I would like to create a rule to detect emails coming from specific domains for StrRAT malware email delivery. Please guide me on how to do that:
# StrRAT Malware Email Delivery
StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the infected machine based on C2 server commands. Additionally, this threat has a ransomware encryption/decryption module which appends the .crimson extension.
## Query
The following query looks for emails containing domains known to be associated with delivering StrRAT malware.
```kql
// Hunt for emails whose embedded URLs point at domains associated with StrRAT delivery.
// The domain list below is truncated in the original post.
EmailUrlInfo
| where UrlDomain has_any ('metroscaffingltg.co.uk',
'pg-finacesolutions.co.uk',
'jpfletcherconsultancy.co.uk',
'buildersworlinc.co.uk',
'bentlyconstbuild.co.uk',
'alfredoscafeltd.co.uk',
'zincocorporation.co.uk',
'playerscircleinc.co.uk',
'tg-cranedinc.co.uk',
'adamridley.co.uk',
'westcoasttrustedtaxis.co.uk',
'sivospremiumclub.co.uk',
'gossyexperience.co.uk'
)
```
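The same detection logic, run offline over constructed sample rows, as an added example that is not part of the original post or of the Azure Sentinel query repository. It takes a few of the indicator domains from the query above (assumed here to be a subset; the full list is cut off) and matches them the way a practitioner would want for a domain watchlist: exact domain or subdomain of an indicator, never a bare substring. Note that KQL `has_any` matches on whole terms rather than substrings, so `adamridley.co.uk` will also match a URL domain of `adamridley.co.uk.attacker.tld`; the suffix match below does not. The `NetworkMessageId` and `UrlDomain` field names follow the EmailUrlInfo schema the query reads; the sample records are constructed.

```python
"""Offline check of the StrRAT domain watchlist over constructed EmailUrlInfo-like rows.

Added example, not code from the original post or from the Azure Sentinel repository.
"""
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Subset of the indicator domains from the query above (assumed subset; original list is longer).
STRRAT_DOMAINS: Set[str] = {
    "metroscaffingltg.co.uk",
    "pg-finacesolutions.co.uk",
    "jpfletcherconsultancy.co.uk",
    "adamridley.co.uk",
}


def normalise_domain(value: str) -> str:
    """Lower-case the value, strip a trailing dot, and reduce a full URL to its host."""
    value = value.strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.rstrip(".")


def domain_matches(url_domain: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator that url_domain equals or is a subdomain of, else None.

    Stricter than KQL has_any: an indicator appearing only as a prefix of a longer
    registrable domain (adamridley.co.uk.attacker.test) is not a match, while a real
    subdomain (mail.adamridley.co.uk) is.
    """
    host = normalise_domain(url_domain)
    labels = host.split(".")
    # Walk from the full host up through its parent domains.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def find_strrat_emails(records: Iterable[dict],
                       indicators: Set[str] = STRRAT_DOMAINS) -> Dict[str, List[str]]:
    """Map NetworkMessageId -> matched indicators for rows whose UrlDomain hits the list."""
    hits: Dict[str, List[str]] = {}
    for rec in records:
        match = domain_matches(rec["UrlDomain"], indicators)
        if match:
            hits.setdefault(rec["NetworkMessageId"], []).append(match)
    return hits


# Constructed sample rows shaped like the EmailUrlInfo columns the query touches.
SAMPLE_RECORDS = [
    {"NetworkMessageId": "msg-001", "UrlDomain": "metroscaffingltg.co.uk"},
    {"NetworkMessageId": "msg-002", "UrlDomain": "mail.adamridley.co.uk"},              # subdomain: hit
    {"NetworkMessageId": "msg-003", "UrlDomain": "adamridley.co.uk.attacker.test"},     # prefix only: no hit
    {"NetworkMessageId": "msg-004", "UrlDomain": "https://PG-Finacesolutions.co.uk/invoice.jar"},
    {"NetworkMessageId": "msg-005", "UrlDomain": "example.org"},
]

if __name__ == "__main__":
    for msg_id, matched in find_strrat_emails(SAMPLE_RECORDS).items():
        print(msg_id, "->", ", ".join(matched))
```

When turning the hunting query into a scheduled analytics rule, keep the indicator list in a watchlist or external table rather than inline in the query so the domains can be updated without editing the rule, and review whether term-level `has_any` matching is acceptable for your environment or whether the stricter suffix match above is preferable.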
system (system) Closed July 10, 2021, 4:07am
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.