This hunt looks for process creations whose command line ends with the literal string `cyzfc.dat, PointFunctionCall`: a DLL name followed by an export name, which is the `<dll>, <export>` argument form that rundll32.exe takes, and the indicator the original Sigma rule ties to an unidentified actor's activity in November 2018. A literal indicator like this is precise but brittle: a hit deserves immediate triage, while a renamed file or export leaves the rule silent, so it complements behavioural detections rather than replacing them. SOC teams that ingest Microsoft Defender for Endpoint process telemetry into Azure Sentinel can run it as a hunting query over the DeviceProcessEvents table; KQL's `endswith` is case-insensitive, which matches Sigma's default string handling.
KQL Query

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine endswith "cyzfc.dat, PointFunctionCall"
| top 100 by Timestamp desc
```
Hunting Query (YAML)

```yaml
id: 04990281-436c-4dff-aff9-bcd4417d0937
name: apt unidentified nov 18
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine endswith "cyzfc.dat, PointFunctionCall"
  | top 100 by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) connector. Ensure the connector is enabled and that the DeviceProcessEvents event type is selected for ingestion; the query returns nothing, with no error, if the table is empty. |
False-Positive Scenarios

The scenarios below are the usual sources of noise for process- and network-based hunts. Because this query matches a single literal command-line suffix, none of them will fire it on their own; keep the exclusions for the case where the hunt is broadened beyond that string. Two cautions apply to all of them: an exclusion must drop a row only when every benign condition holds (a keep-condition of the form `process.name != X or process.name != Y` is true for every row and excludes nothing), and destination-IP conditions belong to network telemetry (DeviceNetworkEvents, RemoteIP) rather than to DeviceProcessEvents.

Scenario: Scheduled System Backup Using Veeam
Description: A Veeam backup job generates traffic to a remote backup server that a network hunt could mistake for C2 activity.
Filter/Exclusion: process.name != "veeam" or destination_ip not in known_backup_servers (drops a row only when the process is Veeam and the destination is a known backup server)

Scenario: Windows Update Task via Task Scheduler
Description: A legitimate Windows Update task may run PowerShell scripts or wuauclt.exe from the Task Scheduler, which a process hunt could flag on process behaviour alone.
Filter/Exclusion: not (process.name in ("wuauclt.exe", "powershell.exe") and process.parent.name in scheduled_task_hosts). The form `process.name != "wuauclt.exe" or process.name != "powershell.exe"` is always true and excludes nothing, because every process fails at least one of the two inequalities.

Scenario: Admin Performing Remote PowerShell Management
Description: An administrator using PowerShell to manage remote systems (for example with Invoke-Command) produces remote-execution patterns that look suspicious.
Filter/Exclusion: process.name != "powershell.exe" or user not in management_accounts or host not in management_hosts. Scope the exclusion to the accounts and jump hosts used for administration; exempting every PowerShell launch by "Administrator" hides exactly the activity an attacker with a stolen admin account would generate.

Scenario: Log Collection via Splunk Forwarder
Description: A Splunk Universal Forwarder sends logs to a central indexer, which a network hunt could flag as suspicious outbound traffic.
Filter/Exclusion: process.name != "splunkd.exe" or destination_ip not in splunk_servers (the forwarder's process is splunkd.exe; SplunkForwarder is the Windows service name, not the image name)

Scenario: Database Replication Using SQL Server Agent Job
Description: A SQL Server Agent job may initiate network communication with a replica server, which a network hunt could misclassify as C2 activity.
Filter/Exclusion: process.name != "sqlservr.exe" or destination_ip not in db_replica_servers
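To sanity-check the query's matching rules before running it in Azure Sentinel, and to see why the Windows Update exclusion in the scenarios above excludes nothing as written, here is an added Python example (not code from the page, the Sigma repository or Microsoft) that re-implements the hunt's filter over constructed DeviceProcessEvents rows. The rows, the parent process names and the set of scheduler host processes are assumptions made for the example; the column names follow the Sentinel table.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the 7-day window is deterministic.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SUFFIX = "cyzfc.dat, PointFunctionCall"  # literal suffix from the hunt query

# Constructed DeviceProcessEvents rows for the example (not real telemetry).
# Column names follow the Sentinel table; parent process names are assumptions.
SAMPLE_EVENTS = [
    # True positive: command line ends with the indicator.
    {"Timestamp": NOW - timedelta(hours=2), "DeviceName": "ws01", "AccountName": "jdoe",
     "FileName": "rundll32.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\cyzfc.dat, PointFunctionCall"},
    # Same indicator in a different case: KQL endswith is case-insensitive, so this still matches.
    {"Timestamp": NOW - timedelta(days=1), "DeviceName": "ws02", "AccountName": "asmith",
     "FileName": "rundll32.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": r"RUNDLL32.EXE C:\Users\asmith\AppData\Local\CYZFC.DAT, POINTFUNCTIONCALL"},
    # Older than 7 days: dropped by the time window before the suffix test runs.
    {"Timestamp": NOW - timedelta(days=10), "DeviceName": "ws03", "AccountName": "bob",
     "FileName": "rundll32.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\cyzfc.dat, PointFunctionCall"},
    # Trailing space after the export name: a literal endswith does NOT match.
    {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "ws05", "AccountName": "jdoe",
     "FileName": "rundll32.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\cyzfc.dat, PointFunctionCall "},
    # Benign rows from the false-positive scenarios: none ends with the indicator.
    {"Timestamp": NOW - timedelta(hours=5), "DeviceName": "srv01", "AccountName": "svc_backup",
     "FileName": "veeam.exe", "InitiatingProcessFileName": "services.exe",
     "ProcessCommandLine": "veeam.exe /job nightly"},
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "ws04", "AccountName": "admin",
     "FileName": "powershell.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell.exe -Command Invoke-Command -ComputerName srv02 -ScriptBlock { gpupdate }"},
    {"Timestamp": NOW - timedelta(hours=4), "DeviceName": "ws06", "AccountName": "SYSTEM",
     "FileName": "wuauclt.exe", "InitiatingProcessFileName": "svchost.exe",
     "ProcessCommandLine": "wuauclt.exe /detectnow"},
]


def kql_endswith(value: str, suffix: str) -> bool:
    """KQL `endswith` is case-insensitive; `endswith_cs` is the case-sensitive form."""
    return value.lower().endswith(suffix.lower())


def hunt(events, now=NOW, lookback=timedelta(days=7), suffix=SUFFIX, limit=100):
    """Equivalent of the page's query:
    where Timestamp > ago(7d) | where ProcessCommandLine endswith suffix | top N by Timestamp desc
    """
    hits = [e for e in events
            if e["Timestamp"] > now - lookback and kql_endswith(e["ProcessCommandLine"], suffix)]
    hits.sort(key=lambda e: e["Timestamp"], reverse=True)
    return hits[:limit]


# Assumed set of processes that host scheduled-task launches (example only).
SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}


def keep_broken(e) -> bool:
    """Windows Update exclusion as written on the page: `!= a or != b` holds for every row."""
    return e["FileName"] != "wuauclt.exe" or e["FileName"] != "powershell.exe"


def keep_fixed(e) -> bool:
    """Intended meaning: drop the row only when it is one of those binaries AND the scheduler launched it."""
    return not (e["FileName"].lower() in {"wuauclt.exe", "powershell.exe"}
                and e["InitiatingProcessFileName"].lower() in SCHEDULER_PARENTS)


def apply_exclusion(events, keep):
    """Apply a keep-predicate the way a `| where ...` clause would."""
    return [e for e in events if keep(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Timestamp"].isoformat(), hit["DeviceName"], hit["AccountName"], hit["ProcessCommandLine"])
    print("rows kept by broken exclusion:", len(apply_exclusion(SAMPLE_EVENTS, keep_broken)))
    print("rows kept by fixed exclusion:  ", len(apply_exclusion(SAMPLE_EVENTS, keep_fixed)))
```

The trailing-space row shows the main blind spot of a literal suffix match: if command lines in your telemetry carry trailing whitespace, normalise the column in KQL with `trim_end(@'\s+', ProcessCommandLine)` before the `endswith`, and keep `endswith` rather than `endswith_cs` so case variations still match.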