Fix overwrite of older PHOSPHORUS query

2020-10-23 09:13:53 -07:00 · 2020-10-23 09:13:53 -07:00 · 88971f64f1
--- a/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml
+++ b/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml
@ -1,8 +1,8 @@
-id: 7249500f-3038-4b83-8549-9cd8dfa2d498
-name: Known PHOSPHORUS group domains/IP - October 2020
+id: 155f40c6-610d-497d-85fc-3cf06ec13256
+name: Known Phosphorus group domains/IP
 description: |
-  'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.
-  References: '
+  'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.
+  References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.'
 severity: High
 requiredDataConnectors:
  - connectorId: DNS
@ -13,74 +13,70 @@ requiredDataConnectors:
      - VMConnection
  - connectorId: CiscoASA
    dataTypes:
-      - CommonSecurityLog (Cisco)
+      - CommonSecurityLog
  - connectorId: PaloAltoNetworks
    dataTypes:
-      - CommonSecurityLog (PaloAlto)
-  - connectorId: Zscaler
+      - CommonSecurityLog
+  - connectorId: Office365
    dataTypes:
-      - CommonSecurityLog (Zscaler)
-  - connectorId: Fortinet
-    dataTypes:
-      - CommonSecurityLog (Fortinet)
-  - connectorId: OfficeATP
-    dataTypes:
-      - SecurityAlert (Office 365 Security & Compliance)
-  - connectorId: AzureFirewall
-    dataTypes:
-      - AzureDiagnostics (Azure Firewall)
+      - OfficeActivity
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - CommandAndControl
-  - InitialAccess
 relevantTechniques:
  - T1043
-  - T1566
 query: |

  let timeframe = 1d;
-  let DomainNames = dynamic(["de-ma.online", "g20saudi.000webhostapp.com", "ksat20.000webhostapp.com"]);
-  let EmailAddresses = dynamic(["munichconference1962@gmail.com","munichconference@outlook.de", "munichconference@outlook.com", "t20saudiarabia@gmail.com", "t20saudiarabia@hotmail.com", "t20saudiarabia@outlook.sa"]);
+  let DomainNames = dynamic(["yahoo-verification.org","support-servics.com","verification-live.com","com-mailbox.com","com-myaccuants.com","notification-accountservice.com",
+  "accounts-web-mail.com","customer-certificate.com","session-users-activities.com","user-profile-credentials.com","verify-linke.com","support-servics.net","verify-linkedin.net", 
+  "yahoo-verification.net","yahoo-verify.net","outlook-verify.net","com-users.net","verifiy-account.net","te1egram.net","account-verifiy.net","myaccount-services.net",
+  "com-identifier-servicelog.name","microsoft-update.bid","outlook-livecom.bid","update-microsoft.bid","documentsfilesharing.cloud","com-microsoftonline.club",
+  "confirm-session-identifier.info","session-management.info","confirmation-service.info","document-share.info","broadcast-news.info","customize-identity.info","webemail.info",
+  "com-identifier-servicelog.info","documentsharing.info","notification-accountservice.info","identifier-activities.info","documentofficupdate.info","recoveryusercustomer.info",
+  "serverbroadcast.info","account-profile-users.info","account-service-management.info","accounts-manager.info","activity-confirmation-service.info","com-accountidentifier.info",
+  "com-privacy-help.info","com-sessionidentifier.info","com-useraccount.info","confirmation-users-service.info","confirm-identity.info","confirm-session-identification.info",
+  "continue-session-identifier.info","customer-recovery.info","customers-activities.info","elitemaildelivery.info","email-delivery.info","identify-user-session.info",
+  "message-serviceprovider.info","notificationapp.info","notification-manager.info","recognized-activity.info","recover-customers-service.info","recovery-session-change.info",
+  "service-recovery-session.info","service-session-continue.info","session-mail-customers.info","session-managment.info","session-verify-user.info","shop-sellwear.info",
+  "supportmailservice.info","terms-service-notification.info","user-activity-issues.info","useridentity-confirm.info","users-issue-services.info","verify-user-session.info",
+  "login-gov.info","notification-signal-agnecy.info","notifications-center.info","identifier-services-sessions.info","customers-manager.info","session-manager.info",
+  "customer-managers.info","confirmation-recovery-options.info","service-session-confirm.info","session-recovery-options.info","services-session-confirmation.info",
+  "notification-managers.info","activities-services-notification.info","activities-recovery-options.info","activity-session-recovery.info","customers-services.info",
+  "sessions-notification.info","download-teamspeak.info","services-issue-notification.info","microsoft-upgrade.mobi","broadcastnews.pro","mobile-messengerplus.network"]);
+  let IPList = dynamic(["51.91.200.147"]);
+  let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
  (union isfuzzy=true
  (CommonSecurityLog 
  | where TimeGenerated >= ago(timeframe)
  | parse Message with * '(' DNSName ')' * 
-  | where (isnotempty(DNSName) and DNSName has_any (DomainNames)) 
-    or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) 
-    or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))
-  | extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
+  | extend MessageIP = extract(IPRegex, 0, Message)
+  | extend RequestURLIP = extract(IPRegex, 0, Message)
+  | where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) 
+  or (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) 
+  or (isnotempty(Message) and MessageIP in (IPList))
+  | extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURLIP in (IPList), "RequestUrl", "NoMatch") 
+  | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP,IPMatch == "Message", MessageIP,
+  IPMatch == "RequestUrl", RequestURLIP,"NoMatch"), Account = SourceUserID, Host = DeviceName
  ),
  (DnsEvents 
  | where TimeGenerated >= ago(timeframe) 
  | extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer
-  | where DNSName has_any (DomainNames) 
+  | where  DestinationIPAddress in (IPList) or DNSName in~ (DomainNames) 
  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),
  (VMConnection 
  | where TimeGenerated >= ago(timeframe) 
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
-  | where isnotempty(DNSName)
-  | where DNSName has_any (DomainNames)
-  | extend timestamp = TimeGenerated , HostCustomEntity = Computer),
-  (SecurityAlert
-  | where TimeGenerated >= ago(timeframe) 
-  | where ProviderName =~ 'OATP'
-  | extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, 
-                      isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,
-                      isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,
-                      isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,
-                      isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,
-                      isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,
-                      isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,
-                      isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,
-                      isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,
-                      parse_json(Entities)[9].Upn)
-  | where Entities has_any (EmailAddresses)
-  | extend timestamp = TimeGenerated, AccountCustomEntity = UPN),
-  (AzureDiagnostics
-  | where TimeGenerated >= ago(timeframe) 
-  | where ResourceType == "AZUREFIREWALLS"
-  | where msg_s has_any (DomainNames)
-  | extend timestamp = TimeGenerated))
+  | where isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)
+  | where SourceIP in (IPList) or DestinationIP in (IPList) or DNSName in~ (DomainNames)
+  | extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "None") 
+  | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None"), Host = Computer),
+  (OfficeActivity
+  | where TimeGenerated >= ago(timeframe)
+  | extend SourceIPAddress = ClientIP, Account = UserId
+  | where  SourceIPAddress in (IPList)
+  | extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account )
+  )