KQL Search

Query Details

HomeAI ToolsDevice Query

Hunting Aqua Blizzards

Query

// 𝗔𝗰𝘁𝗶𝘃𝗶𝘁𝘆 𝗣𝗿𝗼𝗳𝗶𝗹𝗲: 𝗔𝗾𝘂𝗮 𝗕𝗹𝗶𝘇𝘇𝗮𝗿𝗱 𝗶𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗶𝗻𝗴 𝗖𝗹𝗼𝘂𝗱𝗳𝗹𝗮𝗿𝗲 𝗧𝘂𝗻𝗻𝗲𝗹 𝘀𝗲𝗿𝘃𝗶𝗰𝗲 𝘁𝗼 𝗰𝗼𝗻𝗰𝗲𝗮𝗹 𝗖2
// https://security.microsoft.com/threatanalytics3/48213822-f322-424f-9f0d-c619cefad8c9/analystreport

// ⏺️T1572 Protocol Tunneling | Aqua Blizzard uses Cloudflare Tunnel to tunnel network communications to and from a target system within a separate protocol to avoid detection or network filtering
// ⏺️T1102 Web Service | Aqua Blizzard uses Cloudflare services for C2 communications
// ⏺️T1090 Proxy | Aqua Blizzard uses Cloudflare Tunnel to obfuscate the host IP address of HTTP GET requests for malicious scripts/payloads

// 𝗞𝗤𝗟 𝘁𝗼 𝗰𝗵𝗲𝗰𝗸 𝗳𝗼𝗿 𝗔𝗾𝘂𝗮 𝗕𝗹𝗶𝘇𝘇𝗮𝗿𝗱 𝗮𝗰𝘁𝗶𝘃𝗶𝘁𝗶𝗲𝘀:

let AquaBlizzardIPs = dynamic(["167.71.193.19","146.190.129.82","137.184.50.238","146.190.173.21","143.244.162.106","128.199.170.197","147.182.245.94","167.99.73.109","139.59.227.7","159.65.226.187","137.184.86.236","137.184.142.176","146.190.33.206","68.183.185.84","68.183.226.96","157.230.83.122","67.205.171.195","139.59.236.13","147.182.235.190","146.190.129.82"]);
DeviceNetworkEvents
| where TimeGenerated > ago(90d) 
| where ActionType == @"HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where RemoteIP has_any(AquaBlizzardIPs)
| project TimeGenerated, DeviceId, DeviceName, LocalIP, RemoteIP, HttpHost, AdditionalFields, ConnectInfo

Explanation

This KQL (Kusto Query Language) query is designed to detect potential malicious activities associated with the Aqua Blizzard group, specifically focusing on their use of Cloudflare Tunnel services to conceal command and control (C2) communications. Here's a simplified breakdown of what the query does:

  1. Define a List of IPs: It starts by defining a list of IP addresses (AquaBlizzardIPs) that are associated with Aqua Blizzard activities.

  2. Filter Network Events: The query examines network events from the DeviceNetworkEvents table.

  3. Time Frame: It looks at events generated in the last 90 days (TimeGenerated > ago(90d)).

  4. Action Type: It filters for events where the action type is HttpConnectionInspected, indicating that these are HTTP connection events that have been inspected.

  5. Extract Additional Information: It extracts additional connection information from the AdditionalFields column and assigns it to ConnectInfo. It also extracts the HTTP host information from this dynamic field.

  6. Match IPs: The query checks if the RemoteIP (the IP address of the remote server) matches any of the IPs in the AquaBlizzardIPs list.

  7. Project Relevant Data: Finally, it selects and displays specific columns of interest: TimeGenerated, DeviceId, DeviceName, LocalIP, RemoteIP, HttpHost, AdditionalFields, and ConnectInfo.

In summary, this query is used to identify and analyze network events that might indicate Aqua Blizzard's use of Cloudflare Tunnel services to hide their C2 activities, by checking for connections to known IP addresses associated with them.

Details

Steven Lim profile picture

Steven Lim

Released: January 10, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsTimeGeneratedActionTypeConnectInfoHttpHostRemoteIPDeviceIdDeviceNameLocalIPAdditionalFields

Operators

letdynamic|where>ago==@extend=todynamichas_anyproject

Actions