KQL Search

// Threat Hunting AzureHound Usage

// Tool Profile: AzureHound framework
// Link: https://security.microsoft.com/threatanalytics3/ec964e9b-f365-4dc3-b5b4-44f1532198b5/
// The DefenderXDR portal has just released a Threat Analytics Report on the AzureHound Framework. AzureHound, part of the BloodHoundAD project on GitHub, is the official tool for collecting Azure data for BloodHound and BloodHound Enterprise. This command-line tool, which can be built from source, is utilized for both offensive and defensive security testing. The report includes two advanced hunting queries focused on AzureHound cmdlets and reconnaissance activities using network logs. Additionally, I have contributed another KQL query to GitHub for detecting AzureHound usage, which is not included in the Threat Analytics Report.

MicrosoftGraphActivityLogs
| where TimeGenerated > ago(90d)
| where UserAgent has "azurehound"
| extend ObjectID = iff(isempty(UserId), ServicePrincipalId, UserId)
| join kind=leftouter IdentityInfo on $left.ObjectID == $right.AccountObjectId
| where isnotempty(AccountUPN)
| project-reorder TimeGenerated, AppId, IPAddress, AccountUPN, AccountCreationTime, AssignedRoles, ServicePrincipalId, RequestId, RequestMethod, ResponseStatusCode, RequestUri, ResponseSizeBytes, Roles

// MITRE ATT&CK Mapping

// T1078 - Valid Accounts: The query filters logs based on user agents and identity information, which can help identify the use of valid accounts.
// T1087 - Account Discovery: By joining with identity information and filtering based on AccountUPN, the query can help in discovering accounts.
// T1071 - Application Layer Protocol: The RequestUri and RequestMethod fields can be used to analyze communication patterns, which is relevant to application layer protocols.
// T1040 - Network Sniffing: The IPAddress field can be used to detect network sniffing activities.
// T1057 - Process Discovery: The UserAgent field can help identify processes or tools used, such as “azurehound”.