Query Details

Seashell Blizzard IRIDIUM PWS Win64 High Count

Query

// Seashell Blizzard (IRIDIUM) - PWS:Win64-HighCount
// https://www.linkedin.com/posts/activity-7198555614627651584-z6C7/

// Seashell Blizzard (IRIDIUM) is high-impact threat actor linked to the Russian Federation and conducts global activities on behalf of Russian Military Intelligence Unit 74455 (GRU). Below are some KQL detections to complement the Threat Analytics Report.

// Persistance KQL Detection:

DeviceRegistryEvents 
| where ActionType == @"RegistryKeyCreated"
| where RegistryValueData contains "win32msa.exe"


// PWS:Win64/HighCount KQL Detection:

DeviceFileEvents 
| where SHA256 == "e62e418ffa87fdcfe14125ab8b429cb9d91a07088e13cd15423bd084c713564e" or FileName == "win32msa.exe"


// MITRE ATT&CK Mapping

// Registry Key Creation Detection: Maps to T1547.001.
// File Event Detection: Maps to T1036.005.

Explanation

This query is designed to detect potential malicious activities associated with a threat actor known as Seashell Blizzard (IRIDIUM), which is linked to Russian Military Intelligence. The query includes two main detection components:

  1. Persistence Detection: This part of the query looks for events where a registry key is created with a value containing "win32msa.exe". This could indicate an attempt to establish persistence on a device by modifying the registry.

  2. File Detection: This part checks for file events involving a specific file hash (SHA256) or a file named "win32msa.exe". This could indicate the presence or execution of a potentially malicious file on the system.

Additionally, the query maps these detections to specific MITRE ATT&CK techniques:

  • The registry key creation detection is mapped to technique T1547.001, which involves creating or modifying registry keys for persistence.
  • The file event detection is mapped to technique T1036.005, which involves masquerading or using deceptive file names to evade detection.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

DeviceRegistryEventsDeviceFileEvents

Keywords

DeviceRegistryEventsFile

Operators

DeviceRegistryEventswhereActionTypecontainsDeviceFileEventsSHA256orFileName

MITRE Techniques

Actions

GitHub