Query Details

Seashell Blizzard IRIDIUM PWS Win64 High Count

Query

// Seashell Blizzard (IRIDIUM) - PWS:Win64-HighCount
// https://www.linkedin.com/posts/activity-7198555614627651584-z6C7/

// Seashell Blizzard (IRIDIUM) is a high-impact threat actor linked to the Russian Federation that conducts global activities on behalf of Russian Military Intelligence Unit 74455 (GRU). Below are some KQL detections to complement the Threat Analytics Report.

// Persistence KQL Detection:

DeviceRegistryEvents 
| where ActionType == @"RegistryKeyCreated"
| where RegistryValueData contains "win32msa.exe"


// PWS:Win64/HighCount KQL Detection:

DeviceFileEvents 
| where SHA256 == "e62e418ffa87fdcfe14125ab8b429cb9d91a07088e13cd15423bd084c713564e" or FileName == "win32msa.exe"

Explanation

This query is designed to detect specific activities associated with a high-impact threat actor known as Seashell Blizzard (IRIDIUM), which is linked to Russian Military Intelligence Unit 74455 (GRU). The query includes two parts:

  1. Persistence Detection:
    • It looks for events where a registry key is created.
    • Specifically, it checks whether the registry value data contains "win32msa.exe".
  2. PWS:Win64/HighCount Detection:
    • It searches for file events where the file's SHA256 hash matches a specific value or the file name is "win32msa.exe".

In simple terms, this query helps identify if the threat actor has created a specific registry key or if a particular file (either by name or hash) is present on the device, which could indicate malicious activity.
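The following is an added example, not the author's query above: it runs the same two detections over constructed sample rows (so it can be tested without live telemetry) and then combines both signals per device, so a host showing both the file artifact and the persistence write sorts to the top. It assumes the Microsoft Defender XDR advanced hunting column names for DeviceRegistryEvents and DeviceFileEvents; it additionally matches RegistryValueSet events, because registry value data is populated on value-set events rather than on key-creation events.

```kql
// Added example, not the original page's query. Sample rows below are constructed, not real telemetry.
let TargetFile = "win32msa.exe";
let TargetHash = "e62e418ffa87fdcfe14125ab8b429cb9d91a07088e13cd15423bd084c713564e";
// Constructed sample registry events; replace with the real DeviceRegistryEvents table in production.
let SampleRegistryEvents = datatable(Timestamp:datetime, DeviceName:string, ActionType:string, RegistryKey:string, RegistryValueName:string, RegistryValueData:string)
[
    datetime(2024-08-01 10:00:00), "host01", "RegistryValueSet",   @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater", @"C:\ProgramData\win32msa.exe",
    datetime(2024-08-01 10:01:00), "host02", "RegistryKeyCreated", @"HKEY_LOCAL_MACHINE\SOFTWARE\Example", "", "",
];
// Constructed sample file events; replace with the real DeviceFileEvents table in production.
let SampleFileEvents = datatable(Timestamp:datetime, DeviceName:string, ActionType:string, FileName:string, FolderPath:string, SHA256:string)
[
    datetime(2024-08-01 09:59:00), "host01", "FileCreated", "win32msa.exe", @"C:\ProgramData",    "e62e418ffa87fdcfe14125ab8b429cb9d91a07088e13cd15423bd084c713564e",
    datetime(2024-08-01 11:00:00), "host03", "FileCreated", "notepad.exe",  @"C:\Windows\System32", "0000000000000000000000000000000000000000000000000000000000000000",
];
// Signal 1: persistence. Key-creation events carry no value data, so RegistryValueSet is included as well.
let PersistenceHits = SampleRegistryEvents
| where ActionType in ("RegistryKeyCreated", "RegistryValueSet")
| where RegistryValueData contains TargetFile
| project Timestamp, DeviceName, Signal = "Persistence",
          Evidence = strcat(RegistryKey, " [", RegistryValueName, "] = ", RegistryValueData);
// Signal 2: the file artifact by hash or by name (=~ is case-insensitive, since FileName casing varies).
let FileHits = SampleFileEvents
| where SHA256 =~ TargetHash or FileName =~ TargetFile
| project Timestamp, DeviceName, Signal = "PWS:Win64/HighCount",
          Evidence = strcat(FolderPath, @"\", FileName, " sha256=", SHA256);
// Combine both signals per device; devices with both signals are the strongest leads for triage.
union PersistenceHits, FileHits
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Signals = make_set(Signal), Evidence = make_set(Evidence) by DeviceName
| extend BothSignals = array_length(Signals) == 2
| order by BothSignals desc, FirstSeen asc
```

To run it against live data, drop the two datatable definitions and substitute DeviceRegistryEvents and DeviceFileEvents for the sample tables.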

Details


Steven Lim

Released: August 2, 2024

Tables

DeviceRegistryEvents, DeviceFileEvents

Keywords

DeviceRegistryEvents, DeviceFileEvents

Operators

==, contains, |, or
