Adversaries may be exfiltrating sensitive data using cloud storage services to avoid detection in Azure environments. SOC teams should proactively hunt for this behavior to identify potential data breaches and mitigate lateral movement in cloud infrastructure.
```yaml
id: cbfd03f0-34c7-4e03-af37-50eae2892b38
name: detect-cyzfc-activity (2)
description: |
  These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs.
  As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers, there was a very large spear-phishing campaign launched in November 2019.
  The attackers would gain access to a target by having the user click on a link to a compromised website and download a .zip archive.
  Once established on a target's device, the attackers used a malicious DLL named cyzfc.dat to execute additional payloads. They would call a function in the malicious DLL via the legitimate Windows process, rundll32.exe, to connect directly to their command-and-control (C2) servers.
  The following queries detect activity associated with the malicious DLL, cyzfc.dat, used in this campaign.
  Reference - https://docs.microsoft.com/windows-server/administration/windows-commands/rundll32
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  // Query 3: Malicious PowerShell
  DeviceProcessEvents
  | where Timestamp > ago(10d)
  | where ProcessCommandLine contains
      "-noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJ"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled system maintenance using Task Scheduler | A system administrator schedules a maintenance task using Windows Task Scheduler to update software or clean up logs. | `process.parent_process_name == "schtasks.exe" or process.name == "schtasks.exe"` |
| Log rotation using logrotate on Linux | A DevOps engineer runs logrotate to manage and rotate log files, which may involve renaming or moving files. | `process.name == "logrotate" or process.command_line contains "logrotate"` |
| Database backup using mysqldump | A DBA performs a routine database backup using mysqldump, which may involve exporting large datasets. | `process.name == "mysqldump" or process.command_line contains "mysqldump"` |
| User profile synchronization using rsync | An IT admin uses rsync to synchronize user profiles across multiple servers, which may involve copying files between systems. | `process.name == "rsync" or process.command_line contains "rsync"` |
| Software update using msiexec | A system update is deployed via an MSI package using msiexec, which may involve file copying or registry changes. | `process.name == "msiexec" or process.command_line contains "msiexec"` |
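The following Python script is an added example, not part of the hunting query above or of any Sentinel or Microsoft code. It replays the query's two conditions (`Timestamp > ago(10d)` and the `ProcessCommandLine contains` match) over constructed `DeviceProcessEvents`-style rows, then layers on the benign-process exclusions from the scenarios table so the effect of those exclusions can be seen side by side with the raw query. Everything except the indicator string is constructed: the `NOW` date, the sample rows and device names, the `BENIGN_PROCESSES` set (derived from the scenario filters), and the placeholder tail of `MALICIOUS_CMD`. The `decode_indicator_fragment` helper is an analyst check that decodes the base64 after `$zk='` to show what kind of content the indicator is matching on.

```python
# Added example (not from the original hunting query or any vendor code):
# offline replay of the page's KQL filter over constructed DeviceProcessEvents rows,
# plus the page's benign-process exclusions, to show what each filter keeps or drops.
import base64
from datetime import datetime, timedelta, timezone

# The literal fragment the page's query searches for in ProcessCommandLine.
INDICATOR = "-noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJ"

# Process names taken from the page's benign-activity scenarios (the set itself is ours).
BENIGN_PROCESSES = {"schtasks.exe", "logrotate", "mysqldump", "rsync", "msiexec"}

# Fixed "now" so the 10-day window is deterministic (constructed date, not real data).
NOW = datetime(2020, 1, 10, tzinfo=timezone.utc)

# Constructed command line containing the indicator; the tail is an explicit placeholder.
MALICIOUS_CMD = "powershell.exe " + INDICATOR + "<REST-OF-BASE64-PLACEHOLDER>'"

# Constructed sample rows using DeviceProcessEvents column names.
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(days=1), "DeviceName": "ws01",    # true positive
     "FileName": "powershell.exe", "InitiatingProcessFileName": "rundll32.exe",
     "ProcessCommandLine": MALICIOUS_CMD},
    {"Timestamp": NOW - timedelta(days=30), "DeviceName": "ws02",   # outside ago(10d)
     "FileName": "powershell.exe", "InitiatingProcessFileName": "rundll32.exe",
     "ProcessCommandLine": MALICIOUS_CMD},
    {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "ws03",   # hidden by parent-name exclusion
     "FileName": "powershell.exe", "InitiatingProcessFileName": "schtasks.exe",
     "ProcessCommandLine": MALICIOUS_CMD},
    {"Timestamp": NOW - timedelta(hours=2), "DeviceName": "ws04",   # benign maintenance task
     "FileName": "schtasks.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": 'schtasks.exe /create /tn "Cleanup" /tr cleanup.cmd /sc daily'},
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "ws05",   # ordinary PowerShell
     "FileName": "powershell.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "powershell.exe -NoProfile -Command Get-Date"},
]


def matches_indicator(command_line, case_sensitive=False):
    """Mirror KQL: `contains` is case-insensitive, `contains_cs` is case-sensitive."""
    if case_sensitive:
        return INDICATOR in command_line
    return INDICATOR.lower() in command_line.lower()


def hunt(events, now=NOW, lookback_days=10, exclude_benign=False, case_sensitive=False):
    """Replay `Timestamp > ago(<lookback_days>d)` and the command-line match.

    With exclude_benign=True, rows whose process or parent name is in
    BENIGN_PROCESSES are dropped, which is what the scenario filters do.
    Returns the DeviceName of each matching row, in input order."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for ev in events:
        if ev["Timestamp"] <= cutoff:
            continue
        if exclude_benign and (ev["FileName"] in BENIGN_PROCESSES
                               or ev["InitiatingProcessFileName"] in BENIGN_PROCESSES):
            continue
        if matches_indicator(ev["ProcessCommandLine"], case_sensitive):
            hits.append(ev["DeviceName"])
    return hits


def decode_indicator_fragment(indicator=INDICATOR):
    """Decode the base64 that follows `$zk='` in the indicator.

    The fragment is the start of a larger base64 blob, so padding has to be
    restored before decoding. The result is plain script text (variable
    assignments), which is why this string is specific to one sample."""
    b64 = indicator.split("'", 1)[1]
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("ascii")


if __name__ == "__main__":
    print("raw query hits:     ", hunt(SAMPLE_EVENTS))
    print("with exclusions:    ", hunt(SAMPLE_EVENTS, exclude_benign=True))
    print("decoded fragment:   ", decode_indicator_fragment())
```

Two things the replay makes visible. First, the `ws03` row is matched by the raw query but disappears once the `schtasks.exe` parent-name exclusion is applied, so an exclusion written against process names rather than against the specific benign command line can suppress the very activity the query exists to find; scoping exclusions to the benign command pattern (for example the `/create /tn ...` form of the maintenance task) avoids that. Second, KQL `contains` is case-insensitive while base64 is case-sensitive, so `contains_cs` is the tighter operator for an indicator like this one; `matches_indicator(..., case_sensitive=True)` shows the difference.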