Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Deimos Component Execution

Deimos Component Execution

Back
Idc25a8cd4-5b4a-45a8-9ba0-3b753a652f6b
RulenameDeimos Component Execution
DescriptionJupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.
SeverityHigh
TacticsExecution
Collection
Exfiltration
TechniquesT1059
T1005
T1020
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Jupyter-Solarmaker/DeimosComponentExecution.yaml
Version1.0.0
Arm templatec25a8cd4-5b4a-45a8-9ba0-3b753a652f6b.json
Deploy To Azure
DeviceEvents   
| where InitiatingProcessFileName =~ "powershell.exe"
| where ActionType == "AmsiScriptContent"
| where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()"}'
| project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

kind: Scheduled
tags:
- SolarMarker
- Jupyter
- Ransomware
triggerOperator: gt
queryFrequency: 1h
id: c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b
queryPeriod: 1h
relevantTechniques:
- T1059
- T1005
- T1020
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
query: |
  DeviceEvents   
  | where InitiatingProcessFileName =~ "powershell.exe"
  | where ActionType == "AmsiScriptContent"
  | where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()"}'
  | project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields, DeviceName
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
name: Deimos Component Execution
severity: High
tactics:
- Execution
- Collection
- Exfiltration
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
version: 1.0.0
status: Available
triggerThreshold: 0
description: |
    Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Jupyter-Solarmaker/DeimosComponentExecution.yaml