Snip3 malware may attempt to execute sandbox detection functions to evade analysis environments. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential Snip3 infections and prevent lateral movement and data exfiltration.
KQL Query
```kql
DeviceEvents
| where ActionType == "PowerShellCommand"
| where AdditionalFields == "{\"Command\":\"DetectSandboxie\"}"
```
```yaml
id: 32664c67-34d7-4c7a-88cd-c48b55b7ef91
name: snip3-detectsanboxie-function-call
description: |
  Snip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques.
  The following query looks for a function call to a method named DetectSandboxie. This method is used in RevengeRAT and AsyncRAT instances involved in a campaign targeting the aviation industry, first observed in 2021. It has also been associated in the past with other malware, such as WannaCry and QuasarRAT. Individual PowerShell functions can be detected in the same way in some instances, though care should be taken to ensure that the command name is unique; otherwise, this query may return many false positives.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
tactics:
  - Execution
  - DefenseEvasion
query: |
  DeviceEvents
  | where ActionType == "PowerShellCommand"
  | where AdditionalFields == "{\"Command\":\"DetectSandboxie\"}"
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using Snip3 (a legitimate tool) for network monitoring and analysis.
Filter/Exclusion: Exclude processes where the executable path contains C:\Program Files\Snip3\ or C:\Windows\System32\Snip3.exe.
Scenario: A scheduled job runs PowerShell scripts that invoke functions similar to those used by Snip3 for system diagnostics.
Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line includes -Command with a script path in a known trusted directory (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\).
Scenario: An IT team is performing remote management tasks using Microsoft Endpoint Manager (MEM), which may trigger function calls similar to Snip3.
Filter/Exclusion: Exclude events where the process is microsoftendpointmanager.exe or msiexec.exe and the command line includes known MEM management commands.
Scenario: A Windows Task Scheduler job is configured to run a script that interacts with system APIs, which may resemble Snip3 behavior.
Filter/Exclusion: Exclude events where the process is schtasks.exe and the task is associated with a known enterprise-scheduled job (e.g., DailySystemCheck or PatchManagement).
Scenario: A third-party security tool (e.g., CrowdStrike or Microsoft Defender) is performing a deep system scan and triggers function calls that match Snip3’s behavior.
Filter/Exclusion: Exclude events where the process is mpsvc.exe or MsMpEng.exe and the command line includes a known scan or update command.
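The rule above matches the raw AdditionalFields string exactly, so any difference in key order or whitespace in the JSON would miss the event. The following KQL is an added example, not part of the original rule: it parses the Command value out of AdditionalFields instead, and applies the scheduled-job exclusion from the scenario list (PowerShell launched with -Command against a script under the trusted WindowsPowerShell directory) so the two passages can be seen working together. The trusted-directory value is taken from the scenario text; the column names (InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName) are standard DeviceEvents columns, and the output projection is my own choice.

```kql
// Added example: same detection as the rule, but keyed on the parsed Command
// field rather than the exact JSON string, with one of the listed exclusions.
let TrustedScriptDir = @"C:\Windows\System32\WindowsPowerShell\v1.0\";   // from the scenario list
DeviceEvents
| where ActionType == "PowerShellCommand"
// Pull the function name out of the JSON so formatting differences do not matter
| extend Command = tostring(parse_json(AdditionalFields).Command)
| where Command =~ "DetectSandboxie"
// Exclusion: scheduled PowerShell job running a script from the trusted directory
| where not(InitiatingProcessFileName =~ "powershell.exe"
    and InitiatingProcessCommandLine contains "-Command"
    and InitiatingProcessCommandLine contains TrustedScriptDir)
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine, Command
| order by Timestamp desc
```

An exclusion keyed only on a folder path in the command line is a weak filter, since anything able to write to that directory would also be excluded; keep such exclusions scoped to the specific job names or script hashes the organisation actually runs, and review the excluded events periodically rather than dropping them silently.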