Known NICKEL domains and hashes
| Id | 9122a9cb-916b-4d98-a199-1b7b0af8d598 |
| Rulename | Known NICKEL domains and hashes |
| Description | IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. |
| Severity | High |
| Tactics | CommandAndControl |
| Techniques | T1071 |
| Required data connectors | AzureFirewall AzureMonitor(VMInsights) CiscoASA CiscoUmbrellaDataConnector Corelight DNS GCPDNSDataConnector InfobloxNIOS MicrosoftThreatProtection NXLogDnsLogs PaloAltoNetworks SecurityEvents SquidProxy Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/NICKELIOCsNov2021.yaml |
| Version | 1.2.2 |
| Arm template | 9122a9cb-916b-4d98-a199-1b7b0af8d598.json |
let DomainNames = dynamic(["beesweiserdog.com",
"bluehostfit.com",
"business-toys.com",
"cleanskycloud.com",
"cumberbat.com",
"czreadsecurity.com",
"dgtresorgouv.com",
"dimediamikedask.com",
"diresitioscon.com",
"elcolectador.com",
"elperuanos.org",
"eprotectioneu.com",
"fheacor.com",
"followthewaterdata.com",
"francevrteepress.com",
"futtuhy.com",
"gardienweb.com",
"heimflugaustr.com",
"ivpsers.com",
"jkeducation.org",
"micrlmb.com",
"muthesck.com",
"netscalertech.com",
"newgoldbalmap.com",
"news-laestrella.com",
"noticialif.com",
"opentanzanfoundation.com",
"optonlinepress.com",
"palazzochigi.com",
"pandemicacre.com",
"papa-ser.com",
"pekematclouds.com",
"pipcake.com",
"popularservicenter.com",
"projectsyndic.com",
"qsadtv.com",
"sankreal.com",
"scielope.com",
"seoamdcopywriting.com",
"slidenshare.com",
"somoswake.com",
"squarespacenow.com",
"subapostilla.com",
"suzukicycles.net",
"tatanotakeeps.com",
"tijuanazxc.com",
"transactioninfo.net",
"eurolabspro.com",
"adelluminate.com",
"headhunterblue.com",
"primenuesty.com"
]);
let SHA256Hashes = dynamic (["02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2",
"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c",
"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c",
"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95",
"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21",
"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49",
"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844",
"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef",
"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822",
"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2",
"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838",
"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65",
"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6",
"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1",
"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90",
"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b",
"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce",
"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0",
"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c",
"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a",
"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b",
"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a",
"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124",
"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa",
"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda",
"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94",
"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6",
"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce",
"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6",
"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba"
]);
let SigNames = dynamic(["Backdoor:Win32/Leeson", "Trojan:Win32/Kechang", "Backdoor:Win32/Nightimp!dha", "Trojan:Win32/QuarkBandit.A!dha", "TrojanSpy:Win32/KeyLogger"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where isnotempty(FileHash)
| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
),
(_Im_Dns(domain_has_any = DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress = SrcIpAddr
),
(_Im_WebSession(url_has_any = DomainNames)
| extend DNSName = tostring(parse_url(Url)["Host"])
| extend IPAddress = SrcIpAddr
),
(Event
//This query uses sysmon data depending on table name used this may need updataing
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where isnotempty(Hashes)
| where Hashes in (SHA256Hashes)
| extend Account = UserName
),
(DeviceFileEvents
| where SHA256 in~ (SHA256Hashes)
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(imFileEvent
| where TargetFileSHA256 in~ (SHA256Hashes)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(DeviceNetworkEvents
| where RemoteUrl in~ (DomainNames)
| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName
| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl
),
(SecurityAlert
| where ProductName == "Microsoft Defender Advanced Threat Protection"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| where isnotempty(ThreatName)
| where ThreatName has_any (SigNames)
| extend Computer = tostring(parse_json(Entities)[0].HostName)
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
tactics:
- CommandAndControl
severity: High
requiredDataConnectors:
- connectorId: SquidProxy
dataTypes:
- SquidProxy_CL
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: AzureMonitor(VMInsights)
dataTypes:
- VMConnection
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: InfobloxNIOS
dataTypes:
- Syslog
- connectorId: GCPDNSDataConnector
dataTypes:
- GCP_DNS_CL
- connectorId: NXLogDnsLogs
dataTypes:
- NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_dns_CL
- connectorId: Corelight
dataTypes:
- Corelight_CL
triggerOperator: gt
query: |
let DomainNames = dynamic(["beesweiserdog.com",
"bluehostfit.com",
"business-toys.com",
"cleanskycloud.com",
"cumberbat.com",
"czreadsecurity.com",
"dgtresorgouv.com",
"dimediamikedask.com",
"diresitioscon.com",
"elcolectador.com",
"elperuanos.org",
"eprotectioneu.com",
"fheacor.com",
"followthewaterdata.com",
"francevrteepress.com",
"futtuhy.com",
"gardienweb.com",
"heimflugaustr.com",
"ivpsers.com",
"jkeducation.org",
"micrlmb.com",
"muthesck.com",
"netscalertech.com",
"newgoldbalmap.com",
"news-laestrella.com",
"noticialif.com",
"opentanzanfoundation.com",
"optonlinepress.com",
"palazzochigi.com",
"pandemicacre.com",
"papa-ser.com",
"pekematclouds.com",
"pipcake.com",
"popularservicenter.com",
"projectsyndic.com",
"qsadtv.com",
"sankreal.com",
"scielope.com",
"seoamdcopywriting.com",
"slidenshare.com",
"somoswake.com",
"squarespacenow.com",
"subapostilla.com",
"suzukicycles.net",
"tatanotakeeps.com",
"tijuanazxc.com",
"transactioninfo.net",
"eurolabspro.com",
"adelluminate.com",
"headhunterblue.com",
"primenuesty.com"
]);
let SHA256Hashes = dynamic (["02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2",
"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c",
"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c",
"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95",
"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21",
"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49",
"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844",
"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef",
"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822",
"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2",
"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838",
"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65",
"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6",
"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1",
"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90",
"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b",
"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce",
"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0",
"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c",
"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a",
"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b",
"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a",
"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124",
"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa",
"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda",
"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94",
"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6",
"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce",
"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6",
"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba"
]);
let SigNames = dynamic(["Backdoor:Win32/Leeson", "Trojan:Win32/Kechang", "Backdoor:Win32/Nightimp!dha", "Trojan:Win32/QuarkBandit.A!dha", "TrojanSpy:Win32/KeyLogger"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where isnotempty(FileHash)
| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
),
(_Im_Dns(domain_has_any = DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress = SrcIpAddr
),
(_Im_WebSession(url_has_any = DomainNames)
| extend DNSName = tostring(parse_url(Url)["Host"])
| extend IPAddress = SrcIpAddr
),
(Event
//This query uses sysmon data depending on table name used this may need updataing
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where isnotempty(Hashes)
| where Hashes in (SHA256Hashes)
| extend Account = UserName
),
(DeviceFileEvents
| where SHA256 in~ (SHA256Hashes)
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(imFileEvent
| where TargetFileSHA256 in~ (SHA256Hashes)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(DeviceNetworkEvents
| where RemoteUrl in~ (DomainNames)
| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName
| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl
),
(SecurityAlert
| where ProductName == "Microsoft Defender Advanced Threat Protection"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| where isnotempty(ThreatName)
| where ThreatName has_any (SigNames)
| extend Computer = tostring(parse_json(Entities)[0].HostName)
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
triggerThreshold: 0
name: Known NICKEL domains and hashes
kind: Scheduled
version: 1.2.2
description: |
'IOC domains and hash values for tools and malware used by NICKEL.
Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.'
relevantTechniques:
- T1071
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/NICKELIOCsNov2021.yaml
tags:
- Schema: ASIMDns
SchemaVersion: 0.1.1
status: Available
queryFrequency: 1d
queryPeriod: 1d
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
id: 9122a9cb-916b-4d98-a199-1b7b0af8d598
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9122a9cb-916b-4d98-a199-1b7b0af8d598')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9122a9cb-916b-4d98-a199-1b7b0af8d598')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Known NICKEL domains and hashes",
"description": "'IOC domains and hash values for tools and malware used by NICKEL. \n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.'\n",
"severity": "High",
"enabled": true,
"query": "let DomainNames = dynamic([\"beesweiserdog.com\", \n \"bluehostfit.com\", \n \"business-toys.com\", \n \"cleanskycloud.com\", \n \"cumberbat.com\", \n \"czreadsecurity.com\", \n \"dgtresorgouv.com\", \n \"dimediamikedask.com\", \n \"diresitioscon.com\", \n \"elcolectador.com\", \n \"elperuanos.org\", \n \"eprotectioneu.com\", \n \"fheacor.com\", \n \"followthewaterdata.com\", \n \"francevrteepress.com\", \n \"futtuhy.com\", \n \"gardienweb.com\", \n \"heimflugaustr.com\", \n \"ivpsers.com\", \n \"jkeducation.org\", \n \"micrlmb.com\", \n \"muthesck.com\", \n \"netscalertech.com\", \n \"newgoldbalmap.com\", \n \"news-laestrella.com\", \n \"noticialif.com\", \n \"opentanzanfoundation.com\", \n \"optonlinepress.com\", \n \"palazzochigi.com\", \n \"pandemicacre.com\", \n \"papa-ser.com\", \n \"pekematclouds.com\", \n \"pipcake.com\", \n \"popularservicenter.com\", \n \"projectsyndic.com\", \n \"qsadtv.com\", \n \"sankreal.com\", \n \"scielope.com\", \n \"seoamdcopywriting.com\", \n \"slidenshare.com\", \n \"somoswake.com\", \n \"squarespacenow.com\", \n \"subapostilla.com\", \n \"suzukicycles.net\", \n \"tatanotakeeps.com\", \n \"tijuanazxc.com\", \n \"transactioninfo.net\", \n \"eurolabspro.com\", \n \"adelluminate.com\", \n \"headhunterblue.com\", \n \"primenuesty.com\" \n ]);\nlet SHA256Hashes = dynamic ([\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\", \n \"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\", \n \"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\", \n \"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\", \n \"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\", \n \"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\", \n \"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\", \n \"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\", \n \"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\", \n \"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\", \n \"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\", \n \"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\", \n \"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\", \n \"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\", \n \"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\", \n \"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\", \n \"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\", \n \"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\", \n \"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\", \n \"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\", \n \"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\", \n \"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\", \n \"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\", \n \"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\", \n \"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\", \n \"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\", \n \"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\", \n \"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\", \n \"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\", \n \"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\"\n ]);\nlet SigNames = dynamic([\"Backdoor:Win32/Leeson\", \"Trojan:Win32/Kechang\", \"Backdoor:Win32/Nightimp!dha\", \"Trojan:Win32/QuarkBandit.A!dha\", \"TrojanSpy:Win32/KeyLogger\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(_Im_Dns(domain_has_any = DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(_Im_WebSession(url_has_any = DomainNames)\n| extend DNSName = tostring(parse_url(Url)[\"Host\"])\n| extend IPAddress = SrcIpAddr\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hashes) \n| extend Account = UserName\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hashes)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hashes)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"techniques": [
"T1071"
],
"alertRuleTemplateName": "9122a9cb-916b-4d98-a199-1b7b0af8d598",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/NICKELIOCsNov2021.yaml",
"templateVersion": "1.2.2",
"tags": [
{
"Schema": "ASIMDns",
"SchemaVersion": "0.1.1"
}
],
"status": "Available"
}
}
]
}