Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ACTINIUM Actor IOCs - Feb 2022

Back
Id825991eb-ea39-4590-9de2-ee97ef42eb93
RulenameACTINIUM Actor IOCs - Feb 2022
DescriptionIdentifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.
SeverityHigh
TacticsPersistence
TechniquesT1137
Required data connectorsAzureFirewall
AzureMonitor(VMInsights)
CEF
CheckPoint
CiscoASA
DNS
F5
Fortinet
MicrosoftThreatProtection
PaloAltoNetworks
SecurityEvents
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ActiniumFeb2022.yaml
Version1.1.3
Arm template825991eb-ea39-4590-9de2-ee97ef42eb93.json
Deploy To Azure
let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv"] with (format="csv", ignoreFirstRecord=True);
let domains = (iocs | where Type =~ "domainname"| project IoC);
let sha256Hashes = (iocs | where Type =~ "sha256" | project IoC);
(union isfuzzy=true
(DeviceProcessEvents
| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or  (ProcessCommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and ProcessCommandLine has ('/tr "wscript.exe') and ProcessCommandLine has ('"%PUBLIC%\\Pictures\\') and ProcessCommandLine has ('//e:VBScript //b" /F')) or (ProcessCommandLine has ('wscript.exe C:\\Users\\') and ProcessCommandLine has ('.wav') and  ProcessCommandLine has ('//e:VBScript //b') 
or (ProcessCommandLine has_all ("schtasks.exe", "create", "wscript", "e:vbscript", ".wav")))
| project TimeGenerated, ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName,  InitiatingProcessSHA256, Type, AccountName, SHA256, FileName
| extend Account = AccountName, Computer = DeviceName,  FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), "InitiatingProcessSHA256", SHA256 in (sha256Hashes), "SHA256", "No Match")
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == "InitiatingProcessSHA256", InitiatingProcessSHA256, FileHash == "SHA256", SHA256, "No Match"), AlgorithmCustomEntity = "SHA256"
),
( SecurityEvent
| where EventID == 4688
| where (CommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and CommandLine has ('/tr "wscript.exe') and CommandLine has ('"%PUBLIC%\\Pictures\\') and CommandLine has ('//e:VBScript //b" /F')) or (CommandLine has ('wscript.exe C:\\Users\\') and CommandLine has ('.wav') and  CommandLine has ('//e:VBScript //b'))
| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName
),
( CommonSecurityLog
| where FileHash in (sha256Hashes)
| project TimeGenerated, Message, SourceUserID, FileHash, Type
| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = "SHA256"
),
( imFileEvent
| where Hash in~ (sha256Hashes) or  (ActingProcessCommandLine  has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and ActingProcessCommandLine  has ('/tr "wscript.exe') and ActingProcessCommandLine  has ('"%PUBLIC%\\Pictures\\') and ActingProcessCommandLine  has ('//e:VBScript //b" /F')) or (ActingProcessCommandLine  has ('wscript.exe C:\\Users\\') and ActingProcessCommandLine  has ('.wav') and  ActingProcessCommandLine  has ('//e:VBScript //b') 
 or (ActingProcessCommandLine has_all ("schtasks.exe", "create", "wscript", "e:vbscript", ".wav")))
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = "SHA256"
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Image = EventDetail.[4].["#text"],  CommandLine = EventDetail.[10].["#text"], Hashes = tostring(EventDetail.[17].["#text"])
| extend Hashes = extract_all(@"(?P<key>\w+)=(?P<value>[a-zA-Z0-9]+)", dynamic(["key","value"]), Hashes)
| extend Hashes = column_ifexists("Hashes", ""), CommandLine = column_ifexists("CommandLine", "")
| extend Hashes = todynamic(Hashes) | mv-expand Hashes
| where (Hashes[0] =~ "SHA256" and Hashes[1] has_any (sha256Hashes)) or (CommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and CommandLine has ('/tr "wscript.exe') and CommandLine has ('"%PUBLIC%\\Pictures\\') and CommandLine has ('//e:VBScript //b" /F')) or (CommandLine has ('wscript.exe C:\\Users\\') and CommandLine has ('.wav') and  CommandLine has ('//e:VBScript //b') or (CommandLine has_all ("schtasks.exe", "create", "wscript", "e:vbscript", ".wav")))
| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image
| extend Type = strcat(Type, ": ", Source)
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1]), AlgorithmCustomEntity = "SHA256"
),
(DnsEvents
| where Name in~ (domains)  
| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type
| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer 
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress
),
(VMConnection
| where RemoteDnsCanonicalNames has_any (domains)
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName
),
(AzureDiagnostics 
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| project TimeGenerated,Resource, msg_s, Type
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (domains)  
| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| project TimeGenerated,Resource, msg_s, Type
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
| where  Request_Name  has_any (domains)
| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP
),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (domains)  
| extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp
),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (domains)
| extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp
),
(DeviceNetworkEvents 
| where isnotempty(RemoteUrl) 
| where RemoteUrl  in~ (domains)  
| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName
| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP
)
)
version: 1.1.3
status: Available
queryFrequency: 6h
requiredDataConnectors:
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: AzureMonitor(VMInsights)
  dataTypes:
  - VMConnection
- connectorId: F5
  dataTypes:
  - CommonSecurityLog
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: CEF
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
  - DeviceProcessEvents
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWDnsQuery
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: AlgorithmCustomEntity
    identifier: Algorithm
  - columnName: FileHashCustomEntity
    identifier: Value
  entityType: FileHash
- fieldMappings:
  - columnName: ProcessCustomEntity
    identifier: ProcessId
  entityType: Process
kind: Scheduled
queryPeriod: 6h
severity: High
query: |
  let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv"] with (format="csv", ignoreFirstRecord=True);
  let domains = (iocs | where Type =~ "domainname"| project IoC);
  let sha256Hashes = (iocs | where Type =~ "sha256" | project IoC);
  (union isfuzzy=true
  (DeviceProcessEvents
  | where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or  (ProcessCommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and ProcessCommandLine has ('/tr "wscript.exe') and ProcessCommandLine has ('"%PUBLIC%\\Pictures\\') and ProcessCommandLine has ('//e:VBScript //b" /F')) or (ProcessCommandLine has ('wscript.exe C:\\Users\\') and ProcessCommandLine has ('.wav') and  ProcessCommandLine has ('//e:VBScript //b') 
  or (ProcessCommandLine has_all ("schtasks.exe", "create", "wscript", "e:vbscript", ".wav")))
  | project TimeGenerated, ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName,  InitiatingProcessSHA256, Type, AccountName, SHA256, FileName
  | extend Account = AccountName, Computer = DeviceName,  FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), "InitiatingProcessSHA256", SHA256 in (sha256Hashes), "SHA256", "No Match")
  | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == "InitiatingProcessSHA256", InitiatingProcessSHA256, FileHash == "SHA256", SHA256, "No Match"), AlgorithmCustomEntity = "SHA256"
  ),
  ( SecurityEvent
  | where EventID == 4688
  | where (CommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and CommandLine has ('/tr "wscript.exe') and CommandLine has ('"%PUBLIC%\\Pictures\\') and CommandLine has ('//e:VBScript //b" /F')) or (CommandLine has ('wscript.exe C:\\Users\\') and CommandLine has ('.wav') and  CommandLine has ('//e:VBScript //b'))
  | project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID
  | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName
  ),
  ( CommonSecurityLog
  | where FileHash in (sha256Hashes)
  | project TimeGenerated, Message, SourceUserID, FileHash, Type
  | extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = "SHA256"
  ),
  ( imFileEvent
  | where Hash in~ (sha256Hashes) or  (ActingProcessCommandLine  has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and ActingProcessCommandLine  has ('/tr "wscript.exe') and ActingProcessCommandLine  has ('"%PUBLIC%\\Pictures\\') and ActingProcessCommandLine  has ('//e:VBScript //b" /F')) or (ActingProcessCommandLine  has ('wscript.exe C:\\Users\\') and ActingProcessCommandLine  has ('.wav') and  ActingProcessCommandLine  has ('//e:VBScript //b') 
   or (ActingProcessCommandLine has_all ("schtasks.exe", "create", "wscript", "e:vbscript", ".wav")))
  | extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash
  | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = "SHA256"
  ),
  (Event
  | where Source == "Microsoft-Windows-Sysmon"
  | where EventID == 1
  | extend EvData = parse_xml(EventData)
  | extend EventDetail = EvData.DataItem.EventData.Data
  | extend Image = EventDetail.[4].["#text"],  CommandLine = EventDetail.[10].["#text"], Hashes = tostring(EventDetail.[17].["#text"])
  | extend Hashes = extract_all(@"(?P<key>\w+)=(?P<value>[a-zA-Z0-9]+)", dynamic(["key","value"]), Hashes)
  | extend Hashes = column_ifexists("Hashes", ""), CommandLine = column_ifexists("CommandLine", "")
  | extend Hashes = todynamic(Hashes) | mv-expand Hashes
  | where (Hashes[0] =~ "SHA256" and Hashes[1] has_any (sha256Hashes)) or (CommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and CommandLine has ('/tr "wscript.exe') and CommandLine has ('"%PUBLIC%\\Pictures\\') and CommandLine has ('//e:VBScript //b" /F')) or (CommandLine has ('wscript.exe C:\\Users\\') and CommandLine has ('.wav') and  CommandLine has ('//e:VBScript //b') or (CommandLine has_all ("schtasks.exe", "create", "wscript", "e:vbscript", ".wav")))
  | project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image
  | extend Type = strcat(Type, ": ", Source)
  | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1]), AlgorithmCustomEntity = "SHA256"
  ),
  (DnsEvents
  | where Name in~ (domains)  
  | project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type
  | extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer 
  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress
  ),
  (VMConnection
  | where RemoteDnsCanonicalNames has_any (domains)
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
  | project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type
  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName
  ),
  (AzureDiagnostics 
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallApplicationRule"
  | project TimeGenerated,Resource, msg_s, Type
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (domains)  
  | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost
  ),
  (AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallDnsProxy"
  | project TimeGenerated,Resource, msg_s, Type
  | parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
  | where  Request_Name  has_any (domains)
  | extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP
  ),
  (AZFWApplicationRule
  | where isnotempty(Fqdn)
  | where Fqdn has_any (domains)  
  | extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp
  ),
  (AZFWDnsQuery
  | where isnotempty(QueryName)
  | where QueryName has_any (domains)
  | extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp
  ),
  (DeviceNetworkEvents 
  | where isnotempty(RemoteUrl) 
  | where RemoteUrl  in~ (domains)  
  | project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName
  | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP
  )
  )  
tags:
- ACTINIUM
- SchemaVersion: 0.1.0
  Schema: ASIMFileEvent
triggerOperator: gt
id: 825991eb-ea39-4590-9de2-ee97ef42eb93
description: |
    'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.'
triggerThreshold: 0
name: ACTINIUM Actor IOCs - Feb 2022
relevantTechniques:
- T1137
tactics:
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ActiniumFeb2022.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/825991eb-ea39-4590-9de2-ee97ef42eb93')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/825991eb-ea39-4590-9de2-ee97ef42eb93')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "ACTINIUM Actor IOCs - Feb 2022",
        "description": "'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\n(union isfuzzy=true\n(DeviceProcessEvents\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or  (ProcessCommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and ProcessCommandLine has ('/tr \"wscript.exe') and ProcessCommandLine has ('\"%PUBLIC%\\\\Pictures\\\\') and ProcessCommandLine has ('//e:VBScript //b\" /F')) or (ProcessCommandLine has ('wscript.exe C:\\\\Users\\\\') and ProcessCommandLine has ('.wav') and  ProcessCommandLine has ('//e:VBScript //b') \nor (ProcessCommandLine has_all (\"schtasks.exe\", \"create\", \"wscript\", \"e:vbscript\", \".wav\")))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName,  InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\n| extend Account = AccountName, Computer = DeviceName,  FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \"InitiatingProcessSHA256\", SHA256 in (sha256Hashes), \"SHA256\", \"No Match\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \"InitiatingProcessSHA256\", InitiatingProcessSHA256, FileHash == \"SHA256\", SHA256, \"No Match\"), AlgorithmCustomEntity = \"SHA256\"\n),\n( SecurityEvent\n| where EventID == 4688\n| where (CommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and CommandLine has ('/tr \"wscript.exe') and CommandLine has ('\"%PUBLIC%\\\\Pictures\\\\') and CommandLine has ('//e:VBScript //b\" /F')) or (CommandLine has ('wscript.exe C:\\\\Users\\\\') and CommandLine has ('.wav') and  CommandLine has ('//e:VBScript //b'))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n),\n( CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = \"SHA256\"\n),\n( imFileEvent\n| where Hash in~ (sha256Hashes) or  (ActingProcessCommandLine  has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and ActingProcessCommandLine  has ('/tr \"wscript.exe') and ActingProcessCommandLine  has ('\"%PUBLIC%\\\\Pictures\\\\') and ActingProcessCommandLine  has ('//e:VBScript //b\" /F')) or (ActingProcessCommandLine  has ('wscript.exe C:\\\\Users\\\\') and ActingProcessCommandLine  has ('.wav') and  ActingProcessCommandLine  has ('//e:VBScript //b') \n or (ActingProcessCommandLine has_all (\"schtasks.exe\", \"create\", \"wscript\", \"e:vbscript\", \".wav\")))\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = \"SHA256\"\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Image = EventDetail.[4].[\"#text\"],  CommandLine = EventDetail.[10].[\"#text\"], Hashes = tostring(EventDetail.[17].[\"#text\"])\n| extend Hashes = extract_all(@\"(?P<key>\\w+)=(?P<value>[a-zA-Z0-9]+)\", dynamic([\"key\",\"value\"]), Hashes)\n| extend Hashes = column_ifexists(\"Hashes\", \"\"), CommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\n| where (Hashes[0] =~ \"SHA256\" and Hashes[1] has_any (sha256Hashes)) or (CommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn')  and CommandLine has ('/tr \"wscript.exe') and CommandLine has ('\"%PUBLIC%\\\\Pictures\\\\') and CommandLine has ('//e:VBScript //b\" /F')) or (CommandLine has ('wscript.exe C:\\\\Users\\\\') and CommandLine has ('.wav') and  CommandLine has ('//e:VBScript //b') or (CommandLine has_all (\"schtasks.exe\", \"create\", \"wscript\", \"e:vbscript\", \".wav\")))\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source)\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1]), AlgorithmCustomEntity = \"SHA256\"\n),\n(DnsEvents\n| where Name in~ (domains)  \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\n),\n(VMConnection\n| where RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains)  \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where  Request_Name  has_any (domains)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (domains)  \n| extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (domains)\n| extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp\n),\n(DeviceNetworkEvents \n| where isnotempty(RemoteUrl) \n| where RemoteUrl  in~ (domains)  \n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\n)\n)\n",
        "queryFrequency": "PT6H",
        "queryPeriod": "PT6H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1137"
        ],
        "alertRuleTemplateName": "825991eb-ea39-4590-9de2-ee97ef42eb93",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "identifier": "Algorithm",
                "columnName": "AlgorithmCustomEntity"
              },
              {
                "identifier": "Value",
                "columnName": "FileHashCustomEntity"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "identifier": "ProcessId",
                "columnName": "ProcessCustomEntity"
              }
            ]
          }
        ],
        "tags": [
          "ACTINIUM",
          {
            "Schema": "ASIMFileEvent",
            "SchemaVersion": "0.1.0"
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ActiniumFeb2022.yaml",
        "templateVersion": "1.1.3"
      }
    }
  ]
}