Adversaries may be using compromised Azure resources to exfiltrate sensitive data from government or non-profit organizations. SOC teams should proactively hunt for this behavior to identify and mitigate potential data breaches in their Azure Sentinel environment.
id: 5c9c8f5c-01cf-4670-9beb-ee90e0a4ec58
name: detect-cyzfc-activity (3)
description: |
  These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs.
  As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers, there was a very large spear-phishing campaign launched in November 2019.
  The attackers would gain access to a target by having the user click on a link to a compromised website and download a .zip archive.
  Once established on a target's device, the attackers used a malicious DLL named cyzfc.dat to execute additional payloads. They would call a function in the malicious DLL via the legitimate Windows process, rundll32.exe, to connect directly to their command-and-control (C2) servers.
  The following queries detect activity associated with the malicious DLL, cyzfc.dat, used in this campaign.
  Reference - https://docs.microsoft.com/windows-server/administration/windows-commands/rundll32
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  // Query 4: Malicious domain in default browser commandline
  DeviceProcessEvents
  | where Timestamp > ago(10d)
  | where ProcessCommandLine contains "https://www.jmj.com/personal/nauerthn_state_gov"
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
- Scenario: Scheduled System Maintenance Using task scheduler
  - Description: A legitimate system maintenance task, such as updating software or patching systems, may trigger the rule due to similar query patterns.
  - Filter/Exclusion: `process.parent_process_name == "task scheduler" or process.name == "schtasks.exe"`
- Scenario: Admin Task Using PowerShell for Configuration Management
  - Description: An administrator may use PowerShell scripts to configure system settings, which could resemble malicious activity due to similar command structures.
  - Filter/Exclusion: `process.name == "powershell.exe" and process.parent_process_name == "explorer.exe" or process.command_line contains "Configure-System"`
- Scenario: Database Backup Job Using SQL Server Agent
  - Description: A scheduled SQL Server Agent job performing a database backup may trigger the rule due to similar query patterns.
  - Filter/Exclusion: `process.name == "sqlagent.exe" or process.parent_process_name == "sqlservr.exe"`
- Scenario: Log File Analysis Using LogParser
  - Description: A security analyst may use LogParser to analyze log files for compliance or troubleshooting, which could match the rule's detection logic.
  - Filter/Exclusion: `process.name == "logparser.exe" or process.command_line contains "LogParser"`
- Scenario: User-Initiated File Search Using Windows Search
  - Description: A user performing a search for files using Windows Search may trigger the rule if the search query matches suspicious patterns.
  - Filter/Exclusion: `process.name == "SearchUI.exe" or process.command_line contains "search" and process.user == "legitimate_user_account"`
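As an added example (not part of the original hunting query or its false-positive notes), the following Python re-implements Query 4 offline over constructed DeviceProcessEvents-style rows and tags, rather than drops, the hits that match two of the exclusion scenarios above. The sample rows, the run time, and the mapping of the generic `process.name` / `process.parent_process_name` fields onto the `FileName` and `InitiatingProcessFileName` columns are assumptions made here.

```python
from datetime import datetime, timedelta, timezone

SUSPICIOUS_URL = "https://www.jmj.com/personal/nauerthn_state_gov"
LOOKBACK = timedelta(days=10)  # the query's ago(10d)

# Constructed sample rows (not real telemetry) using DeviceProcessEvents column names.
RUN_TIME = datetime(2019, 12, 1, tzinfo=timezone.utc)  # assumed query run time
SAMPLE_EVENTS = [
    {"Timestamp": RUN_TIME - timedelta(days=2), "DeviceName": "ws01", "AccountName": "jdoe",
     "FileName": "chrome.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "chrome.exe HTTPS://WWW.JMJ.COM/personal/nauerthn_state_gov"},
    {"Timestamp": RUN_TIME - timedelta(days=1), "DeviceName": "ws02", "AccountName": "admin",
     "FileName": "powershell.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": 'powershell.exe -c "Start-Process https://www.jmj.com/personal/nauerthn_state_gov"'},
    {"Timestamp": RUN_TIME - timedelta(days=15), "DeviceName": "ws03", "AccountName": "jdoe",
     "FileName": "chrome.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "chrome.exe https://www.jmj.com/personal/nauerthn_state_gov"},
    {"Timestamp": RUN_TIME - timedelta(hours=3), "DeviceName": "ws01", "AccountName": "jdoe",
     "FileName": "chrome.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "chrome.exe https://www.example.com/"},
]

def query4(events, now=RUN_TIME):
    """Rows Query 4 would return when run at `now`.

    KQL `contains` is case-insensitive, so both sides are lower-cased;
    `Timestamp > ago(10d)` is a strict comparison against now - 10 days.
    """
    cutoff = now - LOOKBACK
    needle = SUSPICIOUS_URL.lower()
    return [e for e in events
            if e["Timestamp"] > cutoff and needle in e["ProcessCommandLine"].lower()]

def expected_noise_reason(event):
    """Match a hit against two of the page's false-positive scenarios.

    The page states them with generic fields (process.name, process.parent_process_name);
    mapping those onto FileName / InitiatingProcessFileName is an assumption.
    Returns the scenario name, or None when no scenario applies.
    """
    name = event["FileName"].lower()
    parent = event["InitiatingProcessFileName"].lower()
    if name == "schtasks.exe":
        return "Scheduled System Maintenance Using task scheduler"
    if name == "powershell.exe" and parent == "explorer.exe":
        return "Admin Task Using PowerShell for Configuration Management"
    return None

def triage(events, now=RUN_TIME):
    """Tag hits instead of suppressing them: any hit on this URL still merits analyst review."""
    return [(e["DeviceName"], expected_noise_reason(e)) for e in query4(events, now)]
```

Running `triage(SAMPLE_EVENTS)` surfaces the two in-window hits, with the PowerShell-from-Explorer row tagged by scenario name and the browser row left untagged; the 15-day-old and non-matching rows are not returned.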