Query Details

New Threat Actor Group Signature

Query

// New Threat Actor Group Signature
// https://www.linkedin.com/posts/activity-7193281542645768192-9ZIM/

// I just discovered a new threat actor group signature that started mounting aggressive spray about 2.5 weeks back on my tenant. If you run the below KQL on your Sentinel sign-in logs, you should probably see some hits on your tenant. Do share your intel in the comments for community awareness if you observe it. 🙏

// This particular group is abusing the "OfficeHome" app and has Firefox 116 as its user agent. The method is similar to the Proofpoint post from February this year, when they uncovered a malicious campaign on cloud account takeover (ATO). 🫡

// Ongoing Malicious Campaign Impacting Microsoft Azure Cloud Environments
// Link: https://lnkd.in/d7A_evhi

SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == "50053" or ResultType == "50126"
| where AppDisplayName == "OfficeHome"
| where UserAgent == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"

Explanation

This KQL (Kusto Query Language) query is designed to detect a new threat actor group that has been targeting Microsoft Azure environments. Here's a simple summary of what the query does:

  1. Data Source: It looks at the SigninLogs in Microsoft Sentinel.
  2. Time Frame: It filters the logs to include only those generated in the last 90 days.
  3. Error Codes: It specifically looks for sign-in attempts that resulted in error codes "50053" or "50126".
  4. Application: It filters for attempts involving the "OfficeHome" application.
  5. User Agent: It further filters for attempts where the user agent string is "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0".

In essence, this query helps identify suspicious sign-in attempts that match the behavior of a newly discovered threat actor group, which uses the "OfficeHome" app and a specific version of Firefox as its user agent. The goal is to help detect and share information about this ongoing malicious campaign targeting Microsoft Azure environments.
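To test the same four filters outside Sentinel, for example against SigninLogs rows exported as JSON, here is an added Python port of the query (not part of the original page) that also groups the hits per source IP, since a spray shows up as one IP touching many accounts. User names, IP addresses and timestamps in the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Filter constants copied from the KQL query above.
RESULT_TYPES = {"50053", "50126"}  # 50053: account locked, 50126: invalid username or password
APP_DISPLAY_NAME = "OfficeHome"
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) "
              "Gecko/20100101 Firefox/116.0")
NOW = datetime(2024, 8, 2, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

def _ts(days_ago: int) -> str:
    """ISO 8601 timestamp, as TimeGenerated appears in exported SigninLogs rows."""
    return (NOW - timedelta(days=days_ago)).isoformat()

# Constructed sample rows (hypothetical users, RFC 5737 documentation IPs), not real tenant data.
SAMPLE_ROWS = [
    {"TimeGenerated": _ts(1),   "UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.10",
     "ResultType": "50126", "AppDisplayName": "OfficeHome", "UserAgent": USER_AGENT},
    {"TimeGenerated": _ts(1),   "UserPrincipalName": "bob@example.com",   "IPAddress": "203.0.113.10",
     "ResultType": "50126", "AppDisplayName": "OfficeHome", "UserAgent": USER_AGENT},
    {"TimeGenerated": _ts(2),   "UserPrincipalName": "carol@example.com", "IPAddress": "203.0.113.10",
     "ResultType": "50053", "AppDisplayName": "OfficeHome", "UserAgent": USER_AGENT},
    {"TimeGenerated": _ts(1),   "UserPrincipalName": "dave@example.com",  "IPAddress": "203.0.113.10",
     "ResultType": "50126", "AppDisplayName": "Microsoft Teams", "UserAgent": USER_AGENT},  # other app
    {"TimeGenerated": _ts(1),   "UserPrincipalName": "alice@example.com", "IPAddress": "198.51.100.7",
     "ResultType": "0",     "AppDisplayName": "OfficeHome", "UserAgent": USER_AGENT},       # success
    {"TimeGenerated": _ts(100), "UserPrincipalName": "erin@example.com",  "IPAddress": "203.0.113.10",
     "ResultType": "50126", "AppDisplayName": "OfficeHome", "UserAgent": USER_AGENT},       # outside 90d
    {"TimeGenerated": _ts(1),   "UserPrincipalName": "frank@example.com", "IPAddress": "198.51.100.7",
     "ResultType": "50126", "AppDisplayName": "OfficeHome",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0"},  # other UA
]

def matches(row: dict, now: datetime = NOW, window_days: int = 90) -> bool:
    """Apply the four 'where' clauses of the KQL query to one sign-in record."""
    generated = datetime.fromisoformat(row["TimeGenerated"])
    return (generated > now - timedelta(days=window_days)   # TimeGenerated > ago(90d)
            and row["ResultType"] in RESULT_TYPES           # ResultType == "50053" or "50126"
            and row["AppDisplayName"] == APP_DISPLAY_NAME   # AppDisplayName == "OfficeHome"
            and row["UserAgent"] == USER_AGENT)             # exact user-agent string match

def run_query(rows, now: datetime = NOW, window_days: int = 90) -> list:
    return [r for r in rows if matches(r, now, window_days)]

def summarize_by_ip(rows) -> dict:
    """Per source IP: failed attempts and distinct accounts, the shape a spray leaves behind."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for r in rows:
        per_ip[r["IPAddress"]]["attempts"] += 1
        per_ip[r["IPAddress"]]["users"].add(r["UserPrincipalName"])
    return {ip: {"attempts": v["attempts"], "distinct_users": len(v["users"])} for ip, v in per_ip.items()}
```

On the sample, only the three OfficeHome/Firefox 116 failures from 203.0.113.10 survive, and the summary shows that single IP hitting three different accounts.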

Details

Steven Lim

Released: August 2, 2024

Tables

SigninLogs

Keywords

SigninLogs, Microsoft Azure Cloud Environments, UserAgent, AppDisplayName, TimeGenerated, ResultType

Operators

|, where, >, ago(), ==, or