Azorult
Description
Datasets generated for the Azorult malware in the Splunk Attack Range.
MITRE ATT&CK Techniques
No MITRE techniques specified for this dataset.
Environment Details
| Field | Value |
|---|---|
| Environment | attack_range |
| Directory | azorult |
| Test Date | 2022-06-22 |
Datasets
The following datasets were collected during this attack simulation:
Sysmon
- Path: /datasets/malware/azorult/sysmon.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Related Detections
The following detections in our security content repository use this attack data for testing:
| Detection Name | Type | Source | MITRE ATT&CK | Analytic Story |
|---|---|---|---|---|
| Windows Remote Access Software RMS Registry | TTP | Endpoint | T1219 | Azorult |
| Windows Modify Registry DisAllow Windows App | TTP | Endpoint | T1112 | Azorult |
| Windows Modify Registry Regedit Silent Reg Import | Anomaly | Endpoint | T1112 | Azorult |
| Windows Remote Services Allow Rdp In Firewall | Anomaly | Endpoint | T1021.001 | Azorult, Windows RDP Artifacts and Defense Evasion |
| Windows Impair Defense Deny Security Software With Applocker | TTP | Endpoint | T1562.001 | Azorult, Scattered Lapsus$ Hunters |
| Windows Remote Services Allow Remote Assistance | Anomaly | Endpoint | T1021.001 | Azorult |
| Windows Remote Services Rdp Enable | TTP | Endpoint | T1021.001 | Medusa Ransomware, BlackSuit Ransomware, Azorult, Windows RDP Artifacts and Defense Evasion |
| Windows Application Layer Protocol RMS Radmin Tool Namedpipe | TTP | Endpoint | T1071 | Azorult |
| Windows Modify Registry Suppress Win Defender Notif | Anomaly | Endpoint | T1112 | Azorult, CISA AA23-347A |
| Windows Modify Registry Disable Toast Notifications | Anomaly | Endpoint | T1112 | Azorult |
| Windows Modify Registry Disable Windows Security Center Notif | Anomaly | Endpoint | T1112 | Azorult, CISA AA23-347A |
| Windows Set Account Password Policy To Unlimited Via Net | Anomaly | Endpoint | T1489 | Ransomware, BlackByte Ransomware, Crypto Stealer, XMRig |
| Windows Modify Registry Disabling WER Settings | TTP | Endpoint | T1112 | Azorult, CISA AA23-347A |
| Windows Modify Registry Disable Win Defender Raw Write Notif | Anomaly | Endpoint | T1112 | Azorult, CISA AA23-347A |
| Windows Remote Service Rdpwinst Tool Execution | TTP | Endpoint | T1021.001 | Azorult, Compromised Windows Host, Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters |
| Windows Impair Defense Add Xml Applocker Rules | Hunting | Endpoint | T1562.001 | Azorult |
| Windows Service Stop By Deletion | TTP | Endpoint | T1489 | Azorult, Graceful Wipe Out Attack, Crypto Stealer |
| Windows Gather Victim Network Info Through Ip Check Web Services | Anomaly | Network | T1590.005 | Azorult, DarkCrystal RAT, Phemedrone Stealer, Snake Keylogger, Handala Wiper, PXA Stealer, Meduza Stealer, Water Gamayun, Quasar RAT, 0bj3ctivity Stealer |
Usage Instructions
Replay with Splunk Attack Data
Replay the attack data with replay.py from Splunk Attack Data:

```shell
python replay.py --dataset /datasets/malware/azorult/sysmon.log --index attack_data
```
Manual Import
- Download the dataset files from the paths listed above
- Configure your Splunk instance with the appropriate sourcetype (XmlWinEventLog for the Sysmon log)
- Import the logs using the Splunk Add Data wizard
Related Content
Find more detections and analytics for this attack technique in our security content repository.
Source: GitHub | Version: 1.0