Azure CLI Spray ASN 53667
Query
// Azure CLI Spray - ASN 53667
// https://www.linkedin.com/posts/activity-7216141179648716800-703J/
// Defenders take note of this ASN using IPV6 to conduct Azure CLI Spray on your Entra Tenant. Use the below KQL to check against you Sentinel.🤝
// ASN 53667 Lookup - https://lnkd.in/gAVK5htd
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == "50126" or ResultType == "50053"
| where UserAgent == "node-fetch"
| where AutonomousSystemNumber == "53667"
| where AppDisplayName == "Microsoft Azure CLI"
// MITRE ATT&CK Mapping
// Based on the criteria in the KQL query, the following MITRE ATT&CK techniques are relevant:
// T1078 - Valid Accounts: The query is looking for failed sign-in attempts, which can indicate attempts to use valid accounts with incorrect credentials.
// T1071.001 - Application Layer Protocol: Web Protocols: The use of “node-fetch” suggests web-based communication, which falls under this technique.
// T1586.001 - Compromise Infrastructure: Botnet: The specific ASN and user agent might indicate the use of compromised infrastructure or botnets for automated sign-in attempts.
// T1078.004 - Valid Accounts: Cloud Accounts: The use of “Microsoft Azure CLI” indicates attempts to access cloud resources, which is relevant to this technique.Explanation
This KQL query is designed to help security defenders identify potential unauthorized access attempts on their Azure environment. Here's a simple breakdown of what the query does:
-
Data Source: It looks at sign-in logs from the past 30 days.
-
Failed Sign-ins: It filters for specific failed sign-in result types, "50126" and "50053", which typically indicate incorrect credentials or other sign-in issues.
-
User Agent: It checks if the sign-in attempts were made using "node-fetch", a tool often used for web requests, which might suggest automated or scripted access attempts.
-
Autonomous System Number (ASN): It focuses on attempts originating from ASN 53667, which is associated with suspicious activity, specifically using IPv6 addresses.
-
Application: It targets attempts to access the "Microsoft Azure CLI", a command-line tool for managing Azure resources, indicating that the attackers might be trying to access cloud resources.
The query is mapped to several MITRE ATT&CK techniques, suggesting that these activities could be part of a broader attack strategy involving:
- Attempts to use valid accounts with incorrect credentials (T1078).
- Use of web-based communication protocols (T1071.001).
- Possible use of compromised infrastructure or botnets (T1586.001).
- Attempts to access cloud accounts (T1078.004).
Overall, this query helps identify and analyze suspicious sign-in activities that could indicate an attempt to compromise Azure cloud resources.
