4 min read time

Security Operations and How to Defend Against COVID-19-themed Cyber Threats

by   in Cybersecurity

Greetings Cyber Defenders,

Update on April 28, 2020

We also have released a specific Threat Intel-based package, providing additional Threat Intel from Scan Titan and Anomali. Please see the blog post from our Senior Architect Pavan Raja for details.

Update on April 15, 2020

On top of the releases mentioned in our original blog post below, we now have released the official "CoronaVirus-related Malicious Monitoring" package for our Realtime Correlation platform, ArcSight ESM.

Original Post on April 5, 2020

Specific use cases suitable for realtime detection and relevant MITRE Techniques information are below:

CoronaVirus-related Malicious Monitoring


Coronavirus-related Malicious Monitoring package detects security threats which are related to coronavirus.

Following use cases are included in this package:

  • Coronavirus related suspicious files executed:
  • Macro Embedded on Coronavirus Office Document
  • Suspicious Coronavirus File Executed On Host
  • Coronavirus related suspicious traffic and email, based on intelligence Datafeed from MISP CIRCL
  • Dangerous Browsing to a Suspicious Coronavirus URL
  • Email Sent to Suspicious Coronavirus Address
  • Inbound Traffic from a Coronavirus Suspicious Address
  • Inbound Traffic from a Coronavirus Suspicious Domain
  • Outbound Traffic to a Coronavirus Suspicious Address
  • Outbound Traffic to a Coronavirus Suspicious Domain
  • Received Email from Suspicious Coronavirus Address
  • Suspicious Coronavirus File Hash Activity
  • Coronavirus Detected by Vendor

Following MITRE ATT&CK Techniques are covered as well:

  • T1048-Exfiltration Over Alternative Protocol
  • T1064-Scripting
  • T1190-Exploit Public-Facing Application
  • T1192-Spearphishing Link
  • T1193-Spearphishing Attachment
  • T1204-User Execution

Original Blog Post

We hope you and your loved ones are safe and sound, in today’s corona-ridden world.

With coronavirus-themed cyber-attacks skyrocketing, we are facing one of the largest cybersecurity challenges of our time.

Opportunistic cyber criminals are seeking to take advantage of the chaos, with targeted COVID-19 attacks such as:

  • Phishing scams that capitalize on victims’ fear of the virus, to deploy ransomware, etc…
  • Criminals disguising themselves as WHO to steal money or sensitive information
  • Web conference hijacking
  • Strain on infrastructure services as numerous workers become remote
  • DDoS on VPN & authentication systems
  • Two factor-authentication (2FA) bypass attacks

We believe there is hope after all, if existing defensive technologies are deployed properly.

This blog post will focus on how our customers can utilize Micro Focus ArcSight to help defend against COVID-19-themed cyber-attacks.

In the spirit of ArcSight’s next-gen SOC architecture, the following high-level capabilities exist:

  • Threat Intel to detect 0-day threats (using multiple indicator types, like malicious file hashes, domain names, email addresses….)
  • Real-time correlation to detect and stop malicious communications from known threat actors or email campaigns
  • Search and hunt queries to uncover attacks that have already taken place (before the real-time rules were implemented)
  • Real-time dashboards to provide true visibility across the enterprise
  • Machine Learning algorithms to identify misbehaving users. E.g. email recipients visiting a never-before-visited page or uploading large data to a page on first visit, etc…

We will provide links to existing content (packages, videos, etc…) and new ones as they become available.

Specialized ArcSight Content and Videos


  • ArcSight ESM Real-Time Correlation Package 1 – Basic dashboards and rules using CIRCL MISP Threat Intel to address Coronavirus threats


  • ArcSight ESM Real-Time Correlation Package 2 – CoronaVirus-related Malicious Monitoring
    This second bundle of special content includes advanced dashboards and rules using tough-to-bypass TTP’s to address Coronavirus-themed threats. More information are at the top of this blog post.

package 1_high-resolution.png

  • Partner-Provided Free Content:
    COVID-19 Security Package from SOC Prime, which provides specific ArcSight Logger search and hunt queries to find and investigate incidents that have already taken place.


Partner-Provided Free Content Details

Full List with SOC Prime's Free Package

Rule Name Rule Type MITRE ATT&CK Techniques
VBA DLL Loaded Via Microsoft Word Threat Hunting Sigma Spearphishing Attachment
Execution in Outlook Temp Folder Threat Hunting Sigma Spearphishing Attachment
Windows Shell Spawning Suspicious Program Threat Hunting Sigma Scripting
Suspicious Double Extension Threat Hunting Sigma Spearphishing Attachment
Encoded FromBase64String Threat Hunting Sigma Deobfuscate/Decode Files or Information, PowerShell
Suspicious Encoded PowerShell Command Line Threat Hunting Sigma PowerShell
Registry Persistence via Explorer Run Key Threat Hunting Sigma Registry Run Keys / Startup Folder
WMIExec VBS Script Threat Hunting Sigma Scripting
Scheduled Task Creation Threat Hunting Sigma Scheduled Task
Suspicious PowerShell Parameter Substring Threat Hunting Sigma PowerShell
New RUN Key Pointing to Suspicious Folder Threat Hunting Sigma Registry Run Keys / Startup Folder
Suspicious PowerShell Download Threat Hunting Sigma PowerShell


We will update this page with more content, as they become available.

Get information on how Micro Focus is working to help ensure business continuity for our customers during this time of transition due to the coronavirus by offering several product promotions.

The Micro Focus ArcSight Team


Join our Community | ArcSight User Discussion Forum | ArcSight Idea Exchange | What is Threat Intelligence? | What is a Security Operations Center (SOC)?



Security Operations