Malware in the recycle bin (Normalized Process Events)

Back


Id	61988db3-0565-49b5-b8e3-747195baac6e
Rulename	Malware in the recycle bin (Normalized Process Events)
Description	Identifies malware that has been hidden in the recycle bin. To use this analytics rule, make sure you have deployed the ASIM normalization parsers
Severity	Medium
Tactics	DefenseEvasion
Techniques	T1564
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml
Version	1.2.3
Arm template	61988db3-0565-49b5-b8e3-747195baac6e.json

KQL

let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]);  
imProcessCreate
| where CommandLine has "recycler"
| where Process has_any (procList)
| extend FileName = tostring(split(Process, '\\')[-1])
| where FileName in~ (procList)
| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct
| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc

YAML

metadata:
  author:
    name: Yuval Naor
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Threat Protection
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml
description: |
  'Identifies malware that has been hidden in the recycle bin.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'  
tags:
- Id: b8266f81-2715-41a6-9062-42486cbc9c73
  version: 1.0.0
- SchemaVersion: 0.1.0
  Schema: ASIMProcessEvent
triggerOperator: gt
queryPeriod: 1d
requiredDataConnectors: []
queryFrequency: 1d
triggerThreshold: 0
tactics:
- DefenseEvasion
query: |
  let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]);  
  imProcessCreate
  | where CommandLine has "recycler"
  | where Process has_any (procList)
  | extend FileName = tostring(split(Process, '\\')[-1])
  | where FileName in~ (procList)
  | project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct
  | extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc  
kind: Scheduled
relevantTechniques:
- T1564
version: 1.2.3
id: 61988db3-0565-49b5-b8e3-747195baac6e
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
name: Malware in the recycle bin (Normalized Process Events)

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/61988db3-0565-49b5-b8e3-747195baac6e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/61988db3-0565-49b5-b8e3-747195baac6e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Malware in the recycle bin (Normalized Process Events)",
        "description": "'Identifies malware that has been hidden in the recycle bin.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let procList = dynamic([\"cmd.exe\",\"ftp.exe\",\"schtasks.exe\",\"powershell.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"msiexec.exe\"]);  \nimProcessCreate\n| where CommandLine has \"recycler\"\n| where Process has_any (procList)\n| extend FileName = tostring(split(Process, '\\\\')[-1])\n| where FileName in~ (procList)\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1564"
        ],
        "alertRuleTemplateName": "61988db3-0565-49b5-b8e3-747195baac6e",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml",
        "tags": [
          {
            "Id": "b8266f81-2715-41a6-9062-42486cbc9c73",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMProcessEvent",
            "SchemaVersion": "0.1.0"
          }
        ],
        "templateVersion": "1.2.3"
      }
    }
  ]
}