[Deprecated] - Silk Typhoon UM Service writing suspicious file
| Id | 7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e |
| Rulename | [Deprecated] - Silk Typhoon UM Service writing suspicious file |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | High |
| Tactics | InitialAccess |
| Techniques | T1190 |
| Required data connectors | MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents WindowsSecurityEvents |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SilkTyphoonUmServiceSuspiciousFile.yaml |
| Version | 2.0.0 |
| Arm template | 7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e.json |
let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
union isfuzzy=true
(SecurityEvent
| where EventID == 4663
| where Process has_any ("umworkerprocess.exe", "UMService.exe")
| where ObjectName has_any (scriptExtensions)
| where AccessMask in ('0x2','0x100', '0x10', '0x4')
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
),
(WindowsEvent
| where EventID == 4663 and EventData has_any ("umworkerprocess.exe", "UMService.exe") and EventData has_any (scriptExtensions)
| where EventData has_any ('0x2','0x100', '0x10', '0x4')
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Process=tostring(split(NewProcessName, '\\')[-1])
| where Process has_any ("umworkerprocess.exe", "UMService.exe")
| extend ObjectName = tostring(EventData.ObjectName)
| where ObjectName has_any (scriptExtensions)
| extend AccessMask = tostring(EventData.AccessMask)
| where AccessMask in ('0x2','0x100', '0x10', '0x4')
| extend Account = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
| extend IpAddress = tostring(EventData.IpAddress)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
),
(imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName has_any ("umworkerprocess.exe", "UMService.exe")
and
TargetFileName has_any (scriptExtensions)
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname
),
(DeviceFileEvents
| where ActionType =~ "FileCreated"
| where InitiatingProcessFileName has_any ("umworkerprocess.exe", "UMService.exe")
| where FileName has_any(scriptExtensions)
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SilkTyphoonUmServiceSuspiciousFile.yaml
status: Available
id: 7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e
query: |
let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
union isfuzzy=true
(SecurityEvent
| where EventID == 4663
| where Process has_any ("umworkerprocess.exe", "UMService.exe")
| where ObjectName has_any (scriptExtensions)
| where AccessMask in ('0x2','0x100', '0x10', '0x4')
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
),
(WindowsEvent
| where EventID == 4663 and EventData has_any ("umworkerprocess.exe", "UMService.exe") and EventData has_any (scriptExtensions)
| where EventData has_any ('0x2','0x100', '0x10', '0x4')
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Process=tostring(split(NewProcessName, '\\')[-1])
| where Process has_any ("umworkerprocess.exe", "UMService.exe")
| extend ObjectName = tostring(EventData.ObjectName)
| where ObjectName has_any (scriptExtensions)
| extend AccessMask = tostring(EventData.AccessMask)
| where AccessMask in ('0x2','0x100', '0x10', '0x4')
| extend Account = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
| extend IpAddress = tostring(EventData.IpAddress)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
),
(imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName has_any ("umworkerprocess.exe", "UMService.exe")
and
TargetFileName has_any (scriptExtensions)
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname
),
(DeviceFileEvents
| where ActionType =~ "FileCreated"
| where InitiatingProcessFileName has_any ("umworkerprocess.exe", "UMService.exe")
| where FileName has_any(scriptExtensions)
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)
tags:
- SchemaVersion: 0.1.0
Schema: ASIMFileEvent
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
name: '[Deprecated] - Silk Typhoon UM Service writing suspicious file'
relevantTechniques:
- T1190
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: InitiatingProcessAccountUpn
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: DeviceName
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
triggerThreshold: 0
severity: High
requiredDataConnectors:
- dataTypes:
- SecurityEvent
connectorId: SecurityEvents
- dataTypes:
- DeviceFileEvents
connectorId: MicrosoftThreatProtection
- dataTypes:
- SecurityEvents
connectorId: WindowsSecurityEvents
- dataTypes:
- WindowsEvent
connectorId: WindowsForwardedEvents
queryFrequency: 1d
queryPeriod: 1d
version: 2.0.0
kind: Scheduled
tactics:
- InitialAccess
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e')]",
"properties": {
"alertRuleTemplateName": "7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e",
"customDetails": null,
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"displayName": "[Deprecated] - Silk Typhoon UM Service writing suspicious file",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingProcessAccountUpn",
"identifier": "FullName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SilkTyphoonUmServiceSuspiciousFile.yaml",
"query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where Process has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where ObjectName has_any (scriptExtensions)\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n),\n (WindowsEvent\n| where EventID == 4663 and EventData has_any (\"umworkerprocess.exe\", \"UMService.exe\") and EventData has_any (scriptExtensions) \n| where EventData has_any ('0x2','0x100', '0x10', '0x4')\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend Process=tostring(split(NewProcessName, '\\\\')[-1])\n| where Process has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| extend ObjectName = tostring(EventData.ObjectName)\n| where ObjectName has_any (scriptExtensions)\n| extend AccessMask = tostring(EventData.AccessMask)\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\n| extend Account = strcat(EventData.SubjectDomainName,\"\\\\\", EventData.SubjectUserName)\n| extend IpAddress = tostring(EventData.IpAddress)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n),\n(imFileEvent\n| where EventType == \"FileCreated\"\n| where ActingProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n and\n TargetFileName has_any (scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where ActionType =~ \"FileCreated\"\n| where InitiatingProcessFileName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where FileName has_any(scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"tags": [
{
"Schema": "ASIMFileEvent",
"SchemaVersion": "0.1.0"
}
],
"techniques": [
"T1190"
],
"templateVersion": "2.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}