The hypothesis is that successive calls to suspicious .tk domains associated with the Jupyter/SolarMarker malware indicate potential command-and-control communication or data exfiltration. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate early-stage malware activity before it leads to data breaches or system compromise.
KQL Query
DeviceNetworkEvents
| where RemoteUrl endswith ".tk"
| summarize make_set(RemoteUrl) by DeviceId, bin(Timestamp, 10m)
| extend domainCount = array_length(set_RemoteUrl)
| where domainCount >= 5
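The aggregation the query performs, as an added Python example that is not part of the original hunting query or its repository: it applies the same case-insensitive `endswith ".tk"` test, 10-minute bins, distinct-set and threshold of 5 to constructed sample DeviceNetworkEvents rows (the device ids, hostnames and timestamps are invented).

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample DeviceNetworkEvents rows (Timestamp, DeviceId, RemoteUrl); not real telemetry.
SAMPLE_EVENTS = [
    ("2021-03-04T10:01:12Z", "dev-A", "one.tk"),
    ("2021-03-04T10:02:40Z", "dev-A", "two.tk"),
    ("2021-03-04T10:03:05Z", "dev-A", "THREE.TK"),              # KQL endswith is case-insensitive
    ("2021-03-04T10:05:51Z", "dev-A", "four.tk"),
    ("2021-03-04T10:05:59Z", "dev-A", "four.tk"),               # repeat: make_set() keeps one copy
    ("2021-03-04T10:08:30Z", "dev-A", "five.tk"),
    ("2021-03-04T10:09:10Z", "dev-A", "cdn.tk.example.net"),   # ".tk" inside the name does not match
    ("2021-03-04T10:12:00Z", "dev-A", "six.tk"),                # falls into the next 10-minute bin
    ("2021-03-04T10:01:00Z", "dev-B", "a.tk"),
    ("2021-03-04T10:02:00Z", "dev-B", "b.tk"),                  # only two distinct .tk hosts
]

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
BIN = timedelta(minutes=10)


def bin_timestamp(ts: str) -> datetime:
    """Floor an ISO-8601 timestamp to its 10-minute boundary, like bin(Timestamp, 10m)."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return EPOCH + (t - EPOCH) // BIN * BIN


def hunt_successive_tk_calls(events, threshold=5):
    """Mirror the KQL pipeline: filter on RemoteUrl endswith ".tk", summarize make_set()
    by DeviceId and 10-minute bin, then keep bins whose distinct-domain count >= threshold.
    Returns {(DeviceId, bin_start): sorted list of distinct RemoteUrl values}."""
    buckets = defaultdict(set)
    for ts, device_id, remote_url in events:
        if remote_url.lower().endswith(".tk"):
            buckets[(device_id, bin_timestamp(ts))].add(remote_url)  # make_set keeps original case
    return {key: sorted(urls) for key, urls in buckets.items() if len(urls) >= threshold}


if __name__ == "__main__":
    for (device_id, bin_start), urls in hunt_successive_tk_calls(SAMPLE_EVENTS).items():
        print(f"{device_id} {bin_start.isoformat()} domainCount={len(urls)} {urls}")
```

Only dev-A's 10:00 bin reaches five distinct .tk hosts; the repeated lookup, the host that merely contains ".tk", and the call in the next bin do not contribute, which is the same behaviour the KQL `make_set` and `bin` produce.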
id: 82e47917-b960-49a1-8089-c805eea06ed4
name: successive-tk-domain-calls
description: |
  Jupyter, also known as SolarMarker, is a malware family and cluster of components with info-stealing and backdoor capabilities. It spreads mainly through search engine optimization manipulation and malicious advertising that lure users into downloading malicious templates and documents. The malware has been active since 2020 and remains active as of 2021.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Initial access
query: |
  DeviceNetworkEvents
  | where RemoteUrl endswith ".tk"
  | summarize make_set(RemoteUrl) by DeviceId, bin(Timestamp, 10m)
  | extend domainCount = array_length(set_RemoteUrl)
  | where domainCount >= 5
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job for Data Processing
Description: A legitimate scheduled job runs a Python script that uses the tk module for GUI operations, which may trigger the rule due to the presence of tk in the call stack.
Filter/Exclusion: process.name != "python" OR process.args !~ "tk"
Scenario: Admin Task Using Tkinter for GUI Automation
Description: An administrator uses a Python script with tkinter to automate GUI interactions for a legitimate application, such as a custom dashboard or reporting tool.
Filter/Exclusion: process.name != "python" OR process.args !~ "tkinter"
Scenario: Jupyter Notebook for Data Analysis
Description: A data analyst uses Jupyter Notebook (which may include tk for GUI elements) to perform legitimate data analysis tasks.
Filter/Exclusion: process.name != "jupyter" OR process.args !~ "notebook"
Scenario: Python Script for System Monitoring with Tk GUI
Description: A system monitoring tool written in Python uses tk to display real-time metrics, which could be flagged by the rule.
Filter/Exclusion: process.name != "python" OR process.args !~ "tk"
Scenario: Legacy Application Using Tk for UI
Description: A legacy enterprise application uses the tk module for its graphical user interface, which is part of its normal operation.
Filter/Exclusion: process.name != "legacy_app" OR process.args !~ "tk"