version: 2.0.0
tags:
- Solorigate
- NOBELIUM
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-VM-Network.yaml
relevantTechniques:
- T1102
id: ab4b6944-a20d-42ab-8b63-238426525801
triggerThreshold: 0
queryFrequency: 1h
queryPeriod: 1h
entityMappings:
- fieldMappings:
- columnName: HostCustomEntity
identifier: HostName
entityType: Host
- fieldMappings:
- columnName: IPCustomEntity
identifier: Address
entityType: IP
- fieldMappings:
- columnName: DNSName
identifier: DomainName
entityType: DNS
- fieldMappings:
- columnName: FirstPid
identifier: ProcessId
- columnName: CommandLine
identifier: CommandLine
entityType: Process
- fieldMappings:
- columnName: DirectoryName
identifier: Directory
- columnName: Filename
identifier: Name
entityType: File
triggerOperator: gt
severity: High
requiredDataConnectors:
- dataTypes:
- VMConnection
connectorId: AzureMonitor(VMInsights)
- dataTypes:
- VMProcess
connectorId: AzureMonitor(VMInsights)
- dataTypes:
- VMComputer
connectorId: AzureMonitor(VMInsights)
query: "\nlet domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\nlet timeframe = 1h;\nlet connections = VMConnection \n | where TimeGenerated >= ago(timeframe)\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\n | mv-expand DNSName\n | where isnotempty(DNSName)\n | where DNSName has_any (domains)\n | extend IPCustomEntity = RemoteIp\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\nlet processes = VMProcess\n | where TimeGenerated >= ago(timeframe)\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\n | extend exePathArr = split(ExecutablePath, \"\\\\\")\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \"\\\\\")\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \"\\\\\")\n | project-away exePathArr;\nlet computers = VMComputer\n | where TimeGenerated >= ago(timeframe)\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\nconnections | join kind = inner (processes) on AgentId, Machine, Process\n | join kind = inner (computers) on AgentId, Machine\n \n"
tactics:
- CommandAndControl
status: Available
name: '[Deprecated] - Solorigate Domains Found in VM Insights'
kind: Scheduled
