NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)

Back


Id	bdf04f58-242b-4729-b376-577c4bdf5d3a
Rulename	NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
Description	This query idenifies when rundll32.exe executes a specific set of inline VBScript commands References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ To use this analytics rule, make sure you have deployed the ASIM normalization parsers
Severity	Medium
Tactics	Persistence
Techniques	T1547
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_NOBELIUM_SuspiciousRundll32Exec.yaml
Version	1.1.1
Arm template	bdf04f58-242b-4729-b376-577c4bdf5d3a.json

KQL

imProcessCreate
| where Process hassuffix 'rundll32.exe'
| where CommandLine  has_any ('Execute','RegRead','window.close')
| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User

YAML

id: bdf04f58-242b-4729-b376-577c4bdf5d3a
queryFrequency: 1d
version: 1.1.1
requiredDataConnectors: []
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
kind: Scheduled
queryPeriod: 1d
severity: Medium
query: |
  imProcessCreate
  | where Process hassuffix 'rundll32.exe'
  | where CommandLine  has_any ('Execute','RegRead','window.close')
  | project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
  | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User  
triggerOperator: gt
tags:
- Id: d82e1987-4356-4a7b-bc5e-064f29b143c0
  version: 1.0.0
- SchemaVersion: 0.1.0
  Schema: ASIMProcessEvent
- NOBELIUM
description: |
  'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
  References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'  
triggerThreshold: 0
name: NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
relevantTechniques:
- T1547
tactics:
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_NOBELIUM_SuspiciousRundll32Exec.yaml

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bdf04f58-242b-4729-b376-577c4bdf5d3a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bdf04f58-242b-4729-b376-577c4bdf5d3a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)",
        "description": "'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "imProcessCreate\n| where Process hassuffix 'rundll32.exe'\n| where CommandLine  has_any ('Execute','RegRead','window.close')\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1547"
        ],
        "alertRuleTemplateName": "bdf04f58-242b-4729-b376-577c4bdf5d3a",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          }
        ],
        "tags": [
          {
            "Id": "d82e1987-4356-4a7b-bc5e-064f29b143c0",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMProcessEvent",
            "SchemaVersion": "0.1.0"
          },
          "NOBELIUM"
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_NOBELIUM_SuspiciousRundll32Exec.yaml",
        "templateVersion": "1.1.1"
      }
    }
  ]
}