Zinc Actor IOCs files - October 2022 (Kusto Query Language detection rule)
Identifies a match across filename and command-line IOCs related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1546 Event Triggered Execution |
| Privilege Escalation | T1546 Event Triggered Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 3 | Network connection |
| Security-Auditing | 5156 | The Windows Filtering Platform has permitted a connection. |
| Defender-DeviceNetworkEvents | 9004000 | Network activity (any) |
Stages and Predicates
Stage 1: source
<union>
Stage 2: union
union of 6 branches