The hypothesis is that a Microsoft Defender AV alert whose threat name matches a Europium actor indicator points to possible compromise by an advanced persistent threat actor using known malicious tooling. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity associated with targeted attacks.
KQL Query

```kusto
// Defender AV threat names attributed to the Europium actor.
let Europium_threats = dynamic(["TrojanDropper:ASP/WebShell!MSR", "Trojan:Win32/BatRunGoXml", "DoS:Win64/WprJooblash", "Ransom:Win32/Eagle!MSR", "Trojan:Win32/Debitom.A"]);
DeviceInfo
| extend DeviceName = tolower(DeviceName)
// SecurityAlert only names the device; join DeviceInfo for IP, logged-on users, etc.
| join kind=inner ( SecurityAlert
    | where ProviderName == "MDATP"
    | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
    | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
    | where ThreatName in~ (Europium_threats) or ThreatFamilyName in~ (Europium_threats)
    | extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, bin(TimeGenerated, 1d), CompromisedEntity, ProductName, Entities
// Split the FQDN into host and domain; DomainIndex is -1 when there is no dot.
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
```
```yaml
id: 186970ee-5001-41c1-8c73-3178f75ce96a
name: AV detections related to Europium actors
description: |
  'This query looks for Microsoft Defender AV detections related to Europium actors.
  In Microsoft Sentinel the SecurityAlert table includes only the device name of the affected device; this query joins the DeviceInfo table to connect other information such as device group, IP, etc. This allows the Microsoft Sentinel analyst to have more context related to the alert, if available.
  Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government '
severity: High
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - SecurityAlert
      - DeviceInfo
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1486
tags:
  - Europium
query: |
  let Europium_threats = dynamic(["TrojanDropper:ASP/WebShell!MSR", "Trojan:Win32/BatRunGoXml", "DoS:Win64/WprJooblash", "Ransom:Win32/Eagle!MSR", "Trojan:Win32/Debitom.A"]);
  DeviceInfo
  | extend DeviceName = tolower(DeviceName)
  | join kind=inner ( SecurityAlert
      | where ProviderName == "MDATP"
      | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
      | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
      | where ThreatName in~ (Europium_threats) or ThreatFamilyName in~ (Europium_threats)
      | extend CompromisedEntity = tolower(CompromisedEntity)
  ) on $left.DeviceName == $right.CompromisedEntity
  | summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, bin(TimeGenerated, 1d), CompromisedEntity, ProductName, Entities
  | extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: CompromisedEntity
      - identifier: HostName
        columnName: HostName
      - identifier: NTDomain
        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: PublicIP
version: 1.1.2
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Microsoft Security Research
    support:
        tier: Community
    categories:
        domains: [ "Security - Threat Intelligence" ]
```
| Sentinel Table | Notes |
|---|---|
| SecurityAlert | Ensure this data connector is enabled |
| DeviceInfo | Required for the join that adds device context |
Note that the SecurityAlert table carries no file path or process columns; the details referenced by the exclusions below are available only inside the Entities JSON column (or in the Defender portal), so they must be parsed out before they can be filtered on.

**Scenario: Legitimate software update process**
Description: A scheduled job or Windows Update task may trigger an AV detection when a legitimate update file is classified under one of the Europium-related threat names.
Filter/Exclusion: Exclude events where the file path is in a known Windows update directory (e.g., C:\Windows\Temp, C:\Windows\Update) or where the process is wuauclt.exe or svchost.exe.

**Scenario: Admin task using legitimate tools**
Description: An administrator may be using tools such as PowerShell or Task Scheduler for routine maintenance or configuration tasks that inadvertently trigger AV alerts.
Filter/Exclusion: Exclude events where the process is powershell.exe or taskhost.exe and the command line contains known admin tasks (e.g., schtasks, Get-Service, Get-EventLog).

**Scenario: False positive from third-party software**
Description: A third-party application (e.g., 7-Zip, WinRAR, or Notepad++) may be flagged because its file signature or behavior resembles malicious activity associated with the Europium actor.
Filter/Exclusion: Exclude events where the file name or path includes known third-party software names, or where the process is 7z.exe, rar.exe, or notepad++.exe.

**Scenario: Legitimate network scanning tool usage**
Description: Tools such as Nmap or Masscan may be used for authorized network discovery and may trigger AV alerts because of their scanning behavior.
Filter/Exclusion: Exclude events where the process is nmap.exe or masscan.exe and the command line includes scanning parameters (e.g., -sP, -sV, or -p).
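The following is an added example, not part of the rule above, showing how the exclusions listed in these scenarios can be applied to the same alerts. Since the rule's output exposes file and process details only inside the SecurityAlert Entities JSON, each alert is first expanded into its entities; the entity field names used (Type, Name, Directory, CommandLine) are assumed from the Sentinel alert entity schema and should be checked against your data, and the allow-lists are constructed from the scenarios and need tuning per environment.

```kusto
let Europium_threats = dynamic(["TrojanDropper:ASP/WebShell!MSR", "Trojan:Win32/BatRunGoXml", "DoS:Win64/WprJooblash", "Ransom:Win32/Eagle!MSR", "Trojan:Win32/Debitom.A"]);
// Allow-lists built from the false-positive scenarios (constructed; tune per environment).
let benign_images = dynamic(["wuauclt.exe", "svchost.exe", "7z.exe", "rar.exe", "notepad++.exe", "nmap.exe", "masscan.exe"]);
let admin_cmd_tokens = dynamic(["schtasks", "Get-Service", "Get-EventLog", "-sP", "-sV"]);
// Same alert selection as the rule above.
let EuropiumAlerts = SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName),
         ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (Europium_threats) or ThreatFamilyName in~ (Europium_threats);
// One row per (alert, entity). File entities are assumed to carry Name/Directory,
// process entities CommandLine; anything else in Entities (host, account, ip) is dropped.
let AlertArtifacts = EuropiumAlerts
| mv-expand Entity = parse_json(Entities)
| extend EntityType = tolower(tostring(Entity.Type))
| where EntityType in ("file", "process")
| extend FileName = tolower(tostring(Entity.Name)),
         Directory = tolower(tostring(Entity.Directory)),
         CommandLine = tostring(Entity.CommandLine)
| extend IsBenign = (EntityType == "file" and FileName in (benign_images))
                 or (EntityType == "file" and (Directory startswith @"c:\windows\temp" or Directory startswith @"c:\windows\update"))
                 or (EntityType == "process" and CommandLine has_any (admin_cmd_tokens))
| summarize Artifacts = count(), BenignArtifacts = countif(IsBenign),
            Items = make_set(strcat(EntityType, ":", coalesce(FileName, CommandLine)), 20) by SystemAlertId;
// Suppress an alert only when every file/process entity matched an allow-list.
// Alerts with no file/process entity have nothing to exclude on and are kept.
EuropiumAlerts
| join kind=leftouter AlertArtifacts on SystemAlertId
| where isnull(Artifacts) or BenignArtifacts < Artifacts
| project TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName, AlertSeverity, Items
```

Review the suppressed alerts periodically (invert the final `where`) so that an allow-list entry does not silently hide a real detection that happens to share a process name with benign tooling.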
**Scenario: False positive