CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule
| Id | 649f525a-1f92-412d-bfc2-ce642e7a7f1f |
| Rulename | CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule |
| Description | “This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.” |
| Severity | High |
| Tactics | InitialAccess Execution Persistence DefenseEvasion CommandAndControl CredentialAccess |
| Techniques | T1566 T1204 T1547 T1027 T1071 T1003 T1566.001 T1547.001 |
| Required data connectors | CyfirmaCyberIntelligenceDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsBlockHighSeverityRule.yaml |
| Version | 1.0.1 |
| Arm template | 649f525a-1f92-412d-bfc2-ce642e7a7f1f.json |
//Trojan File Hash Indicators with Block Action
let timeFrame = 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles has 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='MD5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
kind: Scheduled
customDetails:
Description: Description
SecurityVendors: SecurityVendors
ConfidenceScore: ConfidenceScore
created: created
Sources: Sources
modified: modified
ThreatActors: ThreatActors
RecommendedActions: RecommendedActions
Country: Country
ThreatType: ThreatType
ValidFrom: valid_from
Tags: Tags
TimeGenerated: TimeGenerated
IndicatorID: IndicatorID
Roles: Roles
suppressionDuration: 5m
entityMappings:
- entityType: FileHash
fieldMappings:
- columnName: MD5
identifier: Value
- columnName: Algo_MD5
identifier: Algorithm
- entityType: FileHash
fieldMappings:
- columnName: SHA1
identifier: Value
- columnName: Algo_SHA1
identifier: Algorithm
- entityType: FileHash
fieldMappings:
- columnName: SHA256
identifier: Value
- columnName: Algo_SHA256
identifier: Algorithm
description: |
"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table.
It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values.
The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information."
severity: High
queryFrequency: 5m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1566
- T1204
- T1547
- T1027
- T1071
- T1003
- T1566.001
- T1547.001
eventGroupingSettings:
aggregationKind: AlertPerResult
suppressionEnabled: true
version: 1.0.1
name: CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule
id: 649f525a-1f92-412d-bfc2-ce642e7a7f1f
query: |
//Trojan File Hash Indicators with Block Action
let timeFrame = 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles has 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='MD5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
requiredDataConnectors:
- dataTypes:
- CyfirmaIndicators_CL
connectorId: CyfirmaCyberIntelligenceDC
tactics:
- InitialAccess
- Execution
- Persistence
- DefenseEvasion
- CommandAndControl
- CredentialAccess
enabled: false
alertDetailsOverride:
alertDisplayNameFormat: 'High-Confidence Trojan File Hash Indicators with Block Action Rule - {{name}} '
alertDescriptionFormat: '{{Description}} - {{name}} '
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsBlockHighSeverityRule.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/649f525a-1f92-412d-bfc2-ce642e7a7f1f')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/649f525a-1f92-412d-bfc2-ce642e7a7f1f')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} - {{name}} ",
"alertDisplayNameFormat": "High-Confidence Trojan File Hash Indicators with Block Action Rule - {{name}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "649f525a-1f92-412d-bfc2-ce642e7a7f1f",
"customDetails": {
"ConfidenceScore": "ConfidenceScore",
"Country": "Country",
"created": "created",
"Description": "Description",
"IndicatorID": "IndicatorID",
"modified": "modified",
"RecommendedActions": "RecommendedActions",
"Roles": "Roles",
"SecurityVendors": "SecurityVendors",
"Sources": "Sources",
"Tags": "Tags",
"ThreatActors": "ThreatActors",
"ThreatType": "ThreatType",
"TimeGenerated": "TimeGenerated",
"ValidFrom": "valid_from"
},
"description": "\"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. \nIt specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. \nThe query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.\"\n",
"displayName": "CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule",
"enabled": false,
"entityMappings": [
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "MD5",
"identifier": "Value"
},
{
"columnName": "Algo_MD5",
"identifier": "Algorithm"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "SHA1",
"identifier": "Value"
},
{
"columnName": "Algo_SHA1",
"identifier": "Algorithm"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "SHA256",
"identifier": "Value"
},
{
"columnName": "Algo_SHA256",
"identifier": "Algorithm"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsBlockHighSeverityRule.yaml",
"query": "//Trojan File Hash Indicators with Block Action\nlet timeFrame = 5m;\nCyfirmaIndicators_CL \n| where ConfidenceScore >= 80\n and TimeGenerated between (ago(timeFrame) .. now())\n and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles has 'Trojan')\n| extend MD5 = extract(@\"file:hashes\\.md5\\s*=\\s*'([a-fA-F0-9]{32})'\", 1, pattern)\n| extend SHA1 = extract(@\"file:hashes\\.'SHA-1'\\s*=\\s*'([a-fA-F0-9]{40})'\", 1, pattern)\n| extend SHA256 = extract(@\"file:hashes\\.'SHA-256'\\s*=\\s*'([a-fA-F0-9]{64})'\", 1, pattern)\n| extend\n Algo_MD5='MD5',\n Algo_SHA1= 'SHA1',\n Algo_SHA256='SHA256',\n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| project \n MD5,\n Algo_MD5,\n SHA1,\n Algo_SHA1,\n SHA256,\n Algo_SHA256,\n ThreatActors,\n Sources,\n RecommendedActions,\n Roles,\n Country,\n name,\n Description,\n ConfidenceScore,\n SecurityVendors,\n IndicatorID,\n created,\n modified,\n valid_from,\n Tags,\n ThreatType,\n TimeGenerated,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"subTechniques": [
"T1566.001",
"T1547.001"
],
"suppressionDuration": "PT5M",
"suppressionEnabled": true,
"tactics": [
"CommandAndControl",
"CredentialAccess",
"DefenseEvasion",
"Execution",
"InitialAccess",
"Persistence"
],
"techniques": [
"T1003",
"T1027",
"T1071",
"T1204",
"T1547",
"T1566"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}