COVID-19 Indicators of Compromise and Azure Sentinel Alerts
by Adrian Grigorof, CISSP, CISM, CRISC, CCSK, Marius Mocanu, CISSP, CISM, CEH, SCF
Published: Mar 27, 2020
Last update: Apr 26, 2020
While the world is struggling to contain the devastating effects of the COVID-19 virus, an increasing number of malicious actors are taking advantage of it, exploiting the public's desire for information about the virus to attack organizations.
At Managed Sentinel, we decided to create and maintain a list of IoCs (IP addresses, domains, URLs and hashes) related to COVID-19 malware and to update it on a regular basis. The lists can be accessed directly, as .txt files, from our website:
As of April 16th, 2020, the lists contain 133 IP addresses, 2733 domains, 343 URLs and 791 hashes.
In addition to this, we are providing Kusto Query Language scripts that can be used to create alerts in Azure Sentinel for the various types of log sources and IoCs.
IP address IoCs – sample queries
CommonSecurityLog (published as “MS-A154: COVID 19 IP address IOC detected – CommonSecurityLog” in our catalog)
let timeRange = 1h;
let timeRange = 1d;
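The following is an added example of a complete CommonSecurityLog rule of the kind the snippets above belong to; it is not the MS-A154 rule from our catalog. It assumes the IP IoC list is a plain .txt file with one IP address per line (lines starting with "#" are treated as comments), loaded with externaldata; the URL is a placeholder, and the column names (SourceIP, DestinationIP, DeviceVendor, DeviceProduct, DeviceAction, SourcePort, DestinationPort) are the standard CommonSecurityLog schema columns.

```kql
// Added example (not the published MS-A154 rule). Match CommonSecurityLog
// events against an externally hosted IP IoC list over a chosen time range.
let timeRange = 1h;
// PLACEHOLDER URL: replace with the actual location of the IP IoC .txt list.
// Assumption: one IP address per line, optional "#" comment lines.
let iocIPs = externaldata(IPAddress: string)
    [@"https://PLACEHOLDER.example/covid19-ip-iocs.txt"]
    with (format="txt")
    | extend IPAddress = trim(@"\s+", IPAddress)
    | where isnotempty(IPAddress) and not(IPAddress startswith "#")
    | distinct IPAddress;
// Events in the lookback window that carry at least one IP to check.
let events = CommonSecurityLog
    | where TimeGenerated >= ago(timeRange)
    | where isnotempty(SourceIP) or isnotempty(DestinationIP);
// Check both directions so an IoC appears whether the host initiated or
// received the connection, and record which side matched for triage.
union
    (events | where SourceIP in (iocIPs)
            | extend MatchedIP = SourceIP, MatchedSide = "Source"),
    (events | where DestinationIP in (iocIPs)
            | extend MatchedIP = DestinationIP, MatchedSide = "Destination")
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction,
          MatchedSide, MatchedIP, SourceIP, SourcePort,
          DestinationIP, DestinationPort
| sort by TimeGenerated desc
```

When used as a scheduled analytics rule, set the rule frequency and lookback to match timeRange (1h here; use 1d for a daily sweep). Map MatchedIP to the IP entity so incidents group by indicator, and keep in mind the note at the end of this post: a hit against this list means the traffic deserves a look, not that the host is compromised.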
For Kusto scripts processing domains, URLs and hashes, please contact us, as these depend heavily on the log source type. We would be happy to assist, free of charge, in developing the parser and the related alert rules.
Note: These are IoCs that we collect from multiple sources. We have no practical means of verifying them, so please treat the information provided as such. Double-check for other potentially malicious behavior before considering the systems involved as compromised. Do not hesitate to contact us with additional IoCs or with comments about the existing ones.