Deimos Component Execution
Jupyter, also known as SolarMarker, is a malware family and cluster of components with info-stealing and backdoor capabilities. It spreads mainly through search engine optimization (SEO) manipulation and malicious advertising that lure users into downloading malicious templates and documents. It has been in circulation since 2020 and remains active as of 2021.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter |
| Collection | T1005 Data from Local System |
| Exfiltration | T1020 Automated Exfiltration |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Defender-DeviceEvents | 9007003 | AMSI script content captured |
Stages and Predicates
| Stage | Operator | Predicate |
|---|---|---|
| 1 | source | DeviceEvents |
| 2 | where | InitiatingProcessFileName eq "powershell.exe" |
| 3 | where | ActionType eq "AmsiScriptContent" |
| 4 | where | AdditionalFields ends_with "[mArS.deiMos]::inteRaCt()\"}" |
| 5 | project | |
| 6 | extend | |
| 7 | extend | |
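The four filtering stages above, implemented as a plain Python predicate over constructed DeviceEvents-style rows so the matching logic can be exercised offline. This is an added example, not code from the rule catalog or from any Defender tooling; the sample rows are made up, and the "ScriptContent" key inside AdditionalFields is an assumption about how the AMSI capture is serialised. The suffix test is done case-insensitively to mirror KQL's endswith operator (which ignores case; endswith_cs is the case-sensitive form), while the two eq predicates are exact comparisons like KQL's ==, so a mixed-case initiating process name would only be caught by the case-insensitive =~ operator.

```python
import json

# Ending of the AMSI-captured script that the rule anchors on. The trailing
# "} is the close of the JSON object in AdditionalFields, which is why the
# rule's predicate uses ends_with rather than a plain contains.
DEIMOS_SUFFIX = '[mArS.deiMos]::inteRaCt()"}'


def _additional_fields(script_content):
    """Serialise a script capture the way AdditionalFields carries it.

    The "ScriptContent" key is an assumption for this example, not a
    documented Defender field name."""
    return json.dumps({"ScriptContent": script_content})


# Constructed sample events (not real telemetry). DeviceName is used only to
# identify rows in the results.
SAMPLE_EVENTS = [
    {   # expected to match: PowerShell, AMSI capture, Deimos interact call last
        "DeviceName": "ws01",
        "ActionType": "AmsiScriptContent",
        "InitiatingProcessFileName": "powershell.exe",
        "AdditionalFields": _additional_fields("$x = 1; [mArS.deiMos]::inteRaCt()"),
    },
    {   # not a match: same script content, but not launched from powershell.exe
        "DeviceName": "ws02",
        "ActionType": "AmsiScriptContent",
        "InitiatingProcessFileName": "wscript.exe",
        "AdditionalFields": _additional_fields("[mArS.deiMos]::inteRaCt()"),
    },
    {   # not a match: benign script content
        "DeviceName": "ws03",
        "ActionType": "AmsiScriptContent",
        "InitiatingProcessFileName": "powershell.exe",
        "AdditionalFields": _additional_fields("Get-Process | Sort-Object CPU"),
    },
    {   # matches only under case-insensitive endswith semantics
        "DeviceName": "ws04",
        "ActionType": "AmsiScriptContent",
        "InitiatingProcessFileName": "powershell.exe",
        "AdditionalFields": _additional_fields("[Mars.Deimos]::Interact()"),
    },
    {   # not a match: right process and script, wrong ActionType
        "DeviceName": "ws05",
        "ActionType": "ProcessCreated",
        "InitiatingProcessFileName": "powershell.exe",
        "AdditionalFields": _additional_fields("[mArS.deiMos]::inteRaCt()"),
    },
]


def matches_deimos_rule(event, case_insensitive_suffix=True):
    """Apply stages 2-4 of the rule to one DeviceEvents row.

    eq predicates are exact (KQL ==); the ends_with predicate is
    case-insensitive by default (KQL endswith) and exact when
    case_insensitive_suffix is False (KQL endswith_cs)."""
    if event.get("InitiatingProcessFileName") != "powershell.exe":
        return False
    if event.get("ActionType") != "AmsiScriptContent":
        return False
    fields = event.get("AdditionalFields", "")
    if case_insensitive_suffix:
        return fields.lower().endswith(DEIMOS_SUFFIX.lower())
    return fields.endswith(DEIMOS_SUFFIX)


def run_rule(events, case_insensitive_suffix=True):
    """Stage 1 (source) plus the where stages: return the matching rows."""
    return [e for e in events if matches_deimos_rule(e, case_insensitive_suffix)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["InitiatingProcessFileName"])
```

Running the block yields two hits (ws01 and ws04); switching the suffix comparison to the case-sensitive form drops ws04, which is the difference between endswith and endswith_cs that a rule author should settle on deliberately.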
Indicators
Each row is a field, operator and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Value |
|---|---|---|
| ActionType | eq | "AmsiScriptContent" |
| AdditionalFields | ends_with | "[mArS.deiMos]::inteRaCt()\"}" |
| InitiatingProcessFileName | eq | "powershell.exe" |