1.0.1
Arm template	4afd8960-8bee-4cac-bb5e-a4f200b1f9f3.json

KQL

//Trojan File Hash Indicators with Monitor Action
let timeFrame = 5m;
CyfirmaIndicators_CL 
| where ConfidenceScore >= 80
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
    Algo_MD5='md5',
    Algo_SHA1= 'SHA1',
    Algo_SHA256='SHA256',
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project  
    MD5,
    Algo_MD5,
    SHA1,
    Algo_SHA1,
    SHA256,
    Algo_SHA256,
    ThreatActors,
    Sources,
    RecommendedActions,
    Roles,
    Country,
    name,
    Description,
    ConfidenceScore,
    SecurityVendors,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    ProductName,
    ProviderName

YAML

description: |
  "This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. 
  It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. 
  The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information."  
tactics:
- InitialAccess
- Execution
- Persistence
- DefenseEvasion
- CommandAndControl
- CredentialAccess
suppressionEnabled: true
suppressionDuration: 5m
requiredDataConnectors:
- dataTypes:
  - CyfirmaIndicators_CL
  connectorId: CyfirmaCyberIntelligenceDC
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence Trojan File Hash Indicators with Monitor Action - {{name}} '
  alertDescriptionFormat: '{{Description}} - {{name}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: 4afd8960-8bee-4cac-bb5e-a4f200b1f9f3
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  Tags: Tags
  TimeGenerated: TimeGenerated
  SecurityVendors: SecurityVendors
  Country: Country
  ThreatActors: ThreatActors
  Roles: Roles
  ThreatType: ThreatType
  ValidFrom: valid_from
  IndicatorID: IndicatorID
  RecommendedActions: RecommendedActions
  Sources: Sources
  Description: Description
  ConfidenceScore: ConfidenceScore
  created: created
  modified: modified
query: |
  //Trojan File Hash Indicators with Monitor Action
  let timeFrame = 5m;
  CyfirmaIndicators_CL 
  | where ConfidenceScore >= 80
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')
  | extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
  | extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
  | extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
  | extend
      Algo_MD5='md5',
      Algo_SHA1= 'SHA1',
      Algo_SHA256='SHA256',
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project  
      MD5,
      Algo_MD5,
      SHA1,
      Algo_SHA1,
      SHA256,
      Algo_SHA256,
      ThreatActors,
      Sources,
      RecommendedActions,
      Roles,
      Country,
      name,
      Description,
      ConfidenceScore,
      SecurityVendors,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      ProductName,
      ProviderName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorHighSeverityRule.yaml
kind: Scheduled
queryPeriod: 5m
enabled: false
name: CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1566
- T1204
- T1547
- T1027
- T1071
- T1003
- T1566.001
- T1547.001
version: 1.0.1
entityMappings:
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: Algo_MD5
  - identifier: Value
    columnName: MD5
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA1
  - identifier: Value
    columnName: SHA1
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA256
  - identifier: Value
    columnName: SHA256
triggerOperator: GreaterThan

ARM