Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Midnight Blizzard - suspicious rundll32exe execution of vbscript

Midnight Blizzard - suspicious rundll32exe execution of vbscript

Back
Idd82e1987-4356-4a7b-bc5e-064f29b143c0
RulenameMidnight Blizzard - suspicious rundll32.exe execution of vbscript
DescriptionThis query idenifies when rundll32.exe executes a specific set of inline VBScript commands

References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
SeverityMedium
TacticsPersistence
TechniquesT1547
Required data connectorsSecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/MidnightBlizzard_SuspiciousRundll32Exec.yaml
Version1.1.6
Arm templated82e1987-4356-4a7b-bc5e-064f29b143c0.json
Deploy To Azure
(union isfuzzy=true 
(SecurityEvent
| where EventID == 4688
| where Process =~ 'rundll32.exe' 
| where CommandLine has_all ('Execute','RegRead','window.close')
| project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId
),
(WindowsEvent
| where EventID == 4688 and EventData has 'rundll32.exe' and EventData has_any ('Execute','RegRead','window.close')
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Process=tostring(split(NewProcessName, '\\')[-1])
| where Process =~ 'rundll32.exe' 
| extend CommandLine = tostring(EventData.CommandLine)
| where CommandLine has_all ('Execute','RegRead','window.close')
| extend SubjectAccount =  strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
| extend ParentProcessName = tostring(EventData.ParentProcessName)  
| project TimeGenerated, Computer, SubjectAccount, SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserSid = tostring(EventData.SubjectUserSid), Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
)
)
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex

description: |
  'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
   References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'  
entityMappings:
- fieldMappings:
  - columnName: SubjectAccount
    identifier: FullName
  - columnName: SubjectUserName
    identifier: Name
  - columnName: SubjectDomainName
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: SubjectUserSid
    identifier: Sid
  entityType: Account
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain
  entityType: Host
query: |
  (union isfuzzy=true 
  (SecurityEvent
  | where EventID == 4688
  | where Process =~ 'rundll32.exe' 
  | where CommandLine has_all ('Execute','RegRead','window.close')
  | project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId
  ),
  (WindowsEvent
  | where EventID == 4688 and EventData has 'rundll32.exe' and EventData has_any ('Execute','RegRead','window.close')
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Process=tostring(split(NewProcessName, '\\')[-1])
  | where Process =~ 'rundll32.exe' 
  | extend CommandLine = tostring(EventData.CommandLine)
  | where CommandLine has_all ('Execute','RegRead','window.close')
  | extend SubjectAccount =  strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
  | extend ParentProcessName = tostring(EventData.ParentProcessName)  
  | project TimeGenerated, Computer, SubjectAccount, SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserSid = tostring(EventData.SubjectUserSid), Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
  )
  )
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex  
tactics:
- Persistence
severity: Medium
triggerThreshold: 0
queryFrequency: 1d
queryPeriod: 1d
relevantTechniques:
- T1547
tags:
- Midnight Blizzard
id: d82e1987-4356-4a7b-bc5e-064f29b143c0
name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript
kind: Scheduled
triggerOperator: gt
version: 1.1.6
metadata:
  author:
    name: Microsoft Security Research
  source:
    kind: Community
  categories:
    domains:
    - Security - Threat Intelligence
  support:
    tier: Community
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/MidnightBlizzard_SuspiciousRundll32Exec.yaml
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvent
  connectorId: WindowsSecurityEvents
- dataTypes:
  - SecurityEvents
  connectorId: WindowsSecurityEvents
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents