Query Details
Daggerfly IOC Detection Sentinel
Query
//This query searches for Daggerfly threat actor indicators in Sentinel
//Checks file and network events against known hashes and IPs
let MD5_IOCs = dynamic(['12c2e058e0665bcbff3dbee38a1ef754',
'5535bbcf24a5767df085a1e34804c913','784dc986f0006aa47c35e60080c7ebf2',
'9bf90d7ea1e0f7e5086ce70771f44101','a48ea150eae374e7a79d6d4859aae710',
'a6bdcda8b125a6f2cb6a4ff705446793','b7720de6a3d438aee46f01d78e8fa806',
'c4db2081fb0c38afe5c6f7ea21805eb4']);
let SHA1_IOCs = dynamic (['2069b0de0ac8ef8e9d341eb65160030bfc6fa44d',
'3e6f6df7c7961e6004ed0e0fa4f68567dde8c28b',
'4333c3fb9e776f101df482ce012c0ad68e1dbf4b',
'43918b183d9164304ca2aba65711c17038686a9f',
'57fc82494e459e56f1317134b0961d39bb78fe2a',
'9737887d7cfd359d6735b66e2746e9acccd3cc19',
'a035b12274c9a9c5094549d7bd1373ac5c5e280b',
'da0611a300a9ce9aa7a09d1212f203fca5856794']);
let SHA256_IOCs = dynamic(['003764fd74bf13cff9bf1ddd870cbf593b23e2b584ba4465114023870ea6fbef',
'0cabb6780b804d4ee285b0ddb00b02468f91b218bd2db2e2310c90471f7f8e74',
'1f5e4d2f71478518fe76b0efbb75609d3fb6cab06d1b021d6aa30db424f84a5e',
'3894a8b82338791764524fddac786a2c5025cad37175877959a06c372b96ef05',
'3a6605266184d967ab4643af2c73dafb8b7724d21c7aa69e58d78b84ebc06612',
'49079ea789e75736f8f8fad804da4a99db52cbaca21e1d2b6d6e1ea4db56faad',
'4c3b9a568d8911a2a256fdc2ebe9ff5911a6b2b63c7784da08a4daf692e93c1a',
'5687b32cdd5c4d1b3e928ee0792f6ec43817883721f9b86ec8066c5ec2791595',
'570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6',
'5c52e41090cdd13e0bfa7ec11c283f5051347ba02c9868b4fddfd9c3fc452191',
'65441ea5a7c0d08c1467e9154312ac9d3fdd3ca9188b4234b5944b767d135074',
'955cee70c82bb225ca2b108f987fbb245c48eefe9dc53e804bbd9d55578ea3a4',
'd8a49e688f214553a7525be96cadddec224db19bae3771d14083a2c4c45f28eb',
'dad13b0a9f5fde7bcdda3e5afa10e7d83af0ff39288b9f11a725850b1e6f6313',
'ef9aebcd9022080189af8aa2fb0b6594c3dfdc862340f79c17fb248e51fc9929',
'eff1c078895bbb76502f1bbad12be6aa23914a4d208859d848d5f087da8e35e0',
'fce66c26deff6a5b7320842bc5fa8fe12db991efe6e3edc9c63ffaa3cc5b8ced']);
let IP_IOCs = dynamic (['103.96.128.44','103.96.131.150',
'103.243.212.98']);
(union isfuzzy=true
(DeviceNetworkEvents
| where RemoteIP has_any (IP_IOCs)),
(DeviceFileEvents
| where MD5 has_any (MD5_IOCs)),
(DeviceFileEvents
| where SHA1 has_any (SHA1_IOCs)),
(DeviceFileEvents
| where SHA256 has_any (SHA256_IOCs))
) Explanation
This query is designed to search for indicators of compromise (IOCs) associated with the Daggerfly threat actor within Microsoft Sentinel. It checks both file and network events against a predefined list of known malicious hashes and IP addresses. Here's a simple breakdown:
-
MD5_IOCs, SHA1_IOCs, SHA256_IOCs, and IP_IOCs: These are lists of known malicious hashes (MD5, SHA1, SHA256) and IP addresses associated with the Daggerfly threat actor.
-
DeviceNetworkEvents: The query looks at network events to see if any remote IP addresses match those in the IP_IOCs list.
-
DeviceFileEvents: The query examines file events to see if any file hashes match those in the MD5_IOCs, SHA1_IOCs, or SHA256_IOCs lists.
-
Union: The results from both network and file event checks are combined to provide a comprehensive view of potential threats related to Daggerfly.
In summary, the query is searching for any network or file activity that matches known threat indicators associated with the Daggerfly group.
Details
Alexandros Pappas
Released: November 10, 2024
Tables
Keywords
Operators