ZINC Open Source Threat Protection

Microsoft Sentinel, Microsoft Corporation

Microsoft security research teams have detected a wide range of social engineering campaigns in which an actor tracked as ZINC weaponized legitimate open-source software. ZINC employed traditional social engineering tactics, initially connecting with individuals on LinkedIn and then moving the conversation to WhatsApp, which acted as the delivery channel for the malicious payloads. ZINC was found weaponizing a wide range of open-source software, including PuTTY, KiTTY, TightVNC and Sumatra PDF Reader. For more technical and in-depth information about the attack, please read the Microsoft Security blog post. This solution provides content to detect and investigate signals related to the attack in Microsoft Sentinel.

Prerequisites:

This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions to unlock the value provided by this solution.

1. Windows Security Events

2. Microsoft 365 Defender

3. Microsoft Windows DNS

4. F5 Advanced WAF

5. Cisco ASA

6. Palo Alto Networks

7. Common Event Format

8. Fortinet FortiGate

9. Check Point

10. Microsoft 365

11. Azure Firewall

12. Microsoft Windows Firewall

13. Windows Forwarded Events

Keywords: Zinc, Open Source, ZetaNile, Putty, Kitty, TightVNC, EventHorizon, FoggyBrass, PhantomStar, threat actor, Adversary.

Analytic Rules: 3