Zip Archive & C2 Domain Detection in Microsoft Sentinel via Uncoder AI

June 04, 2025 · 2 min read

How It Works

This Uncoder AI feature generates a broad-spectrum KQL detection query for Microsoft Sentinel, based on indicators from CERT-UA#14045 (DarkCrystal RAT). The AI processes a threat report and outputs a query to search logs for strings such as:

  • "Розпорядження.zip" – a suspicious Ukrainian-language file name used to disguise malware
  • "imgurl.ir" – a known malicious domain associated with command-and-control infrastructure

The query syntax:

search (@"Розпорядження.zip" or @"imgurl.ir")

uses the search operator to identify any mention of these IOCs across all available data tables and fields in Microsoft Sentinel.

The query is constructed using KQL verbatim string literals (@"...") to ensure exact pattern matching without escape sequences, which matters for multilingual or obfuscated filenames.


Why It’s Innovative

Rather than relying on manual IOC integration or crafting field-specific logic, Uncoder AI uses NLP and LLMs to extract high-confidence indicators from raw threat reports. It then instantly generates a query applying:

  • Proper KQL formatting (e.g., verbatim string syntax)
  • Logical structure using the or operator for multi-indicator coverage
  • Microsoft Sentinel syntax compatibility without needing user intervention

This greatly reduces the overhead for analysts who previously had to translate threat intel into valid Sentinel queries themselves.

Operational Value / Results / Benefits

Broad IOC Discovery

The query enables fast triage for environments possibly affected by DarkCrystal RAT activity. It can detect log traces of:

  • Archive downloads and other event types containing "Розпорядження.zip"
  • DNS resolutions or HTTP traffic involving "imgurl.ir"
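The broad search query shown under How It Works answers "does either indicator appear anywhere?", but it scans every table in the workspace and returns rows with no fixed schema. As an added example that is not part of the original post or of Uncoder AI's output, the query below hunts for the same two CERT-UA#14045 indicators in the specific Sentinel tables where the events listed above would surface (archive written to disk, endpoint network connections, DNS resolutions) and returns analyst-facing fields for triage. It assumes the Defender for Endpoint tables DeviceFileEvents and DeviceNetworkEvents and the Windows DNS table DnsEvents are connected to the workspace; the 30-day lookback and the hostOf helper are choices made for this example.

```kql
// Added example, not the Uncoder AI output from the post.
// Assumes DeviceFileEvents, DeviceNetworkEvents and DnsEvents are ingested.
let zipName  = @"Розпорядження.zip";   // verbatim literal: Cyrillic name, no escaping needed
let c2Domain = "imgurl.ir";
let lookback = 30d;                    // assumed hunting window
// Helper (assumed for this example): pull the host out of a RemoteUrl value
// that may be either a bare hostname or a full URL with scheme and path.
let hostOf = (u: string) { extract(@"^(?:[A-Za-z]+://)?([^/:?]+)", 1, u) };
// 1. Archive written to disk (download, extraction, copy).
let fileHits = DeviceFileEvents
    | where TimeGenerated > ago(lookback)
    | where FileName =~ zipName
    | project TimeGenerated, Source = "DeviceFileEvents", Host = DeviceName,
              Account = InitiatingProcessAccountName, Indicator = FileName,
              Context = strcat(FolderPath, " <- ", InitiatingProcessFileName);
// 2. Endpoint connections to the domain or any subdomain of it.
//    Exact-host or dot-suffix matching avoids hits on unrelated names that
//    merely contain the string "imgurl.ir" somewhere inside them.
let netHits = DeviceNetworkEvents
    | where TimeGenerated > ago(lookback)
    | extend RemoteHost = hostOf(RemoteUrl)
    | where RemoteHost =~ c2Domain or RemoteHost endswith strcat(".", c2Domain)
    | project TimeGenerated, Source = "DeviceNetworkEvents", Host = DeviceName,
              Account = InitiatingProcessAccountName, Indicator = RemoteHost,
              Context = strcat(RemoteIP, ":", tostring(RemotePort), " <- ", InitiatingProcessFileName);
// 3. DNS resolutions for the domain or its subdomains.
let dnsHits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name =~ c2Domain or Name endswith strcat(".", c2Domain)
    | project TimeGenerated, Source = "DnsEvents", Host = Computer,
              Account = "", Indicator = Name, Context = strcat("client ", ClientIP);
// One row per host/account with every indicator and source that fired,
// so an analyst sees at a glance which machines need follow-up.
union fileHits, netHits, dnsHits
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Sources = make_set(Source), Indicators = make_set(Indicator)
  by Host, Account
| sort by LastSeen desc
```

The original one-liner is still the right first move when you do not yet know which tables hold the traces; if you keep it, `search in (DeviceFileEvents, DeviceNetworkEvents, DnsEvents) (@"Розпорядження.zip" or @"imgurl.ir")` limits the scan to named tables and runs far cheaper on a large workspace. The targeted form is what you promote to a scheduled analytics rule: it has a fixed schema, matches the domain as a host or subdomain rather than as a free substring, and gives the account and parent process needed to start an investigation.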

Accelerated Detection Engineering

Uncoder AI eliminates the guesswork in query assembly, ensuring:

  • Detection logic is instantly usable within Microsoft Sentinel
  • Indicators from multilingual or obfuscated payloads are not lost in translation

Improved SOC Efficiency

By allowing direct paste-to-query capability, the AI-driven output enables faster incident response, enrichment, and detection logic authoring.
