91 строка
3.9 KiB
YAML
91 строка
3.9 KiB
YAML
id: 00cb180c-08a8-4e55-a276-63fb1442d5b5
|
|
name: Midnight Blizzard - Script payload stored in Registry
|
|
description: |
|
|
'This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution a malicious script
|
|
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
|
|
severity: Medium
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
- connectorId: WindowsSecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
- connectorId: WindowsSecurityEvents
|
|
dataTypes:
|
|
- SecurityEvents
|
|
- connectorId: WindowsForwardedEvents
|
|
dataTypes:
|
|
- WindowsEvent
|
|
queryFrequency: 1d
|
|
queryPeriod: 1d
|
|
triggerOperator: gt
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- Execution
|
|
relevantTechniques:
|
|
- T1059
|
|
tags:
|
|
- Midnight Blizzard
|
|
query: |
|
|
let cmdTokens0 = dynamic(['vbscript','jscript']);
|
|
let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
|
|
let cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);
|
|
(union isfuzzy=true
|
|
(SecurityEvent
|
|
| where TimeGenerated >= ago(14d)
|
|
| where EventID == 4688
|
|
| where CommandLine has @'\Microsoft\Windows\CurrentVersion'
|
|
| where not(CommandLine has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
|
|
// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches
|
|
//| where CommandLine has_any (cmdTokens0)
|
|
//| where CommandLine has_all (cmdTokens1)
|
|
| where CommandLine has_all (cmdTokens2)
|
|
| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
|
|
),
|
|
(WindowsEvent
|
|
| where TimeGenerated >= ago(14d)
|
|
| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @'\Microsoft\Windows\CurrentVersion'
|
|
| where not(EventData has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
|
|
| extend CommandLine = tostring(EventData.CommandLine)
|
|
| where CommandLine has @'\Microsoft\Windows\CurrentVersion'
|
|
| where not(CommandLine has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
|
|
// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches
|
|
//| where CommandLine has_any (cmdTokens0)
|
|
//| where CommandLine has_all (cmdTokens1)
|
|
| where CommandLine has_all (cmdTokens2)
|
|
| extend Account = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
|
|
| extend NewProcessName = tostring(EventData.NewProcessName)
|
|
| extend Process=tostring(split(NewProcessName, '\\')[-1])
|
|
| extend ParentProcessName = tostring(EventData.ParentProcessName)
|
|
| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId)
|
|
| extend Name = tostring(split(Account, "\\")[1]), NTDomain = tostring(split(Account, "\\")[0])
|
|
| extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')), HostName = tostring(split(Computer, '.', 0)[0]))
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: Account
|
|
- identifier: Name
|
|
columnName: Name
|
|
- identifier: NTDomain
|
|
columnName: NTDomain
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: Computer
|
|
- identifier: HostName
|
|
columnName: HostName
|
|
- identifier: DnsDomain
|
|
columnName: DnsDomain
|
|
version: 1.1.5
|
|
kind: Scheduled
|
|
metadata:
|
|
source:
|
|
kind: Community
|
|
author:
|
|
name: Shain
|
|
support:
|
|
tier: Community
|
|
categories:
|
|
domains: [ "Security - Threat Intelligence" ] |