Query Details

Azure Cloud Account Takeover ATO Reconnaissance Detection

Query

//Azure cloud account takeover (ATO) Reconnaissance Detection
//https://www.linkedin.com/posts/activity-7179350804431085569-CcT_/

//In Feb, Proofpoint published "Ongoing Malicious Campaign Impacting Microsoft Azure Cloud Environments"
//https://lnkd.in/d7A_evhi

//Based on the published blog data, I was able to construct a KQL threat hunting query to correlate against Microsoft Graph commands used by threat actors to conduct tenant resource reconnaissance. Do make sure you send Microsoft Graph activity logs to a Log Analytics workspace (https://lnkd.in/ghqQiiEg) in order to be able to detect this type of reconnaissance.

//Below are the two types of graph commands your KQL needs to check in the RequestUri for potential tenant reconnaissance activity.

//List Tenants
//https://lnkd.in/gtPB_Mvq

//List subscribedSkus
//https://lnkd.in/gmi8uEa8 

//The below KQL helps you check if you are potentially impacted by this ATO campaign.

let ATOIPs =
SigninLogs
| where TimeGenerated > ago(90d)
| where UserAgent == "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
| where AppDisplayName == "OfficeHome"
| distinct IPAddress;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(90d)
| where IPAddress has_any (ATOIPs)
| where RequestUri contains "tenantRelationships" or RequestUri contains "subscribedSkus"

Explanation

This KQL query is designed to detect potential reconnaissance activities related to account takeover (ATO) in Microsoft Azure cloud environments. Here's a simplified summary:

  1. Context: The query is based on a report by Proofpoint about ongoing malicious campaigns targeting Microsoft Azure environments. The goal is to identify if threat actors are using specific Microsoft Graph commands to gather information about tenant resources.

  2. Data Sources: The query requires Microsoft Graph activity logs to be sent to a Log Analytics workspace.

  3. Reconnaissance Commands: The query focuses on two types of Microsoft Graph commands:

    • Listing tenants.
    • Listing subscribed SKUs (licenses).

  4. Steps in the Query:

    • Identify Suspicious IPs:
      • Look at sign-in logs from the past 90 days.
      • Filter for a specific user agent string (indicating a particular browser and operating system).
      • Focus on sign-ins to the "OfficeHome" application.
      • Extract distinct IP addresses from these logs.
    • Check Graph Activity:
      • Look at Microsoft Graph activity logs from the past 90 days.
      • Filter logs to include only those from the suspicious IP addresses identified earlier.
      • Check if the request URIs contain "tenantRelationships" or "subscribedSkus", which are indicators of reconnaissance activity.

By running this query, you can determine if your Azure environment has been potentially impacted by the described ATO campaign.
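The two stages described above, written out as a triage variant so each Graph reconnaissance hit is returned next to the sign-in context that flagged its source IP. This is an added example, not Steven Lim's query or the text of the Proofpoint report. It assumes the standard column names of the two tables (UserPrincipalName and ResultType in SigninLogs; UserId and ResponseStatusCode in MicrosoftGraphActivityLogs), reuses the user agent string from the original query, and caps the per-IP user list at 20 entries; the cap and the 90-day lookback are choices made here.

```kql
// Added triage variant of the ATO reconnaissance hunt (not the original query).
// Assumptions: SigninLogs exposes UserPrincipalName and ResultType;
// MicrosoftGraphActivityLogs exposes UserId and ResponseStatusCode.
let lookback = 90d;
let ReconUserAgent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36";
// Stage 1: OfficeHome sign-ins carrying the campaign user agent, one row per source IP
let ATOSignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where AppDisplayName == "OfficeHome"
    | where UserAgent == ReconUserAgent
    | summarize FirstSignin = min(TimeGenerated),
                SigninCount = count(),
                FailedSignins = countif(ResultType != "0"),   // "0" is a successful sign-in
                Users = make_set(UserPrincipalName, 20)       // cap of 20 is an assumption
      by IPAddress;
// Stage 2: Graph calls from those IPs that hit either reconnaissance endpoint
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
| where RequestUri has_any ("tenantRelationships", "subscribedSkus")
| extend ReconType = case(RequestUri has "tenantRelationships", "ListTenants",
                          RequestUri has "subscribedSkus", "ListSubscribedSkus",
                          "Other")
// equality join on IPAddress carries the sign-in context through to each Graph row
| join kind=inner ATOSignins on IPAddress
| where TimeGenerated >= FirstSignin   // keep recon that follows the suspicious sign-in
| summarize ReconCalls = count(),
            ReconTypes = make_set(ReconType),
            StatusCodes = make_set(ResponseStatusCode),
            FirstRecon = min(TimeGenerated),
            LastRecon = max(TimeGenerated),
            SignedInUsers = take_any(Users)
    by IPAddress, UserId, SigninCount, FailedSignins, FirstSignin
| order by ReconCalls desc
```

The output has one row per source IP and Graph caller, with the count and type of reconnaissance calls, the HTTP status codes the tenant returned (a 200 on ListSubscribedSkus means the licence inventory was actually disclosed), and the accounts that signed in from that IP, which is the set to review for token revocation and password reset.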

Details


Steven Lim

Released: August 2, 2024

Tables

SigninLogs, MicrosoftGraphActivityLogs

Keywords

Azure, Cloud Security, Threat Hunting, Microsoft Graph Logs

Operators

let, |, >, ago, ==, distinct, has_any, contains, or
