Adversaries may be using compromised Azure resources to exfiltrate sensitive data from government or non-profit organizations. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify and mitigate potential data breaches.
id: aad219ab-fed4-4360-bef1-a3166e2a2214
name: detect-cyzfc-activity (4)
description: |
  These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs.
  As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers, there was a very large spear-phishing campaign launched in November 2019.
  The attackers would gain access to a target by having the user click on a link to a compromised website and download a .zip archive.
  Once established on a target's device, the attackers used a malicious DLL named cyzfc.dat to execute additional payloads. They would call a function in the malicious DLL via the legitimate Windows process, rundll32.exe, to connect directly to their command-and-control (C2) servers.
  The following queries detect activity associated with the malicious DLL, cyzfc.dat, used in this campaign.
  Reference - https://docs.microsoft.com/windows-server/administration/windows-commands/rundll32
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
      - DeviceProcessEvents
      - DeviceEvents
      - DeviceRegistryEvents
      - DeviceNetworkEvents
      - DeviceImageLoadEvents
tactics:
  - Execution
query: |
  // Query 5: Events involving the ZIP
  let fileHash = "cd92f19d3ad4ec50f6d19652af010fe07dca55e1";
  find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents,
  DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
  where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
  | where Timestamp > ago(10d)
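The published query above pivots on a single SHA1, which stops matching as soon as the archive or DLL is rebuilt. The description also gives a behavioural indicator that survives a hash change: rundll32.exe invoking a function in cyzfc.dat and then reaching out to C2. The KQL below is an added example, not one of the published queries in this rule set; it hunts for rundll32.exe launches whose command line names cyzfc.dat (the DLL name from the description) and pairs each hit with any network connection that same process made, so an analyst sees the execution and the callback side by side. The 10-day window mirrors the original query; the column names are the standard Microsoft 365 Defender DeviceProcessEvents and DeviceNetworkEvents schema.

```kql
// Added example (not part of the published rule): rundll32.exe + cyzfc.dat
// process launches joined to the outbound connections those processes made.
let lookback = 10d;                // same window as the published hash query
let dllName = "cyzfc.dat";         // DLL name taken from the rule description
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine has dllName
| project Timestamp, DeviceId, DeviceName, ProcessId, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, SHA1
| join kind=leftouter (
    // connections initiated by a rundll32.exe whose command line names the DLL
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "rundll32.exe"
    | where InitiatingProcessCommandLine has dllName
    | project DeviceId, InitiatingProcessId,
        ConnTime = Timestamp, RemoteIP, RemotePort, RemoteUrl, ActionType
) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
| project-away DeviceId1, InitiatingProcessId
| sort by Timestamp desc
```

A leftouter join is used deliberately: a rundll32.exe/cyzfc.dat launch with no recorded connection is still worth triage (the C2 may have been unreachable or blocked), so the process row is kept with empty connection columns rather than dropped. If the command line references the DLL by a path that has been renamed, extend the `ProcessCommandLine has dllName` predicate with a DeviceImageLoadEvents leg keyed on the same ProcessId.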
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceImageLoadEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
| DeviceRegistryEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance or Patching
Description: A system administrator runs a scheduled maintenance task that involves querying the file system or registry for configuration changes.
Filter/Exclusion: Exclude processes associated with known maintenance tools like schtasks.exe, task scheduler, or Windows Update (e.g., wuauclt.exe). Filter by process name or parent process.
Scenario: Legitimate File Integrity Monitoring (FIM) Tool Activity
Description: A FIM tool like Tripwire or SolarWinds LCE is performing a baseline scan or integrity check, which may trigger file system queries similar to malicious activity.
Filter/Exclusion: Exclude processes associated with FIM tools by process name or by checking the command line for keywords like baseline, scan, or integrity.
Scenario: User-Initiated File Search or Backup Job
Description: A user or automated backup job (e.g., Veeam, Acronis, or Robocopy) is searching for or copying files, which may resemble suspicious activity.
Filter/Exclusion: Exclude processes related to backup tools by process name or by checking the command line for backup-related keywords like backup, copy, or sync.
Scenario: Admin Task for Log Analysis or Compliance
Description: An admin is using a tool like PowerShell or Splunk to analyze logs or generate compliance reports, which may involve querying system files or directories.
Filter/Exclusion: Exclude PowerShell scripts or processes with known admin tools by checking the command line or using process parentage to identify legitimate admin tasks.
Scenario: Antivirus or Endpoint Protection Scanning
Description: Antivirus software like Kaspersky, Bitdefender, or Microsoft Defender performs full system