Detection rules › Kusto

Midnight Blizzard - Script payload stored in Registry

Severity
medium
Time window
1d
Author
Shain
Source
github.com/Azure/Azure-Sentinel

This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution a malicious script References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

MITRE ATT&CK coverage

Event coverage

Rule body kusto

id: 00cb180c-08a8-4e55-a276-63fb1442d5b5
name: Midnight Blizzard - Script payload stored in Registry
description: |
  'This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution a malicious script
   References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
severity: Medium
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes: 
      - SecurityEvents 
  - connectorId: WindowsForwardedEvents
    dataTypes: 
      - WindowsEvent 
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
relevantTechniques:
  - T1059
tags:
  - Midnight Blizzard
query: |
  let cmdTokens0 = dynamic(['vbscript','jscript']);
  let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
  let cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);
  (union isfuzzy=true 
  (SecurityEvent
  | where TimeGenerated >= ago(14d)
  | where EventID == 4688
  | where CommandLine has @'\Microsoft\Windows\CurrentVersion'
  | where not(CommandLine has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
  // If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches
  //| where CommandLine has_any (cmdTokens0)
  //| where CommandLine has_all (cmdTokens1)
  | where CommandLine has_all (cmdTokens2)
  | project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
  ),
  (WindowsEvent
  | where TimeGenerated >= ago(14d)
  | where EventID == 4688 and EventData has_all(cmdTokens2) and  EventData has @'\Microsoft\Windows\CurrentVersion'
  | where not(EventData has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
  | extend CommandLine = tostring(EventData.CommandLine)
  | where CommandLine has @'\Microsoft\Windows\CurrentVersion'
  | where not(CommandLine has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
  // If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches
  //| where CommandLine has_any (cmdTokens0)
  //| where CommandLine has_all (cmdTokens1)
  | where CommandLine has_all (cmdTokens2)
  | extend Account =  strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Process=tostring(split(NewProcessName, '\\')[-1])
  | extend ParentProcessName = tostring(EventData.ParentProcessName)  
  | project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId)
  | extend Name = tostring(split(Account, "\\")[1]), NTDomain = tostring(split(Account, "\\")[0])
  | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')), HostName = tostring(split(Computer, '.', 0)[0]))
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Account
      - identifier: Name
        columnName: Name
      - identifier: NTDomain
        columnName: NTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: DnsDomain
version: 1.1.5
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Shain
    support:
        tier: Community
    categories:
        domains: [ "Security - Threat Intelligence" ]

Stages and Predicates

Stage 0: let

let cmdTokens0 = dynamic(['vbscript','jscript']);
let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
let cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);

Stage 1: union

union isfuzzy=true

Stage 2: source

SecurityEvent

Stage 3: where time_window=1209600s

| where TimeGenerated >= ago(14d)

Stage 4: where

| where EventID == 4688

Stage 5: where

| where CommandLine has @'\Microsoft\Windows\CurrentVersion'

Stage 6: where

| where not(CommandLine has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))

Stage 7: where

| where CommandLine has_all (cmdTokens2)

Stage 8: project

| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId

Stage 9: source

WindowsEvent

Stage 10: where time_window=1209600s

| where TimeGenerated >= ago(14d)

Stage 11: where

| where EventID == 4688 and EventData has_all(cmdTokens2) and  EventData has @'\Microsoft\Windows\CurrentVersion'

Stage 12: where

| where not(EventData has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))

Stage 13: extend

| extend CommandLine = tostring(EventData.CommandLine)

Stage 14: where

| where CommandLine has @'\Microsoft\Windows\CurrentVersion'

Stage 15: where

| where not(CommandLine has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))

Stage 16: where

| where CommandLine has_all (cmdTokens2)

Stage 17: extend

| extend Account =  strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)

Stage 18: extend

| extend NewProcessName = tostring(EventData.NewProcessName)

Stage 19: extend

| extend Process=tostring(split(NewProcessName, '\\')[-1])

Stage 20: extend

| extend ParentProcessName = tostring(EventData.ParentProcessName)

Stage 21: project

| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId

Stage 22: extend

extend Name = tostring(split(Account, "\\")[1]), NTDomain = tostring(split(Account, "\\")[0])

Stage 23: extend

| extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')), HostName = tostring(split(Computer, '.', 0)[0])

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

StageFieldKindExcluded values
6CommandLinematch\Software\Microsoft\Windows\CurrentVersion\Run, \Software\Microsoft\Windows\CurrentVersion\RunOnce
12EventDatamatch\Software\Microsoft\Windows\CurrentVersion\Run, \Software\Microsoft\Windows\CurrentVersion\RunOnce
15CommandLinematch\Software\Microsoft\Windows\CurrentVersion\Run, \Software\Microsoft\Windows\CurrentVersion\RunOnce

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • CreateObject corpus 3 (sigma 2, kusto 1)
  • Execute corpus 5 (kusto 3, sigma 2)
  • RegRead corpus 5 (kusto 3, sigma 2)
  • \Microsoft\Windows\CurrentVersion corpus 2 (sigma 1, kusto 1)
  • window.close corpus 5 (kusto 3, sigma 2)
EventDatamatch
  • CreateObject
  • Execute corpus 2 (kusto 2)
  • RegRead corpus 2 (kusto 2)
  • \Microsoft\Windows\CurrentVersion
  • window.close corpus 2 (kusto 2)
EventIDeq
  • 4688 transforms: cased corpus 312 (splunk 283, kusto 29)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
Accountproject
CommandLineproject
Computerproject
NewProcessNameproject
ParentProcessNameproject
Processproject
TimeGeneratedproject
_ResourceIdproject
NTDomainextend
Nameextend
DnsDomainextend
HostNameextend