This repository was archived by the owner on Nov 16, 2023. It is now read-only.

Commit 78bd638

Update detect-cyzfc-activity.md
1 parent 1841446 commit 78bd638

1 file changed: +17 -13 lines changed

Campaigns/detect-cyzfc-activity.md

Lines changed: 17 additions & 13 deletions
@@ -15,30 +15,34 @@ The following queries detect activity associated with the malicious DLL, *cyzfc.
1515
```Kusto
1616
​// Query 1: Events involving the DLL container
1717
let fileHash = "9858d5cb2a6614be3c48e33911bf9f7978b441bf";
18-
find in (FileCreationEvents, ProcessCreationEvents, MiscEvents,
19-
RegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)
18+
find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents,
19+
DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
2020
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
21-
| where EventTime > ago(10d)
21+
| where Timestamp > ago(10d)
22+
2223
// Query 2: C2 connection
23-
NetworkCommunicationEvents
24-
| where EventTime > ago(10d)
24+
DeviceNetworkEvents
25+
| where Timestamp > ago(10d)
2526
| where RemoteUrl == "pandorasong.com"
27+
2628
// Query 3: Malicious PowerShell
27-
ProcessCreationEvents
28-
| where EventTime > ago(10d)
29+
DeviceProcessEvents
30+
| where Timestamp > ago(10d)
2931
| where ProcessCommandLine contains
3032
"-noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJ"
33+
3134
// Query 4: Malicious domain in default browser commandline
32-
ProcessCreationEvents
33-
| where EventTime > ago(10d)
35+
DeviceProcessEvents
36+
| where Timestamp > ago(10d)
3437
| where ProcessCommandLine contains
3538
"https://www.jmj.com/personal/nauerthn_state_gov"
39+
3640
// Query 5: Events involving the ZIP
3741
let fileHash = "cd92f19d3ad4ec50f6d19652af010fe07dca55e1";
38-
find in (FileCreationEvents, ProcessCreationEvents, MiscEvents,
39-
RegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)
42+
find in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents,
43+
DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents)
4044
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
41-
| where EventTime > ago(10d
45+
| where Timestamp > ago(10d)
4246
```
4347

4448
## Category
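Review bot: the old line 41 filter `| where EventTime > ago(10d` was missing its closing parenthesis, and this hunk fixes it as a side effect of the rename to `| where Timestamp > ago(10d)`; please call that out in the commit message so the syntax fix is not hidden behind the schema migration (FileCreationEvents, ProcessCreationEvents, MiscEvents, RegistryEvents, NetworkCommunicationEvents and ImageLoadEvents to the Device* tables, EventTime to Timestamp). The renames are applied consistently in all five queries, and the blank lines added after each query keep them individually selectable in the editor. One style point for Query 1 and Query 5: the time window is appended after `find` as a separate `| where`, so the hash match is expressed over the six-table union first; folding it into the `find` predicate, e.g. `where Timestamp > ago(10d) and (SHA1 == fileHash or InitiatingProcessSHA1 == fileHash)`, states the 10-day bound up front alongside the hash condition and keeps the two queries symmetric with Queries 2 to 4, which already place the time filter immediately after the table name.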
@@ -65,4 +69,4 @@ This query can be used to detect the following attack techniques and tactics ([s
6569

6670
## Contributor info
6771

68-
**Contributor:** Microsoft Threat Protection team
72+
**Contributor:** Microsoft Threat Protection team
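Review bot: old line 68 and new line 72 carry identical visible text (`**Contributor:** Microsoft Threat Protection team`), so the change in this hunk is invisible here and is most likely trailing whitespace or a line-ending difference; confirm it is intentional, and if it is whitespace only, consider normalising line endings in the file so this line stops showing up as a change in future diffs.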
