Query Details
Daggerfly IOC Detection
Query
//This query searches for Daggerfly threat actor indicators
//Checks file and network events against known hashes and IPs
let MD5_IOCs = dynamic(['12c2e058e0665bcbff3dbee38a1ef754',
'5535bbcf24a5767df085a1e34804c913','784dc986f0006aa47c35e60080c7ebf2',
'9bf90d7ea1e0f7e5086ce70771f44101','a48ea150eae374e7a79d6d4859aae710',
'a6bdcda8b125a6f2cb6a4ff705446793','b7720de6a3d438aee46f01d78e8fa806',
'c4db2081fb0c38afe5c6f7ea21805eb4']);
let SHA1_IOCs = dynamic (['2069b0de0ac8ef8e9d341eb65160030bfc6fa44d',
'3e6f6df7c7961e6004ed0e0fa4f68567dde8c28b',
'4333c3fb9e776f101df482ce012c0ad68e1dbf4b',
'43918b183d9164304ca2aba65711c17038686a9f',
'57fc82494e459e56f1317134b0961d39bb78fe2a',
'9737887d7cfd359d6735b66e2746e9acccd3cc19',
'a035b12274c9a9c5094549d7bd1373ac5c5e280b',
'da0611a300a9ce9aa7a09d1212f203fca5856794']);
let SHA256_IOCs = dynamic(['003764fd74bf13cff9bf1ddd870cbf593b23e2b584ba4465114023870ea6fbef',
'0cabb6780b804d4ee285b0ddb00b02468f91b218bd2db2e2310c90471f7f8e74',
'1f5e4d2f71478518fe76b0efbb75609d3fb6cab06d1b021d6aa30db424f84a5e',
'3894a8b82338791764524fddac786a2c5025cad37175877959a06c372b96ef05',
'3a6605266184d967ab4643af2c73dafb8b7724d21c7aa69e58d78b84ebc06612',
'49079ea789e75736f8f8fad804da4a99db52cbaca21e1d2b6d6e1ea4db56faad',
'4c3b9a568d8911a2a256fdc2ebe9ff5911a6b2b63c7784da08a4daf692e93c1a',
'5687b32cdd5c4d1b3e928ee0792f6ec43817883721f9b86ec8066c5ec2791595',
'570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6',
'5c52e41090cdd13e0bfa7ec11c283f5051347ba02c9868b4fddfd9c3fc452191',
'65441ea5a7c0d08c1467e9154312ac9d3fdd3ca9188b4234b5944b767d135074',
'955cee70c82bb225ca2b108f987fbb245c48eefe9dc53e804bbd9d55578ea3a4',
'd8a49e688f214553a7525be96cadddec224db19bae3771d14083a2c4c45f28eb',
'dad13b0a9f5fde7bcdda3e5afa10e7d83af0ff39288b9f11a725850b1e6f6313',
'ef9aebcd9022080189af8aa2fb0b6594c3dfdc862340f79c17fb248e51fc9929',
'eff1c078895bbb76502f1bbad12be6aa23914a4d208859d848d5f087da8e35e0',
'fce66c26deff6a5b7320842bc5fa8fe12db991efe6e3edc9c63ffaa3cc5b8ced']);
let IP_IOCs = dynamic (['103.96.128.44','103.96.131.150',
'103.243.212.98']);
(union isfuzzy=true
(DeviceNetworkEvents
| where RemoteIP has_any (IP_IOCs)),
(DeviceFileEvents
| where MD5 has_any (MD5_IOCs)),
(DeviceFileEvents
| where SHA1 has_any (SHA1_IOCs)),
(DeviceFileEvents
| where SHA256 has_any (SHA256_IOCs))
) Explanation
This query is designed to detect potential threats from a specific threat actor known as "Daggerfly." It does this by checking network and file events against a predefined list of known malicious indicators. Here's a simple breakdown of what the query does:
-
Indicator Lists: It defines lists of known malicious indicators, including:
- MD5 hashes
- SHA1 hashes
- SHA256 hashes
- IP addresses
-
Event Sources: It examines two types of events:
- DeviceNetworkEvents: These are network-related events, such as connections to remote IP addresses.
- DeviceFileEvents: These are file-related events, such as file creation or modification.
-
Matching Process:
- For network events, it checks if the remote IP address matches any of the known malicious IPs.
- For file events, it checks if the file's hash (MD5, SHA1, or SHA256) matches any of the known malicious hashes.
-
Union of Results: It combines the results from these checks to provide a comprehensive view of any potential threats related to the Daggerfly threat actor.
In summary, the query is a security measure to identify suspicious activity by comparing network and file events against a set of known threat indicators associated with Daggerfly.
Details
Alexandros Pappas
Released: November 10, 2024
Tables
Keywords
Operators