Adversaries may be using KNOTWEED-related domain IOCs to establish command and control channels or exfiltrate data through network connections. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect potential compromise and mitigate lateral movement or data exfiltration activities.
KQL Query

```kusto
// c2 domains
let c2domains = dynamic(["acrobatrelay[.]com","finconsult[.]cc","realmetaldns[.]com"]);
let iocs = print c2domains
| mv-expand domains=print_0
| extend domainioc = replace_string(tostring(domains),"[.]",".")
| distinct domainioc;
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any(iocs)
```
Hunting query definition (Sentinel YAML):

```yaml
id: db6fe14a-cbe9-4d01-bbef-60b0f1a6624b
name: KNOTWEED-Domain IOCs
description: |
  'This query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections'
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
relevantTechniques:
query: |
  // c2 domains
  let c2domains = dynamic(["acrobatrelay[.]com","finconsult[.]cc","realmetaldns[.]com"]);
  let iocs = print c2domains
  | mv-expand domains=print_0
  | extend domainioc = replace_string(tostring(domains),"[.]",".")
  | distinct domainioc;
  DeviceNetworkEvents
  | where Timestamp > ago(1d)
  | where RemoteUrl has_any(iocs)
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
False positive scenarios

- Scenario: Legitimate domain access by Microsoft Defender for Endpoint service
  - Description: The Microsoft Defender for Endpoint service may connect to a domain associated with KNOTWEED for updates or telemetry.
  - Filter/Exclusion: `process.name == "MsDefender.exe" || process.name == "MsEdge.exe"`
- Scenario: Scheduled job for system backup using a known domain
  - Description: A scheduled backup task (e.g., using Veeam Backup & Replication) may connect to a domain listed in the KNOTWEED IOC list for cloud storage.
  - Filter/Exclusion: `process.name == "VeeamBackup.exe" || process.name == "vbackup.exe"`
- Scenario: Admin task involving domain-based remote management
  - Description: An administrator may use Microsoft Intune or System Center Configuration Manager (SCCM) to manage devices, which could involve domain connections.
  - Filter/Exclusion: `process.name == "IntuneAgent.exe" || process.name == "ccmexec.exe"`
- Scenario: Legitimate domain access for software updates
  - Description: A tool like Chocolatey or WSUS may connect to a domain for software update distribution.
  - Filter/Exclusion: `process.name == "choco.exe" || process.name == "wsusutil.exe"`
- Scenario: Domain access for cloud-based monitoring tools
  - Description: A tool like Datadog or Splunk may connect to a domain for sending logs or metrics.
  - Filter/Exclusion: `process.name == "datadog-agent.exe" || process.name == "splunkforwarder.exe"`
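The following Python script is an added example, not part of the original query or of the Sentinel content hub; it reproduces offline what the KQL query above does and then applies the process-based exclusions from the scenario list, so an analyst can sanity-check both before running them against live data. It refangs the page's three IOC domains the same way the `replace_string` step does, approximates `has_any` on `RemoteUrl` with a hostname label-boundary match (an assumption about the intended matching, so `notacrobatrelay.com` does not hit while `cdn.finconsult.cc` does), and reads the initiating process from `InitiatingProcessFileName`, which is the DeviceNetworkEvents column that corresponds to the `process.name` notation used in the exclusions. The event rows are constructed sample data, not real telemetry.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Defanged C2 domains exactly as listed in the hunting query.
C2_DOMAINS_DEFANGED = ["acrobatrelay[.]com", "finconsult[.]cc", "realmetaldns[.]com"]

# Constructed sample DeviceNetworkEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteUrl": "https://acrobatrelay.com/api", "InitiatingProcessFileName": "unknown.exe"},
    {"DeviceName": "ws02", "RemoteUrl": "cdn.finconsult.cc", "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws03", "RemoteUrl": "https://www.example.com/", "InitiatingProcessFileName": "msedge.exe"},
    {"DeviceName": "ws04", "RemoteUrl": "", "InitiatingProcessFileName": "curl.exe"},  # no hostname recorded
    {"DeviceName": "ws05", "RemoteUrl": "realmetaldns.com", "InitiatingProcessFileName": "VeeamBackup.exe"},
    {"DeviceName": "ws06", "RemoteUrl": "http://notacrobatrelay.com/", "InitiatingProcessFileName": "chrome.exe"},
]


def refang(domains: Iterable[str]) -> List[str]:
    """Mirror the KQL step replace_string(tostring(domains), "[.]", ".") plus distinct."""
    return sorted({d.replace("[.]", ".") for d in domains})


def host_of(remote_url: str) -> str:
    """Return the lower-cased hostname from a RemoteUrl, which may be a bare host or a full URL."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", remote_url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def url_matches_ioc(remote_url: str, iocs: List[str]) -> Optional[str]:
    """Approximation of `RemoteUrl has_any(iocs)`: match the IOC as the host or as a parent domain."""
    host = host_of(remote_url)
    if not host:
        return None  # empty RemoteUrl can never match a domain IOC
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def hunt(events: Iterable[Dict[str, str]], iocs: List[str],
         excluded_processes: Iterable[str] = ()) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (hits, suppressed): IOC matches, split by whether the initiating process is excluded.

    Suppressed rows are returned rather than dropped so the exclusion list itself stays reviewable.
    """
    excluded = {p.lower() for p in excluded_processes}
    hits, suppressed = [], []
    for ev in events:
        ioc = url_matches_ioc(ev.get("RemoteUrl", ""), iocs)
        if ioc is None:
            continue
        row = dict(ev, MatchedIoc=ioc)
        if ev.get("InitiatingProcessFileName", "").lower() in excluded:
            suppressed.append(row)
        else:
            hits.append(row)
    return hits, suppressed


if __name__ == "__main__":
    iocs = refang(C2_DOMAINS_DEFANGED)
    hits, suppressed = hunt(SAMPLE_EVENTS, iocs, ["VeeamBackup.exe", "vbackup.exe"])
    for row in hits:
        print("HIT      ", row["DeviceName"], row["RemoteUrl"], "->", row["MatchedIoc"])
    for row in suppressed:
        print("EXCLUDED ", row["DeviceName"], row["RemoteUrl"], "by", row["InitiatingProcessFileName"])
```

Two points the sample rows are chosen to surface: `RemoteUrl` is empty for connections where Defender recorded no hostname (ws04), so a domain-only hunt does not see them and a complementary check on `RemoteIP` is worth running when resolved addresses for the IOCs are available; and an exclusion keyed only on the process name (ws05) hides a match to a listed C2 domain, so suppressed rows should be kept in view rather than silently filtered.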