ZINC Open Source Threat Protection
Microsoft Sentinel, Microsoft Corporation
Note: Please refer to the following before installing the solution:
• Review the solution Release Notes
• There may be known issues pertaining to this solution; please refer to them before installing.
Microsoft security research teams have detected a wide range of social engineering campaigns that use weaponized legitimate open-source software, attributed to an actor tracked as ZINC. ZINC employed traditional social engineering tactics, initially connecting with individuals on LinkedIn and then moving the conversation to WhatsApp, which served as the delivery channel for their malicious payloads. ZINC was found weaponizing a wide range of open-source software, including PuTTY, KiTTY, TightVNC and Sumatra PDF Reader. For more technical and in-depth information about the attack, please read the Microsoft Security blog post. This solution provides content to detect and investigate signals related to the attack in Microsoft Sentinel.
Prerequisites:
This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions to unlock the value provided by this solution.
1. Windows Security Events
2. Microsoft Defender XDR
3. Windows Server DNS
4. F5 Advanced WAF
5. Cisco ASA
6. Palo Alto Networks
7. Common Event Format
8. Fortinet FortiGate
9. Check Point
10. Microsoft 365
11. Azure Firewall
12. Microsoft Windows Firewall
13. Windows Forwarded Events
Keywords: Zinc, Open Source, ZetaNile, Putty, Kitty, TightVNC, EventHorizon, FoggyBrass, PhantomStar, threat actor, Adversary.
Analytic Rules: 3