Query Details

New Threat Actor Group Signature

Query

// New Threat Actor Group Signature
// https://www.linkedin.com/posts/activity-7193281542645768192-9ZIM/

// I just discovered a new threat actor group signature that started mounting aggressive spray about 2.5 weeks back on my tenant. If you run the below KQL on your Sentinel signin logs, you should probably see some hits on your tenant. Do shared your intel in the comment for community awareness if you observe it. 🙏

// This particular group are abusing the "OfficeHome" app and has the firefox 116 as their user agent. The method is similar to earlier this year February Proofpoint post when they uncovered a malicious campaign on cloud account take over (ATO). 🫡 

// Ongoing Malicious Campaign Impacting Microsoft Azure Cloud Environments
// Link: https://lnkd.in/d7A_evhi

SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == "50053" or ResultType == "50126"
| where AppDisplayName == "OfficeHome"
| where UserAgent == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"

// MITRE ATT&CK Mapping

// Based on the filters and the context of the query, the following MITRE ATT&CK techniques are relevant:

// T1078 - Valid Accounts:
// The query is looking for failed login attempts, which can be associated with attempts to use valid accounts with incorrect credentials.
// T1110 - Brute Force:
// The presence of multiple failed login attempts (ResultType 50126) suggests a brute force attack where an adversary is trying different passwords.
// T1212 - Exploitation for Credential Access:
// The specific user agent and application filters might indicate an attempt to exploit known vulnerabilities in the “OfficeHome” application or the browser to gain credential access.
// T1071 - Application Layer Protocol:
// The use of a specific user agent string can be related to the use of application layer protocols for communication, which might be part of the adversary’s tactics.

Explanation

This KQL query is designed to identify potential malicious activity in Microsoft Azure environments by detecting specific patterns in sign-in logs. Here's a simplified breakdown:

  1. Time Frame: The query examines sign-in logs from the past 90 days.

  2. Error Codes: It filters for specific sign-in result types, "50053" and "50126", which indicate failed login attempts. These failures could be due to incorrect credentials or other issues.

  3. Application: The query focuses on the "OfficeHome" application, which is being misused by a threat actor group.

  4. User Agent: It looks for sign-ins using a specific user agent string associated with Firefox version 116 on Windows 10. This detail helps identify the particular threat actor's activity.

  5. Threat Context: The query is based on a recent discovery of a threat actor group using these specific patterns to conduct a brute force attack, similar to a campaign identified earlier in the year.

  6. MITRE ATT&CK Techniques: The query aligns with several MITRE ATT&CK techniques, indicating it looks for:

    • T1078 (Valid Accounts): Attempts to use valid accounts with incorrect credentials.
    • T1110 (Brute Force): Repeated failed login attempts suggest a brute force attack.
    • T1212 (Exploitation for Credential Access): Possible exploitation of vulnerabilities in the "OfficeHome" app or browser.
    • T1071 (Application Layer Protocol): Use of specific user agent strings for communication, part of the adversary's tactics.

Overall, this query helps identify suspicious login activities that could indicate a malicious campaign targeting Azure environments. Users are encouraged to share any findings for community awareness.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

SigninLogs

Keywords

SigninLogsMicrosoftAzureCloudEnvironmentsOfficeHomeUserAgentFirefox

Operators

SigninLogs|where>ago(90d)==or//

MITRE Techniques

Actions

GitHub