Query Details

Hunting Fasthttp Bruteforce Campaign

Query

// Hunting fasthttp Bruteforce Campaign
// https://www.speartip.com/fasthttp-used-in-new-bruteforce-campaign/

// This query hunts for a brute-force campaign identified by the SpearTip Security Operations Center that leverages fasthttp, a high-performance HTTP server and client library for the Go programming language. The campaign attempts to gain unauthorized access to accounts through brute-force login attempts and by spamming multi-factor authentication (MFA) requests. The attacks primarily target the Azure Active Directory Graph API and have been observed originating mainly from Brazil, with other sources including Turkey, Argentina, Uzbekistan, Pakistan, and Iraq.

// I ran similar KQL queries on both Sentinel and Defender XDR but only detected this brute-force campaign in the AADSignInEventsBeta schema of Defender XDR. The KQL below will help detect whether the brute-force campaign has attacked your tenant, using the long IOC list provided by SpearTip. Happy Hunting 🫡

// One IP per line in the feed, so read it directly as a single string column
let FastHttpIOCs = externaldata(FastHttpIPs:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/fasthttpIOCs.txt']
with(format="txt")
| where isnotempty(FastHttpIPs)
| distinct FastHttpIPs;
AADSignInEventsBeta
| where Timestamp > ago(30d)
// 00000002-0000-0000-c000-000000000000 is the Azure Active Directory Graph API application
| where ApplicationId == "00000002-0000-0000-c000-000000000000"
| where UserAgent == "fasthttp"
// exact match against the IOC list (`in` rather than the term-based has_any)
| where IPAddress in (FastHttpIOCs)
| summarize Attempts = count(), FailedAttempts = countif(ErrorCode != 0),
    SuccessfulSignIns = countif(ErrorCode == 0),
    FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by AccountUpn, IPAddress, Country
| order by SuccessfulSignIns desc, Attempts desc

Explanation

This query is designed to detect a specific brute-force campaign that uses the "fasthttp" library, a high-performance HTTP server and client library for the Go programming language. The campaign targets Azure Active Directory (AAD) by attempting unauthorized logins and spamming multi-factor authentication (MFA) requests. The attacks primarily originate from Brazil, with other sources including Turkey, Argentina, Uzbekistan, Pakistan, and Iraq.

Here's a simplified breakdown of the query:

  1. Importing Indicators of Compromise (IOCs): The query starts by importing a list of IP addresses associated with the fasthttp brute-force campaign from an external source (a text file hosted on GitHub).

  2. Filtering AAD Sign-In Events: It then looks at the AADSignInEventsBeta schema, which contains sign-in event logs, to find any events that match the following criteria:

    • The event occurred within the last 30 days.
    • The application ID matches a specific value ("00000002-0000-0000-c000-000000000000"), which is the application ID of the Azure Active Directory Graph API.
    • The user agent string is "fasthttp," indicating the use of the fasthttp library.
    • The IP address of the sign-in event matches any of the IP addresses from the imported list of IOCs.

The goal of the query is to identify whether this specific brute-force campaign has targeted your Azure tenant by checking for sign-in attempts that match the known characteristics of the attack. Because the published IP list is a point-in-time snapshot of a rotating source pool, sign-ins that match the application and "fasthttp" user agent but not the IOC list are also worth triage, and any successful sign-in from a listed IP should be treated as a likely account compromise.
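The following is an added example and not code from the original page or from SpearTip: a Python model of the query's four filters (time window, Azure AD Graph application ID, "fasthttp" user agent, IOC IP match) run offline over constructed sign-in records, so the matching logic can be checked without a tenant. The IOC feed and sign-in rows are constructed samples (RFC 5737 documentation addresses, example.com accounts); the helper names are this example's own. It goes one step beyond the KQL by also reporting "fasthttp" sign-ins from IPs that are not on the IOC list, since the published list is a snapshot of a rotating source pool.

```python
"""Offline model of the fasthttp brute-force hunt (added example, not the page's code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import ipaddress

AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph API
SUSPECT_USER_AGENT = "fasthttp"
LOOKBACK = timedelta(days=30)                               # Timestamp > ago(30d)

# Constructed IOC feed in the shape of a one-IP-per-line text file.
# These are RFC 5737 documentation addresses, NOT the real SpearTip IOCs.
IOC_FEED = """\
# fasthttp campaign source IPs (constructed sample)
203.0.113.10
203.0.113.11

198.51.100.7
not-an-ip
"""


def load_iocs(text: str) -> set:
    """Parse a one-IP-per-line feed: skip blanks and comments, drop entries that
    are not valid IP addresses, and normalize so the later match is exact."""
    iocs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            iocs.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # malformed feed entry: ignore rather than abort the hunt
    return iocs


# Constructed AADSignInEventsBeta-like rows (only the columns the query uses).
# ErrorCode 0 = success, 50126 = invalid credentials, 50074 = MFA required.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SIGNINS = [
    # (Timestamp, ApplicationId, UserAgent, IPAddress, AccountUpn, ErrorCode)
    (NOW - timedelta(hours=1), AAD_GRAPH_APP_ID, "fasthttp", "203.0.113.10", "alice@example.com", 50126),
    (NOW - timedelta(hours=1), AAD_GRAPH_APP_ID, "fasthttp", "203.0.113.10", "alice@example.com", 50126),
    (NOW - timedelta(hours=1), AAD_GRAPH_APP_ID, "fasthttp", "203.0.113.10", "alice@example.com", 50074),
    (NOW - timedelta(hours=2), AAD_GRAPH_APP_ID, "fasthttp", "203.0.113.11", "bob@example.com", 0),
    (NOW - timedelta(hours=3), AAD_GRAPH_APP_ID, "fasthttp", "192.0.2.55", "carol@example.com", 50126),
    (NOW - timedelta(days=45), AAD_GRAPH_APP_ID, "fasthttp", "203.0.113.10", "alice@example.com", 50126),
    (NOW - timedelta(hours=1), AAD_GRAPH_APP_ID, "Mozilla/5.0", "203.0.113.10", "dave@example.com", 0),
    (NOW - timedelta(hours=1), "00000003-0000-0000-c000-000000000000", "fasthttp", "203.0.113.10", "erin@example.com", 0),
]


@dataclass
class Hit:
    """Per (account, IP) summary, mirroring the KQL summarize."""
    attempts: int = 0
    failures: int = 0
    successes: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def hunt(signins, iocs, now=NOW, lookback=LOOKBACK):
    """Apply the query's filters. Returns (ioc_hits, other_fasthttp): rows from
    listed IPs, and rows that match app + user agent but come from unlisted IPs."""
    ioc_hits, other_fasthttp = defaultdict(Hit), defaultdict(Hit)
    for ts, app_id, ua, ip, upn, err in signins:
        if ts <= now - lookback:
            continue                                  # outside the 30-day window
        if app_id != AAD_GRAPH_APP_ID or ua != SUSPECT_USER_AGENT:
            continue                                  # not the campaign's app/client
        bucket = ioc_hits if ip in iocs else other_fasthttp
        h = bucket[(upn, ip)]
        h.attempts += 1
        if err == 0:
            h.successes += 1
        else:
            h.failures += 1
        h.first_seen = ts if h.first_seen is None else min(h.first_seen, ts)
        h.last_seen = ts if h.last_seen is None else max(h.last_seen, ts)
    return dict(ioc_hits), dict(other_fasthttp)


def compromised_accounts(hits):
    """Accounts with at least one successful sign-in from a listed IP: triage first."""
    return sorted({upn for (upn, _ip), h in hits.items() if h.successes > 0})


if __name__ == "__main__":
    iocs = load_iocs(IOC_FEED)
    hits, others = hunt(SIGNINS, iocs)
    for (upn, ip), h in hits.items():
        print(f"IOC hit  {upn:<20} {ip:<14} attempts={h.attempts} failed={h.failures} ok={h.successes}")
    for (upn, ip), h in others.items():
        print(f"unlisted {upn:<20} {ip:<14} attempts={h.attempts} (fasthttp, not in IOC list)")
    print("likely compromised:", compromised_accounts(hits))
```

The 45-day-old row, the browser user agent, and the sign-in to a different application are all dropped, exactly as the KQL filters drop them; the constructed feed's comment, blank line and malformed entry are skipped by load_iocs rather than silently becoming non-matching "IOCs".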

Details


Steven Lim

Released: January 15, 2025

Tables

AADSignInEventsBeta

Keywords

Azure Active Directory Graph API, Sentinel, Defender XDR, AADSignInEventsBeta

Operators

let, externaldata, parse, with, distinct, where, >, ago, ==, has_any
