
This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

This post was written in collaboration with @JulianGonzalez.

Introduction:

Threat hunting is a powerful way for the SOC to reduce organizational risk, but it is commonly portrayed as a complex and mysterious art form reserved for deep experts, which is counterproductive. Sophisticated cybercriminals burrow their way into network caverns, avoiding detection for weeks or even months while they gather information and escalate privileges. If you wait until these advanced persistent threats (APTs) become visible, they are costly and time-consuming to address. In today’s cybersecurity landscape, SOC analysts need controls and integrated toolsets to search, filter, and pivot through their telemetry and derive relevant insights faster.

With that in mind, we are delighted to announce 80 new hunting queries that empower your SOC analysts to reduce the gaps in your current detection coverage and ignite new hunting leads.

Hunting queries included:

The following queries are designed to help you find suspicious activity in your environment. Many of them will return legitimate activity alongside potentially malicious activity, so treat the results as leads that guide your hunting rather than as verdicts. If, after running these queries, you are confident in the results, consider converting them to analytics rules or adding the hunting results to existing or new incidents.

The figure below illustrates how the new hunting queries are spread across the tactics of the MITRE ATT&CK framework matrix, and therefore the threat hunting coverage they add:

[Figure: Blue Pie Chart Presentation.png, a pie chart of the new hunting queries' coverage by MITRE ATT&CK tactic]

The list below shows the new out-of-the-box hunting queries together with the MITRE ATT&CK tactics (and, where mapped, techniques) that each one covers:

List of New Hunting Queries

Hunting Query | MITRE ATT&CK Tactic(s) | MITRE ATT&CK Technique(s)
--- | --- | ---
Azure DevOps- Project visibility changed to public | Collection | T1213
Non-owner mailbox login activity | Collection, Exfiltration | T1114, T1020
Potential DGA detected | CommandAndControl | T1483, T1008
Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic | CommandAndControl | T1043, T1065
DNS – domain anomalous lookup increase | CommandAndControl, Exfiltration | T1483, T1008, T1048
RareDNSLookupWithDataTransfer | CommandAndControl, Exfiltration | T1043, T1048
Failed service logon attempt by user account with available AuditData | CredentialAccess | T1110
Permutations on logon attempts by UserPrincipalNames indicating potential brute force | CredentialAccess | T1110
Azure storage key enumeration | Discovery | T1087
Cscript script daily summary breakdown | Execution |
Least Common Parent And Child Process Pairs | Execution |
Least Common Processes by Command Line | Execution |
New processes observed in last 24 hours | Execution |
Entropy for Processes for a given Host | Execution |
Rare Process Path | Execution |
Uncommon processes – bottom 5% | Execution |
New PowerShell scripts encoded on the commandline | Execution, CommandAndControl |
Powershell or non-browser mailbox login activity | Execution, Persistence, Collection | T1059, T1098, T1114
Hosts running a rare process with commandline | Execution, Persistence, Discovery, LateralMovement, Collection |
GitHub OAuth App Restrictions Disabled | Exfiltration | T1537
Azure Sentinel Connectors Administrative Operations | Impact | T1496
Azure Sentinel Workbooks Administrative Operations | Impact | T1496
Azure Virtual Network Subnets Administrative Operations | Impact | T1496
Common deployed resources | Impact | T1496
Anomalous Password Reset | Impact | T1531
Signin Logs with expanded Conditional Access Policies | Impact |
Multiple Teams deleted by a single user | Impact | T1485, T1489
Preview – TI map File entity to OfficeActivity Event | Impact |
Preview – TI map File entity to Security Event | Impact |
Preview – TI map File entity to Syslog Event | Impact |
Preview – TI map File entity to VMConnection Event | Impact |
Failed Login Attempt by Expired account | InitialAccess | T1078
User added to Team and immediately uploads file | InitialAccess | T1566
Attempts to sign in to disabled accounts by IP address | InitialAccess | T1078
Azure Active Directory signins from new locations | InitialAccess | T1078
Same IP address with multiple csUserAgent | InitialAccess | T1190
Rare User Agent strings | InitialAccess | T1190
New time zone observed | InitialAccess | T1078
Suspicious credential token access of valid IAM Roles | InitialAccess, DefenseEvasion | T1078
Anomalous AAD Account Creation | Persistence | T1136
Anomalous Role Assignment | Persistence | T1098
External user from a new organisation added | Persistence | T1136
New User created on SQL Server | Persistence | T1136
New domain added to Whitelist | Persistence | T1098
Azure DevOps- Guest users access enabled | Persistence, DefenseEvasion | T1098, T1089
Azure DevOps- Public project created | Persistence, DefenseEvasion | T1098, T1089
Alerts related to IP | Persistence, Discovery, LateralMovement, Collection |
Crypto currency miners EXECVE | Persistence, Execution | T1059, T1053
Rare Audit activity initiated by App | Persistence, LateralMovement | T1136
User Granted Access and Grants others Access | Persistence, PrivilegeEscalation | T1098, T1078
User created by unauthorized user | Persistence, PrivilegeEscalation | T1098, T1078
User added to SQL Server SecurityAdmin Group | Persistence, PrivilegeEscalation | T1098, T1078
User Granted Access and associated audit activity | Persistence, PrivilegeEscalation, Impact | T1098, T1078, T1496
User removed from SQL Server Roles | Persistence, PrivilegeEscalation, Impact | T1098, T1078, T1496
Privileged role attached to Instance | PrivilegeEscalation | T1098
Anomalous Login to Devices | PrivilegeEscalation | T1078
User made Owner of multiple teams | PrivilegeEscalation | T1078
Tracking Privileged Account Rare Activity | PrivilegeEscalation, Discovery | T1078, T1087

A blank technique cell means the query is mapped to a tactic only.

How to access the new hunting queries:

All of the queries are available from the Hunting page in the Azure Sentinel UI. In this example, I will show how to filter down to the new Microsoft Teams hunting queries. To learn more, see the article on the new Microsoft Teams data connector (Preview).

Navigate to the Azure Sentinel console and select “Hunting” under the Threat Management area.

[Screenshot Hunting1.jpg: the Azure Sentinel console with Hunting selected under Threat Management]

Next, use the filter pills to filter the data source (TeamsData) for the hunting query. In this example, we are highlighting hunting queries that satisfy several use cases for Microsoft Teams:

[Screenshot hunting2.jpg: the Hunting page with the data source filter set to TeamsData]

[Screenshot teams3.jpg: the Microsoft Teams hunting queries returned by the filter]

Example: Previously unseen bot or application added to Microsoft Teams

As an example, this hunting query helps identify new, and potentially unapproved, applications or bots being added to Microsoft Teams. It requires Microsoft Teams data to be ingesting into Azure Sentinel, so ensure the relevant data connectors are configured for the hunting queries you intend to run. See Connect data sources to Azure Sentinel | Microsoft Docs for more information.


// If you have more than 14 days worth of Teams data, change this value
let data_date = 14d;
// Baseline: every add-on name seen during the lookback window, stopping one day
// ago so that an add-on first seen today is not already part of its own baseline
let historical_bots = (
TeamsData
| where CreationTime between (ago(data_date) .. ago(1d))
| where isnotempty(AddOnName)
| project AddOnName);
TeamsData
| where CreationTime > ago(1d)
| where isnotempty(AddOnName)
// Look for add-ins we have never seen before
| where AddOnName !in (historical_bots)
// Uncomment the following line to map query entities if you plan to use this as a detection query
//| extend timestamp = CreationTime, AccountCustomEntity = UserId

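The same baseline comparison worked through in Python over constructed TeamsData-style rows, added here as an example rather than code from the post or from the Sentinel repository. It shows two things the query text alone does not: if the baseline window runs all the way to now, every new add-on is already in the baseline and the hunt returns nothing, and an add-on last seen before the lookback window resurfaces as "new", so the lead is only as good as data_date. The row values, user IDs and the overlap_bug switch are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like Sentinel's TeamsData table (only the
# columns the hunt reads; all times UTC). Not data from any real tenant.
NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)


def _row(days_ago, addon, user):
    return {"CreationTime": NOW - timedelta(days=days_ago),
            "AddOnName": addon, "UserId": user}


TEAMS_DATA = [
    _row(10.0, "Planner", "alice@contoso.example"),
    _row(6.0, "Polly", "bob@contoso.example"),
    _row(3.0, "", "carol@contoso.example"),          # no add-on: isnotempty() drops it
    _row(0.5, "Planner", "dave@contoso.example"),    # already in baseline: not a lead
    _row(0.2, "UnknownBot", "eve@contoso.example"),  # never seen: hunting lead
    _row(20.0, "OldBot", "frank@contoso.example"),   # older than data_date: invisible
    _row(0.1, "OldBot", "grace@contoso.example"),    # therefore surfaces as "new"
]


def unseen_addons(rows, now=NOW, data_date=timedelta(days=14),
                  recent=timedelta(days=1), overlap_bug=False):
    """Mirror of the KQL hunt: add-ons added in the last `recent` period whose
    name is absent from the baseline window.

    The baseline window is (now - data_date, now - recent]. With
    overlap_bug=True it runs up to `now` instead, the equivalent of using
    `CreationTime > ago(data_date)` for the baseline, and the result is
    always empty because today's rows are in their own baseline.
    Returns a sorted list of (AddOnName, UserId) pairs."""
    baseline_end = now if overlap_bug else now - recent
    historical = {
        r["AddOnName"] for r in rows
        if now - data_date < r["CreationTime"] <= baseline_end
        and r["AddOnName"]                          # isnotempty(AddOnName)
    }
    return sorted({
        (r["AddOnName"], r["UserId"]) for r in rows
        if r["CreationTime"] > now - recent
        and r["AddOnName"]
        and r["AddOnName"] not in historical        # AddOnName !in (historical_bots)
    })


if __name__ == "__main__":
    for name, user in unseen_addons(TEAMS_DATA):
        print(f"previously unseen add-on {name!r} added by {user}")
    print("with overlapping baseline:", unseen_addons(TEAMS_DATA, overlap_bug=True))
```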

Get started today!

Our threat hunting teams across Microsoft contribute queries, playbooks, workbooks, and notebooks to the Azure Sentinel Community, including specific hunting queries that your teams can adapt and use.

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community!

Happy Hunting!
