Azure-Sentinel/Detections/SecurityEvent/MidnightBlizzard_Suspicious...

id: d82e1987-4356-4a7b-bc5e-064f29b143c0
name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript
description: |
  'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
   References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
severity: Medium
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes: 
      - SecurityEvents
  - connectorId: WindowsForwardedEvents
    dataTypes: 
      - WindowsEvent 
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1547
tags:
  - Midnight Blizzard
query: |
  (union isfuzzy=true 
  (SecurityEvent
  | where EventID == 4688
  | where Process =~ 'rundll32.exe' 
  | where CommandLine has_all ('Execute','RegRead','window.close')
  | project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId
  ),
  (WindowsEvent
  | where EventID == 4688 and EventData has 'rundll32.exe' and EventData has_any ('Execute','RegRead','window.close')
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Process=tostring(split(NewProcessName, '\\')[-1])
  | where Process =~ 'rundll32.exe' 
  | extend CommandLine = tostring(EventData.CommandLine)
  | where CommandLine has_all ('Execute','RegRead','window.close')
  | extend SubjectAccount =  strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
  | extend ParentProcessName = tostring(EventData.ParentProcessName)  
  | project TimeGenerated, Computer, SubjectAccount, SubjectUserName = EventData.SubjectUserName, SubjectDomainName = EventData.SubjectDomainName, SubjectUserSid = EventData.SubjectUserSid, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
  )
  )
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SubjectAccount
      - identifier: Name
        columnName: SubjectUserName
      - identifier: NTDomain
        columnName: SubjectDomainName
  - entityType: Account
    fieldMappings:
      - identifier: Sid
        columnName: SubjectUserSid
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.1.5
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Microsoft Security Research
    support:
        tier: Community
    categories:
        domains: [ "Security - Threat Intelligence" ]
Initial queries 2021-03-03 20:56:18 +03:00			`id: d82e1987-4356-4a7b-bc5e-064f29b143c0`
Standalone Content Renaming (#7981) 2023-05-08 16:22:09 +03:00			`name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript`
Initial queries 2021-03-03 20:56:18 +03:00			`description: \|`
adding in URL and tag 2021-03-04 19:46:58 +03:00			`'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands`
			`References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'`
Initial queries 2021-03-03 20:56:18 +03:00			`severity: Medium`
			`requiredDataConnectors:`
			`- connectorId: SecurityEvents`
			`dataTypes:`
			`- SecurityEvent`
add wse to security_event 2021-05-27 12:49:22 +03:00			`- connectorId: WindowsSecurityEvents`
			`dataTypes:`
			`- SecurityEvent`
connectorId name change 2022-02-07 19:03:01 +03:00			`- connectorId: WindowsSecurityEvents`
			`dataTypes:`
Updating Entity Mapping 2023-12-09 00:46:31 +03:00			`- SecurityEvents`
replaced connectorID 2022-03-10 18:00:42 +03:00			`- connectorId: WindowsForwardedEvents`
			`dataTypes:`
			`- WindowsEvent`
Initial queries 2021-03-03 20:56:18 +03:00			`queryFrequency: 1d`
			`queryPeriod: 1d`
			`triggerOperator: gt`
			`triggerThreshold: 0`
			`tactics:`
updating tactic 2021-03-03 20:59:01 +03:00			`- Persistence`
Initial queries 2021-03-03 20:56:18 +03:00			`relevantTechniques:`
updating tactic 2021-03-03 20:59:01 +03:00			`- T1547`
adding in URL and tag 2021-03-04 19:46:58 +03:00			`tags:`
Standalone Content Renaming (#7981) 2023-05-08 16:22:09 +03:00			`- Midnight Blizzard`
Initial queries 2021-03-03 20:56:18 +03:00			`query: \|`
Yaml File Syntax fix 2022-02-02 17:32:12 +03:00			`(union isfuzzy=true`
NOBELIUM_SuspiciousRundll32Exec 2022-02-01 15:40:32 +03:00			`(SecurityEvent`
Initial queries 2021-03-03 20:56:18 +03:00			`\| where EventID == 4688`
			`\| where Process =~ 'rundll32.exe'`
			`\| where CommandLine has_all ('Execute','RegRead','window.close')`
Updating Entity Mapping 2023-12-09 00:46:31 +03:00			`\| project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId`
NOBELIUM_SuspiciousRundll32Exec 2022-02-01 15:40:32 +03:00			`),`
			`(WindowsEvent`
			`\| where EventID == 4688 and EventData has 'rundll32.exe' and EventData has_any ('Execute','RegRead','window.close')`
			`\| extend NewProcessName = tostring(EventData.NewProcessName)`
			`\| extend Process=tostring(split(NewProcessName, '\\')[-1])`
			`\| where Process =~ 'rundll32.exe'`
			`\| extend CommandLine = tostring(EventData.CommandLine)`
			`\| where CommandLine has_all ('Execute','RegRead','window.close')`
Updating Entity Mapping 2023-12-09 00:46:31 +03:00			`\| extend SubjectAccount = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)`
NOBELIUM_SuspiciousRundll32Exec 2022-02-01 15:40:32 +03:00			`\| extend ParentProcessName = tostring(EventData.ParentProcessName)`
Updating Entity Mapping 2023-12-09 00:46:31 +03:00			`\| project TimeGenerated, Computer, SubjectAccount, SubjectUserName = EventData.SubjectUserName, SubjectDomainName = EventData.SubjectDomainName, SubjectUserSid = EventData.SubjectUserSid, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId`
			`)`
			`)`
			`\| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))`
			`\| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)`
			`\| project-away DomainIndex`
Initial queries 2021-03-03 20:56:18 +03:00			`entityMappings:`
			`- entityType: Account`
			`fieldMappings:`
Adding FullName 2023-12-15 07:47:06 +03:00			`- identifier: FullName`
			`columnName: SubjectAccount`
Updating Entity Mapping 2023-12-09 00:46:31 +03:00			`- identifier: Name`
			`columnName: SubjectUserName`
			`- identifier: NTDomain`
			`columnName: SubjectDomainName`
Adjusting identifier count per entity type 2023-12-15 09:41:39 +03:00			`- entityType: Account`
			`fieldMappings:`
Updating Entity Mapping 2023-12-09 00:46:31 +03:00			`- identifier: Sid`
			`columnName: SubjectUserSid`
Initial queries 2021-03-03 20:56:18 +03:00			`- entityType: Host`
			`fieldMappings:`
Adding FullName 2023-12-15 07:47:06 +03:00			`- identifier: FullName`
			`columnName: Computer`
Updating Entity Mapping 2023-12-09 00:46:31 +03:00			`- identifier: HostName`
			`columnName: HostName`
			`- identifier: DnsDomain`
			`columnName: HostNameDomain`
Adding FullName 2023-12-15 07:47:06 +03:00			`version: 1.1.5`
Update NOBELIUM_SuspiciousRundll32Exec.yaml 2022-03-10 18:38:05 +03:00			`kind: Scheduled`
MetaData tagged for remaining analytics 2022-10-31 15:37:11 +03:00			`metadata:`
			`source:`
			`kind: Community`
			`author:`
Updating Entity Mapping 2023-12-09 00:46:31 +03:00			`name: Microsoft Security Research`
MetaData tagged for remaining analytics 2022-10-31 15:37:11 +03:00			`support:`
			`tier: Community`
			`categories:`
			`domains: [ "Security - Threat Intelligence" ]`