| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.1 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-11-29 |
| Last Updated | 2025-12-14 |
| Solution Folder | Dev 0270 Detection and Hunting |
| Marketplace | Azure Marketplace · Popularity: 🟡 Low (28%) |
Microsoft threat intelligence teams have tracked multiple ransomware campaigns and tied them to DEV-0270, also known as Nemesis Kitten, a sub-group of the Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. For technical details and mitigation guidance, read the Microsoft Security blog post on DEV-0270. As Microsoft continues to track DEV-0270's tactics and techniques, it also shares guidance, detections and hunting queries so customers can defend against this threat with Microsoft security products.
This solution does not include data connectors. Its only content items are analytics rules (four, listed below); it ships no workbooks, hunting queries or playbooks. Because no connector is bundled, the tables the rules query must already be populated in the workspace: DeviceProcessEvents via the Microsoft Defender XDR connector and SecurityEvent via the Windows Security Events via AMA connector (or the legacy agent). A rule whose table is empty will save without error and simply never fire.
This solution queries 2 table(s) from its content items:
| Table | Used By Content |
|---|---|
| DeviceProcessEvents | Analytics |
| SecurityEvent | Analytics |
This solution includes 4 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 4 |
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| DEV-0270 New User Creation | High | Persistence | DeviceProcessEvents, SecurityEvent |
| Dev-0270 Malicious Powershell usage | High | Exfiltration, DefenseEvasion | DeviceProcessEvents, SecurityEvent |
| Dev-0270 Registry IOC - September 2022 | High | Impact | DeviceProcessEvents, SecurityEvent |
| Dev-0270 WMIC Discovery | High | Discovery | DeviceProcessEvents, SecurityEvent |
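Every rule in the table above reads both DeviceProcessEvents and SecurityEvent, which is the pattern to expect when the same behaviour is visible from endpoint telemetry and from the Windows Security log. The KQL below is an added example written for this page, not the solution's own "DEV-0270 New User Creation" rule, showing how such a two-table detection is typically built: account creation via `net.exe`/`net1.exe` from DeviceProcessEvents, event 4720 from SecurityEvent, normalised to a shared shape and joined with `union`. The one-day lookback, the `net` command-line parsing, the column names chosen for the shared shape and the "seen by both sources" filter are assumptions of the example; the table and column names (`DeviceName`, `ProcessCommandLine`, `InitiatingProcessAccountName`, `EventID`, `TargetUserName`, `SubjectUserName`) are the standard Sentinel schema.

```kql
// Added example for this page; not the solution's own rule.
// Assumptions: DeviceProcessEvents is fed by the Microsoft Defender XDR connector
// and SecurityEvent by the Windows Security Events via AMA connector.
let lookback = 1d;
// Endpoint telemetry: net.exe / net1.exe adding a local or domain account.
let netUserAdd = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where FileName in~ ("net.exe", "net1.exe")
    | where ProcessCommandLine has_all ("user", "/add")
    // Capture the token after "user"; quoted names with spaces are not handled here.
    | extend NewUser = tolower(extract(@"(?i)\buser\s+(\S+)", 1, ProcessCommandLine))
    | project TimeGenerated,
              Computer = DeviceName,
              NewUser,
              Actor = InitiatingProcessAccountName,
              Evidence = ProcessCommandLine,
              Source = "DeviceProcessEvents";
// Windows Security log: EventID 4720, "A user account was created".
let accountCreated = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4720
    | project TimeGenerated,
              Computer,
              NewUser = tolower(TargetUserName),
              Actor = SubjectUserName,
              Evidence = strcat("EventID 4720 created by ", SubjectUserName),
              Source = "SecurityEvent";
union netUserAdd, accountCreated
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Actors    = make_set(Actor),
            Sources   = make_set(Source),
            Evidence  = make_set(Evidence)
        by Computer, NewUser
// Requiring both sources suppresses helpdesk scripts that only one sensor sees;
// remove this line to alert on either source alone (higher recall, more noise).
| where array_length(Sources) == 2
| order by LastSeen desc
```

When turning a query like this into a scheduled analytics rule, map `NewUser` to the Account entity and `Computer` to the Host entity in the rule's entity mappings rather than relying on legacy `*CustomEntity` columns, and keep the rule's lookback equal to or larger than its run frequency so no window of events is skipped.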
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.1 | 07-06-2024 | Added missing AMA Data Connector reference in Analytic Rule |
| 3.0.0 | 12-04-2024 | Updated Entity Mappings of Analytic Rule |