Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Deimos Component Execution

Deimos Component Execution

Back
Idc25a8cd4-5b4a-45a8-9ba0-3b753a652f6b
RulenameDeimos Component Execution
DescriptionJupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.
SeverityHigh
TacticsExecution
Collection
Exfiltration
TechniquesT1059
T1005
T1020
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Jupyter-Solarmaker/DeimosComponentExecution.yaml
Version1.0.0
Arm templatec25a8cd4-5b4a-45a8-9ba0-3b753a652f6b.json
Deploy To Azure
DeviceEvents   
| where InitiatingProcessFileName =~ "powershell.exe"
| where ActionType == "AmsiScriptContent"
| where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()"}'
| project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

description: |
    Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.
entityMappings:
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
  entityType: Host
query: |
  DeviceEvents   
  | where InitiatingProcessFileName =~ "powershell.exe"
  | where ActionType == "AmsiScriptContent"
  | where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()"}'
  | project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields, DeviceName
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
tactics:
- Execution
- Collection
- Exfiltration
severity: High
triggerThreshold: 0
queryFrequency: 1h
status: Available
queryPeriod: 1h
relevantTechniques:
- T1059
- T1005
- T1020
tags:
- SolarMarker
- Jupyter
- Ransomware
id: c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b
name: Deimos Component Execution
kind: Scheduled
triggerOperator: gt
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Jupyter-Solarmaker/DeimosComponentExecution.yaml
requiredDataConnectors:
- dataTypes:
  - DeviceEvents
  connectorId: MicrosoftThreatProtection