[Deprecated] - Solorigate Domains Found in VM Insights
| Id | ab4b6944-a20d-42ab-8b63-238426525801 |
| Rulename | [Deprecated] - Solorigate Domains Found in VM Insights |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | High |
| Tactics | CommandAndControl |
| Techniques | T1102 |
| Required data connectors | AzureMonitor(VMInsights) |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-VM-Network.yaml |
| Version | 2.0.0 |
| Arm template | ab4b6944-a20d-42ab-8b63-238426525801.json |
let domains = dynamic(["incomeupdate.com","zupertech.com","databasegalore.com","panhardware.com","avsvmcloud.com","digitalcollege.org","freescanonline.com","deftsecurity.com","thedoccloud.com","virtualdataserver.com","lcomputers.com","webcodez.com","globalnetworkissues.com","kubecloud.com","seobundlekit.com","solartrackingsystem.net","virtualwebdata.com"]);
let timeframe = 1h;
let connections = VMConnection
| where TimeGenerated >= ago(timeframe)
| extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))
| mv-expand DNSName
| where isnotempty(DNSName)
| where DNSName has_any (domains)
| extend IPCustomEntity = RemoteIp
| summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;
let processes = VMProcess
| where TimeGenerated >= ago(timeframe)
| project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid
| extend exePathArr = split(ExecutablePath, "\\")
| extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), "\\")
| extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), "\\")
| project-away exePathArr;
let computers = VMComputer
| where TimeGenerated >= ago(timeframe)
| project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;
connections | join kind = inner (processes) on AgentId, Machine, Process
| join kind = inner (computers) on AgentId, Machine
relevantTechniques:
- T1102
name: '[Deprecated] - Solorigate Domains Found in VM Insights'
requiredDataConnectors:
- dataTypes:
- VMConnection
connectorId: AzureMonitor(VMInsights)
- dataTypes:
- VMProcess
connectorId: AzureMonitor(VMInsights)
- dataTypes:
- VMComputer
connectorId: AzureMonitor(VMInsights)
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
entityType: Host
- fieldMappings:
- identifier: Address
columnName: IPCustomEntity
entityType: IP
- fieldMappings:
- identifier: DomainName
columnName: DNSName
entityType: DNS
- fieldMappings:
- identifier: ProcessId
columnName: FirstPid
- identifier: CommandLine
columnName: CommandLine
entityType: Process
- fieldMappings:
- identifier: Directory
columnName: DirectoryName
- identifier: Name
columnName: Filename
entityType: File
triggerThreshold: 0
id: ab4b6944-a20d-42ab-8b63-238426525801
tactics:
- CommandAndControl
version: 2.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-VM-Network.yaml
queryPeriod: 1h
kind: Scheduled
tags:
- Solorigate
- NOBELIUM
queryFrequency: 1h
severity: High
status: Available
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
query: "\nlet domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\nlet timeframe = 1h;\nlet connections = VMConnection \n | where TimeGenerated >= ago(timeframe)\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\n | mv-expand DNSName\n | where isnotempty(DNSName)\n | where DNSName has_any (domains)\n | extend IPCustomEntity = RemoteIp\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\nlet processes = VMProcess\n | where TimeGenerated >= ago(timeframe)\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\n | extend exePathArr = split(ExecutablePath, \"\\\\\")\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \"\\\\\")\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \"\\\\\")\n | project-away exePathArr;\nlet computers = VMComputer\n | where TimeGenerated >= ago(timeframe)\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\nconnections | join kind = inner (processes) on AgentId, Machine, Process\n | join kind = inner (computers) on AgentId, Machine\n \n"
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ab4b6944-a20d-42ab-8b63-238426525801')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ab4b6944-a20d-42ab-8b63-238426525801')]",
"properties": {
"alertRuleTemplateName": "ab4b6944-a20d-42ab-8b63-238426525801",
"customDetails": null,
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"displayName": "[Deprecated] - Solorigate Domains Found in VM Insights",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "HostName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DNSName",
"identifier": "DomainName"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "FirstPid",
"identifier": "ProcessId"
},
{
"columnName": "CommandLine",
"identifier": "CommandLine"
}
]
},
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "DirectoryName",
"identifier": "Directory"
},
{
"columnName": "Filename",
"identifier": "Name"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-VM-Network.yaml",
"query": "\nlet domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\nlet timeframe = 1h;\nlet connections = VMConnection \n | where TimeGenerated >= ago(timeframe)\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\n | mv-expand DNSName\n | where isnotempty(DNSName)\n | where DNSName has_any (domains)\n | extend IPCustomEntity = RemoteIp\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\nlet processes = VMProcess\n | where TimeGenerated >= ago(timeframe)\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\n | extend exePathArr = split(ExecutablePath, \"\\\\\")\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \"\\\\\")\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \"\\\\\")\n | project-away exePathArr;\nlet computers = VMComputer\n | where TimeGenerated >= ago(timeframe)\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\nconnections | join kind = inner (processes) on AgentId, Machine, Process\n | join kind = inner (computers) on AgentId, Machine\n \n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"tags": [
"Solorigate",
"NOBELIUM"
],
"techniques": [
"T1102"
],
"templateVersion": "2.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}