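// AzureSentinel - Analytic Rules
// Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks
// Daxin comes in the form of a Windows kernel driver, a relatively rare format for malware nowadays.
// It implements advanced communications functionality, which both provides a high degree of stealth
// and permits the attackers to communicate with infected computers on highly secured networks, where
// direct internet connectivity is not available. These features are reminiscent of Regin, an advanced
// espionage tool discovered by Symantec in 2014 that others have linked to Western intelligence services.
//
// Detection logic: match file hashes seen in CommonSecurityLog (CEF FileHash) and in Sysmon event data
// against the published Daxin SHA256 indicators, then expose Account/Host/IP entities for Sentinel.
//
// NOTE: the indicator list MUST be a dynamic array. Kusto automatically concatenates adjacent string
// literals, so a list written as whitespace-separated literals becomes ONE long string and
// `FileHash in (SHA256Hash)` can never match. Comparisons are normalised to lower case because the
// IOCs are lower-case hex while Sysmon (and some CEF senders) emit upper-case hex.
let SHA256Hash = dynamic([
  "1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471",
  "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1",
  "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4",
  "0f82947b2429063734c46c34fb03b4fa31050e49c27af15283d335ea22fe0555",
  "3e7724cb963ad5872af9cfb93d01abf7cd9b07f47773360ad0501592848992f4",
  "447c3c5ac9679be0a85b3df46ec5ee924f4fbd8d53093125fd21de0bff1d2aad",
  "49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530",
  "5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae",
  "5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a",
  "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f",
  "7867ba973234b99875a9f5138a074798b8d5c65290e365e09981cceb06385c54",
  "7a08d1417ca056da3a656f0b7c9cf6cd863f9b1005996d083a0fc38d292b52e9",
  "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce",
  "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427",
  "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3",
  "cf00e7cc04af3f7c95f2b35a6f3432bef990238e1fa6f312faf64a50d495630a",
  "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e",
  "ea3d773438c04274545d26cc19a33f9f1dbbff2a518e4302addc1279f9950cef",
  "08dc602721c17d58a4bc0c74f64a7920086f776965e7866f68d1676eb5e7951f",
  "53d23faf8da5791578c2f5e236e79969289a7bba04eee2db25f9791b33209631",
  "7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376",
  "8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e",
  "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc",
  "9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51",
  "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c",
  "e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217"
]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where isnotempty(FileHash)
// CEF FileHash carries whatever algorithm the sender used; only SHA256 values can match this list.
| where tolower(FileHash) in (SHA256Hash)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
),
(Event
// This branch uses Sysmon data; depending on the connector/table used, the Source filter may need updating.
| where Source == "Microsoft-Windows-Sysmon"
// Pull the SHA256 out of the Sysmon 'Hashes' field ("SHA1=...,MD5=...,SHA256=...,IMPHASH=...").
// A regex over the raw EventData avoids two problems of the previous positional lookup:
//  - the Data index of 'Hashes' shifts between Sysmon schema versions / event IDs, and
//  - a parse anchored on a trailing ',' yields nothing when SHA256 is the last hash listed.
// It also compares the extracted hash (not the whole Hashes string) against the IOC list.
| extend SHA256 = extract(@"SHA256=([0-9A-Fa-f]{64})", 1, EventData)
| where isnotempty(SHA256)
| where tolower(SHA256) in (SHA256Hash)
| extend Account = UserName
)
)
| extend
timestamp = TimeGenerated,
AccountCustomEntity = Account,
HostCustomEntity = Computer,
IPCustomEntity = IPAddress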