Query Details

BlueAlpha GammaDrop Detection

Query

// BlueAlpha GammaDrop Detection
// https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service

// BlueAlpha, a state-sponsored cyber threat group linked to the Russian FSB, has been active since 2014. Insikt Group has observed, via recent malware sample submissions to Recorded Future Public Sandbox, BlueAlpha abusing Cloudflare Tunnels for GammaDrop staging infrastructure. These tunnels have been leveraged by malicious .lnk files to download and execute GammaDrop.

let DeviceLNKCreation =
DeviceFileEvents
| where ActionType == @"FileCreated"
| where FileName endswith ".lnk"
// Enrich each LNK with file-reputation data (up to 100 records)
| invoke FileProfile(SHA1,100)
| where GlobalPrevalence < 10
// Keep devices where a low-prevalence LNK file was created (e.g. one extracted from a delivered archive)
| distinct DeviceName;
DeviceNetworkEvents
| where ActionType == "HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
// host is a dynamic property; cast to string before the suffix match
| extend HttpHost = tostring(ConnectInfo.host)
| where HttpHost endswith ".trycloudflare.com"
| where DeviceName has_any(DeviceLNKCreation)
// Endpoint with a new low-prevalence LNK that is connecting to a trycloudflare host

// MITRE ATT&CK

Explanation

This query is designed to detect potential malicious activity associated with the BlueAlpha cyber threat group, which is linked to the Russian FSB. The group has been observed using Cloudflare Tunnels to facilitate their operations. Here's a simple breakdown of what the query does:

  1. Identify Suspicious Files: It looks for the creation of .lnk files (shortcut files) on devices. These files are considered suspicious if they have a low global prevalence, meaning they are not commonly found across many systems.

  2. Profile the Files: The query uses a profiling function to check the SHA1 hash of these .lnk files to ensure they are indeed rare or unusual.

  3. Network Activity Monitoring: It monitors network events where HTTP connections are inspected. Specifically, it looks for connections to domains ending with .trycloudflare.com, which is associated with Cloudflare Tunnels.

  4. Correlate File and Network Activity: The query checks if the devices that created the suspicious .lnk files are also the ones making connections to the Cloudflare Tunnel domains. This correlation helps identify if the unusual file creation is linked to potentially malicious network activity.

Overall, the query aims to detect endpoints that might be involved in BlueAlpha's activities by identifying rare shortcut files and their associated network connections to Cloudflare Tunnels.
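As an added example that is not part of the original query, the same device correlation rewritten as a time-bounded join, so that a stale low-prevalence .lnk on a device does not match every later tunnel connection, and with both the file and the network side surfaced in the output. The 7d lookback, the 1h window and the projected columns are assumptions chosen for illustration.

```kql
// Added example (not from the original page): time-bounded version of the correlation.
// Assumptions: 7d lookback, 1h window between LNK creation and tunnel connection.
let lookback = 7d;
let window = 1h;
let LowPrevalenceLnk =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where FileName endswith ".lnk"
    | invoke FileProfile(SHA1, 100)
    | where GlobalPrevalence < 10
    | project DeviceId, DeviceName, LnkTime = Timestamp, FileName, FolderPath, SHA1, GlobalPrevalence;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "HttpConnectionInspected"
// host lives inside the AdditionalFields JSON; cast to string for the suffix match
| extend HttpHost = tostring(todynamic(AdditionalFields).host)
| where HttpHost endswith ".trycloudflare.com"
| project DeviceId, NetTime = Timestamp, HttpHost, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine
// Same device, and the tunnel connection must follow the LNK creation within the window
| join kind=inner LowPrevalenceLnk on DeviceId
| where NetTime between (LnkTime .. (LnkTime + window))
| project DeviceName, LnkTime, FileName, FolderPath, SHA1, GlobalPrevalence,
          NetTime, HttpHost, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by NetTime desc
```

The initiating process columns let an analyst see whether the tunnel connection was made by the LNK's child process or by an unrelated application, which is the first triage question for this rule.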

Details


Steven Lim

Released: December 7, 2024

Tables

DeviceFileEvents, DeviceNetworkEvents

Keywords

DeviceFileEvents, DeviceNetworkEvents, HttpConnectionInspected, FileName, GlobalPrevalence, DeviceName, HttpHost

Operators

let, |, where, endswith, invoke, distinct, extend, todynamic, has_any
