The hunting query below looks for a known malicious DLL, cyzfc.dat, that was used in a large spear-phishing campaign against U.S. government, think-tank and non-profit organizations. It matches the DLL's SHA-1 hash across the Microsoft Defender device tables, so SOC teams can check their Azure Sentinel workspace for hosts on which the file was written, loaded, or used as the parent of further process, registry or network activity.
id: 43ca7ed8-a655-4e64-8a2a-ef7a56975560
name: detect-cyzfc-activity
description: |
  These queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs.
  As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers, there was a very large spear-phishing campaign launched in November 2019.
  The attackers would gain access to a target by having the user click on a link to a compromised website and download a .zip archive.
  Once established on a target's device, the attackers used a malicious DLL named cyzfc.dat to execute additional payloads. They would call a function in the malicious DLL via the legitimate Windows process, rundll32.exe, to connect directly to their command-and-control (C2) servers.
  The following query detects activity associated with the malicious DLL, cyzfc.dat, used in this campaign, by matching its SHA-1 hash against every Microsoft Defender device table that records a file hash or an initiating-process hash.
  Reference - https://docs.microsoft.com/windows-server/administration/windows-commands/rundll32
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
      - DeviceProcessEvents
      - DeviceEvents
      - DeviceRegistryEvents
      - DeviceNetworkEvents
      - DeviceImageLoadEvents
tactics:
  - Execution
query: |
  // Query 1: Events involving the DLL container (cyzfc.dat), matched by SHA-1.
  // find scans every listed table; a column that a table lacks (for example
  // SHA1 in DeviceNetworkEvents and DeviceRegistryEvents) is treated as null,
  // so the predicate is safe across all six tables. The time filter is part
  // of the find predicate so each table is scoped before it is scanned.
  let fileHash = "9858d5cb2a6614be3c48e33911bf9f7978b441bf";
  find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents,
           DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
  where Timestamp > ago(10d)
    and (SHA1 == fileHash or InitiatingProcessSHA1 == fileHash)
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Populated by the MicrosoftThreatProtection connector; ensure it is enabled, since find cannot resolve a table that is absent from the workspace |
| DeviceFileEvents | Populated by the MicrosoftThreatProtection connector; ensure it is enabled |
| DeviceImageLoadEvents | Populated by the MicrosoftThreatProtection connector; ensure it is enabled |
| DeviceNetworkEvents | Populated by the MicrosoftThreatProtection connector; ensure it is enabled (has no SHA1 column, so only InitiatingProcessSHA1 can match) |
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection connector; ensure it is enabled |
| DeviceRegistryEvents | Populated by the MicrosoftThreatProtection connector; ensure it is enabled (has no SHA1 column, so only InitiatingProcessSHA1 can match) |
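The hash match above tells you that the DLL was seen, but not which table recorded it or whether the rundll32.exe call-out to C2 described in the query's own description actually happened. The following query is an added example, not part of the original Sentinel hunting query: it tags each hash hit with the table that produced it and summarizes it per device, finds rundll32.exe processes that name cyzfc.dat on their command line (a filename match, so it also catches a recompiled variant with a different hash), and joins the outbound connections of those processes as candidate C2. The 10-day lookback, the variable names (lookback, affectedDevices, rundllLaunches, rundllConnections) and the assumption that the DLL is still referenced as cyzfc.dat are illustrative.

```kql
// Added example (not part of the original hunting query): pivot from the
// cyzfc.dat SHA-1 to the rundll32.exe -> C2 behaviour the campaign used.
// Assumptions: a 10-day lookback, and that the DLL is still referenced
// as cyzfc.dat on the rundll32.exe command line.
let lookback = 10d;
let fileHash = "9858d5cb2a6614be3c48e33911bf9f7978b441bf";
// 1. Devices where the hash was seen, with first/last sighting and the
//    tables that recorded it (SourceTable is the per-row source column
//    that find adds via withsource=).
let affectedDevices =
    find withsource=SourceTable in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents,
        DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
    where Timestamp > ago(lookback)
      and (SHA1 == fileHash or InitiatingProcessSHA1 == fileHash)
    | summarize HashFirstSeen = min(Timestamp), HashLastSeen = max(Timestamp),
                HashSeenIn = make_set(SourceTable) by HashDeviceId = DeviceId;
// 2. rundll32.exe launched with cyzfc.dat on its command line. Matching the
//    file name rather than the hash also catches a recompiled variant.
let rundllLaunches =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "rundll32.exe" and ProcessCommandLine has "cyzfc.dat"
    | project Timestamp, DeviceId, DeviceName, ProcessId, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine;
// 3. Outbound connections made by that rundll32.exe instance (candidate C2).
//    The command-line filter on both sides guards against PID reuse.
let rundllConnections =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "rundll32.exe"
      and InitiatingProcessCommandLine has "cyzfc.dat"
    | project ConnectionTime = Timestamp, DeviceId, InitiatingProcessId,
              RemoteIP, RemotePort, RemoteUrl;
rundllLaunches
| join kind=leftouter rundllConnections
    on DeviceId, $left.ProcessId == $right.InitiatingProcessId
| join kind=leftouter affectedDevices on $left.DeviceId == $right.HashDeviceId
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine,
          ConnectionTime, RemoteIP, RemotePort, RemoteUrl,
          HashFirstSeen, HashLastSeen, HashSeenIn
| sort by Timestamp desc
```

Both joins are left-outer on purpose: a rundll32.exe launch with no recorded connection, or on a device where the hash itself was never logged, still surfaces with empty C2 and hash columns. A device that has the hash but no rundll32.exe launch does not appear here, so keep running the hash query above alongside this one.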
Because the query matches a fixed SHA-1 of a known malicious DLL, a hit is not explained by any of the benign scenarios below; these exclusions only become relevant if the hunt is broadened from hash matches to process-behaviour queries (for example, rundll32.exe invocations).
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task created with schtasks.exe is running a system cleanup or disk defragmentation process.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with a scheduled trigger, or whose command line contains cleanmgr.exe or defrag.exe.
Scenario: Admin User Performing Log Analysis
Description: A system administrator is using eventvwr.exe to review security logs for compliance or troubleshooting purposes.
Filter/Exclusion: Exclude processes initiated by admin users whose command line contains eventvwr.exe or wevtutil.exe and that occur during known maintenance windows.
Scenario: Database Backup Job
Description: A database backup job is executed via SQL Server Agent using sqlcmd.exe or sqlagent.exe, which can generate network activity resembling that of malicious scripts.
Filter/Exclusion: Exclude processes initiated by SQL Server services, or whose command line contains sqlcmd.exe, sqlagent.exe, or backup.
Scenario: PowerShell Script for Compliance Reporting
Description: A PowerShell script is run by a compliance officer to gather system information for audit purposes, using powershell.exe with Get-EventLog or Get-Service.
Filter/Exclusion: Exclude powershell.exe processes whose script path or command line contains audit, report, or compliance.
Scenario: Antivirus or EDR Scan
Description: A security tool like Microsoft Defender (mpcmdrun.exe) or CrowdStrike (falcon.exe) is performing a full system scan, which may involve querying system processes and services.
Filter/Exclusion: Exclude processes initiated by mpcmdrun.exe, falcon.exe, or `