COVID-19 Indicators of Compromise and Azure Sentinel Alerts

by Adrian Grigorof, CISSP, CISM, CRISC, CCSK , Marius Mocanu, CISSP, CISM, CEH, SCF

Published: Mar 27, 2020

Last update: Apr 26, 2020

While the world is struggling to contain the devastating effects of the COVID-19 virus, there are an increasing number of malicious actors attempting to take advantage of it and attack organizations using the desire for information about this virus.

At Managed Sentinel, we decided to create and maintain a list of IoCs (IP addresses, domains, URL and hashes) related to COVID-19 malware and update it on regular basis. The lists can be accessed directly, as .txt files from our website:

As of April 16th, 2020, the lists contain 133 IP addresses, 2733 domains, 343 URLs and 791 hashes.

In addition to this, we are providing Kusto Query Language scripts that can be used to create alerts in Azure Sentinel for the various types of log sources and IoCs.

IP Addresses IOCs – Sample queries

CommonSecurityLog (published as “MS-A154: COVID 19 IP address IOC detected – CommonSecurityLog” in our catalog)

let timeRange = 1d;
let covidIPs = externaldata (IPAddress: string) [h”http://managedsentinel.com/downloads/covid19_ipaddresses.txt”] with (ignoreFirstRecord=true);
CommonSecurityLog
| where TimeGenerated >= ago(timeRange)
| where DestinationIP in~ (covidIPs)
| extend Device = iff(DeviceName <> ”, DeviceName, DeviceAddress)
| project TimeGenerated , Device, SourceIP, DestinationIP, Protocol, DestinationPort, ReceivedBytes , SentBytes , DeviceAction
| extend IPCustomEntity = SourceIP
BIND DNS logs (published as “MS-A155: COVID 19 Domain IOC detected – BIND DNS” in our catalog – this one requires the BIND DNS parser)

let timeRange = 1h;
let covidDomains = externaldata (Domain: string) [h”http://managedsentinel.com/downloads/covid19_domains.txt”] with (ignoreFirstRecord=false);
bind_dns
| extend tld = split(Request, ‘.’)
| extend tldLen = arraylength(tld)
| where tldLen >= 2
| extend tld2 = strcat(tostring(tld[-2]), ‘.’, tostring(tld[-1]))
| extend tld3 = strcat(tostring(tld[-3]), ‘.’,tostring(tld[-2]), “.”, tostring(tld[-1]))
| where TimeGenerated >= ago(timeRange)
| where tld2 in~ (covidDomains) or tld3 in~ (covidDomains)
| project TimeGenerated, SourceIP, Request
| extend IPCustomEntity = SourceIP
SigninLogs (published as “MS-A146: COVID 19 IP address IOC detected – SigninLogs” in our catalog)

let timeRange = 1d;
let covidIPs = externaldata (IPAddress: string) [h”http://managedsentinel.com/downloads/covid19_ipaddresses.txt”] with (ignoreFirstRecord=false);
SigninLogs
| where TimeGenerated >= ago(timeRange)
| where IPAddress in~ (covidIPs)
| project TimeGenerated , UserPrincipalName , IPAddress , ResultDescription , AppDisplayName , Location
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = IPAddress

These scripts match the reporting used by the playbooks deployed by Managed Sentinel but they can be easily adjusted for any kind of playbook. For the subscribers to our Firegen Threat Intelligence feed, these IPs are already monitored through the related alerts deployed in their environment.

For Kusto scripts processing domains, URLs and hashes, please contact us as they depend heavily on the log source type. We would be happy to assist, free of charge in developing the parser and the related alert rules.

Note: These are IoCs that we collect from multiple sources. We have no practical means of verifying them so please treat the information provided as such. Double-check for other potentially malicious behavior before considering the systems involved as compromised. Do not hesitate to contact us with additional IOCs or with comments about the existing ones.