[Deprecated] - Known Nylon Typhoon domains and hashes
| Id | 9122a9cb-916b-4d98-a199-1b7b0af8d598 |
| Rulename | [Deprecated] - Known Nylon Typhoon domains and hashes |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | High |
| Tactics | CommandAndControl |
| Techniques | T1071 |
| Required data connectors | AzureFirewall AzureMonitor(VMInsights) CiscoASA CiscoUmbrellaDataConnector Corelight DNS GCPDNSDataConnector InfobloxNIOS MicrosoftThreatProtection NXLogDnsLogs PaloAltoNetworks SecurityEvents SquidProxy Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/NylonTyphoonIOCsNov2021.yaml |
| Version | 2.0.0 |
| Arm template | 9122a9cb-916b-4d98-a199-1b7b0af8d598.json |
let DomainNames = dynamic(["beesweiserdog.com",
"bluehostfit.com",
"business-toys.com",
"cleanskycloud.com",
"cumberbat.com",
"czreadsecurity.com",
"dgtresorgouv.com",
"dimediamikedask.com",
"diresitioscon.com",
"elcolectador.com",
"elperuanos.org",
"eprotectioneu.com",
"fheacor.com",
"followthewaterdata.com",
"francevrteepress.com",
"futtuhy.com",
"gardienweb.com",
"heimflugaustr.com",
"ivpsers.com",
"jkeducation.org",
"micrlmb.com",
"muthesck.com",
"netscalertech.com",
"newgoldbalmap.com",
"news-laestrella.com",
"noticialif.com",
"opentanzanfoundation.com",
"optonlinepress.com",
"palazzochigi.com",
"pandemicacre.com",
"papa-ser.com",
"pekematclouds.com",
"pipcake.com",
"popularservicenter.com",
"projectsyndic.com",
"qsadtv.com",
"sankreal.com",
"scielope.com",
"seoamdcopywriting.com",
"slidenshare.com",
"somoswake.com",
"squarespacenow.com",
"subapostilla.com",
"suzukicycles.net",
"tatanotakeeps.com",
"tijuanazxc.com",
"transactioninfo.net",
"eurolabspro.com",
"adelluminate.com",
"headhunterblue.com",
"primenuesty.com"
]);
let SHA256Hashes = dynamic (["02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2",
"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c",
"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c",
"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95",
"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21",
"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49",
"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844",
"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef",
"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822",
"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2",
"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838",
"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65",
"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6",
"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1",
"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90",
"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b",
"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce",
"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0",
"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c",
"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a",
"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b",
"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a",
"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124",
"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa",
"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda",
"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94",
"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6",
"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce",
"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6",
"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba"
]);
let SigNames = dynamic(["Backdoor:Win32/Leeson", "Trojan:Win32/Kechang", "Backdoor:Win32/Nightimp!dha", "Trojan:Win32/QuarkBandit.A!dha", "TrojanSpy:Win32/KeyLogger"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where isnotempty(FileHash)
| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
),
(_Im_Dns(domain_has_any = DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress = SrcIpAddr
),
(_Im_WebSession(url_has_any = DomainNames)
| extend DNSName = tostring(parse_url(Url)["Host"])
| extend IPAddress = SrcIpAddr
),
(Event
//This query uses sysmon data depending on table name used this may need updataing
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where isnotempty(Hashes)
| where Hashes in (SHA256Hashes)
| extend Account = UserName
),
(DeviceFileEvents
| where SHA256 in~ (SHA256Hashes)
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(imFileEvent
| where TargetFileSHA256 in~ (SHA256Hashes)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(DeviceNetworkEvents
| where RemoteUrl in~ (DomainNames)
| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName
| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl
),
(SecurityAlert
| where ProductName == "Microsoft Defender Advanced Threat Protection"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| where isnotempty(ThreatName)
| where ThreatName has_any (SigNames)
| extend Computer = tostring(parse_json(Entities)[0].HostName)
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
relevantTechniques:
- T1071
name: '[Deprecated] - Known Nylon Typhoon domains and hashes'
requiredDataConnectors:
- dataTypes:
- SquidProxy_CL
connectorId: SquidProxy
- dataTypes:
- DnsEvents
connectorId: DNS
- dataTypes:
- VMConnection
connectorId: AzureMonitor(VMInsights)
- dataTypes:
- CommonSecurityLog
connectorId: CiscoASA
- dataTypes:
- CommonSecurityLog
connectorId: PaloAltoNetworks
- dataTypes:
- DeviceFileEvents
connectorId: MicrosoftThreatProtection
- dataTypes:
- DeviceNetworkEvents
connectorId: MicrosoftThreatProtection
- dataTypes:
- SecurityEvent
connectorId: SecurityEvents
- dataTypes:
- AzureDiagnostics
connectorId: AzureFirewall
- dataTypes:
- CommonSecurityLog
connectorId: Zscaler
- dataTypes:
- Syslog
connectorId: InfobloxNIOS
- dataTypes:
- GCP_DNS_CL
connectorId: GCPDNSDataConnector
- dataTypes:
- NXLog_DNS_Server_CL
connectorId: NXLogDnsLogs
- dataTypes:
- Cisco_Umbrella_dns_CL
connectorId: CiscoUmbrellaDataConnector
- dataTypes:
- Corelight_CL
connectorId: Corelight
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
entityType: Host
- fieldMappings:
- identifier: Address
columnName: IPCustomEntity
entityType: IP
triggerThreshold: 0
id: 9122a9cb-916b-4d98-a199-1b7b0af8d598
tactics:
- CommandAndControl
version: 2.0.0
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/NylonTyphoonIOCsNov2021.yaml
triggerOperator: gt
kind: Scheduled
tags:
- Schema: ASIMDns
SchemaVersion: 0.1.1
queryFrequency: 1d
severity: High
status: Available
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
query: |
let DomainNames = dynamic(["beesweiserdog.com",
"bluehostfit.com",
"business-toys.com",
"cleanskycloud.com",
"cumberbat.com",
"czreadsecurity.com",
"dgtresorgouv.com",
"dimediamikedask.com",
"diresitioscon.com",
"elcolectador.com",
"elperuanos.org",
"eprotectioneu.com",
"fheacor.com",
"followthewaterdata.com",
"francevrteepress.com",
"futtuhy.com",
"gardienweb.com",
"heimflugaustr.com",
"ivpsers.com",
"jkeducation.org",
"micrlmb.com",
"muthesck.com",
"netscalertech.com",
"newgoldbalmap.com",
"news-laestrella.com",
"noticialif.com",
"opentanzanfoundation.com",
"optonlinepress.com",
"palazzochigi.com",
"pandemicacre.com",
"papa-ser.com",
"pekematclouds.com",
"pipcake.com",
"popularservicenter.com",
"projectsyndic.com",
"qsadtv.com",
"sankreal.com",
"scielope.com",
"seoamdcopywriting.com",
"slidenshare.com",
"somoswake.com",
"squarespacenow.com",
"subapostilla.com",
"suzukicycles.net",
"tatanotakeeps.com",
"tijuanazxc.com",
"transactioninfo.net",
"eurolabspro.com",
"adelluminate.com",
"headhunterblue.com",
"primenuesty.com"
]);
let SHA256Hashes = dynamic (["02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2",
"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c",
"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c",
"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95",
"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21",
"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49",
"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844",
"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef",
"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822",
"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2",
"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838",
"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65",
"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6",
"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1",
"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90",
"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b",
"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce",
"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0",
"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c",
"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a",
"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b",
"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a",
"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124",
"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa",
"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda",
"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94",
"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6",
"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce",
"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6",
"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba"
]);
let SigNames = dynamic(["Backdoor:Win32/Leeson", "Trojan:Win32/Kechang", "Backdoor:Win32/Nightimp!dha", "Trojan:Win32/QuarkBandit.A!dha", "TrojanSpy:Win32/KeyLogger"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where isnotempty(FileHash)
| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
),
(_Im_Dns(domain_has_any = DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress = SrcIpAddr
),
(_Im_WebSession(url_has_any = DomainNames)
| extend DNSName = tostring(parse_url(Url)["Host"])
| extend IPAddress = SrcIpAddr
),
(Event
//This query uses sysmon data depending on table name used this may need updataing
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where isnotempty(Hashes)
| where Hashes in (SHA256Hashes)
| extend Account = UserName
),
(DeviceFileEvents
| where SHA256 in~ (SHA256Hashes)
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(imFileEvent
| where TargetFileSHA256 in~ (SHA256Hashes)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(DeviceNetworkEvents
| where RemoteUrl in~ (DomainNames)
| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName
| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl
),
(SecurityAlert
| where ProductName == "Microsoft Defender Advanced Threat Protection"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| where isnotempty(ThreatName)
| where ThreatName has_any (SigNames)
| extend Computer = tostring(parse_json(Entities)[0].HostName)
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9122a9cb-916b-4d98-a199-1b7b0af8d598')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9122a9cb-916b-4d98-a199-1b7b0af8d598')]",
"properties": {
"alertRuleTemplateName": "9122a9cb-916b-4d98-a199-1b7b0af8d598",
"customDetails": null,
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"displayName": "[Deprecated] - Known Nylon Typhoon domains and hashes",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/NylonTyphoonIOCsNov2021.yaml",
"query": "let DomainNames = dynamic([\"beesweiserdog.com\", \n \"bluehostfit.com\", \n \"business-toys.com\", \n \"cleanskycloud.com\", \n \"cumberbat.com\", \n \"czreadsecurity.com\", \n \"dgtresorgouv.com\", \n \"dimediamikedask.com\", \n \"diresitioscon.com\", \n \"elcolectador.com\", \n \"elperuanos.org\", \n \"eprotectioneu.com\", \n \"fheacor.com\", \n \"followthewaterdata.com\", \n \"francevrteepress.com\", \n \"futtuhy.com\", \n \"gardienweb.com\", \n \"heimflugaustr.com\", \n \"ivpsers.com\", \n \"jkeducation.org\", \n \"micrlmb.com\", \n \"muthesck.com\", \n \"netscalertech.com\", \n \"newgoldbalmap.com\", \n \"news-laestrella.com\", \n \"noticialif.com\", \n \"opentanzanfoundation.com\", \n \"optonlinepress.com\", \n \"palazzochigi.com\", \n \"pandemicacre.com\", \n \"papa-ser.com\", \n \"pekematclouds.com\", \n \"pipcake.com\", \n \"popularservicenter.com\", \n \"projectsyndic.com\", \n \"qsadtv.com\", \n \"sankreal.com\", \n \"scielope.com\", \n \"seoamdcopywriting.com\", \n \"slidenshare.com\", \n \"somoswake.com\", \n \"squarespacenow.com\", \n \"subapostilla.com\", \n \"suzukicycles.net\", \n \"tatanotakeeps.com\", \n \"tijuanazxc.com\", \n \"transactioninfo.net\", \n \"eurolabspro.com\", \n \"adelluminate.com\", \n \"headhunterblue.com\", \n \"primenuesty.com\" \n ]);\nlet SHA256Hashes = dynamic ([\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\", \n \"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\", \n \"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\", \n \"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\", \n \"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\", \n \"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\", \n \"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\", \n \"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\", \n \"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\", \n \"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\", \n \"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\", \n \"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\", \n \"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\", \n \"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\", \n \"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\", \n \"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\", \n \"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\", \n \"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\", \n \"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\", \n \"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\", \n \"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\", \n \"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\", \n \"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\", \n \"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\", \n \"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\", \n \"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\", \n \"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\", \n \"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\", \n \"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\", \n \"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\"\n ]);\nlet SigNames = dynamic([\"Backdoor:Win32/Leeson\", \"Trojan:Win32/Kechang\", \"Backdoor:Win32/Nightimp!dha\", \"Trojan:Win32/QuarkBandit.A!dha\", \"TrojanSpy:Win32/KeyLogger\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(_Im_Dns(domain_has_any = DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(_Im_WebSession(url_has_any = DomainNames)\n| extend DNSName = tostring(parse_url(Url)[\"Host\"])\n| extend IPAddress = SrcIpAddr\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hashes) \n| extend Account = UserName\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hashes)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hashes)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"tags": [
{
"Schema": "ASIMDns",
"SchemaVersion": "0.1.1"
}
],
"techniques": [
"T1071"
],
"templateVersion": "2.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}