Snip3 malware establishes unauthorized network connections to exfiltrate data or to set up command-and-control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel so that Snip3 infections are detected and mitigated before significant data loss or system compromise occurs.
KQL Query

```kusto
DeviceNetworkEvents
| where InitiatingProcessFileName in ("RegSvcs.exe","RegAsm.exe", "InstallUtil.exe")
| where InitiatingProcessCommandLine in ("\"RegAsm.exe\"","\"RegSvcs.exe\"","\"InstallUtil.exe\"")
| where InitiatingProcessParentFileName endswith "Powershell.exe"
```
```yaml
id: c65bea99-26b2-4c48-a114-02eccc2023c0
name: snip3-malicious-network-connectivity
description: |
  Snip3 is a family of related remote access trojans. Although the malware in this family contains numerous small variations, all of its members exhibit similar behaviors and techniques.
  The following query looks for potentially hollowed processes that may be used to facilitate command-and-control or exfiltration by Snip3 malware. This technique has been used in recent cases to exfiltrate data, including credentials.
  The query may return additional malware or campaigns not necessarily associated with Snip3. However, Microsoft recommends triaging all non-benign results as potential malware.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Command and control
  - Exfiltration
query: |
  DeviceNetworkEvents
  | where InitiatingProcessFileName in ("RegSvcs.exe","RegAsm.exe", "InstallUtil.exe")
  | where InitiatingProcessCommandLine in ("\"RegAsm.exe\"","\"RegSvcs.exe\"","\"InstallUtil.exe\"")
  | where InitiatingProcessParentFileName endswith "Powershell.exe"
```
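The query above returns one raw row per connection, which is hard to triage when a hollowed process beacons repeatedly. The following is an added triage variant, not part of the original Sentinel query or of Microsoft's hunting content: it keeps the same three process conditions and summarizes matches per device and process instance so an analyst can see how many distinct remote endpoints each suspect process contacted. Column names are taken from the DeviceNetworkEvents schema; the 7-day window and the set-size limits are arbitrary choices for this example.

```kusto
// Added triage variant of the Snip3 hunt (example, not the original query).
// Same three process conditions; output is aggregated per device and process.
let lookback = 7d;                                   // assumed window
let hollowHosts = dynamic(["RegSvcs.exe", "RegAsm.exe", "InstallUtil.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (hollowHosts)
// A bare, quoted image name with no arguments is the hollowing tell:
// genuine use of these .NET utilities passes an assembly path or switches.
| where InitiatingProcessCommandLine in ("\"RegAsm.exe\"", "\"RegSvcs.exe\"", "\"InstallUtil.exe\"")
| where InitiatingProcessParentFileName endswith "powershell.exe"   // endswith is case-insensitive
| summarize
    FirstSeen       = min(Timestamp),
    LastSeen        = max(Timestamp),
    Connections     = count(),
    RemoteEndpoints = make_set(strcat(RemoteIP, ":", tostring(RemotePort)), 25),
    RemoteUrls      = make_set(RemoteUrl, 25),
    Actions         = make_set(ActionType, 10)
    by DeviceName, InitiatingProcessAccountName,
       InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessSHA256,
       InitiatingProcessParentFileName
| extend DistinctEndpoints = array_length(RemoteEndpoints)
// Many distinct endpoints from one hollowed process is a stronger signal
// than a single connection, so surface those rows first.
| order by DistinctEndpoints desc, LastSeen desc
```

The InitiatingProcessSHA256 column is kept in the grouping so that a hit can be checked against the hash of the signed .NET utility on disk: a hollowed process still reports the legitimate image hash, which is exactly why the command-line and parent conditions, not the hash, carry the detection.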
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
False-positive scenarios

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate remote access tool usage | An admin is using a legitimate remote access tool like TeamViewer or AnyDesk to support remote users. | Exclude connections to known remote access tool IPs or domains (e.g., teamviewer.com, anydesk.com) using a dest_ip or dest_domain filter. |
| Scheduled system maintenance job | A scheduled job (e.g., schtasks.exe) is connecting to a remote server to perform updates or backups. | Exclude connections initiated by schtasks.exe using a process_name filter or check for command_line containing schtasks. |
| Software update via enterprise proxy | A software update (e.g., from Microsoft Update or Patch Management) is being pulled through a corporate proxy. | Exclude traffic to known update servers (e.g., windowsupdate.microsoft.com) using a dest_domain filter or check for user_agent containing "Windows Update". |
| Admin using PowerShell for remote management | An admin is using PowerShell (powershell.exe) to remotely manage a server, which may involve outbound connections. | Exclude connections initiated by powershell.exe using a process_name filter or check for command_line containing Invoke-Command or Enter-PSSession. |
| Database replication or synchronization | A database replication task (e.g., SQL Server Replication) is establishing a connection to a remote database server. | Exclude connections to known database servers (e.g., sqlserver.example.com) using a dest_ip or dest_domain |
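The scenarios above use generic field names (dest_ip, dest_domain, process_name); in DeviceNetworkEvents the corresponding columns are RemoteIP, RemoteUrl and InitiatingProcessFileName. The following is an added tuning example, not part of the original page, that applies destination-based exclusions to the hunt while leaving the process conditions untouched. The allowlisted domains, CIDR ranges and device name are constructed sample values. Two of the scenarios do not translate directly: the hunt already restricts the initiating process to the three .NET utilities, so a process_name exclusion for schtasks.exe or powershell.exe matches nothing, and PowerShell is the expected parent, so excluding it at the parent level would suppress the detection entirely. Tune on destinations, and on specific devices or accounts where a known job is documented.

```kusto
// Added tuning example (not part of the original Sentinel query).
// Exclusions are applied to destinations and documented hosts only;
// the three process conditions stay exactly as in the original hunt.
// All allowlist values below are constructed placeholders for this example.
let allowedDomainRegex = @"(^|\.)(teamviewer\.com|anydesk\.com|windowsupdate\.microsoft\.com|sqlserver\.example\.com)$";
let allowedRanges = dynamic(["10.20.0.0/16", "192.0.2.0/24"]);   // sample proxy / DB subnets
let documentedDevices = dynamic(["build-server-01"]);             // sample host with a known job
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("RegSvcs.exe", "RegAsm.exe", "InstallUtil.exe")
| where InitiatingProcessCommandLine in ("\"RegAsm.exe\"", "\"RegSvcs.exe\"", "\"InstallUtil.exe\"")
| where InitiatingProcessParentFileName endswith "Powershell.exe"
// Suffix-anchored regex: matches the domain and its subdomains, but not
// look-alikes such as teamviewer.com.example.net.
| extend RemoteHost = tolower(RemoteUrl)
| extend AllowlistedDomain = isnotempty(RemoteHost) and RemoteHost matches regex allowedDomainRegex
// ipv4_is_in_any_range() returns null for an unparseable address; treat that as "not allowlisted".
| extend AllowlistedRange  = coalesce(ipv4_is_in_any_range(RemoteIP, allowedRanges), false)
| extend DocumentedDevice  = tolower(DeviceName) in (documentedDevices)
// Record why a row would be dropped so tuning decisions stay auditable.
| extend ExclusionReason = case(
    AllowlistedDomain, "allowlisted domain",
    AllowlistedRange,  "allowlisted IP range",
    DocumentedDevice,  "documented maintenance host",
    "")
| where isempty(ExclusionReason)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessParentFileName,
          RemoteHost, RemoteIP, RemotePort, ActionType
```

To review what the allowlist is suppressing, flip the final filter to `| where isnotempty(ExclusionReason)` and summarize by ExclusionReason; an exclusion that drops rows for a destination nobody can account for should be removed rather than kept.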