NOBELIUM IOCs related to FoggyWeb backdoor
Id | c37711a4-5f44-4472-8afc-0679bc0ef966 |
Rulename | NOBELIUM IOCs related to FoggyWeb backdoor |
Description | Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. Reference: https://aka.ms/nobelium-foggy-web |
Severity | High |
Tactics | Collection |
Techniques | T1005 |
Required data connectors | AzureMonitor(IIS) CEF CheckPoint CiscoASA F5 Fortinet MicrosoftThreatProtection PaloAltoNetworks SecurityEvents WindowsForwardedEvents WindowsSecurityEvents |
Kind | Scheduled |
Query frequency | 6h |
Query period | 6h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/Nobelium_FoggyWeb.yaml |
Version | 2.1.2 |
Arm template | c37711a4-5f44-4472-8afc-0679bc0ef966.json |
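// IOC feed: the rule alerts on whatever rows this remote CSV holds at query time, so a change to
// the feed silently changes what the rule matches. The feed must stay a source you trust.
let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv"] with (format="csv", ignoreFirstRecord=True);
// Split the feed by indicator type. All four selectors are case-insensitive (=~) so a
// differently-cased Type value in the feed (e.g. "SHA256") does not leave a list empty.
let sha256Hashes = (iocs | where Type =~ "sha256" | project IoC);
let FilePaths = (iocs | where Type =~ "FilePath" | project IoC);
let POST_URI = (iocs | where Type =~ "URI1" | project IoC);
let GET_URI = (iocs | where Type =~ "URI2" | project IoC);
// Known AD FS servers: replace the placeholders with the FQDNs of the servers in your
// environment. Left unchanged they match no real host, so they are harmless.
let ADFS_Servers1 = datatable(Computer:string)
[ "<ADFS01>.<DOMAIN>.<COM>",
"<ADFS02>.<DOMAIN>.<COM>"
];
// Discovered AD FS servers: any host whose process telemetry shows the AD FS service host
// process "Microsoft.IdentityServer.ServiceHost.exe". Every source is optional (isfuzzy=true),
// so the union still works when only some of the tables exist in the workspace.
// The SubjectLogonId != "0x3e4" filters drop one well-known service logon session,
// presumably so the service's own child processes are not counted — confirm against your telemetry.
let ADFS_Servers2 =
(union isfuzzy=true
(SecurityEvent
| where EventID == 4688 and SubjectLogonId != "0x3e4"
| where ProcessName has "Microsoft.IdentityServer.ServiceHost.exe"
| distinct Computer
),
// WindowsEvent carries the 4688 fields inside the EventData bag; the same logon-id filter is
// applied after extracting it (the inline commented-out form is superseded by the lines below).
( WindowsEvent
| where EventID == 4688 and EventData has "Microsoft.IdentityServer.ServiceHost.exe"// and not(EventData has "0x3e4")
| extend ProcessName = tostring(EventData.ProcessName)
| where ProcessName == "Microsoft.IdentityServer.ServiceHost.exe"
| extend SubjectLogonId = tostring(EventData.SubjectLogonId)
| where SubjectLogonId != "0x3e4"
| distinct Computer
),
(DeviceProcessEvents
| where InitiatingProcessFileName == 'Microsoft.IdentityServer.ServiceHost.exe'
| extend Computer = DeviceName
| distinct Computer
),
// Sysmon event 1 (process create): unpack the EventData name/value pairs into columns so
// that Image is addressable, then compare only the file name component of the path.
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| extend process = split(Image, '\\', -1)[-1]
| where process =~ "Microsoft.IdentityServer.ServiceHost.exe"
| distinct Computer
)
);
// Host scope for the IOC matching below: configured plus discovered servers.
let ADFS_Servers =
ADFS_Servers1
| union (ADFS_Servers2 | distinct Computer);
// Each branch matches the feed's hashes and/or file paths against one telemetry source and
// normalises the hit into the *CustomEntity columns used by the rule's entity mappings.
(union isfuzzy=true
(DeviceNetworkEvents
| where DeviceName in (ADFS_Servers)
| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)
| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type
// Account is mapped here too so this branch carries the same entities as the other device branches.
| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName
),
// Sysmon event 7 (image load): fields are read by position in the EventData array
// ([5] = ImageLoaded, [11] = Hashes, [4] = Image). These offsets assume the Sysmon
// event-7 field order; re-check them after a Sysmon schema upgrade.
(Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == '7'
| where Computer in (ADFS_Servers)
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend ImageLoaded = EventDetail.[5].["#text"], Hashes = EventDetail.[11].["#text"]
| parse Hashes with * 'SHA256=' SHA256 '",' *
| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes)
| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID
| extend Type = strcat(Type,":",EventID, ": ", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].["#text"]
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = FileHash
),
// CEF sources: not host-scoped (FileHash is the only join key). in~ rather than in, because
// hash hex case differs between vendors and every other branch compares hashes
// case-insensitively via has_any.
(CommonSecurityLog
| where FileHash in~ (sha256Hashes)
| project TimeGenerated, Message, SourceUserID, FileHash, Type
| extend timestamp = TimeGenerated, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = FileHash
),
(DeviceEvents
| where DeviceName in (ADFS_Servers)
| extend FilePath = strcat(FolderPath, '\\', FileName)
| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type
| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = FileHash
),
(DeviceFileEvents
| where DeviceName in (ADFS_Servers)
| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type
| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = FileHash
),
(DeviceImageLoadEvents
| where DeviceName in (ADFS_Servers)
| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type
| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = FileHash
),
// Any other Sysmon event whose EventData text contains a feed hash; the SHA256 value is
// parsed out of the Hashes string and Image is again read by position ([4]).
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where Computer in (ADFS_Servers)
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| parse EventDetail with * 'SHA256=' SHA256 '",' *
| where EventDetail has_any (sha256Hashes)
| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].["#text"]
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = FileHash
),
// IIS requests whose path matches a feed URI for the given method. Not restricted to
// ADFS_Servers; hits are aggregated per client IP / request shape to keep the row count down.
// Fix: StartTime/EndTime were swapped (max/min) — StartTime is now the earliest hit and
// timestamp, which is mapped from it, points at the first request rather than the last.
(W3CIISLog
| where ( csMethod == 'GET' and csUriStem has_any (GET_URI)) or (csMethod == 'POST' and csUriStem has_any (POST_URI))
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), cIP_MethodCount = count()
by cIP, cIP_MethodCountType = "Count of repeated entries, this is to reduce rowsets returned", csMethod,
csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer
| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName
),
// ASIM normalised file events (the rule is tagged Schema: ASIMFileEvent for this branch).
(imFileEvent
| where DvcHostname in (ADFS_Servers)
| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
)
)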
tags:
- NOBELIUM
- FoggyWeb
- Schema: ASIMFileEvent
SchemaVersion: 0.1.0
queryPeriod: 6h
version: 2.1.2
relevantTechniques:
- T1005
queryFrequency: 6h
kind: Scheduled
name: NOBELIUM IOCs related to FoggyWeb backdoor
id: c37711a4-5f44-4472-8afc-0679bc0ef966
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: HostCustomEntity
identifier: FullName
entityType: Host
- fieldMappings:
- columnName: IPCustomEntity
identifier: Address
entityType: IP
- fieldMappings:
- columnName: AlgorithmCustomEntity
identifier: Algorithm
- columnName: FileHashCustomEntity
identifier: Value
entityType: FileHash
- fieldMappings:
- columnName: ProcessCustomEntity
identifier: ProcessId
entityType: Process
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/Nobelium_FoggyWeb.yaml
severity: High
query: |
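// IOC feed: the rule alerts on whatever rows this remote CSV holds at query time, so a change to
// the feed silently changes what the rule matches. The feed must stay a source you trust.
let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv"] with (format="csv", ignoreFirstRecord=True);
// Split the feed by indicator type. All four selectors are case-insensitive (=~) so a
// differently-cased Type value in the feed (e.g. "SHA256") does not leave a list empty.
let sha256Hashes = (iocs | where Type =~ "sha256" | project IoC);
let FilePaths = (iocs | where Type =~ "FilePath" | project IoC);
let POST_URI = (iocs | where Type =~ "URI1" | project IoC);
let GET_URI = (iocs | where Type =~ "URI2" | project IoC);
// Known AD FS servers: replace the placeholders with the FQDNs of the servers in your
// environment. Left unchanged they match no real host, so they are harmless.
let ADFS_Servers1 = datatable(Computer:string)
[ "<ADFS01>.<DOMAIN>.<COM>",
"<ADFS02>.<DOMAIN>.<COM>"
];
// Discovered AD FS servers: any host whose process telemetry shows the AD FS service host
// process "Microsoft.IdentityServer.ServiceHost.exe". Every source is optional (isfuzzy=true),
// so the union still works when only some of the tables exist in the workspace.
// The SubjectLogonId != "0x3e4" filters drop one well-known service logon session,
// presumably so the service's own child processes are not counted — confirm against your telemetry.
let ADFS_Servers2 =
(union isfuzzy=true
(SecurityEvent
| where EventID == 4688 and SubjectLogonId != "0x3e4"
| where ProcessName has "Microsoft.IdentityServer.ServiceHost.exe"
| distinct Computer
),
// WindowsEvent carries the 4688 fields inside the EventData bag; the same logon-id filter is
// applied after extracting it (the inline commented-out form is superseded by the lines below).
( WindowsEvent
| where EventID == 4688 and EventData has "Microsoft.IdentityServer.ServiceHost.exe"// and not(EventData has "0x3e4")
| extend ProcessName = tostring(EventData.ProcessName)
| where ProcessName == "Microsoft.IdentityServer.ServiceHost.exe"
| extend SubjectLogonId = tostring(EventData.SubjectLogonId)
| where SubjectLogonId != "0x3e4"
| distinct Computer
),
(DeviceProcessEvents
| where InitiatingProcessFileName == 'Microsoft.IdentityServer.ServiceHost.exe'
| extend Computer = DeviceName
| distinct Computer
),
// Sysmon event 1 (process create): unpack the EventData name/value pairs into columns so
// that Image is addressable, then compare only the file name component of the path.
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| extend process = split(Image, '\\', -1)[-1]
| where process =~ "Microsoft.IdentityServer.ServiceHost.exe"
| distinct Computer
)
);
// Host scope for the IOC matching below: configured plus discovered servers.
let ADFS_Servers =
ADFS_Servers1
| union (ADFS_Servers2 | distinct Computer);
// Each branch matches the feed's hashes and/or file paths against one telemetry source and
// normalises the hit into the *CustomEntity columns used by the rule's entity mappings.
(union isfuzzy=true
(DeviceNetworkEvents
| where DeviceName in (ADFS_Servers)
| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)
| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type
// Account is mapped here too so this branch carries the same entities as the other device branches.
| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName
),
// Sysmon event 7 (image load): fields are read by position in the EventData array
// ([5] = ImageLoaded, [11] = Hashes, [4] = Image). These offsets assume the Sysmon
// event-7 field order; re-check them after a Sysmon schema upgrade.
(Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == '7'
| where Computer in (ADFS_Servers)
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend ImageLoaded = EventDetail.[5].["#text"], Hashes = EventDetail.[11].["#text"]
| parse Hashes with * 'SHA256=' SHA256 '",' *
| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes)
| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID
| extend Type = strcat(Type,":",EventID, ": ", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].["#text"]
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = FileHash
),
// CEF sources: not host-scoped (FileHash is the only join key). in~ rather than in, because
// hash hex case differs between vendors and every other branch compares hashes
// case-insensitively via has_any.
(CommonSecurityLog
| where FileHash in~ (sha256Hashes)
| project TimeGenerated, Message, SourceUserID, FileHash, Type
| extend timestamp = TimeGenerated, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = FileHash
),
(DeviceEvents
| where DeviceName in (ADFS_Servers)
| extend FilePath = strcat(FolderPath, '\\', FileName)
| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type
| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = FileHash
),
(DeviceFileEvents
| where DeviceName in (ADFS_Servers)
| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type
| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = FileHash
),
(DeviceImageLoadEvents
| where DeviceName in (ADFS_Servers)
| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type
| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = FileHash
),
// Any other Sysmon event whose EventData text contains a feed hash; the SHA256 value is
// parsed out of the Hashes string and Image is again read by position ([4]).
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where Computer in (ADFS_Servers)
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| parse EventDetail with * 'SHA256=' SHA256 '",' *
| where EventDetail has_any (sha256Hashes)
| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].["#text"]
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = FileHash
),
// IIS requests whose path matches a feed URI for the given method. Not restricted to
// ADFS_Servers; hits are aggregated per client IP / request shape to keep the row count down.
// Fix: StartTime/EndTime were swapped (max/min) — StartTime is now the earliest hit and
// timestamp, which is mapped from it, points at the first request rather than the last.
(W3CIISLog
| where ( csMethod == 'GET' and csUriStem has_any (GET_URI)) or (csMethod == 'POST' and csUriStem has_any (POST_URI))
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), cIP_MethodCount = count()
by cIP, cIP_MethodCountType = "Count of repeated entries, this is to reduce rowsets returned", csMethod,
csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer
| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName
),
// ASIM normalised file events (the rule is tagged Schema: ASIMFileEvent for this branch).
(imFileEvent
| where DvcHostname in (ADFS_Servers)
| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
)
)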
tactics:
- Collection
description: |
'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.
FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.
It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.
Reference: https://aka.ms/nobelium-foggy-web'
requiredDataConnectors:
- connectorId: F5
dataTypes:
- CommonSecurityLog
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
- connectorId: Fortinet
dataTypes:
- CommonSecurityLog
- connectorId: CheckPoint
dataTypes:
- CommonSecurityLog
- connectorId: CEF
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- DeviceFileEvents
- DeviceEvents
- DeviceImageLoadEvents
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: AzureMonitor(IIS)
dataTypes:
- W3CIISLog
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvents
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
status: Available
triggerThreshold: 0
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c37711a4-5f44-4472-8afc-0679bc0ef966')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c37711a4-5f44-4472-8afc-0679bc0ef966')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "NOBELIUM IOCs related to FoggyWeb backdoor",
"description": "'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\n Reference: https://aka.ms/nobelium-foggy-web'\n",
"severity": "High",
"enabled": true,
"query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256Hashes = (iocs | where Type == \"sha256\" | project IoC);\nlet FilePaths = (iocs | where Type =~ \"FilePath\" | project IoC);\nlet POST_URI = (iocs | where Type =~ \"URI1\" | project IoC);\nlet GET_URI = (iocs | where Type =~ \"URI2\" | project IoC);\n//Include in the list below, the ADFS servers you know about in your environment. In the next part of the query, we will try to identify them for you if you have the telemetry.\nlet ADFS_Servers1 = datatable(Computer:string)\n[ \"<ADFS01>.<DOMAIN>.<COM>\",\n\"<ADFS02>.<DOMAIN>.<COM>\"\n];\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \"Microsoft.IdentityServer.ServiceHost.exe\".\nlet ADFS_Servers2 = \n(union isfuzzy=true\n(SecurityEvent\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n),\n( WindowsEvent\n| where EventID == 4688 and EventData has \"Microsoft.IdentityServer.ServiceHost.exe\"// and not(EventData has \"0x3e4\")\n| extend ProcessName = tostring(EventData.ProcessName)\n| where ProcessName == \"Microsoft.IdentityServer.ServiceHost.exe\"\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\n| where SubjectLogonId != \"0x3e4\"\n| distinct Computer\n),\n(DeviceProcessEvents\n| where InitiatingProcessFileName == 'Microsoft.IdentityServer.ServiceHost.exe'\n| extend Computer = DeviceName\n| distinct Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate 
pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n)\n);\nlet ADFS_Servers =\nADFS_Servers1\n| union (ADFS_Servers2 | distinct Computer);\n(union isfuzzy=true\n(DeviceNetworkEvents\n| where DeviceName in (ADFS_Servers)\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\" and EventID == '7'\n| where Computer in (ADFS_Servers)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend ImageLoaded = EventDetail.[5].[\"#text\"], Hashes = EventDetail.[11].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 '\",' *\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\n| extend Type = strcat(Type,\":\",EventID, \": \", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\"#text\"] \n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(CommonSecurityLog\n| where 
FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceEvents\n| where DeviceName in (ADFS_Servers)\n| extend FilePath = strcat(FolderPath, '\\\\', FileName)\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceFileEvents\n| where DeviceName in (ADFS_Servers)\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceImageLoadEvents\n| where DeviceName in (ADFS_Servers)\n| where 
FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where Computer in (ADFS_Servers)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| where EventDetail has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\"#text\"] \n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(W3CIISLog \n| where ( csMethod == 'GET' and csUriStem has_any (GET_URI)) or (csMethod == 'POST' and csUriStem has_any (POST_URI))\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \nby cIP, cIP_MethodCountType = \"Count of repeated entries, this is to reduce rowsets returned\", csMethod, \ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = 
csHost, AccountCustomEntity = csUserName\n),\n(imFileEvent\n| where DvcHostname in (ADFS_Servers)\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n)\n)\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection"
],
"techniques": [
"T1005"
],
"alertRuleTemplateName": "c37711a4-5f44-4472-8afc-0679bc0ef966",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Algorithm",
"columnName": "AlgorithmCustomEntity"
},
{
"identifier": "Value",
"columnName": "FileHashCustomEntity"
}
],
"entityType": "FileHash"
},
{
"fieldMappings": [
{
"identifier": "ProcessId",
"columnName": "ProcessCustomEntity"
}
],
"entityType": "Process"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/Nobelium_FoggyWeb.yaml",
"templateVersion": "2.1.2",
"status": "Available",
"tags": [
"NOBELIUM",
"FoggyWeb",
{
"Schema": "ASIMFileEvent",
"SchemaVersion": "0.1.0"
}
]
}
}
]
}