Detect malware with Microsoft Sentinel for Azure Firewall

Malware is any software that is designed to cause damage, disruption, or compromise the security and functionality of computer systems, networks, or devices. It includes diverse types of threats, such as viruses, worms, trojans, ransomware, spyware, adware, rootkits, and more. Malware can have various negative impacts, such as stealing sensitive data, encrypting, or deleting files, displaying unwanted ads, slowing down performance, or even taking control of the device.

It's important to identify and eliminate malware from a system or network, which you can do by employing various detection techniques, such as signature-based, behavior-based, heuristic-based, or machine learning-based techniques. Malware detection is vital for protecting the security and privacy of users, as well as the integrity and availability of systems and networks.

The Azure Firewall IDPS feature automatically detects and denies malware by default and can prevent the cloud workloads from being infected. You can further enhance this capability by employing automated detection and response using prebuilt detection queries and Microsoft Sentinel. In this article, you explore how to detect some common malware found in Azure Firewall logs such as Coinminer, Cl0p and Sunburst using predefined KQL detection queries for Azure Firewall.

These detections enable security teams to receive Sentinel alerts when machines on the internal network request connections to domain names or IP addresses on the Internet that are linked to known Indicators of Compromise (IOCs), as defined in the detection rule query. True positive detections should themselves be treated as IOCs. Security incident response teams can then initiate a response and apply appropriate custom remediation actions based on these detection signals.

For instructions to deploy the analytic rules using the following queries, see Detect new threats using Microsoft Sentinel with Azure Web Application Firewall.

Common malware exploits

The following malware exploits are common on today's networks.

Coinminer

Due to the recent surge in cryptocurrency mining, there's an increasing need for high-performance network processing units. Distributed computing is expanding, and mining software is widely available for both legal and illegal use.

Coinminer represents a type of malware that uses the hardware resources of an unwitting victim's computer for cryptocurrency mining. The graphics processing unit (GPU) of the unsuspecting user's PC is used to run various scripts aimed at mining cryptocurrencies and calculating transaction block hashes.

To mitigate the risk of these threats, proactive measures should be implemented at the typical entry points. This includes ensuring that Jupyter software is deployed with proper authentication, configuring and updating web applications to minimize vulnerabilities, controlling external access to Docker, and following further Zero Trust principles.

The following detection query can be used to create an analytics rule in Sentinel to automatically detect and respond to this malware using Azure Firewall logs.

// Coinminer Detection Rule
// Detects suspicious traffic patterns associated with coinmining activity in Azure Firewall logs for Sentinel

let coinminerPorts = dynamic(["2375", "2376", "2377", "4243", "4244"]); // List of known coinminer ports
// Assign the known domains (and one IP address) to a variable
let coinminerdomains = dynamic(["teamtnt.red", "kaiserfranz.cc", "45.9.148.123"]); // List of known coinminer domains

(union isfuzzy=true
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
// Spaces on both sides of 'request from', 'to' and 'Action:' keep the parsed fields free of stray whitespace
| parse msg_s with Protocol ' request from ' SourceHost ':' SourcePort ' to ' DestinationHost ':' DestinationPort '. Action: ' Action
| extend action_s = column_ifexists("action_s", ""), transactionId_g = column_ifexists("transactionId_g", "")
| where DestinationPort in (coinminerPorts) // Filter traffic on known coinminer ports
| summarize CoinminerAttempts = count() by DestinationHost, DestinationPort
| where CoinminerAttempts > 10 // Adjust threshold as needed
),
(AZFWIdpsSignature
| where DestinationPort in (coinminerPorts)
| summarize CoinminerAttempts = count() by DestinationIp, DestinationPort
| where CoinminerAttempts > 10 // Adjust threshold as needed
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNS0_DO " " EDNS0_Buffersize " " Response_Code " " Response_Flags " " Response_Size " " Response_Duration
| where Request_Name has_any(coinminerdomains) // DNS lookups for known coinminer domains
| extend DNSName = Request_Name
| extend IPCustomEntity = ClientIP
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol ' request from ' SourceHost ':' SourcePort ' to ' DestinationHost ':' DestinationPort '. Action: ' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any(coinminerdomains) // Application rule hits on known coinminer domains
| extend DNSName = DestinationHost
| extend IPCustomEntity = SourceHost
),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (coinminerdomains)
| extend DNSName = Fqdn
| extend IPCustomEntity = SourceIp
),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (coinminerdomains)
| extend DNSName = QueryName
| extend IPCustomEntity = SourceIp
),
(AZFWIdpsSignature
| where DestinationIp has_any (coinminerdomains)
| extend DNSName = DestinationIp
| extend IPCustomEntity = SourceIp
),
(AZFWIdpsSignature
| where Description contains "coinminer" // IDPS signatures already classified as coinminer activity
| extend DNSName = DestinationIp
| extend IPCustomEntity = SourceIp
)
)
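To check what the rule's parse patterns and threshold do before deploying it as an analytics rule, here is an added Python example (not part of this article or the Sentinel repository) that applies the same port list, domain list and threshold to constructed msg_s lines. The msg_s layouts, the sample hosts and the exact-or-subdomain approximation of has_any are assumptions.

```python
import re
from collections import Counter

# Indicator lists copied from the detection rule on this page.
COINMINER_PORTS = {"2375", "2376", "2377", "4243", "4244"}
COINMINER_DOMAINS = ["teamtnt.red", "kaiserfranz.cc", "45.9.148.123"]

# Python equivalents of the rule's two KQL 'parse msg_s with ...' patterns (msg_s layout assumed here).
APP_RULE_RE = re.compile(
    r"^(?P<Protocol>\S+) request from (?P<SourceHost>[^:]+):(?P<SourcePort>\d+) "
    r"to (?P<DestinationHost>[^:]+):(?P<DestinationPort>\d+)\. Action: (?P<Action>\w+)")
DNS_RE = re.compile(
    r"^DNS Request: (?P<ClientIP>[^:]+):(?P<ClientPort>\d+) - (?P<QueryID>\d+) "
    r"(?P<Request_Type>\S+) (?P<Request_Class>\S+) (?P<Request_Name>[^ ]+)\. (?P<Request_Protocol>\S+)")

# Constructed sample messages: 12 requests to a Docker API port from one host,
# one benign request, one request to a page-listed domain, and two DNS queries.
APP_RULE_MSGS = (
    ["HTTP request from 10.0.0.7:41000 to 203.0.113.10:2375. Action: Deny."] * 12
    + ["HTTPS request from 10.0.0.4:52432 to www.example.com:443. Action: Allow.",
       "HTTPS request from 10.0.0.9:50001 to kaiserfranz.cc:443. Action: Deny."])
DNS_MSGS = [
    "DNS Request: 10.0.0.5:56821 - 17873 A IN teamtnt.red. udp 50 false 512 NOERROR qr,rd,ra 110 0.0002s",
    "DNS Request: 10.0.0.4:56822 - 17874 A IN www.example.com. udp 50 false 512 NOERROR qr,rd,ra 110 0.0002s",
]

def parse(pattern, msg):
    """Return the named fields as a dict, or None when the line does not match."""
    m = pattern.match(msg)
    return m.groupdict() if m else None

def matches_ioc(host):
    """Approximates KQL has_any(): exact match or a subdomain of a listed indicator."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in COINMINER_DOMAINS)

def coinminer_hits(app_msgs, dns_msgs, threshold=10):
    """Mirror the rule: per-(host, port) counts above the threshold plus every event naming a listed domain."""
    port_counts, ioc_hits = Counter(), []
    for rec in filter(None, (parse(APP_RULE_RE, m) for m in app_msgs)):
        if rec["DestinationPort"] in COINMINER_PORTS:
            port_counts[(rec["DestinationHost"], rec["DestinationPort"])] += 1
        if matches_ioc(rec["DestinationHost"]):
            ioc_hits.append(("AzureFirewallApplicationRule", rec["SourceHost"], rec["DestinationHost"]))
    for rec in filter(None, (parse(DNS_RE, m) for m in dns_msgs)):
        if matches_ioc(rec["Request_Name"]):
            ioc_hits.append(("AzureFirewallDnsProxy", rec["ClientIP"], rec["Request_Name"]))
    port_alerts = {key: n for key, n in port_counts.items() if n > threshold}
    return port_alerts, ioc_hits
```

Running coinminer_hits(APP_RULE_MSGS, DNS_MSGS) returns the one (host, port) pair that crossed the threshold and the two events that named a listed domain, which is what the corresponding union branches would surface in Sentinel.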

Cl0p

Cl0p is ransomware that operates by applying distinctive encryption keys to the victim's files and then demanding a ransom for the files' decryption. It uses a vulnerability in the data transfer software MOVEit and sends spear phishing emails to numerous employees in the hope of delivering Cl0p. It then uses tools like truebot and dewmode to move laterally within the network and exfiltrate data. The ransomware encrypts files using the AES-256 encryption algorithm.

Vulnerabilities exploited by Cl0p include CVE-2023-35036, CVE-2023-34362 and CVE-2023-35708. In June 2023, the FBI and CISA published a press release about this exploitation. The effects of Cl0p ransomware have been recorded across several universities in the US Midwest and government organizations. Airlines, TV networks, and UK-based retail stores are the latest victims of the Cl0p ransomware gang.

The following detection query can be used to create an analytics rule in Sentinel to automatically detect and respond to this malware using Azure Firewall logs.

Detection Query for Cl0p: Firewall Malware Detections for Sentinel/Detection - Analytic rule query for Cl0p.json

Sunburst

This malware targets victims by using domain generation algorithm (DGA) strings to evade detection and establish a command-and-control backdoor. Because of the syntax pattern the DGA uses and the constant changes to the domain information, security tools often find it difficult to identify the domains used by the malware.

The following detection query can be used to create an analytics rule in Sentinel to automatically detect and respond to this malware using Azure Firewall logs.

Detection Query for Sunburst Malware: Firewall Malware Detections for Sentinel/Detection - Analytic rule query for Sunburst.json