-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathimProcess_NOBELIUM_SuspiciousRundll32Exec.json
42 lines (42 loc) · 1.88 KB
/
imProcess_NOBELIUM_SuspiciousRundll32Exec.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
},
"analytic-id": {
"type": "string",
"defaultValue": "c62d2a2f-1820-4030-86cc-a6dd2cdb7558",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[resourceGroup().location]",
"properties": {
"description": "This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)",
"displayName": "NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)",
"enabled": false,
"query": "imProcessCreate\n| where Process hassuffix 'rundll32.exe'\n| where CommandLine has_any ('Execute','RegRead','window.close')\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"tactics": [
"Persistence"
]
}
}
]
}