ZINC Open Source Threat Protection

Solution: Zinc Open Source

Publisher:        Microsoft Corporation
Support Tier:     Microsoft
Support Link:     https://support.microsoft.com/
Categories:       domains
Version:          3.0.3
Author:           Microsoft - support@microsoft.com
First Published:  2022-10-03
Solution Folder:  Zinc Open Source
Marketplace:      Azure Marketplace · Popularity: ⚪ Very Low (0%)
Pre-requisites:   Windows Security Events, Microsoft Defender XDR, Windows Server DNS, F5 Big-IP, CiscoASA, PaloAlto-PAN-OS, Common Event Format, Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel, Check Point, Microsoft 365, Azure Firewall, Windows Firewall, Windows Forwarded Events

Microsoft security research teams have detected a wide range of social engineering campaigns that use weaponized, legitimate open-source software, run by an actor tracked as ZINC. ZINC employed traditional social engineering tactics, initially connecting with individuals on LinkedIn and then moving the conversation to WhatsApp, which served as the delivery channel for the malicious payloads. ZINC was found weaponizing a wide range of open-source software, including PuTTY, KiTTY, TightVNC and Sumatra PDF Reader. For more technical and in-depth information about the attack, please read the Microsoft Security blog post. This solution provides content to detect and investigate signals related to the attack in Microsoft Sentinel.

For details on the required solutions, see the Pre-requisites section below.

Keywords: Zinc, Open Source, ZetaNile, Putty, Kitty, TightVNC, EventHorizon, FoggyBrass, PhantomStar, threat actor, Adversary.

Pre-requisites

This solution depends on 13 other solution(s):

Solution
Azure Firewall
Check Point
CiscoASA
Common Event Format
F5 Big-IP
Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel
Microsoft 365
Microsoft Defender XDR
PaloAlto-PAN-OS
Windows Firewall
Windows Forwarded Events
Windows Security Events
Windows Server DNS

Data Connectors

This solution does not include its own data connectors; it relies on the connectors provided by the dependency solutions listed under Pre-requisites.

Tables Used

This solution queries 12 table(s) from its content items:

Table               | Used By Content
--------------------|----------------
AzureDiagnostics    | Analytics
CommonSecurityLog   | Analytics
DeviceEvents        | Analytics
DeviceFileEvents    | Analytics
DeviceInfo          | Analytics
DeviceNetworkEvents | Analytics
DeviceProcessEvents | Analytics
DnsEvents           | Analytics
Event               | Analytics
OfficeActivity      | Analytics
SecurityEvent       | Analytics
VMConnection        | Analytics

Internal Tables

The following table is used internally by this solution's content items:

Table         | Used By Content
--------------|----------------
SecurityAlert | Analytics

Content Items

This solution includes 3 content item(s):

Content Type   | Count
---------------|------
Analytic Rules | 3

Analytic Rules

Name | Severity | Tactics | Tables Used
-----|----------|---------|------------
AV detections related to Zinc actors | High | Impact | DeviceInfo (internal use: SecurityAlert)
Zinc Actor IOCs files - October 2022 | High | Persistence | DeviceEvents, DeviceFileEvents, DeviceNetworkEvents, DeviceProcessEvents, Event, SecurityEvent
[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 | High | Persistence | AzureDiagnostics, CommonSecurityLog, DeviceEvents, DeviceFileEvents, DeviceNetworkEvents, DeviceProcessEvents, DnsEvents, Event, OfficeActivity, VMConnection

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
--------|----------------------------|---------------
3.0.3   | 30-05-2024 | Added missing AMA data connector reference in analytic rules
3.0.2   | 27-02-2024 | Tagged for dependent solutions for deployment
3.0.1   | 19-12-2023 | Corrected typo: Microsoft Windows DNS renamed to Windows Server DNS
3.0.0   | 25-10-2023 | Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR
