From 0fc23d26567d82135b28002eb7757e17e5766830 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 3 Jun 2025 14:00:20 -0400 Subject: [PATCH] new rule for bloodhound user agents --- ...overy_bloodhound_user_agents_detected.toml | 171 ++++++++++++++++++ .../execution_posh_hacktool_functions.toml | 8 +- 2 files changed, 176 insertions(+), 3 deletions(-) create mode 100644 rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml diff --git a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml new file mode 100644 index 00000000000..402945fecc1 --- /dev/null +++ b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml @@ -0,0 +1,171 @@ +[metadata] +creation_date = "2025/06/03" +integration = ["azure", "o365"] +maturity = "production" +updated_date = "2025/06/03" + +[rule] +author = ["Elastic"] +description = """ +Identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. +These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access +relationships within Microsoft Entra ID (Azure AD) and Microsoft 365. +""" +false_positives = [ + """ + Legitimate administrative or security assessment activities may use these user-agents, especially in environments + where BloodHound is employed for authorized audits. If this is expected behavior, consider adjusting the rule or + adding exceptions for specific user-agents or IP addresses. + """, + """ + Expected red team assessments or penetration tests may utilize BloodHound tools to evaluate the security posture of + Azure or Microsoft 365 environments. If this is expected behavior, consider adjusting the rule or adding exceptions + for specific IP addresses, registered applications, JWT tokens, PRTs or user principal names (UPNs). + """, +] +from = "now-9m" +index = ["filebeat-*", "logs-azure.*", "logs-o365.audit-*"] +language = "eql" +license = "Elastic License v2" +name = "BloodHound Suite User-Agents Detected" +note = """## Triage and analysis + +This rule identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365. + +The detection is based on known enumeration patterns, particularly the presence of suspicious user agent strings (e.g., `azurehound/`, `sharphound/`, `bloodhound/`) in various Azure and M365 logs. The rule monitors multiple log sources, including: + +- Azure Graph API Activity Logs +- Microsoft 365 Audit Logs +- Entra ID Sign-in Logs +- Entra ID Audit Logs +- Azure Activity Logs + +This ensures broader detection of credential abuse, token misuse, or unauthorized identity discovery activity from both interactive and non-interactive (API) sessions. + +### Possible investigation steps + +- Confirm the tool used via `user_agent.original`. Look for: + - `azurehound/x.y.z` + - `bloodhound/1.0` + - `sharphound/1.0` +- Examine `url.original` or `url.path` to determine which APIs were accessed if Graph API activity logs. For example: + - `/v1.0/organization`, `/v1.0/users`, `/v1.0/groups` may indicate user/group/tenant discovery. +- Identify the `user.id`, `user.name`, or `azure.auditlogs.properties.initiated_by.user.user_principal_name` fields to determine which identity executed the API request. +- Review `app_id`, `app_display_name`, or `client_id` to identify the application context (e.g., Azure CLI, Graph Explorer, unauthorized app). +- Check `http.request.method`, `http.response.status_code`, and `event.action` for enumeration patterns (many successful GETs in a short period) if Graph API activity logs. +- Investigate correlated sign-ins (`azure.signinlogs`) by the same user, IP, or app immediately preceding the API calls. Was MFA used? Is the location suspicious? +- Review `source.ip`, `client.geo.*`, and `network.*` fields to determine the origin of the requests. Flag unexpected IPs or ISPs. +- If the event originates in M365 Audit Logs, investigate cross-service activity: Exchange Online, Teams, SharePoint, or role escalations via Unified Audit. + +### False positive analysis + +- This activity may be benign if performed by red teams, internal security auditors, or known security tools under authorization. +- Automated monitoring solutions, cloud posture scanners, or legitimate Azure/M365 integrations may generate similar traffic. Review the `app_id` and user context. +- Developer activity in test tenants may include tool usage for learning or validation purposes. + +### Response and remediation + +- If confirmed malicious: + - Revoke active sessions or tokens associated with the identified user/app. + - Disable the account or rotate credentials immediately. + - Review the role assignments (`Directory.Read.All`, `AuditLog.Read.All`, `Directory.AccessAsUser.All`) and remove excessive privileges. + - Conduct historical analysis to determine how long enumeration has been occurring and what objects were queried. + - Enable Conditional Access policies to require MFA for API and CLI-based access. + - Validate audit logging and alerting is enabled across Microsoft Graph, Azure Activity Logs, and M365 workloads. + +- If legitimate: + - Document the source (e.g., red team operation, security tool). + - Add appropriate allowlist conditions for service principal, user, source address or device if policy allows. + +""" +references = [ + "https://specterops.io/bloodhound-overview/", + "https://github.com/SpecterOps/AzureHound", + "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/", +] +risk_score = 47 +rule_id = "c28750fa-4092-11f0-aca6-f661ea17fbcd" +severity = "medium" +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Data Source: Graph API", + "Data Source: Graph API Activity Logs", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Data Source: Microsoft Entra ID Sign-in Logs", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +any where event.dataset : ( + "azure.activitylogs", + "azure.graphactivitylogs", + "azure.auditlogs", + "azure.signinlogs", + "o365.audit" +) and user_agent.original regex~ "(azure|sharp|blood)(hound)/.*" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" +[[rule.threat.technique.subtechnique]] +id = "T1069.003" +name = "Cloud Groups" +reference = "https://attack.mitre.org/techniques/T1069/003/" + + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" +[[rule.threat.technique.subtechnique]] +id = "T1087.004" +name = "Cloud Account" +reference = "https://attack.mitre.org/techniques/T1087/004/" + + +[[rule.threat.technique]] +id = "T1201" +name = "Password Policy Discovery" +reference = "https://attack.mitre.org/techniques/T1201/" + +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" + +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" + +[[rule.threat.technique]] +id = "T1673" +name = "Virtual Machine Discovery" +reference = "https://attack.mitre.org/techniques/T1673/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml index 0d9b37772c3..87fc33b868d 100644 --- a/rules/windows/execution_posh_hacktool_functions.toml +++ b/rules/windows/execution_posh_hacktool_functions.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/05/03" [transform] [[transform.osquery]] @@ -109,6 +109,7 @@ Adversaries often exploit PowerShell's capabilities to execute malicious scripts references = [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire", + "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/", ] risk_score = 47 rule_id = "cde1bafa-9f01-4f43-a872-605b678968b0" @@ -189,7 +190,7 @@ event.category:process and host.os.type:windows and "Get-GPPInnerFields" or "Get-GPPPassword" or "Get-GptTmpl" or "Get-GroupsXML" or "Get-HttpStatus" or "Get-ImageNtHeaders" or - "Get-Keystrokes" or "New-SOASerialNumberArray" or + "Get-Keystrokes" or "New-SOASerialNumberArray" or "Get-MemoryProcAddress" or "Get-MicrophoneAudio" or "Get-ModifiablePath" or "Get-ModifiableRegistryAutoRun" or "Get-ModifiableScheduledTaskFile" or "Get-ModifiableService" or @@ -319,7 +320,8 @@ event.category:process and host.os.type:windows and "Invoke-PowerOptionsWMI" or "Invoke-DirectoryListing" or "Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or "Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or - "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" + "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" or + "Invoke-AzureHound" or "Invoke-SharpHound" ) and not powershell.file.script_block_text : ( "sentinelbreakpoints" and "Set-PSBreakpoint"