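// Chrysalis hunting query over the Defender device tables.
// Column names follow Microsoft Sentinel (TimeGenerated); in the Defender
// portal's advanced hunting the time column is Timestamp instead.
// Every union branch projects the same ten columns so that kind=inner
// (common columns only) does not silently drop anything.
//
// Known file hashes (SHA-256, lower-case hex as given on the page).
let MaliciousHashes = dynamic([
"a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9",
"8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e",
"2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924",
"77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e",
"3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad",
"9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600",
"f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a",
"4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906",
"831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd",
"0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd",
"4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8",
"e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda",
"078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5",
"b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3",
"7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd",
"fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a"
]);
// C2 infrastructure: exact IPs and the contacted hostnames.
let MaliciousIPs = dynamic([
"95.179.213.0",
"61.4.102.97",
"59.110.7.32",
"124.222.137.114"
]);
let MaliciousDomains = dynamic([
"api.skycloudcenter.com",
"api.wiresguard.com"
]);
// Compiler-style flags that must both appear in the svchost command line.
let SuspiciousArgs = dynamic(["-nostdlib", "-run"]);
union kind=inner
(
    // Process started from, or spawned by, a file with a known hash.
    // in~ is case-insensitive, so an upper-case hash on either side still
    // matches; plain `in` would miss it without any error.
    DeviceProcessEvents
    | where SHA256 in~ (MaliciousHashes)
        or InitiatingProcessSHA256 in~ (MaliciousHashes)
    | extend DetectionType = "Known Chrysalis Hash"
    | project TimeGenerated, DetectionType, DeviceName, FileName, FolderPath,
              SHA256, InitiatingProcessFileName, ProcessCommandLine,
              RemoteIP = "", RemoteUrl = ""
),
(
    // File written or modified with a known hash. The writing process is
    // available in this table, so keep it for triage instead of blanking it.
    DeviceFileEvents
    | where SHA256 in~ (MaliciousHashes)
    | extend DetectionType = "Known Chrysalis Hash (File)"
    | project TimeGenerated, DetectionType, DeviceName, FileName, FolderPath,
              SHA256, InitiatingProcessFileName,
              ProcessCommandLine = InitiatingProcessCommandLine,
              RemoteIP = "", RemoteUrl = ""
),
(
    // Outbound contact with the C2 IPs or hostnames. has_any matches whole
    // terms, so a listed host also matches when it sits inside a longer URL.
    // The initiating process (not a file event) is what the row describes,
    // so its path/hash/command line populate the shared columns.
    DeviceNetworkEvents
    | where RemoteIP in (MaliciousIPs)
        or RemoteUrl has_any (MaliciousDomains)
    | extend DetectionType = "Chrysalis C2 Network"
    | project TimeGenerated, DetectionType, DeviceName,
              FileName = InitiatingProcessFileName,
              FolderPath = InitiatingProcessFolderPath,
              SHA256 = InitiatingProcessSHA256,
              InitiatingProcessFileName,
              ProcessCommandLine = InitiatingProcessCommandLine,
              RemoteIP, RemoteUrl
),
(
    // svchost.exe running outside the two system directories with compiler
    // flags and a .c source argument. The source path may be quoted on the
    // command line, so the regex accepts a closing quote after ".c" as well
    // as whitespace or end of string.
    DeviceProcessEvents
    | where FileName =~ "svchost.exe"
    | where FolderPath !startswith @"C:\Windows\System32"
    | where FolderPath !startswith @"C:\Windows\SysWOW64"
    | where ProcessCommandLine has_all (SuspiciousArgs)
    | where ProcessCommandLine matches regex @'\.c(\s|"|$)'
    | extend DetectionType = "Suspicious svchost Execution"
    | project TimeGenerated, DetectionType, DeviceName, FileName, FolderPath,
              SHA256, InitiatingProcessFileName, ProcessCommandLine,
              RemoteIP = "", RemoteUrl = ""
)
| order by TimeGenerated desc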