The hypothesis is that the detection rule identifies potential C2 exfiltration activity associated with the Snip3 family of ransomware, where adversaries may be transmitting stolen data or command and control signals through suspicious network traffic. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage ransomware operations before significant data loss or system compromise occurs.
KQL Query

```kql
// Leading spaces inside several of the published domain strings have been removed:
// the `in` operator is an exact string match, so " kimjoy.ddns.net" would never match.
DeviceNetworkEvents
| where RemoteUrl in ("mail.alamdarhardware.com", "kexa600200.ddns.net", "h0pe1759.ddns.net", "n0ahark2021.ddns.net", "kimjoy007.dyndns.org", "kimjoy.ddns.net", "asin8988.ddns.net", "asin8989.ddns.net", "asin8990.ddns.net")
```
```yaml
id: 8e169e62-be43-4f30-9f25-e003b2cd9c6e
name: snip3-revengerat-c2-exfiltration
description: |
  Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, all of its members exhibit similar behaviors and techniques.
  The following query looks for network connections, over any protocol, to domains associated with recent RevengeRAT, AsyncRAT, and other malware campaigns targeting the aviation industry.
  This activity is often followed by connections to copy-and-paste sites such as pastebin.com, stikked.ch, academia.edu, and archive.org. Many of these connections will occur on non-standard ports.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Command and control
  - Exfiltration
query: |
  // Leading spaces removed from the domain strings; `in` is an exact match.
  DeviceNetworkEvents
  | where RemoteUrl in ("mail.alamdarhardware.com", "kexa600200.ddns.net", "h0pe1759.ddns.net", "n0ahark2021.ddns.net", "kimjoy007.dyndns.org", "kimjoy.ddns.net", "asin8988.ddns.net", "asin8989.ddns.net", "asin8990.ddns.net")
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
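As an added illustration, not part of the published rule, the Python below replays the rule's matching logic over constructed DeviceNetworkEvents rows: the C2-domain check, the same check with the indicator list used verbatim (showing why the stray leading spaces in four published entries silently miss hits), and the paste-site-on-a-non-standard-port follow-on the description mentions. The column subset, device names and process names are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

# Indicator list as it appears in the published rule, leading spaces included.
C2_DOMAINS_AS_PUBLISHED = [
    "mail.alamdarhardware.com", "kexa600200.ddns.net", "h0pe1759.ddns.net",
    "n0ahark2021.ddns.net", " kimjoy007.dyndns.org", " kimjoy.ddns.net",
    " asin8988.ddns.net", " asin8989.ddns.net", "asin8990.ddns.net",
]
# Copy-and-paste sites the description names as common follow-on destinations.
PASTE_SITES = {"pastebin.com", "stikked.ch", "academia.edu", "archive.org"}
STANDARD_WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class NetworkEvent:
    """Subset of DeviceNetworkEvents columns the rule reads (assumed layout)."""
    device_name: str
    remote_url: str
    remote_port: int
    initiating_process: str

def normalize(indicators: Iterable[str]) -> Set[str]:
    """KQL `in` is an exact string match, so trim and lower-case the list first."""
    return {i.strip().lower() for i in indicators if i.strip()}

def match_c2(events: Iterable[NetworkEvent], indicators: Iterable[str]) -> List[NetworkEvent]:
    """Rows whose RemoteUrl is a listed C2 domain (the rule's `where` clause)."""
    wanted = normalize(indicators)
    return [e for e in events if e.remote_url.lower() in wanted]

def match_c2_verbatim(events: Iterable[NetworkEvent], indicators: Iterable[str]) -> List[NetworkEvent]:
    """Same check with the list used untrimmed, as the published query does."""
    wanted = set(indicators)
    return [e for e in events if e.remote_url in wanted]

def match_followon(events: Iterable[NetworkEvent]) -> List[NetworkEvent]:
    """Follow-on pattern from the description: a paste site on a non-standard port."""
    return [e for e in events
            if e.remote_url.lower() in PASTE_SITES and e.remote_port not in STANDARD_WEB_PORTS]

# Constructed sample rows; device and process names are illustrative only.
SAMPLE_EVENTS = [
    NetworkEvent("ws01", "kimjoy007.dyndns.org", 8080, "vbc.exe"),
    NetworkEvent("ws01", "pastebin.com", 8443, "powershell.exe"),
    NetworkEvent("ws02", "pastebin.com", 443, "chrome.exe"),
    NetworkEvent("ws03", "mail.alamdarhardware.com", 587, "svchost.exe"),
    NetworkEvent("ws04", "updates.example.com", 443, "msedge.exe"),
]
```

Run against the sample rows, the trimmed check returns the ws01 and ws03 C2 hits while the verbatim list returns only ws03, which is the gap an analyst should close before deploying the rule.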
Scenario: Legitimate scheduled job using snip3 as a tool name in a script
Description: A system administrator uses a script named snip3.sh to automate a backup process, which includes legitimate network communication.
Filter/Exclusion: `process.name != "snip3.sh" OR (process.parent.name == "bash" AND process.name contains "backup")`

Scenario: Admin using snip3 as a custom tool for internal monitoring
Description: A security team deploys a custom tool named snip3 to monitor internal network traffic, which includes outbound connections to a central logging server.
Filter/Exclusion: `process.name contains "monitoring" OR destination.ip == "10.0.0.100"` (internal logging server)

Scenario: Legitimate use of snip3 as part of a CI/CD pipeline
Description: A DevOps team uses a tool named snip3 in a CI/CD pipeline to fetch code from a private repository, which involves outbound HTTP requests.
Filter/Exclusion: `process.name contains "ci_cd" OR (process.parent.name == "jenkins" AND destination.url contains "github.com")`

Scenario: System update or patching using a tool named snip3
Description: A patching tool named snip3 is used to apply updates to a system, which includes outbound connections to a software repository.
Filter/Exclusion: `process.name contains "patch" OR (process.parent.name == "update_manager" AND destination.url contains "software-repo.com")`

Scenario: Legitimate use of snip3 as a log aggregation tool
Description: A log aggregation tool named snip3 is used to collect