Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dev-0530 IOC - July 2022

Back
Ida172107d-794c-48c0-bc26-d3349fe10b4d
RulenameDev-0530 IOC - July 2022
DescriptionIdentifies a IOC match related to Dev-0530 actor across various data sources.
SeverityHigh
TacticsImpact
TechniquesT1486
Required data connectorsAWS
AzureActiveDirectory
AzureActivity
AzureFirewall
AzureMonitor(IIS)
CiscoASA
MicrosoftThreatProtection
Office365
PaloAltoNetworks
SecurityEvents
KindScheduled
Query frequency12h
Query period12h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/Dev-0530_July2022.yaml
Version1.1.2
Arm templatea172107d-794c-48c0-bc26-d3349fe10b4d.json
Deploy To Azure
let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv"] with (format="csv", ignoreFirstRecord=True);
let sha256Hashes = (iocs | where Type =~ "sha256" | project IoC);
let IPList = (iocs | where Type =~ "ip"| project IoC);
(union isfuzzy=true 
(DeviceProcessEvents
| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') 
and InitiatingProcessCommandLine has ('sc minute /mo 1 /F /ru system'))
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName,  InitiatingProcessSHA256, Type, AccountName, SHA256
| extend Account = AccountName, Computer = DeviceName,  CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), "InitiatingProcessSHA256", SHA256 in (sha256Hashes), "SHA256", "No Match")
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == "InitiatingProcessSHA256", InitiatingProcessSHA256, FileHash == "SHA256", SHA256, "No Match")
),
( SecurityEvent
| where EventID == 4688
| where ( CommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and CommandLine has ('/sc minute /mo 1 /F /ru system'))
| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName
),
( imFileEvent
| where Hash in~ (sha256Hashes) or  ( ActingProcessCommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and ActingProcessCommandLine has ('/sc minute /mo 1 /F /ru system'))
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Image = EventDetail.[4].["#text"],  CommandLine = EventDetail.[10].["#text"], Hashes = tostring(EventDetail.[17].["#text"])
| extend Hashes = extract_all(@"(?P<key>\w+)=(?P<value>[a-zA-Z0-9]+)", dynamic(["key","value"]), Hashes)
| extend Hashes = column_ifexists("Hashes", ""), CommandLine = column_ifexists("CommandLine", "")
| extend Hashes = todynamic(Hashes) | mv-expand Hashes
| where Hashes[0] =~ "SHA256"
| where (Hashes[1] has_any (sha256Hashes)) or ( CommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and CommandLine has ('/sc minute /mo 1 /F /ru system')) 
| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image
| extend Type = strcat(Type, ": ", Source)
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])
),
(DeviceFileEvents
| where SHA256 has_any (sha256Hashes)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type
| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = InitiatingProcessSHA256,  CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath
),
(EmailEvents
| where SenderFromAddress == 'H0lyGh0st@mail2tor.com'
| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress 
),
(CommonSecurityLog 
| where isnotempty(SourceIP) or isnotempty(DestinationIP) 
| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "Message")  
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash
| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field"), FileHashCustomEntity = FileHash
), 
(OfficeActivity 
|extend SourceIPAddress = ClientIP, Account = UserId 
| where  SourceIPAddress in (IPList) 
| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account 
),
(SigninLogs 
| where isnotempty(IPAddress) 
| where IPAddress in (IPList) 
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress 
),
(AADNonInteractiveUserSignInLogs 
| where isnotempty(IPAddress) 
| where IPAddress in (IPList) 
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress 
), 
(W3CIISLog  
| where isnotempty(cIP) 
| where cIP in (IPList) 
| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName 
), 
(AzureActivity  
| where isnotempty(CallerIpAddress) 
| where CallerIpAddress in (IPList) 
| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller 
), 
( 
AWSCloudTrail 
| where isnotempty(SourceIpAddress) 
| where SourceIpAddress in (IPList) 
| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName 
), 
( 
DeviceNetworkEvents 
| where isnotempty(RemoteIP)  
| where RemoteIP in (IPList)  
| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName  
),
(
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (IPList)  
| extend DestinationIP = DestinationHost 
| extend IPCustomEntity = SourceHost
),
(
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (IPList)  
| extend DestinationIP = DestinationHost 
| extend IPCustomEntity = SourceHost
),
(
AZFWApplicationRule
| where Fqdn has_any (IPList)
| extend IPCustomEntity = SourceIp
),
(
AZFWNetworkRule
| where DestinationIp has_any (IPList)
| extend IPCustomEntity = SourceIp
)
)
version: 1.1.2
status: Available
queryFrequency: 12h
requiredDataConnectors:
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
  - DeviceProcessEvents
  - DeviceNetworkEvents
  - EmailEvents
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: Office365
  dataTypes:
  - OfficeActivity
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
- connectorId: AzureActiveDirectory
  dataTypes:
  - AADNonInteractiveUserSignInLogs
- connectorId: AzureMonitor(IIS)
  dataTypes:
  - W3CIISLog
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWNetworkRule
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: AlgorithmCustomEntity
    identifier: Algorithm
  - columnName: FileHashCustomEntity
    identifier: Value
  entityType: FileHash
- fieldMappings:
  - columnName: ProcessCustomEntity
    identifier: ProcessId
  entityType: Process
kind: Scheduled
queryPeriod: 12h
severity: High
query: |
  let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv"] with (format="csv", ignoreFirstRecord=True);
  let sha256Hashes = (iocs | where Type =~ "sha256" | project IoC);
  let IPList = (iocs | where Type =~ "ip"| project IoC);
  (union isfuzzy=true 
  (DeviceProcessEvents
  | where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') 
  and InitiatingProcessCommandLine has ('sc minute /mo 1 /F /ru system'))
  | project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName,  InitiatingProcessSHA256, Type, AccountName, SHA256
  | extend Account = AccountName, Computer = DeviceName,  CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), "InitiatingProcessSHA256", SHA256 in (sha256Hashes), "SHA256", "No Match")
  | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == "InitiatingProcessSHA256", InitiatingProcessSHA256, FileHash == "SHA256", SHA256, "No Match")
  ),
  ( SecurityEvent
  | where EventID == 4688
  | where ( CommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and CommandLine has ('/sc minute /mo 1 /F /ru system'))
  | project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine
  | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName
  ),
  ( imFileEvent
  | where Hash in~ (sha256Hashes) or  ( ActingProcessCommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and ActingProcessCommandLine has ('/sc minute /mo 1 /F /ru system'))
  | extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
  | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash
  ),
  (Event
  | where Source == "Microsoft-Windows-Sysmon"
  | where EventID == 1
  | extend EvData = parse_xml(EventData)
  | extend EventDetail = EvData.DataItem.EventData.Data
  | extend Image = EventDetail.[4].["#text"],  CommandLine = EventDetail.[10].["#text"], Hashes = tostring(EventDetail.[17].["#text"])
  | extend Hashes = extract_all(@"(?P<key>\w+)=(?P<value>[a-zA-Z0-9]+)", dynamic(["key","value"]), Hashes)
  | extend Hashes = column_ifexists("Hashes", ""), CommandLine = column_ifexists("CommandLine", "")
  | extend Hashes = todynamic(Hashes) | mv-expand Hashes
  | where Hashes[0] =~ "SHA256"
  | where (Hashes[1] has_any (sha256Hashes)) or ( CommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and CommandLine has ('/sc minute /mo 1 /F /ru system')) 
  | project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image
  | extend Type = strcat(Type, ": ", Source)
  | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])
  ),
  (DeviceFileEvents
  | where SHA256 has_any (sha256Hashes)
  | project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type
  | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = InitiatingProcessSHA256,  CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath
  ),
  (EmailEvents
  | where SenderFromAddress == 'H0lyGh0st@mail2tor.com'
  | extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress 
  ),
  (CommonSecurityLog 
  | where isnotempty(SourceIP) or isnotempty(DestinationIP) 
  | where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)
  | extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "Message")  
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash
  | extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field"), FileHashCustomEntity = FileHash
  ), 
  (OfficeActivity 
  |extend SourceIPAddress = ClientIP, Account = UserId 
  | where  SourceIPAddress in (IPList) 
  | extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account 
  ),
  (SigninLogs 
  | where isnotempty(IPAddress) 
  | where IPAddress in (IPList) 
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress 
  ),
  (AADNonInteractiveUserSignInLogs 
  | where isnotempty(IPAddress) 
  | where IPAddress in (IPList) 
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress 
  ), 
  (W3CIISLog  
  | where isnotempty(cIP) 
  | where cIP in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName 
  ), 
  (AzureActivity  
  | where isnotempty(CallerIpAddress) 
  | where CallerIpAddress in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller 
  ), 
  ( 
  AWSCloudTrail 
  | where isnotempty(SourceIpAddress) 
  | where SourceIpAddress in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName 
  ), 
  ( 
  DeviceNetworkEvents 
  | where isnotempty(RemoteIP)  
  | where RemoteIP in (IPList)  
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName  
  ),
  (
  AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallApplicationRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (IPList)  
  | extend DestinationIP = DestinationHost 
  | extend IPCustomEntity = SourceHost
  ),
  (
  AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallNetworkRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (IPList)  
  | extend DestinationIP = DestinationHost 
  | extend IPCustomEntity = SourceHost
  ),
  (
  AZFWApplicationRule
  | where Fqdn has_any (IPList)
  | extend IPCustomEntity = SourceIp
  ),
  (
  AZFWNetworkRule
  | where DestinationIp has_any (IPList)
  | extend IPCustomEntity = SourceIp
  )
  )  
tags:
- Dev-0530
- SchemaVersion: 0.1.0
  Schema: ASIMFileEvent
triggerOperator: gt
id: a172107d-794c-48c0-bc26-d3349fe10b4d
description: |
    'Identifies a IOC match related to Dev-0530 actor across various data sources.'
triggerThreshold: 0
name: Dev-0530 IOC - July 2022
relevantTechniques:
- T1486
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/Dev-0530_July2022.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a172107d-794c-48c0-bc26-d3349fe10b4d')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a172107d-794c-48c0-bc26-d3349fe10b4d')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Dev-0530 IOC - July 2022",
        "description": "'Identifies a IOC match related to Dev-0530 actor across various data sources.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\n(union isfuzzy=true \n(DeviceProcessEvents\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') \nand InitiatingProcessCommandLine has ('sc minute /mo 1 /F /ru system'))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName,  InitiatingProcessSHA256, Type, AccountName, SHA256\n| extend Account = AccountName, Computer = DeviceName,  CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \"InitiatingProcessSHA256\", SHA256 in (sha256Hashes), \"SHA256\", \"No Match\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \"InitiatingProcessSHA256\", InitiatingProcessSHA256, FileHash == \"SHA256\", SHA256, \"No Match\")\n),\n( SecurityEvent\n| where EventID == 4688\n| where ( CommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and CommandLine has ('/sc minute /mo 1 /F /ru system'))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n),\n( imFileEvent\n| where Hash in~ (sha256Hashes) or  ( ActingProcessCommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and ActingProcessCommandLine has ('/sc minute /mo 1 /F /ru system'))\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Image = EventDetail.[4].[\"#text\"],  CommandLine = EventDetail.[10].[\"#text\"], Hashes = tostring(EventDetail.[17].[\"#text\"])\n| extend Hashes = extract_all(@\"(?P<key>\\w+)=(?P<value>[a-zA-Z0-9]+)\", dynamic([\"key\",\"value\"]), Hashes)\n| extend Hashes = column_ifexists(\"Hashes\", \"\"), CommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\n| where Hashes[0] =~ \"SHA256\"\n| where (Hashes[1] has_any (sha256Hashes)) or ( CommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and CommandLine has ('/sc minute /mo 1 /F /ru system')) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source)\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\n),\n(DeviceFileEvents\n| where SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256,  CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n),\n(EmailEvents\n| where SenderFromAddress == 'H0lyGh0st@mail2tor.com'\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \n),\n(CommonSecurityLog \n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\")  \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\"), FileHashCustomEntity = FileHash\n), \n(OfficeActivity \n|extend SourceIPAddress = ClientIP, Account = UserId \n| where  SourceIPAddress in (IPList) \n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \n),\n(SigninLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n),\n(AADNonInteractiveUserSignInLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n), \n(W3CIISLog  \n| where isnotempty(cIP) \n| where cIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \n), \n(AzureActivity  \n| where isnotempty(CallerIpAddress) \n| where CallerIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \n), \n( \nAWSCloudTrail \n| where isnotempty(SourceIpAddress) \n| where SourceIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \n), \n( \nDeviceNetworkEvents \n| where isnotempty(RemoteIP)  \n| where RemoteIP in (IPList)  \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName  \n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)  \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)  \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAZFWApplicationRule\n| where Fqdn has_any (IPList)\n| extend IPCustomEntity = SourceIp\n),\n(\nAZFWNetworkRule\n| where DestinationIp has_any (IPList)\n| extend IPCustomEntity = SourceIp\n)\n)\n",
        "queryFrequency": "PT12H",
        "queryPeriod": "PT12H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "alertRuleTemplateName": "a172107d-794c-48c0-bc26-d3349fe10b4d",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "identifier": "Algorithm",
                "columnName": "AlgorithmCustomEntity"
              },
              {
                "identifier": "Value",
                "columnName": "FileHashCustomEntity"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "identifier": "ProcessId",
                "columnName": "ProcessCustomEntity"
              }
            ]
          }
        ],
        "tags": [
          "Dev-0530",
          {
            "Schema": "ASIMFileEvent",
            "SchemaVersion": "0.1.0"
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/Dev-0530_July2022.yaml",
        "templateVersion": "1.1.2"
      }
    }
  ]
}