Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

THALLIUM domains included in DCU takedown

Back
Id70b12a3b-4896-42cb-910c-5ffaf8d7987d
RulenameTHALLIUM domains included in DCU takedown
DescriptionTHALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown.

Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.

References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/
SeverityHigh
TacticsCommandAndControl
CredentialAccess
Required data connectorsAzureFirewall
AzureMonitor(VMInsights)
CiscoASA
CiscoUmbrellaDataConnector
Corelight
DNS
GCPDNSDataConnector
InfobloxNIOS
NXLogDnsLogs
PaloAltoNetworks
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ThalliumIOCs.yaml
Version1.5.1
Arm template70b12a3b-4896-42cb-910c-5ffaf8d7987d.json
Deploy To Azure
let DomainNames = dynamic(["seoulhobi.biz", "reader.cash", "pieceview.club", "app-wallet.com", "bigwnet.com", "bitwoll.com", "cexrout.com", "change-pw.com", "checkprofie.com", "cloudwebappservice.com", "ctquast.com", "dataviewering.com", "day-post.com", "dialy-post.com", "documentviewingcom.com", "dovvn-mail.com", "down-error.com", "drivecheckingcom.com", "drog-service.com", "encodingmail.com", "filinvestment.com", "foldershareing.com", "golangapis.com", "hotrnall.com", "lh-logins.com", "login-use.com", "mail-down.com", "matmiho.com", "mihomat.com", "natwpersonal-online.com", "nidlogin.com", "nid-login.com", "nidlogon.com", "pw-change.com", "rnaii.com", "rnailm.com", "sec-live.com", "secrityprocessing.com", "securitedmode.com", "securytingmail.com", "set-login.com", "usrchecking.com", "com-serviceround.info", "mai1.info", "reviewer.mobi", "files-download.net", "fixcool.net", "hanrnaii.net", "office356-us.org", "smtper.org"]);
(union isfuzzy=true
(CommonSecurityLog 
| parse Message with * '(' DNSName ')' * 
| where isnotempty(FileHash)
| where DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
),
(_Im_Dns (domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress = SrcIpAddr
),
(VMConnection 
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName  in~ (DomainNames)
| extend IPAddress = RemoteIp
),
(AzureDiagnostics 
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)  
| extend DNSName = DestinationHost 
| extend IPCustomEntity = SourceHost 
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallNetworkRule"
| where msg_s has_any (DomainNames)
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
| parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
| parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
| parse msg_s with * " Rule Collection: "  RuleCollection ". Rule: " Rule
| extend IPCustomEntity = SourceIP
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| where msg_s has_any (DomainNames)
| parse msg_s with "DNS Request: " SourceIP ":" SourcePortInt:int " - " QueryID:int " " RequestType " " RequestClass " " hostname ". " protocol " " details
| extend
    ResponseDuration = extract("[0-9]*.?[0-9]+s$", 0, msg_s),
    SourcePort = tostring(SourcePortInt),
    QueryID =  tostring(QueryID)
| extend IPCustomEntity = SourceIP
| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s
| order by TimeGenerated
),
(AZFWApplicationRule
| where Fqdn has_any (DomainNames)
| extend IPCustomEntity = SourceIp
),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (DomainNames)
| extend DNSName = QueryName
| extend IPCustomEntity = SourceIp
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress 
queryFrequency: 1d
triggerOperator: gt
tactics:
- CommandAndControl
- CredentialAccess
description: |
  'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. 
   Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.
   References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ '  
status: Available
name: THALLIUM domains included in DCU takedown
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ThalliumIOCs.yaml
severity: High
triggerThreshold: 0
version: 1.5.1
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
tags:
- Schema: ASIMDns
  SchemaVersion: 0.1.1
id: 70b12a3b-4896-42cb-910c-5ffaf8d7987d
requiredDataConnectors:
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: AzureMonitor(VMInsights)
  dataTypes:
  - VMConnection
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWDnsQuery
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: InfobloxNIOS
  dataTypes:
  - Syslog
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCP_DNS_CL
- connectorId: NXLogDnsLogs
  dataTypes:
  - NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_dns_CL
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
kind: Scheduled
query: |
  let DomainNames = dynamic(["seoulhobi.biz", "reader.cash", "pieceview.club", "app-wallet.com", "bigwnet.com", "bitwoll.com", "cexrout.com", "change-pw.com", "checkprofie.com", "cloudwebappservice.com", "ctquast.com", "dataviewering.com", "day-post.com", "dialy-post.com", "documentviewingcom.com", "dovvn-mail.com", "down-error.com", "drivecheckingcom.com", "drog-service.com", "encodingmail.com", "filinvestment.com", "foldershareing.com", "golangapis.com", "hotrnall.com", "lh-logins.com", "login-use.com", "mail-down.com", "matmiho.com", "mihomat.com", "natwpersonal-online.com", "nidlogin.com", "nid-login.com", "nidlogon.com", "pw-change.com", "rnaii.com", "rnailm.com", "sec-live.com", "secrityprocessing.com", "securitedmode.com", "securytingmail.com", "set-login.com", "usrchecking.com", "com-serviceround.info", "mai1.info", "reviewer.mobi", "files-download.net", "fixcool.net", "hanrnaii.net", "office356-us.org", "smtper.org"]);
  (union isfuzzy=true
  (CommonSecurityLog 
  | parse Message with * '(' DNSName ')' * 
  | where isnotempty(FileHash)
  | where DNSName in~ (DomainNames)
  | extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
  ),
  (_Im_Dns (domain_has_any=DomainNames)
  | extend DNSName = DnsQuery
  | extend IPAddress = SrcIpAddr
  ),
  (VMConnection 
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
  | where isnotempty(DNSName)
  | where DNSName  in~ (DomainNames)
  | extend IPAddress = RemoteIp
  ),
  (AzureDiagnostics 
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallApplicationRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (DomainNames)  
  | extend DNSName = DestinationHost 
  | extend IPCustomEntity = SourceHost 
  ),
  (AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallNetworkRule"
  | where msg_s has_any (DomainNames)
  | parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
  | parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
  | parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
  | parse msg_s with * " Rule Collection: "  RuleCollection ". Rule: " Rule
  | extend IPCustomEntity = SourceIP
  ),
  (AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallDnsProxy"
  | where msg_s has_any (DomainNames)
  | parse msg_s with "DNS Request: " SourceIP ":" SourcePortInt:int " - " QueryID:int " " RequestType " " RequestClass " " hostname ". " protocol " " details
  | extend
      ResponseDuration = extract("[0-9]*.?[0-9]+s$", 0, msg_s),
      SourcePort = tostring(SourcePortInt),
      QueryID =  tostring(QueryID)
  | extend IPCustomEntity = SourceIP
  | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s
  | order by TimeGenerated
  ),
  (AZFWApplicationRule
  | where Fqdn has_any (DomainNames)
  | extend IPCustomEntity = SourceIp
  ),
  (AZFWDnsQuery
  | where isnotempty(QueryName)
  | where QueryName has_any (DomainNames)
  | extend DNSName = QueryName
  | extend IPCustomEntity = SourceIp
  )
  )
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress   
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/70b12a3b-4896-42cb-910c-5ffaf8d7987d')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/70b12a3b-4896-42cb-910c-5ffaf8d7987d')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "THALLIUM domains included in DCU takedown",
        "description": "'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ '\n",
        "severity": "High",
        "enabled": true,
        "query": "let DomainNames = dynamic([\"seoulhobi.biz\", \"reader.cash\", \"pieceview.club\", \"app-wallet.com\", \"bigwnet.com\", \"bitwoll.com\", \"cexrout.com\", \"change-pw.com\", \"checkprofie.com\", \"cloudwebappservice.com\", \"ctquast.com\", \"dataviewering.com\", \"day-post.com\", \"dialy-post.com\", \"documentviewingcom.com\", \"dovvn-mail.com\", \"down-error.com\", \"drivecheckingcom.com\", \"drog-service.com\", \"encodingmail.com\", \"filinvestment.com\", \"foldershareing.com\", \"golangapis.com\", \"hotrnall.com\", \"lh-logins.com\", \"login-use.com\", \"mail-down.com\", \"matmiho.com\", \"mihomat.com\", \"natwpersonal-online.com\", \"nidlogin.com\", \"nid-login.com\", \"nidlogon.com\", \"pw-change.com\", \"rnaii.com\", \"rnailm.com\", \"sec-live.com\", \"secrityprocessing.com\", \"securitedmode.com\", \"securytingmail.com\", \"set-login.com\", \"usrchecking.com\", \"com-serviceround.info\", \"mai1.info\", \"reviewer.mobi\", \"files-download.net\", \"fixcool.net\", \"hanrnaii.net\", \"office356-us.org\", \"smtper.org\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(_Im_Dns (domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName  in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames)  \n| extend DNSName = DestinationHost \n| extend IPCustomEntity = SourceHost \n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| where msg_s has_any (DomainNames)\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int *\n| parse kind=regex flags=U msg_s with * \". Action\\\\: \" Action1a \"\\\\.\"\n| parse msg_s with * \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \".\" *\n| parse msg_s with * \" Rule Collection: \"  RuleCollection \". Rule: \" Rule\n| extend IPCustomEntity = SourceIP\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| where msg_s has_any (DomainNames)\n| parse msg_s with \"DNS Request: \" SourceIP \":\" SourcePortInt:int \" - \" QueryID:int \" \" RequestType \" \" RequestClass \" \" hostname \". \" protocol \" \" details\n| extend\n    ResponseDuration = extract(\"[0-9]*.?[0-9]+s$\", 0, msg_s),\n    SourcePort = tostring(SourcePortInt),\n    QueryID =  tostring(QueryID)\n| extend IPCustomEntity = SourceIP\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\n| order by TimeGenerated\n),\n(AZFWApplicationRule\n| where Fqdn has_any (DomainNames)\n| extend IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (DomainNames)\n| extend DNSName = QueryName\n| extend IPCustomEntity = SourceIp\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "CredentialAccess"
        ],
        "alertRuleTemplateName": "70b12a3b-4896-42cb-910c-5ffaf8d7987d",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "templateVersion": "1.5.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ThalliumIOCs.yaml",
        "status": "Available",
        "tags": [
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ]
      }
    }
  ]
}