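// IOC sweep for the intrusion described in
// https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
// Written against the Microsoft Defender for Endpoint advanced-hunting schema
// (DeviceFileEvents / DeviceProcessEvents / DeviceNetworkEvents).
//
// Indicator lists below are the SHA256 hashes, remote IPs and domains published
// in that post. They are point-in-time (August 2022) and are leads, not verdicts:
//  - hosting/VPN/Tor-exit/carrier address space gets reused, so a hit on an IP
//    alone is a weak signal (NOTE(review): several entries appear to sit in such
//    shared ranges - pivot on device, process and account context before escalating);
//  - the result window is bounded by the tenant's hunting retention (typically 30d).
//
// Matching semantics (the security-relevant part of this query):
//  - Hashes and IPs are atomic values, so they are matched with exact list
//    membership: `in~` for hashes (case-insensitive, hex case varies by producer)
//    and `in` for IPs. The original `has_any` is a term/phrase search, which is
//    slower and looser than needed for these columns.
//  - Domains keep `has_any`: RemoteUrl may carry a subdomain, path or port, and
//    `has` matches on whole terms, so 'mycisco.cf' also covers 'x.mycisco.cf/...'
//    while not matching 'mycisco.cfm'.
//  - DeviceProcessEvents is swept as well as DeviceFileEvents so that execution of
//    a file that was dropped before onboarding (no file-creation event) still hits.
//  - `union isfuzzy=true` keeps the query runnable when a table is absent in the
//    tenant; IocType/IocValue tell the triager which indicator fired.
let SHA256_IOC = dynamic([
'184a2570d71eedc3c77b63fd9d2a066cd025d20ceef0f75d428c6f7e5c6965f3',
'2fc5bf9edcfa19d48e235315e8f571638c99a1220be867e24f3965328fe94a03',
'542c9da985633d027317e9a226ee70b4f0742dcbc59dfd2d4e59977bb870058d',
'61176a5756c7b953bc31e5a53580d640629980a344aa5ff147a20fb7d770b610',
'753952aed395ea845c52e3037f19738cfc9a415070515de277e1a1baeff20647',
'8df89eef51cdf43b2a992ade6ad998b267ebb5e61305aeb765e4232e66eaf79a',
'8e5733484982d0833abbd9c73a05a667ec2d9d005bbf517b1c8cd4b1daf57190',
'99be6e7e31f0a1d7eebd1e45ac3b9398384c1f0fa594565137abb14dc28c8a7f',
'bb62138d173de997b36e9b07c20b2ca13ea15e9e6cd75ea0e8162e0d3ded83b7',
'eb3452c64970f805f1448b78cd3c05d851d758421896edd5dfbe68e08e783d18'
]);
let IP_IOC = dynamic([
'104.131.30.201',
'108.191.224.47',
'131.150.216.118',
'134.209.88.140',
'138.68.227.71',
'139.177.192.145',
'139.60.160.20',
'139.60.161.99',
'143.198.110.248',
'143.198.131.210',
'159.65.246.188',
'161.35.137.163',
'162.33.177.27',
'162.33.178.244',
'162.33.179.17',
'165.227.219.211',
'165.227.23.218',
'165.232.154.73',
'166.205.190.23',
'167.99.160.91',
'172.56.42.39',
'172.58.220.52',
'172.58.239.34',
'174.205.239.164',
'176.59.109.115',
'178.128.171.206',
'185.220.100.244',
'185.220.101.10',
'185.220.101.13',
'185.220.101.15',
'185.220.101.16',
'185.220.101.2',
'185.220.101.20',
'185.220.101.34',
'185.220.101.45',
'185.220.101.6',
'185.220.101.65',
'185.220.101.73',
'185.220.101.79',
'185.220.102.242',
'185.220.102.250',
'192.241.133.130',
'194.165.16.98',
'195.149.87.136',
'24.6.144.43',
'45.145.67.170',
'45.227.255.215',
'45.32.141.138',
'45.32.228.189',
'45.32.228.190',
'45.55.36.143',
'45.61.136.207',
'45.61.136.5',
'45.61.136.83',
'46.161.27.117',
'5.165.200.7',
'52.154.0.241',
'64.227.0.177',
'64.4.238.56',
'65.188.102.43',
'66.42.97.210',
'67.171.114.251',
'68.183.200.63',
'68.46.232.60',
'73.153.192.98',
'74.119.194.203',
'74.119.194.4',
'76.22.236.142',
'82.116.32.77',
'87.251.67.41',
'94.142.241.194'
]);
let Domain_IOC = dynamic([
'cisco-help.cf',
'cisco-helpdesk.cf',
'ciscovpn1.com',
'ciscovpn2.com',
'ciscovpn3.com',
'devcisco.com',
'devciscoprograms.com',
'helpzonecisco.com',
'kazaboldu.net',
'mycisco.cf',
'mycisco.gq',
'mycisco-helpdesk.ml',
'primecisco.com',
'pwresetcisco.com'
]);
union isfuzzy=true
    // File creation/modification of a known-bad binary.
    (DeviceFileEvents
    | where SHA256 in~ (SHA256_IOC)
    | extend IocType = "SHA256", IocValue = SHA256),
    // Execution of a known-bad binary (catches files dropped before onboarding).
    (DeviceProcessEvents
    | where SHA256 in~ (SHA256_IOC)
    | extend IocType = "SHA256", IocValue = SHA256),
    // Connections to listed infrastructure - exact address match.
    (DeviceNetworkEvents
    | where RemoteIP in (IP_IOC)
    | extend IocType = "IP", IocValue = RemoteIP),
    // Connections to listed domains - whole-term match so subdomains/paths count.
    (DeviceNetworkEvents
    | where RemoteUrl has_any (Domain_IOC)
    | extend IocType = "Domain", IocValue = RemoteUrl)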
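// NOTE(review): this file carries the same query twice; a single KQL file can
// return only one tabular result, so keep one copy.
//
// IOC sweep for the intrusion described in
// https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
// Written against the Microsoft Defender for Endpoint advanced-hunting schema
// (DeviceFileEvents / DeviceProcessEvents / DeviceNetworkEvents).
//
// Indicator lists below are the SHA256 hashes, remote IPs and domains published
// in that post. They are point-in-time (August 2022) and are leads, not verdicts:
//  - hosting/VPN/Tor-exit/carrier address space gets reused, so a hit on an IP
//    alone is a weak signal (NOTE(review): several entries appear to sit in such
//    shared ranges - pivot on device, process and account context before escalating);
//  - the result window is bounded by the tenant's hunting retention (typically 30d).
//
// Matching semantics (the security-relevant part of this query):
//  - Hashes and IPs are atomic values, so they are matched with exact list
//    membership: `in~` for hashes (case-insensitive, hex case varies by producer)
//    and `in` for IPs. The original `has_any` is a term/phrase search, which is
//    slower and looser than needed for these columns.
//  - Domains keep `has_any`: RemoteUrl may carry a subdomain, path or port, and
//    `has` matches on whole terms, so 'mycisco.cf' also covers 'x.mycisco.cf/...'
//    while not matching 'mycisco.cfm'.
//  - DeviceProcessEvents is swept as well as DeviceFileEvents so that execution of
//    a file that was dropped before onboarding (no file-creation event) still hits.
//  - `union isfuzzy=true` keeps the query runnable when a table is absent in the
//    tenant; IocType/IocValue tell the triager which indicator fired.
let SHA256_IOC = dynamic([
'184a2570d71eedc3c77b63fd9d2a066cd025d20ceef0f75d428c6f7e5c6965f3',
'2fc5bf9edcfa19d48e235315e8f571638c99a1220be867e24f3965328fe94a03',
'542c9da985633d027317e9a226ee70b4f0742dcbc59dfd2d4e59977bb870058d',
'61176a5756c7b953bc31e5a53580d640629980a344aa5ff147a20fb7d770b610',
'753952aed395ea845c52e3037f19738cfc9a415070515de277e1a1baeff20647',
'8df89eef51cdf43b2a992ade6ad998b267ebb5e61305aeb765e4232e66eaf79a',
'8e5733484982d0833abbd9c73a05a667ec2d9d005bbf517b1c8cd4b1daf57190',
'99be6e7e31f0a1d7eebd1e45ac3b9398384c1f0fa594565137abb14dc28c8a7f',
'bb62138d173de997b36e9b07c20b2ca13ea15e9e6cd75ea0e8162e0d3ded83b7',
'eb3452c64970f805f1448b78cd3c05d851d758421896edd5dfbe68e08e783d18'
]);
let IP_IOC = dynamic([
'104.131.30.201',
'108.191.224.47',
'131.150.216.118',
'134.209.88.140',
'138.68.227.71',
'139.177.192.145',
'139.60.160.20',
'139.60.161.99',
'143.198.110.248',
'143.198.131.210',
'159.65.246.188',
'161.35.137.163',
'162.33.177.27',
'162.33.178.244',
'162.33.179.17',
'165.227.219.211',
'165.227.23.218',
'165.232.154.73',
'166.205.190.23',
'167.99.160.91',
'172.56.42.39',
'172.58.220.52',
'172.58.239.34',
'174.205.239.164',
'176.59.109.115',
'178.128.171.206',
'185.220.100.244',
'185.220.101.10',
'185.220.101.13',
'185.220.101.15',
'185.220.101.16',
'185.220.101.2',
'185.220.101.20',
'185.220.101.34',
'185.220.101.45',
'185.220.101.6',
'185.220.101.65',
'185.220.101.73',
'185.220.101.79',
'185.220.102.242',
'185.220.102.250',
'192.241.133.130',
'194.165.16.98',
'195.149.87.136',
'24.6.144.43',
'45.145.67.170',
'45.227.255.215',
'45.32.141.138',
'45.32.228.189',
'45.32.228.190',
'45.55.36.143',
'45.61.136.207',
'45.61.136.5',
'45.61.136.83',
'46.161.27.117',
'5.165.200.7',
'52.154.0.241',
'64.227.0.177',
'64.4.238.56',
'65.188.102.43',
'66.42.97.210',
'67.171.114.251',
'68.183.200.63',
'68.46.232.60',
'73.153.192.98',
'74.119.194.203',
'74.119.194.4',
'76.22.236.142',
'82.116.32.77',
'87.251.67.41',
'94.142.241.194'
]);
let Domain_IOC = dynamic([
'cisco-help.cf',
'cisco-helpdesk.cf',
'ciscovpn1.com',
'ciscovpn2.com',
'ciscovpn3.com',
'devcisco.com',
'devciscoprograms.com',
'helpzonecisco.com',
'kazaboldu.net',
'mycisco.cf',
'mycisco.gq',
'mycisco-helpdesk.ml',
'primecisco.com',
'pwresetcisco.com'
]);
union isfuzzy=true
    // File creation/modification of a known-bad binary.
    (DeviceFileEvents
    | where SHA256 in~ (SHA256_IOC)
    | extend IocType = "SHA256", IocValue = SHA256),
    // Execution of a known-bad binary (catches files dropped before onboarding).
    (DeviceProcessEvents
    | where SHA256 in~ (SHA256_IOC)
    | extend IocType = "SHA256", IocValue = SHA256),
    // Connections to listed infrastructure - exact address match.
    (DeviceNetworkEvents
    | where RemoteIP in (IP_IOC)
    | extend IocType = "IP", IocValue = RemoteIP),
    // Connections to listed domains - whole-term match so subdomains/paths count.
    (DeviceNetworkEvents
    | where RemoteUrl has_any (Domain_IOC)
    | extend IocType = "Domain", IocValue = RemoteUrl)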