Query Details
// HTTP Client Tools Exploitation for ATO Detection
// https://www.proofpoint.com/us/blog/threat-insight/http-client-tools-exploitation-account-takeover-attacks
let HTTPClientTools = externaldata(RawData:string)
    [h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/Proofpoint_HTTPClientTools_ATO.txt']
    | parse RawData with IOC:string;
let HTTPClientToolsIOC = HTTPClientTools | project IOC;
CloudAppEvents
| where TimeGenerated > ago(1h)
| where UserAgent has_any(HTTPClientToolsIOC) and ISP has_any(HTTPClientToolsIOC)
This query is designed to detect potential account takeover (ATO) attacks by spotting sign-ins and other cloud app activity that originate from scripted HTTP client tools of the kind Proofpoint describes in the linked research. Here's a breakdown of what the query does:
Data Source: externaldata() pulls a plain-text IOC list from the author's SlimKQL Hunting-Queries-Detection-Rules repository on GitHub (Proofpoint_HTTPClientTools_ATO.txt); the h'' prefix marks the URL as an obfuscated string literal so it is not echoed in query logs.
Parsing: parse RawData with IOC:string turns each line of the file into one IOC value, and the second let statement projects that single column so it can be used as a list. Because the same list is applied to both UserAgent and ISP, it has to carry both user-agent fragments of the HTTP client tools and the names of the ISPs/hosting providers they are seen from.
Filtering Events: The query then examines CloudAppEvents from the last hour (TimeGenerated is the Microsoft Sentinel column name; in the Defender portal's advanced hunting the same table uses Timestamp, so adjust if you run it there).
Detection: It keeps only events where the UserAgent has_any of the IOC values and the ISP has_any of the IOC values. Note the and: an event is flagged only when both the client tool and the originating ISP are on the list, which keeps the rule quiet when a legitimate developer uses axios or node-fetch from a corporate network. Swap and for or if you want a wider, noisier net. has_any matches whole terms, case-insensitively, so "axios" matches "axios/1.7.2" but not a product name that merely contains those letters.
In essence, the query surfaces recent cloud application activity performed with HTTP client tools from infrastructure known to be abused in ATO campaigns. The tools themselves are legitimate libraries; it is the combination of a non-browser client and a suspicious ISP that points to a credential being replayed by an attacker's script rather than used by the account owner.
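To make the matching semantics concrete without a Sentinel workspace, here is an offline Python re-implementation of the query's logic run over a handful of sample rows. This is an added example, not the author's code: the IOC entries and CloudAppEvents rows are constructed for illustration and are not the contents of the repository feed or real telemetry, and the term-based has_any emulation is an approximation of Kusto's tokenizer rather than the engine itself.

```python
"""Offline model of the page's KQL detection (added example, not the page's own code).
The IOC feed and the events below are constructed; the has_any() emulation approximates
Kusto's whole-term, case-insensitive matching."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for the externaldata() feed: one IOC per line. The list mixes
# HTTP client user-agent fragments and hosting-provider names because the query
# applies a single list to both the UserAgent and the ISP columns.
RAW_IOC_FEED = """\
axios
node-fetch
Go-http-client
Example Hosting Ltd
Sample Cloud Servers
"""

_TERM = re.compile(r"[A-Za-z0-9]+")


def parse_ioc_feed(raw: str) -> list:
    """Equivalent of `... | parse RawData with IOC:string | project IOC`:
    every non-empty line of the file becomes one IOC value."""
    return [line.strip() for line in raw.splitlines() if line.strip()]


def terms(text: str) -> list:
    """Approximation of Kusto term extraction: lowercase alphanumeric runs."""
    return [t.lower() for t in _TERM.findall(text)]


def has_any(field: str, iocs: list) -> Optional[str]:
    """Approximation of KQL `field has_any (iocs)`: an IOC matches when its term
    sequence appears as consecutive whole terms in the field, so 'axios' matches
    'axios/1.7.2' but not 'myaxios-wrapper'. Returns the first matching IOC."""
    field_terms = terms(field)
    for ioc in iocs:
        ioc_terms = terms(ioc)
        n = len(ioc_terms)
        if n == 0:
            continue
        for i in range(len(field_terms) - n + 1):
            if field_terms[i:i + n] == ioc_terms:
                return ioc
    return None


def detect(events: list, iocs: list, now: datetime,
           window: timedelta = timedelta(hours=1), require_both: bool = True) -> list:
    """Mirror of the page's query: events newer than `now - window` whose UserAgent
    and ISP both match the IOC list. require_both=False shows the wider `or` variant.
    Returns (event, matched_ua_ioc, matched_isp_ioc) tuples."""
    hits = []
    for ev in events:
        if ev["TimeGenerated"] <= now - window:          # where TimeGenerated > ago(1h)
            continue
        ua = has_any(ev["UserAgent"], iocs)
        isp = has_any(ev["ISP"], iocs)
        flagged = (ua and isp) if require_both else (ua or isp)
        if flagged:
            hits.append((ev, ua, isp))
    return hits


IOCS = parse_ioc_feed(RAW_IOC_FEED)
NOW = datetime(2025, 2, 7, 12, 0, tzinfo=timezone.utc)


def _ev(i, minutes_ago, ua, isp):
    return {"Id": i, "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "UserAgent": ua, "ISP": isp}


# Constructed CloudAppEvents rows carrying only the columns the query reads.
SAMPLE_EVENTS = [
    _ev(1, 5, "axios/1.7.2", "Example Hosting Ltd"),                 # tool + listed ISP: hit
    _ev(2, 10, "axios/1.7.2", "Home Broadband Co"),                  # tool only: not a hit (and)
    _ev(3, 15, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Sample Cloud Servers"),  # ISP only
    _ev(4, 180, "node-fetch/3.3.2", "Example Hosting Ltd"),          # outside the 1h window
    _ev(5, 20, "myaxios-wrapper/0.1", "Example Hosting Ltd"),        # 'axios' is not a whole term
    _ev(6, 25, "Go-http-client/1.1", "Sample Cloud Servers"),        # multi-term IOC: hit
]

if __name__ == "__main__":
    for ev, ua, isp in detect(SAMPLE_EVENTS, IOCS, NOW):
        print(f"event {ev['Id']}: UserAgent matched {ua!r}, ISP matched {isp!r}")
```

Running it flags only events 1 and 6; flipping require_both to False also pulls in the tool-only and ISP-only rows (2, 3 and 5), which is the volume difference you are choosing between when you decide whether to keep the query's and.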

Steven Lim
Released: February 7, 2025