The deimos-component-execution rule detects the execution of suspicious Jupyter (SolarMarker) components, which are associated with info-stealing and backdoor activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from a sophisticated and persistent malware family.
KQL Query

```kql
DeviceEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where ActionType == "AmsiScriptContent"
| where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()"}'
| project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields
```
```yaml
id: 0e86928c-cc9f-494c-a79e-04f647eb5ef8
name: deimos-component-execution
description: |
  Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities. It proliferates mainly through search engine optimization manipulation and malicious advertising that lure users into downloading malicious templates and documents. The malware has been prevalent since 2020 and was still active as of 2021.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
tactics:
  - Execution
  - Collection
  - Exfiltration
  - Impact
  - Malware, component
query: |
  DeviceEvents
  | where InitiatingProcessFileName =~ "powershell.exe"
  | where ActionType == "AmsiScriptContent"
  | where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()"}'
  | project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields
```
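As an added example (not part of the rule or the page's own code), the following Python emulates the query's three filters over constructed DeviceEvents rows, reproducing KQL operator semantics: `=~` is case-insensitive equality, `==` is case-sensitive, and `endswith` is case-insensitive (so the mixed-case marker also matches other casings; `endswith_cs` would not). The row layout and the `ScriptContent` JSON key inside `AdditionalFields` are assumptions for the sample data.

```python
import json

# Marker the rule looks for at the end of the AMSI-captured script content.
MARKER = '[mArS.deiMos]::inteRaCt()"}'
PROJECTED = ["InitiatingProcessParentFileName", "InitiatingProcessFileName",
             "InitiatingProcessCommandLine", "ActionType", "AdditionalFields"]

def kql_endswith(value: str, suffix: str) -> bool:
    """KQL `endswith`: case-insensitive suffix match (unlike `endswith_cs`)."""
    return value.lower().endswith(suffix.lower())

def matches_rule(event: dict) -> bool:
    """The three `where` clauses of the deimos-component-execution query."""
    return (event.get("InitiatingProcessFileName", "").lower() == "powershell.exe"  # =~
            and event.get("ActionType") == "AmsiScriptContent"                       # ==
            and kql_endswith(str(event.get("AdditionalFields", "")), MARKER))

def hunt(events: list) -> list:
    """Apply the filter and `project` the same columns as the query."""
    return [{k: e.get(k) for k in PROJECTED} for e in events if matches_rule(e)]

def amsi(script: str) -> str:
    """Constructed AdditionalFields payload: a JSON string holding script text."""
    return json.dumps({"ScriptContent": script})

# Constructed sample rows, not real telemetry.
SAMPLE_EVENTS = [
    {"InitiatingProcessParentFileName": "explorer.exe",
     "InitiatingProcessFileName": "POWERSHELL.EXE",   # `=~` matches any casing
     "InitiatingProcessCommandLine": "powershell.exe -w hidden -ep bypass",
     "ActionType": "AmsiScriptContent",
     "AdditionalFields": amsi("...;[mArS.deiMos]::inteRaCt()")},
    {"InitiatingProcessParentFileName": "cmd.exe",
     "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -File backup.ps1",
     "ActionType": "AmsiScriptContent",
     "AdditionalFields": amsi("Get-ChildItem C:\\backup | Compress-Archive")},
    {"InitiatingProcessParentFileName": "services.exe",
     "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe",
     "ActionType": "amsiscriptcontent",   # `==` is case-sensitive: no match
     "AdditionalFields": amsi("[mArS.deiMos]::inteRaCt()")},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```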
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
Scenario: A system administrator is running a legitimate Jupyter Notebook for data analysis.
Filter/Exclusion: process.name != "jupyter-notebook" or process.parent.name != "python"
Scenario: A scheduled job is executing a Python script that uses the jupyter command to generate reports.
Filter/Exclusion: process.name != "jupyter" or process.args !~ "generate-report"
Scenario: A developer is using the SolarMarker tool (a legitimate Python package for SEO analysis) in a development environment.
Filter/Exclusion: process.name != "python" or process.args !~ "solarmarker"
Scenario: An admin is running a system cleanup script that temporarily uses Jupyter to process logs.
Filter/Exclusion: process.name != "jupyter" or process.args !~ "log-processing"
Scenario: A DevOps team is using a CI/CD pipeline that triggers a Jupyter notebook for automated testing.
Filter/Exclusion: process.name != "jupyter" or process.parent.name != "jenkins"