This hunting query is a Microsoft Sentinel translation of the Sigma rule apt_unidentified_nov_18: it searches Microsoft Defender for Endpoint file events (DeviceFileEvents) for a path containing the shortcut filename ds7002.lnk, the indicator the rule carries for an otherwise unidentified APT campaign from November 2018. A raw-filename indicator like this produces very few hits, so any match deserves triage. SOC teams should run it proactively rather than waiting for an alert, because a campaign that has not yet been attributed or signatured can evade detection mechanisms tuned to known tooling.
KQL Query

```kusto
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has "ds7002.lnk"
| top 100 by Timestamp desc
```
```yaml
id: 9bff1151-227c-4581-946d-643266c346a6
name: apt unidentified nov 18 (1)
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
query: |
  DeviceFileEvents
  | where Timestamp > ago(7d)
  | where FolderPath has "ds7002.lnk"
  | top 100 by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
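The following query is an added example, not part of the original hunting query or the Sigma rule. It keeps the same indicator but matches on the FileName column (and on PreviousFileName, so renames of the shortcut are also caught) instead of running a term search over the whole path, and it projects the columns an analyst needs to triage a hit: the action on the file, its hash and origin URL, and the process and account that touched it. It assumes Defender for Endpoint data is flowing into DeviceFileEvents through the MicrosoftThreatProtection connector; the lookback and IOC are parameters you can change.

```kusto
// Added example: tightened version of the ds7002.lnk hunt with triage context.
// Assumes DeviceFileEvents is populated by the MicrosoftThreatProtection connector.
let lookback = 7d;                 // adjust to the retention you have available
let ioc_file = "ds7002.lnk";       // indicator from the original Sigma rule
DeviceFileEvents
| where Timestamp > ago(lookback)
// Case-insensitive exact match on the file-name column; also catch the shortcut being renamed.
| where FileName =~ ioc_file or PreviousFileName =~ ioc_file
// Columns that tell you what happened to the file and who/what caused it.
| project Timestamp, DeviceName, ActionType, FolderPath, FileName, PreviousFileName, SHA256,
          FileOriginUrl, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
| take 100
```

Because the indicator is a filename rather than a hash, a hit on a copy created by a backup or archive-extraction tool is still worth a look: check SHA256 against the original sample and pivot on InitiatingProcessCommandLine to see what ran on the device around the same time.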
False-positive scenarios and candidate exclusions. Note that these are written against a generic process-event field schema (process.name, process.command_line, process.parent_process_name) rather than the DeviceFileEvents columns used by the query above, so they need to be translated to the equivalent InitiatingProcess* columns before they can be applied to it.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses powershell.exe to perform system updates or maintenance.
Filter/Exclusion: process.parent_process_name:"Task Scheduler" or process.parent_process_path:"C:\\Windows\\System32\\taskschd.exe"
Scenario: Admin Performing PowerShell Script for Log Analysis
Description: An admin uses PowerShell to analyze logs or perform forensic analysis, which may involve cmd.exe or powershell.exe with unusual command lines.
Filter/Exclusion: process.user:"DOMAIN\\AdminUser" or process.command_line:"-Command"
Scenario: Antivirus or EDR Tool Performing File Scanning
Description: A security tool such as Kaspersky or CrowdStrike runs a scan that involves executing commands via cmd.exe or powershell.exe.
Filter/Exclusion: process.name:"kavsvc.exe" or process.name:"fx.exe"
Scenario: Database Backup Job Using Command Prompt
Description: A database backup job (for example, using the SQL Server backup utility) is initiated via cmd.exe and involves file operations.
Filter/Exclusion: process.command_line:"sqlbackup" or process.parent_process_name:"sqlservr.exe"
Scenario: User Running a Legitimate Script for System Monitoring
Description: A user runs a custom script (for example, in PowerShell) to monitor system performance or network activity.
Filter/Exclusion: process.user:"DOMAIN\\User" or process.command_line:"-File"

Treat these filters as starting points, not drop-in exclusions. Several are broad enough to suppress real attacker activity: excluding every command line containing "-Command" or "-File" allowlists almost all PowerShell invocations, and excluding everything run by a named account hides any attacker who has obtained that account's credentials. Scope each exclusion to the specific script path, host and parent process that generates the benign events, and verify parent-process values against your own telemetry first; on current Windows versions scheduled tasks are launched by the Schedule service hosted in svchost.exe, so a parent named "taskschd.exe" will not match anything.