Standalone Content Renaming (#7981)
Parent: 30bdd35e39
Commit: 3fab76c6ad
@ -1,5 +1,5 @@
|
||||||
id: bdf04f58-242b-4729-b376-577c4bdf5d3a
|
id: bdf04f58-242b-4729-b376-577c4bdf5d3a
|
||||||
name: NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
|
name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
|
||||||
description: |
|
description: |
|
||||||
'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
|
'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
|
||||||
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
|
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
|
||||||
|
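Review bot: the description line "This query idenifies when rundll32.exe executes a specific set of inline VBScript commands" carries the same misspelling on both sides of the hunk; since the file is being touched anyway, change "idenifies" to "identifies". The same typo appears in the non-normalized rundll32 rule and in the "Script payload stored in Registry" rule further down, so one sweep fixes all three.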
@ -19,7 +19,7 @@ tags:
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
- Schema: ASIMProcessEvent
|
- Schema: ASIMProcessEvent
|
||||||
SchemaVersion: 0.1.0
|
SchemaVersion: 0.1.0
|
||||||
- NOBELIUM
|
- Midnight Blizzard
|
||||||
|
|
||||||
query: |
|
query: |
|
||||||
imProcessCreate
|
imProcessCreate
|
||||||
|
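Review bot: replacing the tag value "- NOBELIUM" with "- Midnight Blizzard" changes a string that other content may select on (workbooks, saved hunts or automation that pick rules by tag). Check the repository for other references to the old tag string before merging, or keep both tags for a transition period so existing filters keep matching.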
@ -36,5 +36,5 @@ entityMappings:
|
||||||
fieldMappings:
|
fieldMappings:
|
||||||
- identifier: FullName
|
- identifier: FullName
|
||||||
columnName: HostCustomEntity
|
columnName: HostCustomEntity
|
||||||
version: 1.1.1
|
version: 1.1.2
|
||||||
kind: Scheduled
|
kind: Scheduled
|
|
@ -1,5 +1,5 @@
|
||||||
id: 38f9d721-70a9-4570-9aff-1471eae7c844
|
id: 38f9d721-70a9-4570-9aff-1471eae7c844
|
||||||
name: ACTINIUM Actor IOCs - Feb 2022
|
name: Aqua Blizzard Actor IOCs - Feb 2022
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ActiniumFeb2022.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/AquaBlizzardFeb2022.yaml'
|
||||||
version: 1.1.2
|
version: 1.1.3
|
|
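Review bot: the redirect target in the description changes from ".../Analytic%20Rules/ActiniumFeb2022.yaml" to ".../Analytic%20Rules/AquaBlizzardFeb2022.yaml", but no rename of that target file appears in these hunks. Confirm the target is renamed in the same commit (or keep the old path until it is), otherwise this migration stub sends users to a 404. The same check applies to every other migration stub below whose URL was rewritten.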
@ -1,5 +1,5 @@
|
||||||
id: d0edc52e-2f0a-4183-b5fb-9a73b3cd0393
|
id: d0edc52e-2f0a-4183-b5fb-9a73b3cd0393
|
||||||
name: DEV-0586 Actor IOC - January 2022
|
name: Cadet Blizzard Actor IOC - January 2022
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/Dev-0586_Jan2022_IOC.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CadetBlizzard_Jan2022_IOC.yaml'
|
||||||
version: 1.0.3
|
version: 1.0.4
|
|
@ -1,5 +1,5 @@
|
||||||
id: 2b68903a-cb95-4e31-a2db-4a0a15803761
|
id: 2b68903a-cb95-4e31-a2db-4a0a15803761
|
||||||
name: SOURGUM Actor IOC - July 2021
|
name: Caramel Tsunami Actor IOC - July 2021
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SOURGUM_IOC.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CaramelTsunami_IOC.yaml'
|
||||||
version: 1.2.1
|
version: 1.2.2
|
|
@ -1,5 +1,5 @@
|
||||||
id: 69fe6e85-8867-4872-a707-f589d3554375
|
id: 69fe6e85-8867-4872-a707-f589d3554375
|
||||||
name: KNOTWEED AV Detection
|
name: Denim Tsunami AV Detection
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KNOTWEEDAVDetection.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiAVDetection.yaml'
|
||||||
version: 1.0.1
|
version: 1.0.2
|
|
@ -1,5 +1,5 @@
|
||||||
id: 357ce603-e6ac-4afe-a2d8-b3dd8ab1d6e8
|
id: 357ce603-e6ac-4afe-a2d8-b3dd8ab1d6e8
|
||||||
name: KNOTWEED C2 Domains July 2022
|
name: Denim Tsunami C2 Domains July 2022
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KNOTWEEDC2DomainsJuly2022.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiC2DomainsJuly2022.yaml'
|
||||||
version: 1.0.1
|
version: 1.0.2
|
|
@ -1,5 +1,5 @@
|
||||||
id: 24e91fb1-01e5-47d0-845d-75d74e9b8a61
|
id: 24e91fb1-01e5-47d0-845d-75d74e9b8a61
|
||||||
name: KNOTWEED File Hashes July 2022
|
name: Denim Tsunami File Hashes July 2022
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KNOTWEEDFileHashesJuly2022.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiFileHashesJuly2022.yaml'
|
||||||
version: 1.0.1
|
version: 1.0.2
|
|
@ -1,5 +1,5 @@
|
||||||
id: 17184571-f7cd-42fb-a6a5-3478f09f5fa0
|
id: 17184571-f7cd-42fb-a6a5-3478f09f5fa0
|
||||||
name: Known ZINC Comebacker and Klackring malware hashes
|
name: Known Diamond Sleet Comebacker and Klackring malware hashes
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ZincJan272021IOCs.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DiamondSleetJan272021IOCs.yaml'
|
||||||
version: 1.7.1
|
version: 1.7.2
|
|
@ -1,5 +1,5 @@
|
||||||
id: ba2433b7-da6b-4faa-bdf1-1eae065ef7e9
|
id: ba2433b7-da6b-4faa-bdf1-1eae065ef7e9
|
||||||
name: Known ZINC related maldoc hash
|
name: Known Diamond Sleet related maldoc hash
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ZincOct292020IOCs.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DiamondSleetOct292020IOCs.yaml'
|
||||||
version: 1.0.2
|
version: 1.0.3
|
|
@ -1,5 +1,5 @@
|
||||||
id: 993b32e3-f097-4fcb-b555-3078a4af63be
|
id: 993b32e3-f097-4fcb-b555-3078a4af63be
|
||||||
name: THALLIUM domains included in DCU takedown
|
name: Emerald Sleet domains included in DCU takedown
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ThalliumIOCs.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/EmeraldSleetIOCs.yaml'
|
||||||
version: 1.5.1
|
version: 1.5.2
|
|
@ -1,7 +1,7 @@
|
||||||
id: 074ce265-f684-41cd-af07-613c5f3e6d0d
|
id: 074ce265-f684-41cd-af07-613c5f3e6d0d
|
||||||
name: Known STRONTIUM group domains - July 2019
|
name: Known Forest Blizzard group domains - July 2019
|
||||||
description: |
|
description: |
|
||||||
'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.
|
'Matches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.
|
||||||
References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.'
|
References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.'
|
||||||
severity: High
|
severity: High
|
||||||
tags:
|
tags:
|
||||||
|
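Review bot: the description now reads "Forest Blizzard group activity published July 2019" while the cited July 2019 reference only knows the actor as STRONTIUM. Consider "Forest Blizzard (formerly STRONTIUM)" so analysts can match the rule to the reference and to historical incident names; the same wording would help the Silk Typhoon, Mango Sandstorm and Star Blizzard descriptions below, whose references also predate the new naming.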
@ -116,7 +116,7 @@ entityMappings:
|
||||||
fieldMappings:
|
fieldMappings:
|
||||||
- identifier: Address
|
- identifier: Address
|
||||||
columnName: IPCustomEntity
|
columnName: IPCustomEntity
|
||||||
version: 1.5.1
|
version: 1.5.2
|
||||||
kind: Scheduled
|
kind: Scheduled
|
||||||
metadata:
|
metadata:
|
||||||
source:
|
source:
|
|
@ -1,5 +1,5 @@
|
||||||
id: 9fc7eaad-3cff-4ed0-837a-868ceb3e0886
|
id: 9fc7eaad-3cff-4ed0-837a-868ceb3e0886
|
||||||
name: Possible STRONTIUM attempted credential harvesting - Oct 2020
|
name: Possible Forest Blizzard attempted credential harvesting - Oct 2020
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/STRONTIUMOct292020IOCs.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ForestBlizzardOct292020IOCs.yaml'
|
||||||
version: 1.0.1
|
version: 1.0.2
|
|
@ -1,5 +1,5 @@
|
||||||
id: 00f44734-35a9-4103-b6b9-fd7752e70385
|
id: 00f44734-35a9-4103-b6b9-fd7752e70385
|
||||||
name: Known GALLIUM domains and hashes
|
name: Known Granite Typhoon domains and hashes
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GraniteTyphoonIOCs.yaml'
|
||||||
version: 1.6.1
|
version: 1.6.2
|
|
@ -1,5 +1,5 @@
|
||||||
id: 1bcfc5db-042d-4009-9989-45c3abd61352
|
id: 1bcfc5db-042d-4009-9989-45c3abd61352
|
||||||
name: Known PHOSPHORUS group domains/IP - October 2020
|
name: Known Mint Sandstorm group domains/IP - October 2020
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KnownPHOSPHORUSDomainsIP-October2020.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KnownMintSandstormDomainsIP-October2020.yaml'
|
||||||
version: 1.1.1
|
version: 1.1.2
|
|
@ -1,5 +1,5 @@
|
||||||
id: 943923cb-1b6d-4a44-aeee-b0cf393748b3
|
id: 943923cb-1b6d-4a44-aeee-b0cf393748b3
|
||||||
name: NOBELIUM - Domain and IP IOCs - March 2021
|
name: Midnight Blizzard - Domain and IP IOCs - March 2021
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NOBELIUM_DomainIOCsMarch2021.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_DomainIOCsMarch2021.yaml'
|
||||||
version: 1.4.2
|
version: 1.4.3
|
|
@ -1,5 +1,5 @@
|
||||||
id: 18119187-a22f-4042-8941-ffcaf62b730f
|
id: 18119187-a22f-4042-8941-ffcaf62b730f
|
||||||
name: NOBELIUM IOCs related to FoggyWeb backdoor
|
name: Midnight Blizzard IOCs related to FoggyWeb backdoor
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/Nobelium_FoggyWeb.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_FoggyWeb.yaml'
|
||||||
version: 2.1.3
|
version: 2.1.4
|
|
@ -1,5 +1,5 @@
|
||||||
id: 173be96f-c41a-4f83-a8c0-0bd2609cda14
|
id: 173be96f-c41a-4f83-a8c0-0bd2609cda14
|
||||||
name: NOBELIUM - Domain, Hash and IP IOCs - May 2021
|
name: Midnight Blizzard - Domain, Hash and IP IOCs - May 2021
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NOBELIUM_IOCsMay2021.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_IOCsMay2021.yaml'
|
||||||
version: 1.6.2
|
version: 1.6.3
|
|
@ -1,5 +1,5 @@
|
||||||
id: 286559b0-d88d-4c9f-bbc4-3b4a57485e5d
|
id: 286559b0-d88d-4c9f-bbc4-3b4a57485e5d
|
||||||
name: Known NICKEL domains and hashes
|
name: Known Nylon Typhoon domains and hashes
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NICKELIOCsNov2021.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NylonTyphoonIOCsNov2021.yaml'
|
||||||
version: 1.3.2
|
version: 1.3.3
|
|
@ -1,5 +1,5 @@
|
||||||
id: a514564b-b010-4c0b-bd71-20e0ce814c66
|
id: a514564b-b010-4c0b-bd71-20e0ce814c66
|
||||||
name: Known POLONIUM IP
|
name: Known Plaid Rain IP
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/POLONIUMIPIoC.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/PlaidRainIPIoC.yaml'
|
||||||
version: 1.1.1
|
version: 1.1.2
|
|
@ -1,5 +1,5 @@
|
||||||
id: 50bf97ef-43f9-470a-a3cd-de15a9204050
|
id: 50bf97ef-43f9-470a-a3cd-de15a9204050
|
||||||
name: Known CERIUM domains and hashes
|
name: Known Ruby Sleet domains and hashes
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CERIUMOct292020IOCs.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/RubySleetOct292020IOCs.yaml'
|
||||||
version: 1.3.1
|
version: 1.3.2
|
|
@ -1,5 +1,5 @@
|
||||||
id: d9fabf56-2688-454e-a2f3-d0a28c6ff0b8
|
id: d9fabf56-2688-454e-a2f3-d0a28c6ff0b8
|
||||||
name: Known IRIDIUM IP
|
name: Known Seashell Blizzard IP
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/IridiumIOCs.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SeashellBlizzardIOCs.yaml'
|
||||||
version: 1.5.1
|
version: 1.5.2
|
|
@ -1,5 +1,5 @@
|
||||||
id: dd7201f2-8e9b-4f9d-ba2a-1e97a785caa7
|
id: dd7201f2-8e9b-4f9d-ba2a-1e97a785caa7
|
||||||
name: HAFNIUM UM Service writing suspicious file
|
name: Silk Typhoon UM Service writing suspicious file
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/HAFNIUMUmServiceSuspiciousFile.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SilkTyphoonUmServiceSuspiciousFile.yaml'
|
||||||
version: 1.2.3
|
version: 1.2.4
|
|
@ -1,7 +1,7 @@
|
||||||
id: 2149d9bb-8298-444c-8f99-f7bf0274dd05
|
id: 2149d9bb-8298-444c-8f99-f7bf0274dd05
|
||||||
name: SEABORGIUM C2 Domains August 2022
|
name: Star Blizzard C2 Domains August 2022
|
||||||
description: |
|
description: |
|
||||||
'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as SEABORGIUM.'
|
'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.'
|
||||||
severity: High
|
severity: High
|
||||||
requiredDataConnectors:
|
requiredDataConnectors:
|
||||||
- connectorId: AzureMonitor(VMInsights)
|
- connectorId: AzureMonitor(VMInsights)
|
||||||
|
@ -30,7 +30,7 @@ tactics:
|
||||||
relevantTechniques:
|
relevantTechniques:
|
||||||
- T1566
|
- T1566
|
||||||
tags:
|
tags:
|
||||||
- SEABORGIUM
|
- Star Blizzard
|
||||||
- Schema: ASIMDns
|
- Schema: ASIMDns
|
||||||
SchemaVersion: 0.1.1
|
SchemaVersion: 0.1.1
|
||||||
query: |
|
query: |
|
||||||
|
@ -91,7 +91,7 @@ entityMappings:
|
||||||
fieldMappings:
|
fieldMappings:
|
||||||
- identifier: Address
|
- identifier: Address
|
||||||
columnName: IPCustomEntity
|
columnName: IPCustomEntity
|
||||||
version: 1.0.1
|
version: 1.0.2
|
||||||
kind: Scheduled
|
kind: Scheduled
|
||||||
metadata:
|
metadata:
|
||||||
source:
|
source:
|
|
@ -1,7 +1,7 @@
|
||||||
id: ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1
|
id: ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1
|
||||||
name: Identify MERCURY powershell commands
|
name: Identify Mango Sandstorm powershell commands
|
||||||
description: |
|
description: |
|
||||||
'The query below identifies powershell commands used by the threat actor Mercury.
|
'The query below identifies powershell commands used by the threat actor Mango Sandstorm.
|
||||||
Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/'
|
Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/'
|
||||||
severity: High
|
severity: High
|
||||||
requiredDataConnectors:
|
requiredDataConnectors:
|
||||||
|
@ -20,7 +20,7 @@ tactics:
|
||||||
relevantTechniques:
|
relevantTechniques:
|
||||||
- T1570
|
- T1570
|
||||||
tags:
|
tags:
|
||||||
- Mercury
|
- Mango Sandstorm
|
||||||
- Schema: ASIMFileEvent
|
- Schema: ASIMFileEvent
|
||||||
SchemaVersion: 0.1.0
|
SchemaVersion: 0.1.0
|
||||||
query: |
|
query: |
|
||||||
|
@ -55,7 +55,7 @@ entityMappings:
|
||||||
fieldMappings:
|
fieldMappings:
|
||||||
- identifier: ProcessId
|
- identifier: ProcessId
|
||||||
columnName: ProcessCustomEntity
|
columnName: ProcessCustomEntity
|
||||||
version: 1.0.1
|
version: 1.0.2
|
||||||
kind: Scheduled
|
kind: Scheduled
|
||||||
metadata:
|
metadata:
|
||||||
source:
|
source:
|
|
@ -1,5 +1,5 @@
|
||||||
id: ad6882a8-7749-471e-b7d6-6c7e42a8eca3
|
id: ad6882a8-7749-471e-b7d6-6c7e42a8eca3
|
||||||
name: Possible STRONTIUM attempted credential harvesting - Sept 2020
|
name: Possible Forest Blizzard attempted credential harvesting - Sept 2020
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365/Analytic%20Rules/StrontiumCredHarvesting.yaml'
|
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365/Analytic%20Rules/ForestBlizzardCredHarvesting.yaml'
|
||||||
version: 1.0.1
|
version: 1.0.2
|
|
@ -1,4 +1,5 @@
|
||||||
id: 96c8f92e-a617-4158-94ea-dea51557b40e
|
id: 96c8f92e-a617-4158-94ea-dea51557b40e
|
||||||
name: ACTINIUM AV hits - Feb 2022
|
name: Aqua Blizzard AV hits - Feb 2022
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftDefenderForEndpoint/Analytic%20Rules/ActiniumAVHits.yaml'
|
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftDefenderForEndpoint/Analytic%20Rules/AquaBlizzardAVHits.yaml'
|
||||||
|
version: 1.1.4
|
|
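Review bot: this hunk is -1,4 +1,5, so the "version: 1.1.4" line is new rather than a bump of an existing value; confirm 1.1.4 is the intended starting point for a stub that previously had no version field. The description wording "moved to new location. You can find here:" also differs from the other stubs ("moved to a new location. You can find it here"); aligning it is a one-line fix while the file is open.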
@ -1,5 +1,5 @@
|
||||||
id: d82e1987-4356-4a7b-bc5e-064f29b143c0
|
id: d82e1987-4356-4a7b-bc5e-064f29b143c0
|
||||||
name: NOBELIUM - suspicious rundll32.exe execution of vbscript
|
name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript
|
||||||
description: |
|
description: |
|
||||||
'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
|
'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
|
||||||
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
|
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
|
||||||
|
@ -26,7 +26,7 @@ tactics:
|
||||||
relevantTechniques:
|
relevantTechniques:
|
||||||
- T1547
|
- T1547
|
||||||
tags:
|
tags:
|
||||||
- NOBELIUM
|
- Midnight Blizzard
|
||||||
query: |
|
query: |
|
||||||
(union isfuzzy=true
|
(union isfuzzy=true
|
||||||
(SecurityEvent
|
(SecurityEvent
|
||||||
|
@ -58,7 +58,7 @@ entityMappings:
|
||||||
fieldMappings:
|
fieldMappings:
|
||||||
- identifier: FullName
|
- identifier: FullName
|
||||||
columnName: HostCustomEntity
|
columnName: HostCustomEntity
|
||||||
version: 1.1.2
|
version: 1.1.3
|
||||||
kind: Scheduled
|
kind: Scheduled
|
||||||
metadata:
|
metadata:
|
||||||
source:
|
source:
|
|
@ -1,5 +1,5 @@
|
||||||
id: 00cb180c-08a8-4e55-a276-63fb1442d5b5
|
id: 00cb180c-08a8-4e55-a276-63fb1442d5b5
|
||||||
name: NOBELIUM - Script payload stored in Registry
|
name: Midnight Blizzard - Script payload stored in Registry
|
||||||
description: |
|
description: |
|
||||||
'This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script
|
'This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script
|
||||||
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
|
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
|
||||||
|
@ -26,7 +26,7 @@ tactics:
|
||||||
relevantTechniques:
|
relevantTechniques:
|
||||||
- T1059
|
- T1059
|
||||||
tags:
|
tags:
|
||||||
- NOBELIUM
|
- Midnight Blizzard
|
||||||
query: |
|
query: |
|
||||||
let cmdTokens0 = dynamic(['vbscript','jscript']);
|
let cmdTokens0 = dynamic(['vbscript','jscript']);
|
||||||
let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
|
let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
|
||||||
|
@ -70,7 +70,7 @@ entityMappings:
|
||||||
fieldMappings:
|
fieldMappings:
|
||||||
- identifier: FullName
|
- identifier: FullName
|
||||||
columnName: HostCustomEntity
|
columnName: HostCustomEntity
|
||||||
version: 1.1.2
|
version: 1.1.3
|
||||||
kind: Scheduled
|
kind: Scheduled
|
||||||
metadata:
|
metadata:
|
||||||
source:
|
source:
|
|
@ -1,5 +1,5 @@
|
||||||
id: 95a15f39-d9cc-4667-8cdd-58f3113691c9
|
id: 95a15f39-d9cc-4667-8cdd-58f3113691c9
|
||||||
name: HAFNIUM New UM Service Child Process
|
name: Silk Typhoon New UM Service Child Process
|
||||||
description: |
|
description: |
|
||||||
'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before.
|
'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before.
|
||||||
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
|
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
|
||||||
|
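Review bot: the description "where that process has not previously been observed before" says the same thing twice; "that has not been observed before" reads cleaner, and the rename is a good moment to tidy it.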
@ -72,7 +72,7 @@ entityMappings:
|
||||||
fieldMappings:
|
fieldMappings:
|
||||||
- identifier: Address
|
- identifier: Address
|
||||||
columnName: IPCustomEntity
|
columnName: IPCustomEntity
|
||||||
version: 1.1.2
|
version: 1.1.3
|
||||||
kind: Scheduled
|
kind: Scheduled
|
||||||
metadata:
|
metadata:
|
||||||
source:
|
source:
|
|
@ -1,5 +1,5 @@
|
||||||
id: 0625fcce-6d52-491e-8c68-1d9b801d25b9
|
id: 0625fcce-6d52-491e-8c68-1d9b801d25b9
|
||||||
name: HAFNIUM Suspicious UM Service Error
|
name: Silk Typhoon Suspicious UM Service Error
|
||||||
description: |
|
description: |
|
||||||
'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service.
|
'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service.
|
||||||
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
|
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
|
||||||
|
@ -26,7 +26,7 @@ entityMappings:
|
||||||
fieldMappings:
|
fieldMappings:
|
||||||
- identifier: FullName
|
- identifier: FullName
|
||||||
columnName: HostCustomEntity
|
columnName: HostCustomEntity
|
||||||
version: 1.0.1
|
version: 1.0.2
|
||||||
kind: Scheduled
|
kind: Scheduled
|
||||||
metadata:
|
metadata:
|
||||||
source:
|
source:
|
|
@ -1,7 +1,7 @@
|
||||||
id: 23005e87-2d3a-482b-b03d-edbebd1ae151
|
id: 23005e87-2d3a-482b-b03d-edbebd1ae151
|
||||||
name: HAFNIUM Suspicious Exchange Request
|
name: Silk Typhoon Suspicious Exchange Request
|
||||||
description: |
|
description: |
|
||||||
'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.
|
'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors.
|
||||||
The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.
|
The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.
|
||||||
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
|
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
|
||||||
severity: Medium
|
severity: Medium
|
||||||
|
@ -42,7 +42,7 @@ entityMappings:
|
||||||
fieldMappings:
|
fieldMappings:
|
||||||
- identifier: Address
|
- identifier: Address
|
||||||
columnName: IPCustomEntity
|
columnName: IPCustomEntity
|
||||||
version: 1.0.1
|
version: 1.0.2
|
||||||
kind: Scheduled
|
kind: Scheduled
|
||||||
metadata:
|
metadata:
|
||||||
source:
|
source:
|
|
@ -1,5 +1,5 @@
|
||||||
id: 5c798a48-df20-4cc0-8b56-1e0878be29b0
|
id: 5c798a48-df20-4cc0-8b56-1e0878be29b0
|
||||||
name: SOURGUM Actor IOC - July 2021
|
name: Caramel Tsunami Actor IOC - July 2021
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Forwarded%20Events/Analytic%20Rules/SOURGUM_IOC_WindowsEvent.yaml'
|
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Forwarded%20Events/Analytic%20Rules/CaramelTsunami_IOC_WindowsEvent.yaml'
|
||||||
version: 1.0.2
|
version: 1.0.3
|
|
@ -1,5 +1,5 @@
|
||||||
id: 03e04c97-8cae-48b3-9d2f-4ab262e4ffff
|
id: 03e04c97-8cae-48b3-9d2f-4ab262e4ffff
|
||||||
name: HAFNIUM Suspicious File Downloads.
|
name: Silk Typhoon Suspicious File Downloads.
|
||||||
description: |
|
description: |
|
||||||
'This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query.
|
'This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query.
|
||||||
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
|
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
|
||||||
|
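Review bot: the new name "Silk Typhoon Suspicious File Downloads." keeps a trailing period that no other rule name in this patch has; drop it. In the same description, "Exchange HttpProxy AOBGeneratorLog" looks like a transposition of OABGeneratorLog (the Offline Address Book generator log), which is what the table name http_proxy_oab_CL on the same line refers to; correcting it lets the onboarding instruction be followed literally.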
@ -28,7 +28,7 @@ entityMappings:
|
||||||
fieldMappings:
|
fieldMappings:
|
||||||
- identifier: FullName
|
- identifier: FullName
|
||||||
columnName: HostCustomEntity
|
columnName: HostCustomEntity
|
||||||
version: 1.0.1
|
version: 1.0.2
|
||||||
kind: Scheduled
|
kind: Scheduled
|
||||||
metadata:
|
metadata:
|
||||||
source:
|
source:
|
|
@ -1,7 +1,7 @@
|
||||||
id: 4b14590a-a1f0-4756-9f3d-baafa696e051
|
id: 4b14590a-a1f0-4756-9f3d-baafa696e051
|
||||||
name: SEABORGIUM-Domain IOCs
|
name: Star Blizzard-Domain IOCs
|
||||||
description: |
|
description: |
|
||||||
'This query identifies matches based on domain IOCs related to SEABORGIUM against Microsoft Defender for Endpoint device network connections'
|
'This query identifies matches based on domain IOCs related to Star Blizzard against Microsoft Defender for Endpoint device network connections'
|
||||||
severity: High
|
severity: High
|
||||||
requiredDataConnectors:
|
requiredDataConnectors:
|
||||||
- connectorId: MicrosoftThreatProtection
|
- connectorId: MicrosoftThreatProtection
|
|
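Review bot: the new name "Star Blizzard-Domain IOCs" has no spaces around the hyphen, unlike the other renamed rules ("Midnight Blizzard - Domain and IP IOCs - March 2021", "Star Blizzard C2 Domains August 2022"); use "Star Blizzard - Domain IOCs" so the names read and sort consistently.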
@ -1,4 +1,4 @@
|
||||||
id: 68f31c3e-2d0c-4984-9700-2fc0b9feed7b
|
id: 68f31c3e-2d0c-4984-9700-2fc0b9feed7b
|
||||||
name: Retrospective hunt for STRONTIUM IP IOCs
|
name: Retrospective hunt for Forest Blizzard IP IOCs
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/STRONTIUM_IOC_RetroHunt.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/ForestBlizzard_IOC_RetroHunt.yaml'
|
|
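Review bot: this hunting-query stub covers the whole four-line file (-1,4 +1,4) and carries no version field, while every analytic-rule stub in this patch bumps one and the Aqua Blizzard AV hits stub gains one. If hunting-query templates are expected to be versioned, add a version here and in the two Nylon Typhoon stubs that follow; if not, this is fine as is.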
@ -1,4 +1,4 @@
|
||||||
id: b05a2ccb-b683-4462-9a87-d878c36e3c28
|
id: b05a2ccb-b683-4462-9a87-d878c36e3c28
|
||||||
name: NICKEL Command Line Activity November 2021
|
name: Nylon Typhoon Command Line Activity November 2021
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NICKELCommandLineActivity-Nov2021.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NylonTyphoonCommandLineActivity-Nov2021.yaml'
|
|
@ -1,4 +1,4 @@
|
||||||
id: 0516dd04-5944-4ff0-b61f-d80666e433e4
|
id: 0516dd04-5944-4ff0-b61f-d80666e433e4
|
||||||
name: Known NICKEL Registry modifications patterns
|
name: Known Nylon Typhoon Registry modifications patterns
|
||||||
description: |
|
description: |
|
||||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NickelRegIOCPatterns.yaml'
|
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NylonTyphoonRegIOCPatterns.yaml'
|