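id: d82e1987-4356-4a7b-bc5e-064f29b143c0
name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript
description: |
  'This query identifies when rundll32.exe executes a specific set of inline VBScript commands
  References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
severity: Medium
# Legacy-agent data (SecurityEvents -> SecurityEvent table) and the AMA / WEF paths
# (WindowsSecurityEvents, WindowsForwardedEvents -> WindowsEvent table) are both covered.
# NOTE(review): WindowsSecurityEvents is declared twice, once with dataType
# "SecurityEvent" and once with "SecurityEvents"; both entries are kept as found --
# confirm against the current connector manifest which spelling is canonical.
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvents
  - connectorId: WindowsForwardedEvents
    dataTypes:
      - WindowsEvent
queryFrequency: 1d
queryPeriod: 1d
# Any single match raises an incident.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1547
tags:
  - Midnight Blizzard
query: |
  // Process-creation (4688) events where the image is rundll32.exe and the command
  // line carries all three tokens of the inline VBScript loader described in the
  // referenced Sibot analysis.
  // Both branches emit the same string-typed subject columns: if one side were
  // dynamic (raw EventData.* fields) the union would split them into *_string and
  // *_dynamic columns and the entity mappings below would not resolve.
  // NOTE(review): the match is on the image name only; a renamed copy of
  // rundll32.exe would not be caught by this rule.
  (union isfuzzy=true
  (SecurityEvent
  | where EventID == 4688
  | where Process =~ 'rundll32.exe'
  | where CommandLine has_all ('Execute','RegRead','window.close')
  | project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId
  ),
  (WindowsEvent
  // Coarse has_any pre-filter on the raw EventData keeps the scan cheap; the exact
  // has_all test is applied once CommandLine has been extracted.
  | where EventID == 4688 and EventData has 'rundll32.exe' and EventData has_any ('Execute','RegRead','window.close')
  | extend NewProcessName = tostring(EventData.NewProcessName)
  // Image name is the last path component of NewProcessName.
  | extend Process=tostring(split(NewProcessName, '\\')[-1])
  | where Process =~ 'rundll32.exe'
  | extend CommandLine = tostring(EventData.CommandLine)
  | where CommandLine has_all ('Execute','RegRead','window.close')
  // Cast the subject fields to string so they merge with the SecurityEvent branch.
  | extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserSid = tostring(EventData.SubjectUserSid)
  | extend SubjectAccount = strcat(SubjectDomainName, "\\", SubjectUserName)
  | extend ParentProcessName = tostring(EventData.ParentProcessName)
  | project TimeGenerated, Computer, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
  )
  )
  // Split the FQDN into short host name and DNS domain for the Host entity.
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SubjectAccount
      - identifier: Name
        columnName: SubjectUserName
      - identifier: NTDomain
        columnName: SubjectDomainName
  - entityType: Account
    fieldMappings:
      - identifier: Sid
        columnName: SubjectUserSid
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
# Bumped for the string-cast fix in the WindowsEvent branch.
version: 1.1.6
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Intelligence" ]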