Zip Archive & C2 Domain Detection in Microsoft Sentinel via Uncoder AI

How It Works

This Uncoder AI feature generates a broad-spectrum KQL detection query for Microsoft Sentinel, based on indicators from CERT-UA#14045 (DarkCrystal RAT). The AI processes a threat report and outputs a query to search logs for strings such as:

  • "Розпорядження.zip" – a suspicious Ukrainian-language file name used to disguise malware
  • "imgurl.ir" – a known malicious domain associated with command-and-control infrastructure

The query syntax:

search (@"Розпорядження.zip" or @"imgurl.ir")

uses the search operator to identify any mention of these IOCs across all available data tables and fields in Microsoft Sentinel.

The query is constructed using KQL verbatim string literals (@"") to ensure exact pattern matching without escape sequences, which is crucial for multilingual or obfuscated filenames.
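Because a bare search across every table is expensive, here is an added example (written for this page, not taken from the post or from Uncoder AI output) that scopes the same two indicators to a handful of tables and a time window and counts hits per source table. The table names are standard Microsoft Sentinel tables but are assumed to exist in the workspace; the IOC strings are the ones from the report.

```kql
// Added example, not the original post's query.
// Scoped search for the CERT-UA#14045 indicators: the verbatim @"" literals
// keep the Cyrillic filename and the domain exact, while "in (...)" limits
// the scan to the tables where file or network evidence would land.
// search term matching is case-insensitive by default; add kind=case_sensitive if needed.
search in (DeviceFileEvents, DeviceNetworkEvents, DnsEvents, CommonSecurityLog)
    (@"Розпорядження.zip" or @"imgurl.ir")
| where TimeGenerated > ago(14d)
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by $table
```

The $table column tells you which source produced each hit, so the per-table counts show immediately whether the evidence is file activity, DNS resolution, or proxy/firewall traffic.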


Why It’s Innovative

Rather than relying on manual IOC integration or crafting field-specific logic, Uncoder AI uses NLP and LLMs to extract high-confidence indicators from raw threat reports. It then instantly generates a query applying:

  • Proper KQL formatting (e.g., verbatim string syntax)
  • Logical structure using the or operator for multi-indicator coverage
  • Microsoft Sentinel syntax compatibility without needing user intervention

This greatly reduces the overhead for analysts who previously had to translate threat intel into valid Sentinel queries themselves.

Operational Value / Results / Benefits

Broad IOC Discovery

The query enables fast triage for environments possibly affected by DarkCrystal RAT activity. It can detect log traces of:

  • Archive downloads and other event types containing "Розпорядження.zip"
  • DNS resolutions or HTTP traffic involving "imgurl.ir"

Accelerated Detection Engineering

Uncoder AI eliminates the guesswork in query assembly, ensuring:

  • Detection logic is instantly usable within Microsoft Sentinel
  • Indicators from multilingual or obfuscated payloads are not lost in translation

Improved SOC Efficiency

By allowing direct paste-to-query capability, the AI-driven output enables faster incident response, enrichment, and detection logic authoring.


The post Zip Archive & C2 Domain Detection in Microsoft Sentinel via Uncoder AI appeared first on SOC Prime.