Merge pull request #264014 from vhorne/fw-malware

add detect malware

Author: v-dirichards

articles/firewall/detect-malware-with-sentinel.md

@@ -0,0 +1,138 @@
+---
+title: Detect malware with Microsoft Sentinel for Azure Firewall
+description: This article shows you how you can detect malware with the Azure Firewall solution for Microsoft Sentinel.
+author: vhorne
+ms.author: victorh
+ms.service: firewall
+ms.topic: how-to
+ms.date: 01/23/2024
+---
+
+# Detect malware with Microsoft Sentinel for Azure Firewall
+
+Malware is any software that is designed to cause damage, disruption, or compromise the security and functionality of computer systems, networks, or devices. It includes diverse types of threats, such as viruses, worms, trojans, ransomware, spyware, adware, rootkits, and more. Malware can have various negative impacts, such as stealing sensitive data, encrypting, or deleting files, displaying unwanted ads, slowing down performance, or even taking control of the device.
+
+It's important to identify and eliminate malware from a system or network, which you can do by employing various detection techniques, such as signature-based, behavior-based, heuristic-based, or machine learning-based techniques. Malware detection is vital for protecting the security and privacy of users, as well as the integrity and availability of systems and networks.
+
+The Azure Firewall IDPS feature automatically detects and denies malware by default and can prevent the cloud workloads from being infected. You can further enhance this capability by employing automated detection and response using prebuilt detection queries and Microsoft Sentinel. In this article, you explore how to detect some common malware found in Azure Firewall logs such as `Coinminer`, `Cl0p` and `Sunburst` using predefined KQL detection queries for Azure Firewall.
+
+These detections enable security teams to receive Sentinel alerts when machines on the internal network request connections to domain names or IP addresses on the Internet that are linked to known Indicators of Compromise (IOCs), as defined in the detection rule query. True positive detections should be regarded as Indicators of Compromise (IOCs). Then, security incident response teams can initiate a response and implement appropriate custom remediation actions based on these detection signals.
+
+
+
+For instructions to deploy the analytic rules using the following queries, see [Detect new threats using Microsoft Sentinel with Azure Web Application Firewall](../web-application-firewall/waf-new-threat-detection.md).
+
+## Common malware exploits
+
+The following malware exploits are common on today's networks.
+
+### `Coinminer`
+
+Due to the recent surge in cryptocurrency mining, there's an increasing need for high-performance network processing units. Distributed computing is expanding and the widespread availability of mining software, both in legal and illegal contexts. 
+
+`Coinminer` represents a type of malware that uses the hardware resources of an unwitting victim's computer for cryptocurrency mining. The graphics processing unit (GPU) of the unsuspecting user's PC is used to run various scripts aimed at mining cryptocurrencies and calculating transaction block hashes. 
+
+To mitigate the risk of these threats, proactive measures should be implemented at the typical entry points. This includes ensuring that Jupyter software is deployed with proper authentication, configuring, and updating web applications to minimize vulnerabilities, controlling external access to Docker, and following extra Zero Trust principles.
+
+The following detection query can be used to create an analytics rule in Sentinel to automatically detect and respond to this malware using Azure Firewall logs.
+
+```
+// Coinminer Detection Rule
+// Detects suspicious traffic patterns associated with coinmining activity in Azure Firewall logs for Sentinel
+
+let coinminerPorts = dynamic(["2375", "2376", "2377", "4243", "4244"]); // List of known coinminer ports  
+//Assign the known domains to a variable
+let coinminerdomains = dynamic(["teamtnt.red", "kaiserfranz.cc", "45.9.148.123"]); // List of known coinminer domains  
+
+(union isfuzzy=true 
+
+(AzureDiagnostics  
+| where ResourceType == "AZUREFIREWALLS"  
+| where Category == "AzureFirewallApplicationRule" 
+| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action 
+| extend action_s = column_ifexists("action_s", ""), transactionId_g = column_ifexists("transactionId_g", "")  
+| where DestinationPort in (coinminerPorts) // Filter traffic on known coinminer ports  
+| summarize CoinminerAttempts = count() by DestinationHost, DestinationPort  
+| where CoinminerAttempts > 10 // Adjust threshold as needed  
+), 
+
+(AZFWIdpsSignature 
+| where DestinationPort in (coinminerPorts) 
+| summarize CoinminerAttempts = count() by DestinationIp, DestinationPort 
+| where CoinminerAttempts > 10 // Adjust threshold as needed   
+
+), 
+
+(AzureDiagnostics  
+| where ResourceType == "AZUREFIREWALLS"  
+| where Category == "AzureFirewallDnsProxy"  
+| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Response_Code " " Response_Flags " " Response_Size " " Response_Duration  
+| where Request_Name has_any(coinminerdomains)  
+| extend DNSName = Request_Name  
+| extend IPCustomEntity = ClientIP  
+
+),  
+
+(AzureDiagnostics  
+| where ResourceType == "AZUREFIREWALLS"  
+| where Category == "AzureFirewallApplicationRule"  
+| parse msg_s with Protocol ' request from ' SourceHost ':' SourcePort 'to' DestinationHost ':' DestinationPort '. Action:' Action  
+| where isnotempty(DestinationHost)  
+| where DestinationHost has_any(coinminerdomains)  
+| extend DNSName = DestinationHost  
+| extend IPCustomEntity = SourceHost), 
+
+(AZFWApplicationRule 
+| where isnotempty(Fqdn) 
+| where Fqdn has_any (coinminerdomains)   
+| extend DNSName = Fqdn  
+| extend IPCustomEntity = SourceIp), 
+
+(AZFWDnsQuery 
+| where isnotempty(QueryName) 
+| where QueryName has_any (coinminerdomains) 
+| extend DNSName = QueryName 
+| extend IPCustomEntity = SourceIp 
+
+), 
+
+(AZFWIdpsSignature 
+| where DestinationIp has_any (coinminerdomains) 
+| extend DNSName = DestinationIp 
+| extend IPCustomEntity = SourceIp 
+
+), 
+
+(AZFWIdpsSignature 
+| where Description contains "coinminer" 
+| extend DNSName = DestinationIp 
+| extend IPCustomEntity = SourceIp 
+) 
+
+)
+```
+
+### `Cl0p`
+
+`Cl0p` is a ransomware that operates by applying distinctive encryption keys to the victim's files and then requesting a ransom for the files' decryption. It uses a vulnerability in the data transfer software MOVEit and sends spear phishing emails to numerous employees in the hope to deliver `cl0p`. Then it uses tools like `truebot` and `dewmode` to move laterally within the network and exfiltrate data. The ransomware encrypts files using the AES-256 encryption algorithm.
+
+ `Cl0p` vulnerabilities include CVE-2023-35036, CVE-2023-34362 and CVE-2023-35708. In June 2023, the FBI and CISA published a press release about this exploitation. The effects of `cl0p` ransomware are registered across several universities in the US Midwest and government organizations. Airlines, TV networks, and UK based retail stores are the latest victims of the `cl0p` ransomware gang.
+
+The following detection query can be used to create an analytics rule in Sentinel to automatically detect and respond to this malware using Azure Firewall logs.
+
+Detection Query for `Cl0p`: [Firewall Malware Detections for Sentinel/Detection - Analytic rule query for Cl0p.json](https://github.com/Azure/Azure-Network-Security/blob/master/Azure%20Firewall/Playbook%20-%20Firewall%20Malware%20Detections%20for%20Sentinel/Detection%20-%20Analytic%20rule%20query%20for%20Cl0p.json)
+
+## `Sunburst`
+
+This malware targets victims by using domain generation algorithm (DGA) strings to evade detection and establish a command-and-control backdoor attack. The DGA strings are often difficult for security tools to identify the domains used by the malware due to the pattern used in the syntax and their constant changing of the domain information.
+
+The following detection query can be used to create an analytics rule in Sentinel to automatically detect and respond to this malware using Azure Firewall logs.
+
+Detection Query for `Sunburst` Malware: [Firewall Malware Detections for Sentinel/Detection - Analytic rule query for Sunburst.json](https://github.com/Azure/Azure-Network-Security/blob/master/Azure%20Firewall/Playbook%20-%20Firewall%20Malware%20Detections%20for%20Sentinel/Detection%20-%20Analytic%20rule%20query%20for%20Sunburst.json)
+
+## Related content
+
+- [Azure Firewall with Microsoft Sentinel overview](firewall-sentinel-overview.md)
+- [Detect new threats using Microsoft Sentinel with Azure Web Application Firewall](../web-application-firewall/waf-new-threat-detection.md)
+- [Learn more about Microsoft Sentinel](../sentinel/overview.md)
+- [Azure network security documentation](../networking/security/index.yml)

articles/firewall/toc.yml

@@ -173,6 +173,8 @@ items:
       href: protect-azure-kubernetes-service.md
     - name: Protect Office 365
       href: protect-office-365.md
+    - name: Detect malware with Microsoft Sentinel
+      href: detect-malware-with-sentinel.md
   - name: Migrate
     items:
     - name: Migrate to Azure Firewall Premium