Malware in the recycle bin

Back


Id	75bf9902-0789-47c1-a5d8-f57046aa72df
Rulename	Malware in the recycle bin
Description	The query detects Windows binaries that can be used for executing malware and have been hidden in the recycle bin. The list of these binaries is sourced from https://lolbas-project.github.io/ References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.
Severity	Medium
Tactics	DefenseEvasion
Techniques	T1564
Required data connectors	SecurityEvents WindowsForwardedEvents WindowsSecurityEvents
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/malware_in_recyclebin.yaml
Version	1.1.5
Arm template	75bf9902-0789-47c1-a5d8-f57046aa72df.json

KQL

let procList = externaldata(Process:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv"] with (format="csv", ignoreFirstRecord=True);
let recycle_bin_paths = dynamic([@":\RECYCLER", @":\$RECYCLE.BIN"]);
let ProcessCreationEvents=(union isfuzzy=true
(SecurityEvent
| where EventID==4688
| where isnotempty(CommandLine)
| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,
FileName = Process, CommandLine,  ParentProcessName
),
(WindowsEvent
| where EventID==4688 and EventData has_any (procList) and EventData has_any (recycle_bin_paths)
| extend CommandLine = tostring(EventData.CommandLine)
| where isnotempty(CommandLine)
| extend SubjectUserName = tostring(EventData.SubjectUserName)
| extend SubjectDomainName = tostring(EventData.SubjectDomainName) 
| extend NewProcessName = tostring(EventData.NewProcessName)  
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| extend Process=tostring(split(NewProcessName, '\\')[-1])
| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,
FileName = Process, CommandLine,  ParentProcessName
));
ProcessCreationEvents 
| where FileName in~ (procList)
| where CommandLine has_any (recycle_bin_paths)
| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')

YAML

tactics:
- DefenseEvasion
relevantTechniques:
- T1564
id: 75bf9902-0789-47c1-a5d8-f57046aa72df
severity: Medium
status: Available
name: Malware in the recycle bin
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvents
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
query: |
  let procList = externaldata(Process:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv"] with (format="csv", ignoreFirstRecord=True);
  let recycle_bin_paths = dynamic([@":\RECYCLER", @":\$RECYCLE.BIN"]);
  let ProcessCreationEvents=(union isfuzzy=true
  (SecurityEvent
  | where EventID==4688
  | where isnotempty(CommandLine)
  | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,
  FileName = Process, CommandLine,  ParentProcessName
  ),
  (WindowsEvent
  | where EventID==4688 and EventData has_any (procList) and EventData has_any (recycle_bin_paths)
  | extend CommandLine = tostring(EventData.CommandLine)
  | where isnotempty(CommandLine)
  | extend SubjectUserName = tostring(EventData.SubjectUserName)
  | extend SubjectDomainName = tostring(EventData.SubjectDomainName) 
  | extend NewProcessName = tostring(EventData.NewProcessName)  
  | extend ParentProcessName = tostring(EventData.ParentProcessName)
  | extend Process=tostring(split(NewProcessName, '\\')[-1])
  | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,
  FileName = Process, CommandLine,  ParentProcessName
  ));
  ProcessCreationEvents 
  | where FileName in~ (procList)
  | where CommandLine has_any (recycle_bin_paths)
  | project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName
  | extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')  
queryPeriod: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Account
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
triggerOperator: gt
triggerThreshold: 0
description: |
  'The query detects Windows binaries that can be used for executing malware and have been hidden in the recycle bin.
  The list of these binaries is sourced from https://lolbas-project.github.io/
  References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.'  
version: 1.1.5
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/malware_in_recyclebin.yaml
queryFrequency: 1d
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75bf9902-0789-47c1-a5d8-f57046aa72df')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75bf9902-0789-47c1-a5d8-f57046aa72df')]",
      "properties": {
        "alertRuleTemplateName": "75bf9902-0789-47c1-a5d8-f57046aa72df",
        "customDetails": null,
        "description": "'The query detects Windows binaries that can be used for executing malware and have been hidden in the recycle bin.\nThe list of these binaries is sourced from https://lolbas-project.github.io/\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.'\n",
        "displayName": "Malware in the recycle bin",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Account",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/malware_in_recyclebin.yaml",
        "query": "let procList = externaldata(Process:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet recycle_bin_paths = dynamic([@\":\\RECYCLER\", @\":\\$RECYCLE.BIN\"]);\nlet ProcessCreationEvents=(union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\nFileName = Process, CommandLine,  ParentProcessName\n),\n(WindowsEvent\n| where EventID==4688 and EventData has_any (procList) and EventData has_any (recycle_bin_paths)\n| extend CommandLine = tostring(EventData.CommandLine)\n| where isnotempty(CommandLine)\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \n| extend NewProcessName = tostring(EventData.NewProcessName)  \n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| extend Process=tostring(split(NewProcessName, '\\\\')[-1])\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\nFileName = Process, CommandLine,  ParentProcessName\n));\nProcessCreationEvents \n| where FileName in~ (procList)\n| where CommandLine has_any (recycle_bin_paths)\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1564"
        ],
        "templateVersion": "1.1.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}