CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule
| Id | 649f525a-1f92-412d-bfc2-ce642e7a7f1f |
| Rulename | CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule |
| Description | “This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.” |
| Severity | High |
| Tactics | InitialAccess Execution Persistence DefenseEvasion CommandAndControl CredentialAccess |
| Techniques | T1566 T1204 T1547 T1027 T1071 T1003 T1566.001 T1547.001 |
| Required data connectors | CyfirmaCyberIntelligenceDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsBlockHighSeverityRule.yaml |
| Version | 1.0.0 |
| Arm template | 649f525a-1f92-412d-bfc2-ce642e7a7f1f.json |
//Trojan File Hash Indicators with Block Action
let timeFrame = 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles has 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='MD5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
suppressionDuration: 5m
relevantTechniques:
- T1566
- T1204
- T1547
- T1027
- T1071
- T1003
- T1566.001
- T1547.001
description: |
"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table.
It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values.
The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information."
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsBlockHighSeverityRule.yaml
alertDetailsOverride:
alertDisplayNameFormat: 'High-Confidence Trojan File Hash Indicators with Block Action Rule - {{name}} '
alertDescriptionFormat: '{{Description}} - {{name}} '
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
query: |
//Trojan File Hash Indicators with Block Action
let timeFrame = 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles has 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='MD5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
version: 1.0.0
name: CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
lookbackDuration: 5m
matchingMethod: AllEntities
reopenClosedIncident: false
tactics:
- InitialAccess
- Execution
- Persistence
- DefenseEvasion
- CommandAndControl
- CredentialAccess
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
- identifier: Value
columnName: MD5
- identifier: Algorithm
columnName: Algo_MD5
entityType: FileHash
- fieldMappings:
- identifier: Value
columnName: SHA1
- identifier: Algorithm
columnName: Algo_SHA1
entityType: FileHash
- fieldMappings:
- identifier: Value
columnName: SHA256
- identifier: Algorithm
columnName: Algo_SHA256
entityType: FileHash
suppressionEnabled: true
requiredDataConnectors:
- dataTypes:
- CyfirmaIndicators_CL
connectorId: CyfirmaCyberIntelligenceDC
severity: High
enabled: false
id: 649f525a-1f92-412d-bfc2-ce642e7a7f1f
customDetails:
ConfidenceScore: ConfidenceScore
ThreatActors: ThreatActors
IndicatorID: IndicatorID
created: created
modified: modified
ValidFrom: valid_from
Tags: Tags
Country: Country
SecurityVendors: SecurityVendors
TimeGenerated: TimeGenerated
Description: Description
ThreatType: ThreatType
Roles: Roles
Sources: Sources
RecommendedActions: RecommendedActions
triggerOperator: GreaterThan
triggerThreshold: 0
queryFrequency: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/649f525a-1f92-412d-bfc2-ce642e7a7f1f')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/649f525a-1f92-412d-bfc2-ce642e7a7f1f')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} - {{name}} ",
"alertDisplayNameFormat": "High-Confidence Trojan File Hash Indicators with Block Action Rule - {{name}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "649f525a-1f92-412d-bfc2-ce642e7a7f1f",
"customDetails": {
"ConfidenceScore": "ConfidenceScore",
"Country": "Country",
"created": "created",
"Description": "Description",
"IndicatorID": "IndicatorID",
"modified": "modified",
"RecommendedActions": "RecommendedActions",
"Roles": "Roles",
"SecurityVendors": "SecurityVendors",
"Sources": "Sources",
"Tags": "Tags",
"ThreatActors": "ThreatActors",
"ThreatType": "ThreatType",
"TimeGenerated": "TimeGenerated",
"ValidFrom": "valid_from"
},
"description": "\"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. \nIt specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. \nThe query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.\"\n",
"displayName": "CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule",
"enabled": false,
"entityMappings": [
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "MD5",
"identifier": "Value"
},
{
"columnName": "Algo_MD5",
"identifier": "Algorithm"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "SHA1",
"identifier": "Value"
},
{
"columnName": "Algo_SHA1",
"identifier": "Algorithm"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "SHA256",
"identifier": "Value"
},
{
"columnName": "Algo_SHA256",
"identifier": "Algorithm"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5M",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsBlockHighSeverityRule.yaml",
"query": "//Trojan File Hash Indicators with Block Action\nlet timeFrame = 5m;\nCyfirmaIndicators_CL \n| where ConfidenceScore >= 80\n and TimeGenerated between (ago(timeFrame) .. now())\n and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles has 'Trojan')\n| extend MD5 = extract(@\"file:hashes\\.md5\\s*=\\s*'([a-fA-F0-9]{32})'\", 1, pattern)\n| extend SHA1 = extract(@\"file:hashes\\.'SHA-1'\\s*=\\s*'([a-fA-F0-9]{40})'\", 1, pattern)\n| extend SHA256 = extract(@\"file:hashes\\.'SHA-256'\\s*=\\s*'([a-fA-F0-9]{64})'\", 1, pattern)\n| extend\n Algo_MD5='MD5',\n Algo_SHA1= 'SHA1',\n Algo_SHA256='SHA256',\n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| project \n MD5,\n Algo_MD5,\n SHA1,\n Algo_SHA1,\n SHA256,\n Algo_SHA256,\n ThreatActors,\n Sources,\n RecommendedActions,\n Roles,\n Country,\n name,\n Description,\n ConfidenceScore,\n SecurityVendors,\n IndicatorID,\n created,\n modified,\n valid_from,\n Tags,\n ThreatType,\n TimeGenerated,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"subTechniques": [
"T1566.001",
"T1547.001"
],
"suppressionDuration": "PT5M",
"suppressionEnabled": true,
"tactics": [
"CommandAndControl",
"CredentialAccess",
"DefenseEvasion",
"Execution",
"InitialAccess",
"Persistence"
],
"techniques": [
"T1003",
"T1027",
"T1071",
"T1204",
"T1547",
"T1566"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}