The hypothesis is that this detection rule surfaces potential Snip3 remote access trojan activity by matching the aviation-themed email lures the campaign used, since phishing email is a common initial access vector adversaries use before establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise attempts by Snip3 variants before they escalate.
KQL Query

```kusto
let SubjectTerms =
pack_array("Cargo Charter","Airbus Meeting","WorldWide Symposium","Airbus Family","Flight Request",
"Advice from NetJets","May/ACMI","AIRCRAFT PRESENTATION","Airworthiness", "Air Quote", "RFQ #9B17811");
EmailEvents
// The keyword list holds subject lines, so match on the Subject column
| where Subject has_any(SubjectTerms)
// Optional sender restriction for organizations with high FP (uncomment the pipe as well)
// | where SenderIpv4 == "192.145.239.18"
| where EmailDirection == "Inbound"
| join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
| where Url has_any("drive.google.com","1drv.ms","onedrive.live.com")
| take 100
```
```yaml
id: cfffcab3-d4c7-4aad-b80d-5f415ef5ac66
name: snip3-aviation-targeting-emails
description: |
  Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, they all exhibit similar behaviors and techniques.
  The following query looks for keywords observed in emails involved in a Snip3-associated campaign in April and May of 2021. The emails often have an aviation theme, and the campaign primarily targets organizations involved in travel or aviation. Note that keywords may change over time. These emails carried malicious links on legitimate hosting providers that redirected to VBS documents hosting loaders. The loaders initiate RevengeRAT or AsyncRAT downloads that eventually establish persistence on targets and exfiltrate data.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailUrlInfo
tactics:
  - InitialAccess
query: |
  let SubjectTerms =
  pack_array("Cargo Charter","Airbus Meeting","WorldWide Symposium","Airbus Family","Flight Request",
  "Advice from NetJets","May/ACMI","AIRCRAFT PRESENTATION","Airworthiness", "Air Quote", "RFQ #9B17811");
  EmailEvents
  // The keyword list holds subject lines, so match on the Subject column
  | where Subject has_any(SubjectTerms)
  // Optional sender restriction for organizations with high FP (uncomment the pipe as well)
  // | where SenderIpv4 == "192.145.239.18"
  | where EmailDirection == "Inbound"
  | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
  | where Url has_any("drive.google.com","1drv.ms","onedrive.live.com")
  | take 100
```
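To make the rule's logic concrete, here is an offline model of the hunt in Python. It is an added example, not the Sentinel query or Microsoft code: it replays the subject-keyword match, the inbound-only filter, the join to EmailUrlInfo on NetworkMessageId, and the hosting-provider check over a handful of constructed records, and it also shows where the optional SenderIpv4 restriction and a sender-domain allowlist (an assumption, added to illustrate the false-positive tuning discussed below) fit before a hit is raised. Record keys mirror the column names used in the query; `SenderFromDomain`, `allowlisted_domains` and the sample values are assumptions.

```python
"""Offline model of the Snip3 aviation-lure hunt (added example, not the Sentinel query)."""
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Subject keywords from the hunting query (page values; the campaign may change them over time).
SUBJECT_TERMS = [
    "Cargo Charter", "Airbus Meeting", "WorldWide Symposium", "Airbus Family",
    "Flight Request", "Advice from NetJets", "May/ACMI", "AIRCRAFT PRESENTATION",
    "Airworthiness", "Air Quote", "RFQ #9B17811",
]

# Legitimate hosting providers whose links the campaign abused (page values).
SHARE_HOSTS = ("drive.google.com", "1drv.ms", "onedrive.live.com")


def subject_matches(subject: str) -> bool:
    """Case-insensitive keyword check approximating KQL `Subject has_any(SubjectTerms)`.

    KQL has_any is a term match; a substring check is slightly broader, which is the
    safer direction for a hunt (tune the term list rather than the matcher).
    """
    s = subject.lower()
    return any(term.lower() in s for term in SUBJECT_TERMS)


def url_on_share_host(url: str) -> bool:
    """True if the URL's host is one of the abused providers or a subdomain of one.

    Parsing the host is stricter than KQL `Url has_any(...)`: a link such as
    https://other.example/?ref=drive.google.com is not counted as a hit.
    """
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SHARE_HOSTS)


def hunt(email_events: Iterable[dict], email_url_info: Iterable[dict],
         sender_ip: str = None, allowlisted_domains: Iterable[str] = (), limit: int = 100) -> List[dict]:
    """Replay the query: inbound + subject keyword + join on NetworkMessageId + share-host URL.

    sender_ip           -> the optional SenderIpv4 restriction from the query
    allowlisted_domains -> assumed exclusion list of known-good sender domains (FP tuning)
    limit               -> mirrors `| take 100`
    """
    urls_by_msg: Dict[str, List[str]] = {}
    for rec in email_url_info:  # join key is NetworkMessageId
        urls_by_msg.setdefault(rec["NetworkMessageId"], []).append(rec["Url"])

    allow = {d.lower() for d in allowlisted_domains}
    hits: List[dict] = []
    for ev in email_events:
        if ev.get("EmailDirection") != "Inbound":
            continue
        if not subject_matches(ev.get("Subject", "")):
            continue
        if sender_ip is not None and ev.get("SenderIpv4") != sender_ip:
            continue
        if ev.get("SenderFromDomain", "").lower() in allow:
            continue
        matched = [u for u in urls_by_msg.get(ev["NetworkMessageId"], []) if url_on_share_host(u)]
        if matched:
            hits.append({"NetworkMessageId": ev["NetworkMessageId"],
                         "Subject": ev["Subject"], "Urls": matched})
        if len(hits) >= limit:
            break
    return hits


# Constructed sample records (not real telemetry); the IP on m1 is the one named in the query.
SAMPLE_EVENTS = [
    {"NetworkMessageId": "m1", "EmailDirection": "Inbound", "Subject": "Re: Flight Request - Cargo Charter May/ACMI",
     "SenderIpv4": "192.145.239.18", "SenderFromDomain": "lure.example"},
    {"NetworkMessageId": "m2", "EmailDirection": "Inbound", "Subject": "AIRCRAFT PRESENTATION",
     "SenderIpv4": "198.51.100.7", "SenderFromDomain": "lure.example"},  # link not on a share host
    {"NetworkMessageId": "m3", "EmailDirection": "Outbound", "Subject": "Airworthiness certificate",
     "SenderIpv4": "", "SenderFromDomain": "corp.example"},  # outbound, ignored
    {"NetworkMessageId": "m4", "EmailDirection": "Inbound", "Subject": "Airworthiness review",
     "SenderIpv4": "203.0.113.5", "SenderFromDomain": "other.example"},  # host only in query string
    {"NetworkMessageId": "m5", "EmailDirection": "Inbound", "Subject": "Weekly newsletter",
     "SenderIpv4": "203.0.113.9", "SenderFromDomain": "news.example"},  # no keyword
    {"NetworkMessageId": "m6", "EmailDirection": "Inbound", "Subject": "RFQ #9B17811",
     "SenderIpv4": "203.0.113.20", "SenderFromDomain": "partner.example"},  # hit unless allowlisted
]
SAMPLE_URLS = [
    {"NetworkMessageId": "m1", "Url": "https://drive.google.com/file/d/CONSTRUCTED/view"},
    {"NetworkMessageId": "m2", "Url": "https://files.example/quote.pdf"},
    {"NetworkMessageId": "m3", "Url": "https://onedrive.live.com/?id=CONSTRUCTED"},
    {"NetworkMessageId": "m4", "Url": "https://other.example/?ref=drive.google.com"},
    {"NetworkMessageId": "m5", "Url": "https://1drv.ms/u/CONSTRUCTED"},
    {"NetworkMessageId": "m6", "Url": "https://1drv.ms/u/CONSTRUCTED2"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, SAMPLE_URLS):
        print(hit["NetworkMessageId"], hit["Subject"], hit["Urls"])
```

Run without filters the model returns m1 and m6; adding `sender_ip="192.145.239.18"` narrows it to m1, as the commented-out restriction in the query would, and an allowlist containing `partner.example` drops m6 instead. Note that host parsing in `url_on_share_host` deliberately rejects m4, where the provider name only appears in a query-string parameter, which the KQL `has_any` on the raw Url string would accept.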
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| EmailUrlInfo | Ensure this data connector is enabled |
Scenario: Legitimate Snip3-like tool usage by IT administrators
Description: An IT administrator uses a tool named "Snip3" (a legitimate system monitoring or log analysis tool) to collect system logs for troubleshooting.
Filter/Exclusion: `process.name != "Snip3" or process.name contains "syslog" or process.name contains "log" or process.name contains "monitor"`

Scenario: Scheduled backup job using Snip3-like script
Description: A scheduled backup job runs a script named "Snip3_backup.sh" that copies files to a remote server for archival purposes.
Filter/Exclusion: `process.name contains "backup" or process.name contains "archive" or process.name contains "snapshot" or process.parent_process contains "crontab" or process.parent_process contains "schtasks"`

Scenario: Admin task involving Snip3-like command-line tool
Description: A system administrator uses a command-line tool named "Snip3" to perform network diagnostics or system health checks.
Filter/Exclusion: `process.name contains "diag" or process.name contains "health" or process.name contains "network" or process.name contains "ping" or process.name contains "tracert"`

Scenario: False positive from a third-party application using a similar name
Description: A third-party application (e.g., "Snip3 Analytics") is used for data visualization and mistakenly triggers the rule due to a similar name.
Filter/Exclusion: `process.name contains "Analytics" or process.name contains "Visualization" or process.name contains "Data" or process.name contains "Report"`

Scenario: Legitimate remote access tool with similar behavior
Description: A legitimate remote access tool like "LogMeIn" or "TeamViewer" is used by an admin to access a remote system, and its behavior matches the rule's detection logic.
Filter/Exclusion: `process.name contains "LogMeIn" or "TeamViewer" or`