This commit is contained in:
v-vdixit 2023-05-08 18:52:09 +05:30 committed by GitHub
Parent 30bdd35e39
Commit 3fab76c6ad
No key matching this signature was found
GPG key ID: 4AEE18F83AFDEB23
37 files changed: 108 additions and 107 deletions

View file

@ -1,5 +1,5 @@
id: bdf04f58-242b-4729-b376-577c4bdf5d3a id: bdf04f58-242b-4729-b376-577c4bdf5d3a
name: NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events) name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
description: | description: |
'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands 'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
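Review bot: the description line in this hunk keeps the typo "idenifies" on both the old and the new side; since the line is being rewritten anyway, correct it to "identifies". Also, because the new display name drops the NOBELIUM label entirely while the linked reference URL still says nobelium, consider keeping the legacy name in the description (e.g. "Midnight Blizzard (formerly NOBELIUM)") so that existing runbooks, saved searches and incident notes that use the old name still match this rule.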
@ -19,7 +19,7 @@ tags:
version: 1.0.0 version: 1.0.0
- Schema: ASIMProcessEvent - Schema: ASIMProcessEvent
SchemaVersion: 0.1.0 SchemaVersion: 0.1.0
- NOBELIUM - Midnight Blizzard
query: | query: |
imProcessCreate imProcessCreate
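Review bot: the tags entry is switched from NOBELIUM to Midnight Blizzard with no transition. Tags are a common filter key for workbooks, automation rules and hunting bookmarks, so either keep the old tag next to the new one for a release or confirm that nothing in the solution filters on the old value; the same applies to the other tag renames in this commit (Star Blizzard, Mango Sandstorm and the two further Midnight Blizzard rules).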
@ -36,5 +36,5 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: FullName - identifier: FullName
columnName: HostCustomEntity columnName: HostCustomEntity
version: 1.1.1 version: 1.1.2
kind: Scheduled kind: Scheduled

View file

@ -1,5 +1,5 @@
id: 38f9d721-70a9-4570-9aff-1471eae7c844 id: 38f9d721-70a9-4570-9aff-1471eae7c844
name: ACTINIUM Actor IOCs - Feb 2022 name: Aqua Blizzard Actor IOCs - Feb 2022
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ActiniumFeb2022.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/AquaBlizzardFeb2022.yaml'
version: 1.1.2 version: 1.1.3
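Review bot: the migration pointer URL now ends in AquaBlizzardFeb2022.yaml instead of ActiniumFeb2022.yaml, i.e. it assumes the target file under Solutions/Legacy IOC based Threat Protection/Analytic Rules was renamed as well. This view only shows the pointer files, so verify that the renamed targets exist in the same commit (the same check applies to every pointer file below whose URL filename changes); otherwise the link in the rule description is dead after merge.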

View file

@ -1,5 +1,5 @@
id: d0edc52e-2f0a-4183-b5fb-9a73b3cd0393 id: d0edc52e-2f0a-4183-b5fb-9a73b3cd0393
name: DEV-0586 Actor IOC - January 2022 name: Cadet Blizzard Actor IOC - January 2022
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/Dev-0586_Jan2022_IOC.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CadetBlizzard_Jan2022_IOC.yaml'
version: 1.0.3 version: 1.0.4

View file

@ -1,5 +1,5 @@
id: 2b68903a-cb95-4e31-a2db-4a0a15803761 id: 2b68903a-cb95-4e31-a2db-4a0a15803761
name: SOURGUM Actor IOC - July 2021 name: Caramel Tsunami Actor IOC - July 2021
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SOURGUM_IOC.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CaramelTsunami_IOC.yaml'
version: 1.2.1 version: 1.2.2

View file

@ -1,5 +1,5 @@
id: 69fe6e85-8867-4872-a707-f589d3554375 id: 69fe6e85-8867-4872-a707-f589d3554375
name: KNOTWEED AV Detection name: Denim Tsunami AV Detection
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KNOTWEEDAVDetection.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiAVDetection.yaml'
version: 1.0.1 version: 1.0.2

View file

@ -1,5 +1,5 @@
id: 357ce603-e6ac-4afe-a2d8-b3dd8ab1d6e8 id: 357ce603-e6ac-4afe-a2d8-b3dd8ab1d6e8
name: KNOTWEED C2 Domains July 2022 name: Denim Tsunami C2 Domains July 2022
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KNOTWEEDC2DomainsJuly2022.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiC2DomainsJuly2022.yaml'
version: 1.0.1 version: 1.0.2

View file

@ -1,5 +1,5 @@
id: 24e91fb1-01e5-47d0-845d-75d74e9b8a61 id: 24e91fb1-01e5-47d0-845d-75d74e9b8a61
name: KNOTWEED File Hashes July 2022 name: Denim Tsunami File Hashes July 2022
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KNOTWEEDFileHashesJuly2022.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiFileHashesJuly2022.yaml'
version: 1.0.1 version: 1.0.2

View file

@ -1,5 +1,5 @@
id: 17184571-f7cd-42fb-a6a5-3478f09f5fa0 id: 17184571-f7cd-42fb-a6a5-3478f09f5fa0
name: Known ZINC Comebacker and Klackring malware hashes name: Known Diamond Sleet Comebacker and Klackring malware hashes
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ZincJan272021IOCs.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DiamondSleetJan272021IOCs.yaml'
version: 1.7.1 version: 1.7.2

View file

@ -1,5 +1,5 @@
id: ba2433b7-da6b-4faa-bdf1-1eae065ef7e9 id: ba2433b7-da6b-4faa-bdf1-1eae065ef7e9
name: Known ZINC related maldoc hash name: Known Diamond Sleet related maldoc hash
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ZincOct292020IOCs.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DiamondSleetOct292020IOCs.yaml'
version: 1.0.2 version: 1.0.3

View file

@ -1,5 +1,5 @@
id: 993b32e3-f097-4fcb-b555-3078a4af63be id: 993b32e3-f097-4fcb-b555-3078a4af63be
name: THALLIUM domains included in DCU takedown name: Emerald Sleet domains included in DCU takedown
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ThalliumIOCs.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/EmeraldSleetIOCs.yaml'
version: 1.5.1 version: 1.5.2

View file

@ -1,7 +1,7 @@
id: 074ce265-f684-41cd-af07-613c5f3e6d0d id: 074ce265-f684-41cd-af07-613c5f3e6d0d
name: Known STRONTIUM group domains - July 2019 name: Known Forest Blizzard group domains - July 2019
description: | description: |
'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. 'Matches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.
References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.'
severity: High severity: High
tags: tags:
@ -116,7 +116,7 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: Address - identifier: Address
columnName: IPCustomEntity columnName: IPCustomEntity
version: 1.5.1 version: 1.5.2
kind: Scheduled kind: Scheduled
metadata: metadata:
source: source:

View file

@ -1,5 +1,5 @@
id: 9fc7eaad-3cff-4ed0-837a-868ceb3e0886 id: 9fc7eaad-3cff-4ed0-837a-868ceb3e0886
name: Possible STRONTIUM attempted credential harvesting - Oct 2020 name: Possible Forest Blizzard attempted credential harvesting - Oct 2020
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/STRONTIUMOct292020IOCs.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ForestBlizzardOct292020IOCs.yaml'
version: 1.0.1 version: 1.0.2

View file

@ -1,5 +1,5 @@
id: 00f44734-35a9-4103-b6b9-fd7752e70385 id: 00f44734-35a9-4103-b6b9-fd7752e70385
name: Known GALLIUM domains and hashes name: Known Granite Typhoon domains and hashes
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GraniteTyphoonIOCs.yaml'
version: 1.6.1 version: 1.6.2

View file

@ -1,5 +1,5 @@
id: 1bcfc5db-042d-4009-9989-45c3abd61352 id: 1bcfc5db-042d-4009-9989-45c3abd61352
name: Known PHOSPHORUS group domains/IP - October 2020 name: Known Mint Sandstorm group domains/IP - October 2020
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KnownPHOSPHORUSDomainsIP-October2020.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KnownMintSandstormDomainsIP-October2020.yaml'
version: 1.1.1 version: 1.1.2

View file

@ -1,5 +1,5 @@
id: 943923cb-1b6d-4a44-aeee-b0cf393748b3 id: 943923cb-1b6d-4a44-aeee-b0cf393748b3
name: NOBELIUM - Domain and IP IOCs - March 2021 name: Midnight Blizzard - Domain and IP IOCs - March 2021
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NOBELIUM_DomainIOCsMarch2021.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_DomainIOCsMarch2021.yaml'
version: 1.4.2 version: 1.4.3

View file

@ -1,5 +1,5 @@
id: 18119187-a22f-4042-8941-ffcaf62b730f id: 18119187-a22f-4042-8941-ffcaf62b730f
name: NOBELIUM IOCs related to FoggyWeb backdoor name: Midnight Blizzard IOCs related to FoggyWeb backdoor
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/Nobelium_FoggyWeb.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_FoggyWeb.yaml'
version: 2.1.3 version: 2.1.4

View file

@ -1,5 +1,5 @@
id: 173be96f-c41a-4f83-a8c0-0bd2609cda14 id: 173be96f-c41a-4f83-a8c0-0bd2609cda14
name: NOBELIUM - Domain, Hash and IP IOCs - May 2021 name: Midnight Blizzard - Domain, Hash and IP IOCs - May 2021
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NOBELIUM_IOCsMay2021.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_IOCsMay2021.yaml'
version: 1.6.2 version: 1.6.3

View file

@ -1,5 +1,5 @@
id: 286559b0-d88d-4c9f-bbc4-3b4a57485e5d id: 286559b0-d88d-4c9f-bbc4-3b4a57485e5d
name: Known NICKEL domains and hashes name: Known Nylon Typhoon domains and hashes
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NICKELIOCsNov2021.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NylonTyphoonIOCsNov2021.yaml'
version: 1.3.2 version: 1.3.3

View file

@ -1,5 +1,5 @@
id: a514564b-b010-4c0b-bd71-20e0ce814c66 id: a514564b-b010-4c0b-bd71-20e0ce814c66
name: Known POLONIUM IP name: Known Plaid Rain IP
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/POLONIUMIPIoC.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/PlaidRainIPIoC.yaml'
version: 1.1.1 version: 1.1.2

View file

@ -1,5 +1,5 @@
id: 50bf97ef-43f9-470a-a3cd-de15a9204050 id: 50bf97ef-43f9-470a-a3cd-de15a9204050
name: Known CERIUM domains and hashes name: Known Ruby Sleet domains and hashes
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CERIUMOct292020IOCs.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/RubySleetOct292020IOCs.yaml'
version: 1.3.1 version: 1.3.2

View file

@ -1,5 +1,5 @@
id: d9fabf56-2688-454e-a2f3-d0a28c6ff0b8 id: d9fabf56-2688-454e-a2f3-d0a28c6ff0b8
name: Known IRIDIUM IP name: Known Seashell Blizzard IP
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/IridiumIOCs.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SeashellBlizzardIOCs.yaml'
version: 1.5.1 version: 1.5.2

View file

@ -1,5 +1,5 @@
id: dd7201f2-8e9b-4f9d-ba2a-1e97a785caa7 id: dd7201f2-8e9b-4f9d-ba2a-1e97a785caa7
name: HAFNIUM UM Service writing suspicious file name: Silk Typhoon UM Service writing suspicious file
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/HAFNIUMUmServiceSuspiciousFile.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SilkTyphoonUmServiceSuspiciousFile.yaml'
version: 1.2.3 version: 1.2.4

View file

@ -1,7 +1,7 @@
id: 2149d9bb-8298-444c-8f99-f7bf0274dd05 id: 2149d9bb-8298-444c-8f99-f7bf0274dd05
name: SEABORGIUM C2 Domains August 2022 name: Star Blizzard C2 Domains August 2022
description: | description: |
'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as SEABORGIUM.' 'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.'
severity: High severity: High
requiredDataConnectors: requiredDataConnectors:
- connectorId: AzureMonitor(VMInsights) - connectorId: AzureMonitor(VMInsights)
@ -30,7 +30,7 @@ tactics:
relevantTechniques: relevantTechniques:
- T1566 - T1566
tags: tags:
- SEABORGIUM - Star Blizzard
- Schema: ASIMDns - Schema: ASIMDns
SchemaVersion: 0.1.1 SchemaVersion: 0.1.1
query: | query: |
@ -91,7 +91,7 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: Address - identifier: Address
columnName: IPCustomEntity columnName: IPCustomEntity
version: 1.0.1 version: 1.0.2
kind: Scheduled kind: Scheduled
metadata: metadata:
source: source:

View file

@ -1,7 +1,7 @@
id: ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1 id: ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1
name: Identify MERCURY powershell commands name: Identify Mango Sandstorm powershell commands
description: | description: |
'The query below identifies powershell commands used by the threat actor Mercury. 'The query below identifies powershell commands used by the threat actor Mango Sandstorm.
Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/' Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/'
severity: High severity: High
requiredDataConnectors: requiredDataConnectors:
@ -20,7 +20,7 @@ tactics:
relevantTechniques: relevantTechniques:
- T1570 - T1570
tags: tags:
- Mercury - Mango Sandstorm
- Schema: ASIMFileEvent - Schema: ASIMFileEvent
SchemaVersion: 0.1.0 SchemaVersion: 0.1.0
query: | query: |
@ -55,7 +55,7 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: ProcessId - identifier: ProcessId
columnName: ProcessCustomEntity columnName: ProcessCustomEntity
version: 1.0.1 version: 1.0.2
kind: Scheduled kind: Scheduled
metadata: metadata:
source: source:

View file

@ -1,5 +1,5 @@
id: ad6882a8-7749-471e-b7d6-6c7e42a8eca3 id: ad6882a8-7749-471e-b7d6-6c7e42a8eca3
name: Possible STRONTIUM attempted credential harvesting - Sept 2020 name: Possible Forest Blizzard attempted credential harvesting - Sept 2020
description: | description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365/Analytic%20Rules/StrontiumCredHarvesting.yaml' 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365/Analytic%20Rules/ForestBlizzardCredHarvesting.yaml'
version: 1.0.1 version: 1.0.2
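Review bot: the pointer sentence on the description line ("moved to new location. you can find here:") differs from the wording used by the other pointer files in this commit ("moved to a new location. You can find it here"); since the line is being changed anyway, align it, and do the same for the Aqua Blizzard AV hits and Caramel Tsunami Windows Event pointers below, which carry the same variant.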

View file

@ -1,4 +1,5 @@
id: 96c8f92e-a617-4158-94ea-dea51557b40e id: 96c8f92e-a617-4158-94ea-dea51557b40e
name: ACTINIUM AV hits - Feb 2022 name: Aqua Blizzard AV hits - Feb 2022
description: | description: |
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftDefenderForEndpoint/Analytic%20Rules/ActiniumAVHits.yaml' 'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftDefenderForEndpoint/Analytic%20Rules/AquaBlizzardAVHits.yaml'
version: 1.1.4
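Review bot: this hunk grows the file from 4 to 5 lines by adding "version: 1.1.4" where no version field existed before, whereas every other analytic rule in the commit bumps an existing patch version by one. Confirm that 1.1.4 is the intended starting value (it implies a 1.1.3 that this file never declared) and that a version is wanted on this pointer at all, given that the hunting-query pointers at the end of the commit carry none.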

View file

@ -1,5 +1,5 @@
id: d82e1987-4356-4a7b-bc5e-064f29b143c0 id: d82e1987-4356-4a7b-bc5e-064f29b143c0
name: NOBELIUM - suspicious rundll32.exe execution of vbscript name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript
description: | description: |
'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands 'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
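Review bot: second occurrence of the "idenifies" typo in a description line that this hunk already rewrites; fix it to "identifies" here as well.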
@ -26,7 +26,7 @@ tactics:
relevantTechniques: relevantTechniques:
- T1547 - T1547
tags: tags:
- NOBELIUM - Midnight Blizzard
query: | query: |
(union isfuzzy=true (union isfuzzy=true
(SecurityEvent (SecurityEvent
@ -58,7 +58,7 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: FullName - identifier: FullName
columnName: HostCustomEntity columnName: HostCustomEntity
version: 1.1.2 version: 1.1.3
kind: Scheduled kind: Scheduled
metadata: metadata:
source: source:

View file

@ -1,5 +1,5 @@
id: 00cb180c-08a8-4e55-a276-63fb1442d5b5 id: 00cb180c-08a8-4e55-a276-63fb1442d5b5
name: NOBELIUM - Script payload stored in Registry name: Midnight Blizzard - Script payload stored in Registry
description: | description: |
'This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script 'This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
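Review bot: the description line rewritten here still reads "idenifies" and "to allow for later execution a malicious script"; suggest "identifies" and "to allow for later execution of a malicious script" while the line is being touched.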
@ -26,7 +26,7 @@ tactics:
relevantTechniques: relevantTechniques:
- T1059 - T1059
tags: tags:
- NOBELIUM - Midnight Blizzard
query: | query: |
let cmdTokens0 = dynamic(['vbscript','jscript']); let cmdTokens0 = dynamic(['vbscript','jscript']);
let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']); let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
@ -70,7 +70,7 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: FullName - identifier: FullName
columnName: HostCustomEntity columnName: HostCustomEntity
version: 1.1.2 version: 1.1.3
kind: Scheduled kind: Scheduled
metadata: metadata:
source: source:

View file

@ -1,5 +1,5 @@
id: 95a15f39-d9cc-4667-8cdd-58f3113691c9 id: 95a15f39-d9cc-4667-8cdd-58f3113691c9
name: HAFNIUM New UM Service Child Process name: Silk Typhoon New UM Service Child Process
description: | description: |
'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. 'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before.
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
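Review bot: "where that process has not previously been observed before" on the description line says the same thing twice; drop either "previously" or "before" since the line is part of this change.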
@ -72,7 +72,7 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: Address - identifier: Address
columnName: IPCustomEntity columnName: IPCustomEntity
version: 1.1.2 version: 1.1.3
kind: Scheduled kind: Scheduled
metadata: metadata:
source: source:

View file

@ -1,5 +1,5 @@
id: 0625fcce-6d52-491e-8c68-1d9b801d25b9 id: 0625fcce-6d52-491e-8c68-1d9b801d25b9
name: HAFNIUM Suspicious UM Service Error name: Silk Typhoon Suspicious UM Service Error
description: | description: |
'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. 'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service.
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
@ -26,7 +26,7 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: FullName - identifier: FullName
columnName: HostCustomEntity columnName: HostCustomEntity
version: 1.0.1 version: 1.0.2
kind: Scheduled kind: Scheduled
metadata: metadata:
source: source:

View file

@ -1,7 +1,7 @@
id: 23005e87-2d3a-482b-b03d-edbebd1ae151 id: 23005e87-2d3a-482b-b03d-edbebd1ae151
name: HAFNIUM Suspicious Exchange Request name: Silk Typhoon Suspicious Exchange Request
description: | description: |
'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors. 'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors.
The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers. The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
severity: Medium severity: Medium
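Review bot: the unchanged second description line still says "on-premise hosted Exchange servers"; the usual form is "on-premises", and it is worth fixing in the same change since the surrounding description block is being rewritten.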
@ -42,7 +42,7 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: Address - identifier: Address
columnName: IPCustomEntity columnName: IPCustomEntity
version: 1.0.1 version: 1.0.2
kind: Scheduled kind: Scheduled
metadata: metadata:
source: source:

View file

@ -1,5 +1,5 @@
id: 5c798a48-df20-4cc0-8b56-1e0878be29b0 id: 5c798a48-df20-4cc0-8b56-1e0878be29b0
name: SOURGUM Actor IOC - July 2021 name: Caramel Tsunami Actor IOC - July 2021
description: | description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Forwarded%20Events/Analytic%20Rules/SOURGUM_IOC_WindowsEvent.yaml' 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Forwarded%20Events/Analytic%20Rules/CaramelTsunami_IOC_WindowsEvent.yaml'
version: 1.0.2 version: 1.0.3

View file

@ -1,5 +1,5 @@
id: 03e04c97-8cae-48b3-9d2f-4ab262e4ffff id: 03e04c97-8cae-48b3-9d2f-4ab262e4ffff
name: HAFNIUM Suspicious File Downloads. name: Silk Typhoon Suspicious File Downloads.
description: | description: |
'This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. 'This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query.
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
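Review bot: on the description line, "Exchange HttpProxy AOBGeneratorLog" looks like a transposition of OABGeneratorLog (the Offline Address Book generator log), which is what the custom table name http_proxy_oab_CL on the same line refers to; onboarding instructions with the wrong log name will send analysts looking for a folder that does not exist. The renamed title also keeps a trailing period ("Silk Typhoon Suspicious File Downloads."), which no other rule name in this commit has.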
@ -28,7 +28,7 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: FullName - identifier: FullName
columnName: HostCustomEntity columnName: HostCustomEntity
version: 1.0.1 version: 1.0.2
kind: Scheduled kind: Scheduled
metadata: metadata:
source: source:

View file

@ -1,7 +1,7 @@
id: 4b14590a-a1f0-4756-9f3d-baafa696e051 id: 4b14590a-a1f0-4756-9f3d-baafa696e051
name: SEABORGIUM-Domain IOCs name: Star Blizzard-Domain IOCs
description: | description: |
'This query identifies matches based on domain IOCs related to SEABORGIUM against Microsoft Defender for Endpoint device network connections' 'This query identifies matches based on domain IOCs related to Star Blizzard against Microsoft Defender for Endpoint device network connections'
severity: High severity: High
requiredDataConnectors: requiredDataConnectors:
- connectorId: MicrosoftThreatProtection - connectorId: MicrosoftThreatProtection
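Review bot: the new name "Star Blizzard-Domain IOCs" keeps the unspaced hyphen from "SEABORGIUM-Domain IOCs"; the other renamed rules use " - " (e.g. "Midnight Blizzard - Domain and IP IOCs"), so "Star Blizzard - Domain IOCs" would be consistent. This is also the only analytic rule in the commit whose shown hunks include no version bump; confirm one exists further down in the file.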

View file

@ -1,4 +1,4 @@
id: 68f31c3e-2d0c-4984-9700-2fc0b9feed7b id: 68f31c3e-2d0c-4984-9700-2fc0b9feed7b
name: Retrospective hunt for STRONTIUM IP IOCs name: Retrospective hunt for Forest Blizzard IP IOCs
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/STRONTIUM_IOC_RetroHunt.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/ForestBlizzard_IOC_RetroHunt.yaml'
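Review bot: this hunting-query pointer (and the two Nylon Typhoon ones that follow) is renamed with no version field at all, unlike the analytic rule pointers above; if hunting queries in this repository are expected to carry a version, add one here for consistency, otherwise this is fine as is.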

View file

@ -1,4 +1,4 @@
id: b05a2ccb-b683-4462-9a87-d878c36e3c28 id: b05a2ccb-b683-4462-9a87-d878c36e3c28
name: NICKEL Command Line Activity November 2021 name: Nylon Typhoon Command Line Activity November 2021
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NICKELCommandLineActivity-Nov2021.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NylonTyphoonCommandLineActivity-Nov2021.yaml'

View file

@ -1,4 +1,4 @@
id: 0516dd04-5944-4ff0-b61f-d80666e433e4 id: 0516dd04-5944-4ff0-b61f-d80666e433e4
name: Known NICKEL Registry modifications patterns name: Known Nylon Typhoon Registry modifications patterns
description: | description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NickelRegIOCPatterns.yaml' 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NylonTyphoonRegIOCPatterns.yaml'