Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

[Deprecated] - Silk Typhoon UM Service writing suspicious file

Back
Id7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e
Rulename[Deprecated] - Silk Typhoon UM Service writing suspicious file
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityHigh
TacticsInitialAccess
TechniquesT1190
Required data connectorsMicrosoftThreatProtection
SecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SilkTyphoonUmServiceSuspiciousFile.yaml
Version2.0.0
Arm template7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e.json
Deploy To Azure
let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
union isfuzzy=true
(SecurityEvent
| where EventID == 4663
| where Process has_any ("umworkerprocess.exe", "UMService.exe")
| where ObjectName has_any (scriptExtensions)
| where AccessMask in ('0x2','0x100', '0x10', '0x4')
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
),
  (WindowsEvent
| where EventID == 4663 and EventData has_any ("umworkerprocess.exe", "UMService.exe") and EventData has_any (scriptExtensions) 
| where EventData has_any ('0x2','0x100', '0x10', '0x4')
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Process=tostring(split(NewProcessName, '\\')[-1])
| where Process has_any ("umworkerprocess.exe", "UMService.exe")
| extend ObjectName = tostring(EventData.ObjectName)
| where ObjectName has_any (scriptExtensions)
| extend AccessMask = tostring(EventData.AccessMask)
| where AccessMask in ('0x2','0x100', '0x10', '0x4')
| extend Account = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
| extend IpAddress = tostring(EventData.IpAddress)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
),
(imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  and
  TargetFileName has_any (scriptExtensions)
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname
),
(DeviceFileEvents
| where ActionType =~ "FileCreated"
| where InitiatingProcessFileName has_any ("umworkerprocess.exe", "UMService.exe")
| where FileName has_any(scriptExtensions)
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)
query: |
  let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
  union isfuzzy=true
  (SecurityEvent
  | where EventID == 4663
  | where Process has_any ("umworkerprocess.exe", "UMService.exe")
  | where ObjectName has_any (scriptExtensions)
  | where AccessMask in ('0x2','0x100', '0x10', '0x4')
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
  ),
    (WindowsEvent
  | where EventID == 4663 and EventData has_any ("umworkerprocess.exe", "UMService.exe") and EventData has_any (scriptExtensions) 
  | where EventData has_any ('0x2','0x100', '0x10', '0x4')
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Process=tostring(split(NewProcessName, '\\')[-1])
  | where Process has_any ("umworkerprocess.exe", "UMService.exe")
  | extend ObjectName = tostring(EventData.ObjectName)
  | where ObjectName has_any (scriptExtensions)
  | extend AccessMask = tostring(EventData.AccessMask)
  | where AccessMask in ('0x2','0x100', '0x10', '0x4')
  | extend Account = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
  | extend IpAddress = tostring(EventData.IpAddress)
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
  ),
  (imFileEvent
  | where EventType == "FileCreated"
  | where ActingProcessName has_any ("umworkerprocess.exe", "UMService.exe")
    and
    TargetFileName has_any (scriptExtensions)
  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname
  ),
  (DeviceFileEvents
  | where ActionType =~ "FileCreated"
  | where InitiatingProcessFileName has_any ("umworkerprocess.exe", "UMService.exe")
  | where FileName has_any(scriptExtensions)
  | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)  
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - DeviceFileEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityEvents
  connectorId: WindowsSecurityEvents
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
name: '[Deprecated] - Silk Typhoon UM Service writing suspicious file'
relevantTechniques:
- T1190
queryPeriod: 1d
severity: High
triggerOperator: gt
version: 2.0.0
queryFrequency: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: InitiatingProcessAccountUpn
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
kind: Scheduled
status: Available
tags:
- Schema: ASIMFileEvent
  SchemaVersion: 0.1.0
tactics:
- InitialAccess
id: 7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SilkTyphoonUmServiceSuspiciousFile.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e')]",
      "properties": {
        "alertRuleTemplateName": "7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e",
        "customDetails": null,
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "displayName": "[Deprecated] - Silk Typhoon UM Service writing suspicious file",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "InitiatingProcessAccountUpn",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SilkTyphoonUmServiceSuspiciousFile.yaml",
        "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where Process has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where ObjectName has_any (scriptExtensions)\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n),\n  (WindowsEvent\n| where EventID == 4663 and EventData has_any (\"umworkerprocess.exe\", \"UMService.exe\") and EventData has_any (scriptExtensions) \n| where EventData has_any ('0x2','0x100', '0x10', '0x4')\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend Process=tostring(split(NewProcessName, '\\\\')[-1])\n| where Process has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| extend ObjectName = tostring(EventData.ObjectName)\n| where ObjectName has_any (scriptExtensions)\n| extend AccessMask = tostring(EventData.AccessMask)\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\n| extend Account = strcat(EventData.SubjectDomainName,\"\\\\\", EventData.SubjectUserName)\n| extend IpAddress = tostring(EventData.IpAddress)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n),\n(imFileEvent\n| where EventType == \"FileCreated\"\n| where ActingProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n  and\n  TargetFileName has_any (scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where ActionType =~ \"FileCreated\"\n| where InitiatingProcessFileName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where FileName has_any(scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "ASIMFileEvent",
            "SchemaVersion": "0.1.0"
          }
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "2.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}