The hypothesis is that a Microsoft Defender AV alert whose threat name is one of the signatures Microsoft associates with Dev-0530 (Trojan:Win32/SiennaPurple.A, Ransom:Win32/SiennaBlue.A and Ransom:Win32/SiennaBlue.B) indicates that this actor's tooling has reached an endpoint. Because the AV detection fires before or during the ransomware stage (T1486), SOC teams should hunt for these alerts in Microsoft Sentinel and contain the affected host before encryption spreads.
KQL Query
let Dev0530_threats = dynamic(["Trojan:Win32/SiennaPurple.A", "Ransom:Win32/SiennaBlue.A", "Ransom:Win32/SiennaBlue.B"]);
SecurityAlert
// Only alerts from Microsoft Defender for Endpoint (provider "MDATP") carry the Defender AV ThreatName fields read below
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
// in~ compares case-insensitively, so casing differences in the reported threat name do not cause misses
| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)
// SecurityAlert reports the host name with the casing Defender saw; DeviceInfo may differ, so both sides are lower-cased before the join
| extend CompromisedEntity = tolower(CompromisedEntity)
| join kind=inner (DeviceInfo
| extend DeviceName = tolower(DeviceName)
) on $left.CompromisedEntity == $right.DeviceName
// DeviceInfo holds many snapshots per device; summarize collapses the duplicated alert rows the join produces
| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, ProductName, Entities
// Split the FQDN into the short host name and the DNS domain for the Host entity mapping; a name without a dot keeps the whole value in both
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project-away DomainIndex
id: 5f171045-88ab-4634-baae-a7b6509f483b
name: AV detections related to Dev-0530 actors
description: |
  'This query looks for Microsoft Defender AV detections related to Dev-0530 actors.
  In Microsoft Sentinel the SecurityAlert table carries only the device name of the affected host, so this query joins the DeviceInfo table to attach device group, IP, logged-on users and similar context to the alert, where available, giving the Microsoft Sentinel analyst more to work with.'
severity: High
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - SecurityAlert
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1486
tags:
  - Dev-0530 actors
query: |
  let Dev0530_threats = dynamic(["Trojan:Win32/SiennaPurple.A", "Ransom:Win32/SiennaBlue.A", "Ransom:Win32/SiennaBlue.B"]);
  SecurityAlert
  // Only alerts from Microsoft Defender for Endpoint (provider "MDATP") carry the Defender AV ThreatName fields read below
  | where ProviderName == "MDATP"
  | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
  | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
  // in~ compares case-insensitively, so casing differences in the reported threat name do not cause misses
  | where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)
  // Both sides are lower-cased because host name casing differs between SecurityAlert and DeviceInfo
  | extend CompromisedEntity = tolower(CompromisedEntity)
  | join kind=inner (DeviceInfo
  | extend DeviceName = tolower(DeviceName)
  ) on $left.CompromisedEntity == $right.DeviceName
  // DeviceInfo holds many snapshots per device; summarize collapses the duplicated alert rows the join produces
  | summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, ProductName, Entities
  // Split the FQDN into the short host name and the DNS domain for the Host entity mapping
  | extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
  | project-away DomainIndex
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: CompromisedEntity
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: PublicIP
version: 1.0.5
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
| Sentinel Table | Notes |
|---|---|
| SecurityAlert | Ensure the Microsoft 365 Defender (MicrosoftThreatProtection) data connector is enabled so MDATP alerts land in this table |
| DeviceInfo | Joined for device group, public IP and logged-on users; populated by the same connector's device data types |
Scenario: Scheduled system scan by Microsoft Defender AV
Description: A routine full scan runs on a server in the DevOps environment. A scan that finds nothing writes no SecurityAlert row and cannot trigger this rule; a scan that finds one of the three listed signatures is a genuine detection that must be investigated, not excluded.
Filter/Exclusion: None on scan activity. SecurityAlert has no ProcessName or EventID columns, so a filter such as `ProcessName == "MsMpEng.exe"` has nothing to match. If a host is expected to hold live samples, exclude it by device group from the joined DeviceInfo row, for example `| where MachineGroup !~ "Malware-Lab"` placed after the join ("Malware-Lab" is a placeholder group name).
Scenario: Admin task to update antivirus definitions
Description: An administrator runs MpCmdRun.exe to update Defender signatures on a device in the DevOps environment. A signature update produces no detection and therefore no SecurityAlert row, so this rule never sees it.
Filter/Exclusion: None required.
Scenario: CI/CD pipeline executing a malware scan
Description: A pipeline runs a static malware scan (ClamAV, or Microsoft Defender for Cloud scanning) as part of the build. ClamAV findings never reach SecurityAlert with ProviderName "MDATP", and Defender for Cloud alerts arrive under their own ProviderName, so the `ProviderName == "MDATP"` filter already drops both. A build agent fires this rule only if Defender AV itself flags one of the listed signatures on it, which is a real detection.
Filter/Exclusion: None required. If build agents are dedicated to handling samples, exclude their device group as above rather than matching the scanner's process name or source IP, neither of which exists in SecurityAlert.
Scenario: Legitimate use of PowerShell for system maintenance
Description: An administrator runs maintenance cmdlets (Get-ChildItem, Get-Service) that trip a Defender heuristic. Such a detection carries a heuristic ThreatName rather than one of the three Sienna names, so it does not match the `in~` list and needs no exclusion. An exclusion keyed on the Administrator account would in any case suppress exactly the sessions an intruder with stolen admin credentials uses.
Filter/Exclusion: None required.
Scenario: False positive from third-party tool integration
Description: A third-party AV product (Bitdefender, Kaspersky or Malwarebytes) runs alongside Microsoft Defender AV. That product's own detections are not MDATP alerts and are dropped by the ProviderName filter. If Defender AV flags the other product's quarantine store or signature files, the alert carries whatever signature Defender assigned, which matters here only when it is one of the three listed names; check the file path in the alert's Entities before treating such a hit as a false positive.
Filter/Exclusion: `ProcessName contains “bitdefender” or “k
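As an added example that is not part of the published rule, the following self-contained KQL reproduces the rule's provider filter, threat-name match, device join and host-name split against constructed rows, so the behaviour discussed in the scenarios above can be checked in any Kusto endpoint (a Log Analytics workspace, Kusto Explorer or a free Azure Data Explorer cluster) without a Defender tenant. `SampleSecurityAlert` and `SampleDeviceInfo` stand in for the real `SecurityAlert` and `DeviceInfo` tables; every row, host name, device id, IP address, tenant id and the `Malware-Lab` group name is constructed. It goes beyond the rule in two places: the right side of the join keeps only the latest DeviceInfo snapshot per device with `arg_max`, so one alert does not fan out into one row per snapshot, and a `MachineGroup` exclusion shows how to tune out a sample-analysis host without touching the threat list.

```kql
// Added example, not the published rule's code. All rows below are constructed.
let Dev0530_threats = dynamic(["Trojan:Win32/SiennaPurple.A", "Ransom:Win32/SiennaBlue.A", "Ransom:Win32/SiennaBlue.B"]);
// Stand-in for SecurityAlert: five alerts, only two of which should survive the rule plus tuning
let SampleSecurityAlert = datatable(
    TimeGenerated:datetime, ProviderName:string, DisplayName:string, AlertSeverity:string,
    Description:string, ProductName:string, CompromisedEntity:string, TenantId:string,
    Entities:string, ExtendedProperties:string)
[
    // 1: exact ThreatName match, FQDN entity with different casing than DeviceInfo
    datetime(2024-05-01T08:00:00Z), "MDATP", "Ransomware detected", "High",
    "Ransom:Win32/SiennaBlue.A was detected", "Microsoft Defender Advanced Threat Protection",
    "FS01.corp.example", "tenant-0001", "[]",
    '{"ThreatName":"Ransom:Win32/SiennaBlue.A","ThreatFamilyName":"SiennaBlue"}',
    // 2: lower-case ThreatName; in~ is case-insensitive so this still matches
    datetime(2024-05-01T09:30:00Z), "MDATP", "Ransomware detected", "High",
    "ransom:win32/siennablue.b was detected", "Microsoft Defender Advanced Threat Protection",
    "ws22.corp.example", "tenant-0001", "[]",
    '{"ThreatName":"ransom:win32/siennablue.b","ThreatFamilyName":"SiennaBlue"}',
    // 3: short host name (no dot) on a sample-analysis box; matched by the rule, removed by tuning
    datetime(2024-05-01T10:00:00Z), "MDATP", "Trojan detected", "High",
    "Trojan:Win32/SiennaPurple.A was detected", "Microsoft Defender Advanced Threat Protection",
    "LAB-SANDBOX", "tenant-0001", "[]",
    '{"ThreatName":"Trojan:Win32/SiennaPurple.A","ThreatFamilyName":"SiennaPurple"}',
    // 4: heuristic PowerShell detection; not in the list, must not fire
    datetime(2024-05-01T11:00:00Z), "MDATP", "Suspicious PowerShell", "Medium",
    "Behavior:Win32/Suspicious.PS was detected", "Microsoft Defender Advanced Threat Protection",
    "ws23.corp.example", "tenant-0001", "[]",
    '{"ThreatName":"Behavior:Win32/Suspicious.PS","ThreatFamilyName":"Suspicious"}',
    // 5: right threat name but a different provider; the ProviderName filter drops it
    datetime(2024-05-01T12:00:00Z), "OtherProvider", "Ransomware detected", "High",
    "Ransom:Win32/SiennaBlue.A was detected", "Third-party AV",
    "srv05.corp.example", "tenant-0001", "[]",
    '{"ThreatName":"Ransom:Win32/SiennaBlue.A","ThreatFamilyName":"SiennaBlue"}'
];
// Stand-in for DeviceInfo: note the two snapshots for fs01 and the mixed-case WS22 entry
let SampleDeviceInfo = datatable(
    TimeGenerated:datetime, DeviceName:string, DeviceId:string, PublicIP:string,
    MachineGroup:string, LoggedOnUsers:dynamic)
[
    datetime(2024-04-30T23:00:00Z), "fs01.corp.example", "dev-fs01", "203.0.113.10", "File Servers", dynamic([{"UserName":"svc_backup","DomainName":"CORP"}]),
    datetime(2024-05-01T07:00:00Z), "fs01.corp.example", "dev-fs01", "203.0.113.11", "File Servers", dynamic([{"UserName":"jdoe","DomainName":"CORP"}]),
    datetime(2024-05-01T07:00:00Z), "WS22.corp.example", "dev-ws22", "203.0.113.20", "Workstations", dynamic([{"UserName":"asmith","DomainName":"CORP"}]),
    datetime(2024-05-01T07:00:00Z), "lab-sandbox", "dev-lab01", "203.0.113.30", "Malware-Lab", dynamic([{"UserName":"analyst","DomainName":"LAB"}]),
    datetime(2024-05-01T07:00:00Z), "ws23.corp.example", "dev-ws23", "203.0.113.21", "Workstations", dynamic([{"UserName":"bwhite","DomainName":"CORP"}])
];
SampleSecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
| join kind=inner (
    SampleDeviceInfo
    | extend DeviceName = tolower(DeviceName)
    // Keep only the newest snapshot per device so the alert is enriched once, with current values
    | summarize arg_max(TimeGenerated, *) by DeviceName
    ) on $left.CompromisedEntity == $right.DeviceName
// Tuning exclusion: hosts in the sample-analysis group are expected to hold these files.
// Remove this line to see the short-host-name case: lab-sandbox appears with HostName and HostNameDomain both "lab-sandbox".
| where MachineGroup !~ "Malware-Lab"
| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, LoggedOnUsers = tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, ProductName, Entities, MachineGroup
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project-away DomainIndex
| project TimeGenerated, HostName, HostNameDomain, ThreatName, MachineGroup, PublicIP, LoggedOnUsers
| order by HostName asc
```

Run as-is the query returns two rows: `fs01` / `corp.example` with `Ransom:Win32/SiennaBlue.A`, PublicIP `203.0.113.11` and user `jdoe` (the newer snapshot, not `203.0.113.10` / `svc_backup`), and `ws22` / `corp.example` with the lower-case `ransom:win32/siennablue.b` that `in~` accepted. Alert 3 is dropped by the `MachineGroup` exclusion, alert 4 by the threat list and alert 5 by the provider filter. Replacing `arg_max` with the rule's plain `extend` and rerunning shows the fan-out: fs01 then appears twice, once per snapshot, because `PublicIP` and `LoggedOnUsers` differ between them and `summarize by` keeps both.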