Merge pull request #3588 from Azure/ashwin/ti-blognov2021

TI blog related queries - Nov2021 and bugfixes 

The TI blog post is supposed to go out today. Hence, approving and manually merging these even though some of the validations are failing and have errors. A lot of these validations error is due to NPM authentication that the content acceleration team is working on to fix currently.

.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json

@@ -88,5 +88,35 @@
     "id": "87210ca1-49a4-4a7d-bb4a-4988752f978c",
     "templateName": "AzurePortalSigninfromanotherAzureTenant.yaml",
     "validationFailReason": "ipv4_lookup not recognized as a function."
+  },
+  {
+    "id": "9122a9cb-916b-4d98-a199-1b7b0af8d598",
+    "templateName": "NICKELIOCsNov2021.yaml",
+    "validationFailReason": "The name 'imDns' does not refer to any known function."
+  },
+  {
+    "id": "42436753-9944-4d70-801c-daaa4d19ddd2",
+    "templateName": "UnusualUAPowershell.yaml",
+    "validationFailReason": "The name 'imWebSession' does not refer to any known function"
+  },
+  {
+    "id": "8cbc3215-fa58-4bd6-aaaa-f0029c351730",
+    "templateName": "UnusualUACryptoMiners.yaml",
+    "validationFailReason": "The name 'imWebSession' does not refer to any known function"
+  },
+  {
+    "id": "09c49590-4e9d-4da9-a34d-17222d0c9e7e",
+    "templateName": "PotentiallyHarmfulFileTypes.yaml",
+    "validationFailReason": "The name 'imWebSession' does not refer to any known function"
+  },
+  {
+    "id": "4902eddb-34f7-44a8-ac94-8486366e9494",
+    "templateName": "ExcessiveDenyFromSource.yaml",
+    "validationFailReason": "The name 'imWebSession' does not refer to any known function"
+  },
+  {
+    "id": "3f0c20d5-6228-48ef-92f3-9ff7822c1954",
+    "templateName": "UnusualUAHackTool.yaml",
+    "validationFailReason": "The name 'imWebSession' does not refer to any known function"
   }
 ]

Detections/MultipleDataSources/GalliumIOCs.yaml

@@ -52,7 +52,7 @@ query: |
   | where DNSName has_any (DomainNames)
   | extend IPAddress = ClientIP
   ),
-  ( imDns (domain_has_any=DomainNames)
+  ( imDns(domain_has_any=DomainNames)
   | extend DNSName = DnsQuery
   | extend IPAddress = SrcIpAddr
   ),
@@ -74,7 +74,10 @@ query: |
   | extend Account = UserName
   ),
   (SecurityAlert
-  | where Entities has_any (SigNames)
+  | where ProductName == "Microsoft Defender Advanced Threat Protection"
+  | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
+  | where isnotempty(ThreatName)
+  | where ThreatName has_any (SigNames)
   | extend Computer = tostring(parse_json(Entities)[0].HostName)
   ),
   (AzureDiagnostics
@@ -109,5 +112,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.3.0
+version: 1.4.0
 kind: Scheduled

Detections/MultipleDataSources/NICKELIOCsNov2021.yaml

@@ -0,0 +1,217 @@
+id: 9122a9cb-916b-4d98-a199-1b7b0af8d598
+name: Known NICKEL domains and hashes
+description: |
+  'IOC domains and hash values for tools and malware used by NICKEL. 
+   Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.'
+severity: High
+tags:
+  - Schema: ASIMDns
+    SchemaVersion: 0.1.1
+requiredDataConnectors:
+  - connectorId: DNS
+    dataTypes:
+      - DnsEvents
+  - connectorId: AzureMonitor(VMInsights) 
+    dataTypes:
+      - VMConnection
+  - connectorId: CiscoASA
+    dataTypes:
+      - CommonSecurityLog
+  - connectorId: PaloAltoNetworks
+    dataTypes:
+      - CommonSecurityLog
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceFileEvents
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceNetworkEvents
+  - connectorId: SecurityEvents
+    dataTypes:
+      - SecurityEvent
+  - connectorId: AzureFirewall
+    dataTypes: 
+      - AzureDiagnostics
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CommandAndControl
+relevantTechniques:
+  - T1071
+query: |
+  let DomainNames = dynamic(["beesweiserdog.com", 
+                            "bluehostfit.com", 
+                            "business-toys.com", 
+                            "cleanskycloud.com", 
+                            "cumberbat.com", 
+                            "czreadsecurity.com", 
+                            "dgtresorgouv.com", 
+                            "dimediamikedask.com", 
+                            "diresitioscon.com", 
+                            "elcolectador.com", 
+                            "elperuanos.org", 
+                            "eprotectioneu.com", 
+                            "fheacor.com", 
+                            "followthewaterdata.com", 
+                            "francevrteepress.com", 
+                            "futtuhy.com", 
+                            "gardienweb.com", 
+                            "heimflugaustr.com", 
+                            "ivpsers.com", 
+                            "jkeducation.org", 
+                            "micrlmb.com", 
+                            "muthesck.com", 
+                            "netscalertech.com", 
+                            "newgoldbalmap.com", 
+                            "news-laestrella.com", 
+                            "noticialif.com", 
+                            "opentanzanfoundation.com", 
+                            "optonlinepress.com", 
+                            "palazzochigi.com", 
+                            "pandemicacre.com", 
+                            "papa-ser.com", 
+                            "pekematclouds.com", 
+                            "pipcake.com", 
+                            "popularservicenter.com", 
+                            "projectsyndic.com", 
+                            "qsadtv.com", 
+                            "sankreal.com", 
+                            "scielope.com", 
+                            "seoamdcopywriting.com", 
+                            "slidenshare.com", 
+                            "somoswake.com", 
+                            "squarespacenow.com", 
+                            "subapostilla.com", 
+                            "suzukicycles.net", 
+                            "tatanotakeeps.com", 
+                            "tijuanazxc.com", 
+                            "transactioninfo.net", 
+                            "eurolabspro.com", 
+                            "adelluminate.com", 
+                            "headhunterblue.com", 
+                            "primenuesty.com" 
+                            ]);
+  let SHA256Hashes = dynamic (["02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2", 
+                              "0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c", 
+                              "0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c", 
+                              "10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95", 
+                              "12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21", 
+                              "1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49", 
+                              "22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844", 
+                              "259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef", 
+                              "26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822", 
+                              "35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2", 
+                              "3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838", 
+                              "3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65", 
+                              "3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6", 
+                              "3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1", 
+                              "3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90", 
+                              "6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b", 
+                              "6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce", 
+                              "7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0", 
+                              "926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c", 
+                              "95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a", 
+                              "a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b", 
+                              "afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a", 
+                              "b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124", 
+                              "c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa", 
+                              "c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda", 
+                              "ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94", 
+                              "ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6", 
+                              "d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce", 
+                              "d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6", 
+                              "e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba"
+                              ]);
+  let SigNames = dynamic(["Backdoor:Win32/Leeson", "Trojan:Win32/Kechang", "Backdoor:Win32/Nightimp!dha", "Trojan:Win32/QuarkBandit.A!dha", "TrojanSpy:Win32/KeyLogger"]);
+  (union isfuzzy=true
+  (CommonSecurityLog 
+  | parse Message with * '(' DNSName ')' * 
+  | where isnotempty(FileHash)
+  | where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)
+  | extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
+  ),
+  (DnsEvents 
+  | extend DNSName = Name
+  | where isnotempty(DNSName)
+  | where DNSName has_any (DomainNames)
+  | extend IPAddress = ClientIP
+  ),
+  (imDns(domain_has_any = DomainNames)
+  | extend DNSName = DnsQuery
+  | extend IPAddress = SrcIpAddr
+  ),
+  (VMConnection 
+  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
+  | where isnotempty(DNSName)
+  | where DNSName in~ (DomainNames)
+  | extend IPAddress = RemoteIp
+  ),
+  (Event
+  //This query uses sysmon data depending on table name used this may need updataing
+  | where Source == "Microsoft-Windows-Sysmon"
+  | extend EvData = parse_xml(EventData)
+  | extend EventDetail = EvData.DataItem.EventData.Data
+  | extend Hashes = EventDetail.[16].["#text"]
+  | parse Hashes with * 'SHA256=' SHA256 ',' * 
+  | where isnotempty(Hashes)
+  | where Hashes in (SHA256Hashes) 
+  | extend Account = UserName
+  ),
+  (DeviceFileEvents
+  | where SHA256 in~ (SHA256Hashes)
+  | extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
+  | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
+  ),
+  (imFileEvent
+  | where TargetFileSHA256 in~ (SHA256Hashes)
+  | extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
+  | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
+  ),
+  (DeviceNetworkEvents
+  | where RemoteUrl in~ (DomainNames)
+  | extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName
+  | project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl
+  ),
+  (SecurityAlert
+  | where ProductName == "Microsoft Defender Advanced Threat Protection"
+  | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
+  | where isnotempty(ThreatName)
+  | where ThreatName has_any (SigNames)
+  | extend Computer = tostring(parse_json(Entities)[0].HostName)
+  ),
+  (AzureDiagnostics
+  | where ResourceType == "AZUREFIREWALLS"
+  | where Category == "AzureFirewallDnsProxy"
+  | parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
+  | where Request_Name has_any (DomainNames)  
+  | extend DNSName = Request_Name
+  | extend IPAddress = ClientIP 
+  ),
+  (AzureDiagnostics 
+  | where ResourceType == "AZUREFIREWALLS"
+  | where Category == "AzureFirewallApplicationRule"
+  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
+  | where isnotempty(DestinationHost)
+  | where DestinationHost has_any (DomainNames)  
+  | extend DNSName = DestinationHost 
+  | extend IPAddress = SourceHost
+  )
+  )
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled

Detections/MultipleDataSources/ZincJan272021IOCs.yaml

@@ -104,7 +104,10 @@ query: |
   | project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl
   ),
   (SecurityAlert
-  | where Entities has_any (SigNames)
+  | where ProductName == "Microsoft Defender Advanced Threat Protection"
+  | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
+  | where isnotempty(ThreatName)
+  | where ThreatName has_any (SigNames)
   | extend Computer = tostring(parse_json(Entities)[0].HostName) 
   | project Type, TimeGenerated, Computer
   ),
@@ -151,5 +154,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.3.0
+version: 1.4.0
 kind: Scheduled

Hunting Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml

@@ -0,0 +1,62 @@
+id: bb30abbc-9af6-4a37-9536-e9207e023989
+name: NICKEL Command Line Activity November 2021
+description: |
+   'This hunting query looks for process command line activity related to data collection and staging observed by NICKEL.
+   It hunts for use of tools such as xcopy and renamed archiving tools for data collection and staging purposes on the hosts with signatures observed related to NICKEL actor.'
+requiredDataConnectors:
+  - connectorId: MicrosoftDefenderAdvancedThreatProtection
+    dataTypes:
+      - SecurityAlert (MDATP)
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceProcessEvents
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - Collection
+relevantTechniques:
+  - T1074.001
+query: |
+    let xcopy_tokens = dynamic(["xcopy", "\\windows\\temp\\wmi", "/S/Y/C"]);
+    let archive_tokens = dynamic(["\\windows\\temp\\wmi", ".rar", ".7zip"]);
+    let SigNames = dynamic(["Backdoor:Win32/Leeson", "Trojan:Win32/Kechang", "Backdoor:Win32/Nightimp!dha", "Trojan:Win32/QuarkBandit.A!dha", "TrojanSpy:Win32/KeyLogger"]);
+    (union isfuzzy=true
+    (DeviceProcessEvents  
+    | where ProcessCommandLine has_all(xcopy_tokens) or (ProcessCommandLine has_all (archive_tokens)) 
+    | join kind=leftouter (
+    SecurityAlert
+    | where ProductName == "Microsoft Defender Advanced Threat Protection"
+    | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
+    | where isnotempty(ThreatName)
+    | extend AlertRiskScore =iif(ThreatName has_any (SigNames), 1.0, 0.5)) on DeviceId
+    | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0 , AlertRiskScore)
+    | project-reorder  TimeGenerated, DeviceName, DeviceId, ProcessCommandLine, AccountName
+    | extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,  ProcessCustomEntity = InitiatingProcessFileName
+    ),
+    (imProcessCreate
+    | where (CommandLine has_all (xcopy_tokens)) or (CommandLine has_all (archive_tokens))
+    | extend timestamp = TimeGenerated, HostCustomEntity = DvcHostname , AccountCustomEntity = ActorUsername, ProcessCustomEntity = TargetProcessFilePath
+    ),
+    (SecurityEvent
+    | where EventID == '4688'
+    | where (CommandLine has_all (xcopy_tokens)) or (CommandLine has_all (archive_tokens))
+    | project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine
+    | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName
+    )
+    )
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
+  - entityType: Process
+    fieldMappings:
+      - identifier: ProcessId
+        columnName: ProcessCustomEntity
+      - identifier: CommandLine
+        columnName: CommandLineCustomEntity

Hunting Queries/MultipleDataSources/NickelRegIOCPatterns.yaml

@@ -0,0 +1,64 @@
+id: f090f8f4a-b986-42d2-b536-e0795c723e25
+name: Known NICKEL Registry modifications patterns
+description: |
+   'This query identifies instances where malware intentionally configures the browser settings for its use by modifying the following registry entries by NICKEL threat actor.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: SecurityEvents
+    dataTypes:
+      - SecurityEvent
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceRegistryEvents
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Persistence
+relevantTechniques:
+  - T1546.012
+query: |
+  let reg_paths = dynamic(["HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main", 
+                          "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery", 
+                          "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Privacy", 
+                          "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"
+                          ]);
+  let reg_keys = dynamic(["Start Page", "DisableFirstRunCustomize", "RunOnceComplete", "RunOnceHasShown", "Check_Associations", "AutoRecover", "ClearBrowsingHistoryOnExit", "Completed", "IEHarden"]);
+  (union isfuzzy=true
+  (
+  SecurityEvent
+  | where EventID == 4657
+  | where ObjectName has_any (reg_paths) and ObjectValueName has_any (reg_keys)
+  | summarize Count=count() by Computer, Account, ObjectName
+  | extend AccountCustomEntity = Account, HostCustomEntity = Computer
+  ),
+  (
+  Event
+  | where Source == "Microsoft-Windows-Sysmon"
+  | where EventID in (12, 13)
+  | extend EventData = parse_xml(EventData).DataItem.EventData.Data
+  | mv-expand bagexpansion=array EventData
+  | evaluate bag_unpack(EventData)
+  | extend Key=tostring(['@Name']), Value=['#text']
+  | evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
+  | where TargetObject has_any (reg_paths) and TargetObject has_any (reg_keys)
+  | summarize Count=count() by Computer, UserName, tostring(TargetObject)
+  | extend AccountCustomEntity = UserName, HostCustomEntity = Computer
+  ),
+  (
+  imRegistry
+  | where RegistryKey has_any (reg_paths) and RegistryValue has_any (reg_keys)
+  | summarize Count=count() by Dvc, Username, RegistryKey
+  | extend AccountCustomEntity = Username, HostCustomEntity = Dvc
+  )
+  )
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity