Known PHOSPHORUS group domains/IP - October 2020
| Id | 7249500f-3038-4b83-8549-9cd8dfa2d498 |
| Rulename | Known PHOSPHORUS group domains/IP - October 2020 |
| Description | Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: |
| Severity | High |
| Tactics | CommandAndControl InitialAccess |
| Techniques | T1071 T1566 |
| Required data connectors | AzureFirewall AzureMonitor(VMInsights) CiscoASA DNS Fortinet OfficeATP PaloAltoNetworks Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/KnownPHOSPHORUSDomainsIP-October2020.yaml |
| Version | 1.1.1 |
| Arm template | 7249500f-3038-4b83-8549-9cd8dfa2d498.json |
let DomainNames = dynamic(["de-ma.online", "g20saudi.000webhostapp.com", "ksat20.000webhostapp.com"]);
let EmailAddresses = dynamic(["munichconference1962@gmail.com","munichconference@outlook.de", "munichconference@outlook.com", "t20saudiarabia@gmail.com", "t20saudiarabia@hotmail.com", "t20saudiarabia@outlook.sa"]);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| extend MessageIP = extract(IPRegex, 0, Message)
| extend RequestURLIP = extract(IPRegex, 0, Message)
| where (isnotempty(DNSName) and DNSName has_any (DomainNames))
or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))
or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))
| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
),
(DnsEvents
| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer
| where DNSName has_any (DomainNames)
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName has_any (DomainNames)
| extend timestamp = TimeGenerated , HostCustomEntity = Computer),
(SecurityAlert
| where ProviderName =~ 'OATP'
| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,
isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,
isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,
isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,
isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,
isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,
isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,
isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,
isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,
parse_json(Entities)[9].Upn)
| where Entities has_any (EmailAddresses)
| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),
(AzureDiagnostics
| where ResourceType =~ "AZUREFIREWALLS"
| where msg_s has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| where msg_s has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (DomainNames)
| extend timestamp = TimeGenerated))
queryPeriod: 1d
version: 1.1.1
relevantTechniques:
- T1071
- T1566
queryFrequency: 1d
kind: Scheduled
name: Known PHOSPHORUS group domains/IP - October 2020
id: 7249500f-3038-4b83-8549-9cd8dfa2d498
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: HostCustomEntity
identifier: FullName
entityType: Host
- fieldMappings:
- columnName: IPCustomEntity
identifier: Address
entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/KnownPHOSPHORUSDomainsIP-October2020.yaml
severity: High
query: |
let DomainNames = dynamic(["de-ma.online", "g20saudi.000webhostapp.com", "ksat20.000webhostapp.com"]);
let EmailAddresses = dynamic(["munichconference1962@gmail.com","munichconference@outlook.de", "munichconference@outlook.com", "t20saudiarabia@gmail.com", "t20saudiarabia@hotmail.com", "t20saudiarabia@outlook.sa"]);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| extend MessageIP = extract(IPRegex, 0, Message)
| extend RequestURLIP = extract(IPRegex, 0, Message)
| where (isnotempty(DNSName) and DNSName has_any (DomainNames))
or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))
or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))
| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
),
(DnsEvents
| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer
| where DNSName has_any (DomainNames)
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName has_any (DomainNames)
| extend timestamp = TimeGenerated , HostCustomEntity = Computer),
(SecurityAlert
| where ProviderName =~ 'OATP'
| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,
isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,
isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,
isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,
isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,
isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,
isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,
isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,
isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,
parse_json(Entities)[9].Upn)
| where Entities has_any (EmailAddresses)
| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),
(AzureDiagnostics
| where ResourceType =~ "AZUREFIREWALLS"
| where msg_s has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| where msg_s has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (DomainNames)
| extend timestamp = TimeGenerated))
tactics:
- CommandAndControl
- InitialAccess
description: |
'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.
References: '
requiredDataConnectors:
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: AzureMonitor(VMInsights)
dataTypes:
- VMConnection
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog (Cisco)
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog (PaloAlto)
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog (Zscaler)
- connectorId: Fortinet
dataTypes:
- CommonSecurityLog (Fortinet)
- connectorId: OfficeATP
dataTypes:
- SecurityAlert (OATP)
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics (Azure Firewall)
- AZFWApplicationRule
- AZFWDnsQuery
status: Available
triggerThreshold: 0
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7249500f-3038-4b83-8549-9cd8dfa2d498')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7249500f-3038-4b83-8549-9cd8dfa2d498')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Known PHOSPHORUS group domains/IP - October 2020",
"description": "'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\nReferences: '\n",
"severity": "High",
"enabled": true,
"query": "let DomainNames = dynamic([\"de-ma.online\", \"g20saudi.000webhostapp.com\", \"ksat20.000webhostapp.com\"]);\nlet EmailAddresses = dynamic([\"munichconference1962@gmail.com\",\"munichconference@outlook.de\", \"munichconference@outlook.com\", \"t20saudiarabia@gmail.com\", \"t20saudiarabia@hotmail.com\", \"t20saudiarabia@outlook.sa\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' *\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames))\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\n),\n(DnsEvents\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\n(SecurityAlert\n| where ProviderName =~ 'OATP'\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\n parse_json(Entities)[9].Upn)\n| where Entities has_any (EmailAddresses)\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\n(AzureDiagnostics\n| where ResourceType =~ \"AZUREFIREWALLS\"\n| where msg_s has_any (DomainNames)\n| extend timestamp = TimeGenerated),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| where msg_s has_any (DomainNames)\n| extend timestamp = TimeGenerated),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (DomainNames) \n| extend timestamp = TimeGenerated),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (DomainNames)\n| extend timestamp = TimeGenerated))\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"InitialAccess"
],
"techniques": [
"T1071",
"T1566"
],
"alertRuleTemplateName": "7249500f-3038-4b83-8549-9cd8dfa2d498",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/KnownPHOSPHORUSDomainsIP-October2020.yaml",
"status": "Available",
"templateVersion": "1.1.1"
}
}
]
}