[Deprecated] - Denim Tsunami C2 Domains July 2022
| Id | ce02935c-cc67-4b77-9b96-93d9947e119a |
| Rulename | [Deprecated] - Denim Tsunami C2 Domains July 2022 |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | High |
| Tactics | CommandAndControl |
| Techniques | T1071 |
| Required data connectors | AzureMonitor(VMInsights) DNS MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiC2DomainsJuly2022.yaml |
| Version | 2.0.0 |
| Arm template | ce02935c-cc67-4b77-9b96-93d9947e119a.json |
let DomainNames = dynamic(["acrobatrelay.com", "finconsult.cc", "realmetaldns.com"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP
),
(_Im_Dns (domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress = SrcIpAddr, Computer = Dvc
),
(_Im_WebSession (url_has_any=DomainNames)
| extend DNSName = tostring(parse_url(Url)["Host"])
| extend IPAddress = SrcIpAddr, Computer = Dvc
),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName in~ (DomainNames)
| extend IPAddress = RemoteIp
),
(
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any (DomainNames)
| extend IPAddress = RemoteIP
| extend Computer = DeviceName
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
status: Available
triggerOperator: gt
triggerThreshold: 0
name: '[Deprecated] - Denim Tsunami C2 Domains July 2022'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiC2DomainsJuly2022.yaml
queryPeriod: 1d
severity: High
tags:
- Denim Tsunami
kind: Scheduled
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
- entityType: Host
fieldMappings:
- columnName: HostCustomEntity
identifier: HostName
- entityType: IP
fieldMappings:
- columnName: IPCustomEntity
identifier: Address
queryFrequency: 1d
relevantTechniques:
- T1071
requiredDataConnectors:
- dataTypes:
- VMConnection
connectorId: AzureMonitor(VMInsights)
- dataTypes:
- DnsEvents
connectorId: DNS
- dataTypes:
- DeviceNetworkEvents
connectorId: MicrosoftThreatProtection
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
tactics:
- CommandAndControl
query: |
let DomainNames = dynamic(["acrobatrelay.com", "finconsult.cc", "realmetaldns.com"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP
),
(_Im_Dns (domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress = SrcIpAddr, Computer = Dvc
),
(_Im_WebSession (url_has_any=DomainNames)
| extend DNSName = tostring(parse_url(Url)["Host"])
| extend IPAddress = SrcIpAddr, Computer = Dvc
),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName in~ (DomainNames)
| extend IPAddress = RemoteIp
),
(
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any (DomainNames)
| extend IPAddress = RemoteIP
| extend Computer = DeviceName
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
id: ce02935c-cc67-4b77-9b96-93d9947e119a
version: 2.0.0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ce02935c-cc67-4b77-9b96-93d9947e119a')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ce02935c-cc67-4b77-9b96-93d9947e119a')]",
"properties": {
"alertRuleTemplateName": "ce02935c-cc67-4b77-9b96-93d9947e119a",
"customDetails": null,
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"displayName": "[Deprecated] - Denim Tsunami C2 Domains July 2022",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "HostName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiC2DomainsJuly2022.yaml",
"query": "let DomainNames = dynamic([\"acrobatrelay.com\", \"finconsult.cc\", \"realmetaldns.com\"]); \n(union isfuzzy=true \n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where DNSName in~ (DomainNames) \n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \n), \n(_Im_Dns (domain_has_any=DomainNames)\n| extend DNSName = DnsQuery \n| extend IPAddress = SrcIpAddr, Computer = Dvc\n), \n(_Im_WebSession (url_has_any=DomainNames)\n| extend DNSName = tostring(parse_url(Url)[\"Host\"])\n| extend IPAddress = SrcIpAddr, Computer = Dvc\n), \n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * \n| where isnotempty(DNSName) \n| where DNSName in~ (DomainNames) \n| extend IPAddress = RemoteIp \n), \n( \n DeviceNetworkEvents \n| where isnotempty(RemoteUrl) \n| where RemoteUrl has_any (DomainNames) \n| extend IPAddress = RemoteIP \n| extend Computer = DeviceName \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n) \n) \n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"tags": [
"Denim Tsunami"
],
"techniques": [
"T1071"
],
"templateVersion": "2.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}