Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Midnight Blizzard - suspicious rundll32exe execution of vbscript

Midnight Blizzard - suspicious rundll32exe execution of vbscript

Back
Idd82e1987-4356-4a7b-bc5e-064f29b143c0
RulenameMidnight Blizzard - suspicious rundll32.exe execution of vbscript
DescriptionThis query idenifies when rundll32.exe executes a specific set of inline VBScript commands

References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
SeverityMedium
TacticsPersistence
TechniquesT1547
Required data connectorsSecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/MidnightBlizzard_SuspiciousRundll32Exec.yaml
Version1.1.6
Arm templated82e1987-4356-4a7b-bc5e-064f29b143c0.json
Deploy To Azure
(union isfuzzy=true 
(SecurityEvent
| where EventID == 4688
| where Process =~ 'rundll32.exe' 
| where CommandLine has_all ('Execute','RegRead','window.close')
| project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId
),
(WindowsEvent
| where EventID == 4688 and EventData has 'rundll32.exe' and EventData has_any ('Execute','RegRead','window.close')
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Process=tostring(split(NewProcessName, '\\')[-1])
| where Process =~ 'rundll32.exe' 
| extend CommandLine = tostring(EventData.CommandLine)
| where CommandLine has_all ('Execute','RegRead','window.close')
| extend SubjectAccount =  strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
| extend ParentProcessName = tostring(EventData.ParentProcessName)  
| project TimeGenerated, Computer, SubjectAccount, SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserSid = tostring(EventData.SubjectUserSid), Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
)
)
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/MidnightBlizzard_SuspiciousRundll32Exec.yaml
tags:
- Midnight Blizzard
queryPeriod: 1d
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: SubjectAccount
  - identifier: Name
    columnName: SubjectUserName
  - identifier: NTDomain
    columnName: SubjectDomainName
  entityType: Account
- fieldMappings:
  - identifier: Sid
    columnName: SubjectUserSid
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
  entityType: Host
version: 1.1.6
queryFrequency: 1d
triggerOperator: gt
kind: Scheduled
id: d82e1987-4356-4a7b-bc5e-064f29b143c0
tactics:
- Persistence
query: |
  (union isfuzzy=true 
  (SecurityEvent
  | where EventID == 4688
  | where Process =~ 'rundll32.exe' 
  | where CommandLine has_all ('Execute','RegRead','window.close')
  | project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId
  ),
  (WindowsEvent
  | where EventID == 4688 and EventData has 'rundll32.exe' and EventData has_any ('Execute','RegRead','window.close')
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Process=tostring(split(NewProcessName, '\\')[-1])
  | where Process =~ 'rundll32.exe' 
  | extend CommandLine = tostring(EventData.CommandLine)
  | where CommandLine has_all ('Execute','RegRead','window.close')
  | extend SubjectAccount =  strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
  | extend ParentProcessName = tostring(EventData.ParentProcessName)  
  | project TimeGenerated, Computer, SubjectAccount, SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserSid = tostring(EventData.SubjectUserSid), Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
  )
  )
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex  
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvents
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
triggerThreshold: 0
description: |
  'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
   References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'  
name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript
severity: Medium
relevantTechniques:
- T1547
metadata:
  source:
    kind: Community
  support:
    tier: Community
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Security - Threat Intelligence