Adversaries may use network connections to known Dofoil NameCoin servers to exfiltrate data or establish command and control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential cryptocurrency-related malicious activity and mitigate associated risks.
KQL Query

```kql
DeviceNetworkEvents
| where RemoteIP in (
"139.59.208.246","130.255.73.90","31.3.135.232","52.174.55.168","185.121.177.177","185.121.177.53",
"62.113.203.55","144.76.133.38","169.239.202.202","5.135.183.146","142.0.68.13","103.253.12.18",
"62.112.8.85","69.164.196.21","107.150.40.234","162.211.64.20","217.12.210.54","89.18.27.34",
"193.183.98.154","51.255.167.0","91.121.155.13","87.98.175.85","185.97.7.7")
| project DeviceName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort
```
```yaml
id: 4c62c572-8c8b-4a67-bde3-b94e5f09ce99
name: DofoilNameCoinServerTraffic
description: |
  This query retrieves the last 30 days of network connections to known Dofoil NameCoin servers.
  The full article is available here: https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
query: |
  DeviceNetworkEvents
  | where RemoteIP in (
  "139.59.208.246","130.255.73.90","31.3.135.232","52.174.55.168","185.121.177.177","185.121.177.53",
  "62.113.203.55","144.76.133.38","169.239.202.202","5.135.183.146","142.0.68.13","103.253.12.18",
  "62.112.8.85","69.164.196.21","107.150.40.234","162.211.64.20","217.12.210.54","89.18.27.34",
  "193.183.98.154","51.255.167.0","91.121.155.13","87.98.175.85","185.97.7.7")
  | project DeviceName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: Legitimate system backups using wbadmin or vssadmin that temporarily connect to internal or external servers for data transfer.
  Filter/Exclusion: Exclude connections initiated by wbadmin or vssadmin, matched on the process name or command-line arguments.
- Scenario: A scheduled job running PowerShell or Task Scheduler to fetch cryptocurrency exchange rates or blockchain data from a known NameCoin server for reporting purposes.
  Filter/Exclusion: Exclude connections made by PowerShell scripts or Task Scheduler tasks with specific command-line arguments or script paths.
- Scenario: A network monitoring tool such as Wireshark or tcpdump capturing traffic for analysis, including connections to NameCoin servers for forensic purposes.
  Filter/Exclusion: Exclude connections initiated by Wireshark, tcpdump, or similar tools, matched on the process name or user context.
- Scenario: An admin task using netsh or netstat to troubleshoot network connectivity, which may include connections to NameCoin servers as part of diagnostic checks.
  Filter/Exclusion: Exclude connections made by netsh or netstat, matched on the process name or user context.
- Scenario: An internal development or testing environment that connects to a NameCoin server for API testing or integration with blockchain services.
  Filter/Exclusion: Exclude connections from IP addresses or hosts within the internal development network or those associated with test environments.
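The following query is an added example, not code from the original page or from the Azure Sentinel repository. It takes the page's IoC query and the exclusion scenarios listed above and combines them into one hunting query: the same server list, bounded to the 30-day window the description mentions, with the process-name, command-line and network-range exclusions applied, and the remaining hits aggregated per device and initiating process so an analyst reviews one row per suspicious process rather than one row per connection. The executable names, the dev/test subnet `10.200.0.0/16` and the approved script path are assumptions standing in for values each environment must supply.

```kql
// Added example (not the page's or the Azure Sentinel repository's own query):
// Dofoil NameCoin server hits with the page's false-positive exclusions applied.
let lookback = 30d;
// IoC list copied from the page's query.
let DofoilNameCoinServers = dynamic([
  "139.59.208.246","130.255.73.90","31.3.135.232","52.174.55.168","185.121.177.177","185.121.177.53",
  "62.113.203.55","144.76.133.38","169.239.202.202","5.135.183.146","142.0.68.13","103.253.12.18",
  "62.112.8.85","69.164.196.21","107.150.40.234","162.211.64.20","217.12.210.54","89.18.27.34",
  "193.183.98.154","51.255.167.0","91.121.155.13","87.98.175.85","185.97.7.7"]);
// Assumed executable names for the backup, capture and diagnostic tools named in the scenarios.
let ExcludedProcesses = dynamic([
  "wbadmin.exe","vssadmin.exe",
  "wireshark.exe","tshark.exe","dumpcap.exe","tcpdump.exe",
  "netsh.exe","netstat.exe"]);
// Assumed development/test ranges; replace with your own.
let DevTestRanges = dynamic(["10.200.0.0/16"]);
// Assumed approved script path for the scheduled PowerShell reporting job; replace with your own.
let ApprovedScriptPaths = dynamic([@"C:\Scripts\Approved\namecoin-report.ps1"]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP in (DofoilNameCoinServers)
// Scenario exclusions by initiating process name (backup, capture and diagnostic tools).
| where not(InitiatingProcessFileName in~ (ExcludedProcesses))
// Scenario exclusion for the scheduled PowerShell job, matched on its script path.
| where not(InitiatingProcessFileName =~ "powershell.exe"
            and InitiatingProcessCommandLine has_any (ApprovedScriptPaths))
// Scenario exclusion for hosts inside the dev/test network ranges.
| where not(ipv4_is_in_any_range(LocalIP, DevTestRanges))
// One row per device and initiating process, keeping enough context to triage.
| summarize ConnectionCount = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            RemoteIPs = make_set(RemoteIP),
            RemotePorts = make_set(RemotePort),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessAccountName
| order by LastSeen desc
```

Two points about the design: the exclusions deliberately key on the process name together with its folder path and the account that launched it (both are carried into the output) rather than on the name alone, because a coinminer dropped with a legitimate-looking filename would otherwise slip through a name-only allow list; and `ipv4_is_in_any_range` is applied to `LocalIP`, so the dev/test exclusion removes the connecting host, not the destination, which stays pinned to the IoC list.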