|
| 1 | +# Detect activity associated with malicious DLL, cyzfc.dat |
| 2 | + |
| 3 | +These queries was originally published in the threat analytics report, *Attacks on gov't, think tanks, NGOs*. |
| 4 | + |
| 5 | +As described further in *[Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers](https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/)*, there was a very large spear-phishing campaign launched in November 2019. |
| 6 | + |
| 7 | +The attackers would gain access to a target by having the user click on a link to a compromised website and download a .zip archive. |
| 8 | + |
| 9 | +Once established on a target's device, the attackers used a malicious DLL named *cyzfc.dat* to execute additional payloads. They would call a function in the malicious DLL via the legitimate Windows process, [rundll32.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32), to connect directly to their command-and-control (C2) servers. |
| 10 | + |
| 11 | +The following queries detect activity associated with the malicious DLL, *cyzfc.dat.*, used in this campaign. |
| 12 | + |
| 13 | +## Query |
| 14 | + |
| 15 | +```Kusto |
| 16 | +// Query 1: Events involving the DLL container |
| 17 | +let fileHash = "9858d5cb2a6614be3c48e33911bf9f7978b441bf"; |
| 18 | +find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, |
| 19 | +DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents) |
| 20 | +where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash |
| 21 | +| where Timestamp > ago(10d) |
| 22 | +
|
| 23 | +// Query 2: C2 connection |
| 24 | +DeviceNetworkEvents |
| 25 | +| where Timestamp > ago(10d) |
| 26 | +| where RemoteUrl == "pandorasong.com" |
| 27 | +
|
| 28 | +// Query 3: Malicious PowerShell |
| 29 | +DeviceProcessEvents |
| 30 | +| where Timestamp > ago(10d) |
| 31 | +| where ProcessCommandLine contains |
| 32 | +"-noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJ" |
| 33 | +
|
| 34 | +// Query 4: Malicious domain in default browser commandline |
| 35 | +DeviceProcessEvents |
| 36 | +| where Timestamp > ago(10d) |
| 37 | +| where ProcessCommandLine contains |
| 38 | +"https://www.jmj.com/personal/nauerthn_state_gov" |
| 39 | +
|
| 40 | +// Query 5: Events involving the ZIP |
| 41 | +let fileHash = "cd92f19d3ad4ec50f6d19652af010fe07dca55e1"; |
| 42 | +find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, |
| 43 | +DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents) |
| 44 | +where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash |
| 45 | +| where Timestamp > ago(10d) |
| 46 | +``` |
| 47 | + |
| 48 | +## Category |
| 49 | + |
| 50 | +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. |
| 51 | + |
| 52 | +| Technique, tactic, or state | Covered? (v=yes) | Notes | |
| 53 | +|-|-|-| |
| 54 | +| Initial access | | | |
| 55 | +| Execution | v | | |
| 56 | +| Persistence | | | |
| 57 | +| Privilege escalation | | | |
| 58 | +| Defense evasion | | | |
| 59 | +| Credential Access | | | |
| 60 | +| Discovery | | | |
| 61 | +| Lateral movement | | | |
| 62 | +| Collection | | | |
| 63 | +| Command and control | | | |
| 64 | +| Exfiltration | | | |
| 65 | +| Impact | | | |
| 66 | +| Vulnerability | | | |
| 67 | +| Misconfiguration | | | |
| 68 | +| Malware, component | | | |
| 69 | + |
| 70 | +## Contributor info |
| 71 | + |
| 72 | +**Contributor:** Microsoft Threat Protection team |
0 commit comments