Adversaries may be using compromised Azure resources to exfiltrate sensitive data from government or non-profit organizations. SOC teams should proactively hunt for this behavior to identify and mitigate potential data breaches in their Azure Sentinel environment.
```yaml
id: c28b23e0-0d6d-45a1-ab81-8268fdff0272
name: detect-cyzfc-activity (1)
description: |
  These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs.
  As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers, there was a very large spear-phishing campaign launched in November 2019.
  The attackers would gain access to a target by having the user click on a link to a compromised website and download a .zip archive.
  Once established on a target's device, the attackers used a malicious DLL named cyzfc.dat to execute additional payloads. They would call a function in the malicious DLL via the legitimate Windows process, rundll32.exe, to connect directly to their command-and-control (C2) servers.
  The following queries detect activity associated with the malicious DLL, cyzfc.dat, used in this campaign.
  Reference - https://docs.microsoft.com/windows-server/administration/windows-commands/rundll32
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Execution
query: |
  // Query 2: C2 connection
  DeviceNetworkEvents
  | where Timestamp > ago(10d)
  | where RemoteUrl == "pandorasong.com"
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
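The following Python is an added example, not part of the published hunting query, that re-expresses Query 2 (DeviceNetworkEvents, `RemoteUrl == "pandorasong.com"`, `Timestamp > ago(10d)`) and runs it over constructed sample rows, alongside a process-side check for rundll32.exe invoking cyzfc.dat as the description outlines (the page's own Query 1 is not shown, so that check is my reading of the description, not the original query). The sample rows, the fixed `NOW`, and the helper names are my assumptions. It also shows a caveat worth knowing when hunting: KQL `==` is a case-sensitive, whole-string comparison, so `www.pandorasong.com` would not match Query 2 as written; a suffix match is shown beside it.

```python
"""Query 2 logic and the rundll32/cyzfc.dat process check over constructed rows."""
from datetime import datetime, timedelta, timezone

# Fixed reference time (constructed) so that ago(10d) gives deterministic results.
NOW = datetime(2019, 12, 1, tzinfo=timezone.utc)

# Constructed DeviceNetworkEvents-style rows; not real telemetry.
NETWORK_EVENTS = [
    {"Timestamp": "2019-11-28T09:15:00Z", "DeviceName": "ws01",
     "RemoteUrl": "pandorasong.com", "InitiatingProcessFileName": "rundll32.exe"},
    {"Timestamp": "2019-11-29T10:00:00Z", "DeviceName": "ws02",
     "RemoteUrl": "www.pandorasong.com", "InitiatingProcessFileName": "rundll32.exe"},
    {"Timestamp": "2019-11-10T08:00:00Z", "DeviceName": "ws03",  # older than 10 days
     "RemoteUrl": "pandorasong.com", "InitiatingProcessFileName": "rundll32.exe"},
    {"Timestamp": "2019-11-30T11:00:00Z", "DeviceName": "ws04",
     "RemoteUrl": "example.org", "InitiatingProcessFileName": "chrome.exe"},
]

# Constructed DeviceProcessEvents-style rows; not real telemetry.
PROCESS_EVENTS = [
    {"Timestamp": "2019-11-28T09:14:50Z", "DeviceName": "ws01", "FileName": "rundll32.exe",
     "ProcessCommandLine": "rundll32.exe cyzfc.dat,#1"},
    {"Timestamp": "2019-11-29T12:00:00Z", "DeviceName": "ws05", "FileName": "rundll32.exe",
     "ProcessCommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign rundll32 use
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample rows."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_window(event: dict, days: int, now: datetime = NOW) -> bool:
    """Equivalent of the KQL filter `Timestamp > ago(<days>d)`."""
    return parse_ts(event["Timestamp"]) > now - timedelta(days=days)


def query2_c2_connection(events, days: int = 10, now: datetime = NOW, match: str = "exact"):
    """Query 2: network events to pandorasong.com within the last `days` days.

    match="exact" mirrors KQL `==` (case-sensitive, whole string), so the
    www.pandorasong.com row is not returned. match="suffix" is the broader
    check an analyst would write with `endswith`, restricted here to the bare
    domain or a subdomain of it so that unrelated domains sharing the suffix
    text do not match."""
    hits = []
    for e in events:
        if not in_window(e, days, now):
            continue
        url = e.get("RemoteUrl", "")
        if match == "exact":
            hit = url == "pandorasong.com"
        else:
            low = url.lower()
            hit = low == "pandorasong.com" or low.endswith(".pandorasong.com")
        if hit:
            hits.append(e)
    return hits


def rundll32_cyzfc_activity(events, days: int = 10, now: datetime = NOW):
    """Process-side check from the description (my assumption of Query 1):
    rundll32.exe whose command line references cyzfc.dat."""
    return [e for e in events
            if in_window(e, days, now)
            and e.get("FileName", "").lower() == "rundll32.exe"
            and "cyzfc.dat" in e.get("ProcessCommandLine", "").lower()]


def correlate(net_hits, proc_hits):
    """Devices that show both the C2 connection and the rundll32/cyzfc.dat process."""
    return sorted({e["DeviceName"] for e in net_hits} & {e["DeviceName"] for e in proc_hits})


if __name__ == "__main__":
    net = query2_c2_connection(NETWORK_EVENTS)
    proc = rundll32_cyzfc_activity(PROCESS_EVENTS)
    print("Query 2 hits:", [e["DeviceName"] for e in net])
    print("Broader suffix match:", [e["DeviceName"] for e in query2_c2_connection(NETWORK_EVENTS, match="suffix")])
    print("rundll32/cyzfc.dat hits:", [e["DeviceName"] for e in proc])
    print("Devices with both indicators:", correlate(net, proc))
```

Run stand-alone it reports ws01 for the exact Query 2 match, ws01 and ws02 for the suffix variant, and ws01 as the device where the network and process indicators coincide; joining the two tables on DeviceName in this way gives a higher-confidence alert than either query alone.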
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe is running a script to update system configurations or perform disk cleanup.
Filter/Exclusion: Check for ProcessName = schtasks.exe and CommandLine containing schtasks /create or schtasks /run, and filter out tasks with known maintenance names (e.g., DiskCleanup, SystemUpdate).
Scenario: Admin User Performing Configuration Backup
Description: An admin user is using PowerShell to back up configuration files or registry settings as part of routine maintenance.
Filter/Exclusion: Filter for ProcessName = powershell.exe and check for command-line arguments like -Command "Get-ChildItem", -Path "C:\Windows\System32\config", or -Command "Export-RegistryKey".
Scenario: Database Maintenance Job
Description: A database maintenance job using SQL Server Agent is running to clean up old logs or perform index optimization.
Filter/Exclusion: Filter for ProcessName = sqlservr.exe and check for CommandLine containing SQLAgent -Job "Database Maintenance" or similar job names.
Scenario: User Running Malware Scan with Antivirus Tool
Description: A user is running a full system scan using Malwarebytes or Windows Defender to detect and remove malicious files.
Filter/Exclusion: Filter for ProcessName = mbam.exe or ProcessName = MsMpEng.exe and check for command-line arguments like /fullscan or /quickscan.
Scenario: Log File Rotation or Archiving Task
Description: A system or application is using logrotate or a custom script to rotate and archive log files, which may involve file system operations
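As an added example (not part of the original page), the exclusion rules from the scenarios above are applied to constructed DeviceProcessEvents-style rows. The process names, task and job names, and command-line markers are taken from the scenario text; the row layout, the use of the `/tn` task-name switch of schtasks.exe for extracting the task name, and the helper names are my assumptions. The point of the example is that an exclusion keyed on a known maintenance name leaves events with an unknown name, and the rundll32.exe/cyzfc.dat activity the page describes, in the result set.

```python
"""Exclusion rules for the listed false-positive scenarios over constructed rows."""
import re

# Names from the scenarios; extend these per environment.
KNOWN_MAINTENANCE_TASKS = {"DiskCleanup", "SystemUpdate"}
KNOWN_SQL_JOBS = {"Database Maintenance"}
AV_PROCESSES = {"mbam.exe", "msmpeng.exe"}
AV_SCAN_FLAGS = {"/fullscan", "/quickscan"}
BACKUP_MARKERS = ("Get-ChildItem", r"C:\Windows\System32\config", "Export-RegistryKey")

# Task name after the schtasks /tn switch (assumption: tasks are named this way).
_TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)
# Job name after SQLAgent -Job "<name>" as written in the scenario.
_JOB_NAME = re.compile(r'-Job\s+"([^"]+)"', re.IGNORECASE)

# Constructed DeviceProcessEvents-style rows; not real telemetry.
EVENTS = [
    {"DeviceName": "srv01", "FileName": "schtasks.exe",
     "ProcessCommandLine": "schtasks /create /tn DiskCleanup /tr cleanmgr.exe /sc daily"},
    {"DeviceName": "srv02", "FileName": "schtasks.exe",
     "ProcessCommandLine": "schtasks /create /tn Updater /tr update.bat /sc onlogon"},
    {"DeviceName": "srv03", "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell -Command "Get-ChildItem C:\\Windows\\System32\\config"'},
    {"DeviceName": "db01", "FileName": "sqlservr.exe",
     "ProcessCommandLine": 'sqlservr.exe SQLAgent -Job "Database Maintenance"'},
    {"DeviceName": "ws07", "FileName": "MsMpEng.exe",
     "ProcessCommandLine": "MsMpEng.exe /quickscan"},
    {"DeviceName": "ws01", "FileName": "rundll32.exe",
     "ProcessCommandLine": "rundll32.exe cyzfc.dat,#1"},
]


def benign_scenario(event: dict):
    """Return the scenario name an event is excluded under, or None to keep it."""
    name = event.get("FileName", "").lower()
    cmd = event.get("ProcessCommandLine", "")
    low = cmd.lower()
    if name == "schtasks.exe" and ("/create" in low or "/run" in low):
        m = _TASK_NAME.search(cmd)
        if m and m.group(1) in KNOWN_MAINTENANCE_TASKS:
            return "Scheduled System Maintenance Task"
    elif name == "powershell.exe" and any(mk.lower() in low for mk in BACKUP_MARKERS):
        return "Admin User Performing Configuration Backup"
    elif name == "sqlservr.exe" and "sqlagent" in low:
        m = _JOB_NAME.search(cmd)
        if m and m.group(1) in KNOWN_SQL_JOBS:
            return "Database Maintenance Job"
    elif name in AV_PROCESSES and any(flag in low for flag in AV_SCAN_FLAGS):
        return "User Running Malware Scan with Antivirus Tool"
    return None


def triage(events):
    """Split events into those that survive the exclusions and those dropped, with the reason."""
    kept, excluded = [], []
    for e in events:
        reason = benign_scenario(e)
        if reason is None:
            kept.append(e)
        else:
            excluded.append((e["DeviceName"], reason))
    return kept, excluded


if __name__ == "__main__":
    kept, excluded = triage(EVENTS)
    for device, reason in excluded:
        print(f"excluded {device}: {reason}")
    print("remaining for review:", [e["DeviceName"] for e in kept])
```

Run on the sample rows, srv01, srv03, db01 and ws07 are dropped under their scenarios, while srv02 (task name not in the known set) and ws01 (the rundll32.exe/cyzfc.dat activity) remain for review. When moving rules like these into a Sentinel query, key the exclusion on the image path or signer as well as the file name; a process name on its own is weak evidence that the event is the maintenance activity the scenario describes.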