Possible Forest Blizzard attempted credential harvesting - Sept 2020
| Id | 04384937-e927-4595-8f3c-89ff58ed231f |
| Rulename | Possible Forest Blizzard attempted credential harvesting - Sept 2020 |
| Description | Surfaces potential Forest Blizzard group Office365 credential harvesting attempts within OfficeActivity Logon events. References: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/. |
| Severity | Low |
| Tactics | CredentialAccess |
| Techniques | T1110 |
| Required data connectors | Office365 |
| Kind | Scheduled |
| Query frequency | 7d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/ForestBlizzardCredHarvesting.yaml |
| Version | 2.0.1 |
| Arm template | 04384937-e927-4595-8f3c-89ff58ed231f.json |
let IPs = dynamic (["199.249.230.","185.220.101.","23.129.64.","109.70.100.","185.220.102."]);
OfficeActivity
| where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon")
| where Operation != 'UserLoggedIn'
| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ "UserAgent", extractjson("$[0].Value", ExtendedProperties, typeof(string)),"")
| mv-expand parse_json(ExtendedProperties)
| where ExtendedProperties.Name =~ "RequestType"
| extend RequestType = ExtendedProperties.Value
| where ClientIP has_any (IPs)
| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent
| where authAttempts > 2500
| extend timestamp = firstAttempt
| sort by uniqueAccounts
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity
triggerOperator: gt
queryFrequency: 7d
name: Possible Forest Blizzard attempted credential harvesting - Sept 2020
status: Available
queryPeriod: 14d
id: 04384937-e927-4595-8f3c-89ff58ed231f
description: |
'Surfaces potential Forest Blizzard group Office365 credential harvesting attempts within OfficeActivity Logon events.
References: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.'
severity: Low
query: |
let IPs = dynamic (["199.249.230.","185.220.101.","23.129.64.","109.70.100.","185.220.102."]);
OfficeActivity
| where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon")
| where Operation != 'UserLoggedIn'
| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ "UserAgent", extractjson("$[0].Value", ExtendedProperties, typeof(string)),"")
| mv-expand parse_json(ExtendedProperties)
| where ExtendedProperties.Name =~ "RequestType"
| extend RequestType = ExtendedProperties.Value
| where ClientIP has_any (IPs)
| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent
| where authAttempts > 2500
| extend timestamp = firstAttempt
| sort by uniqueAccounts
version: 2.0.1
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/ForestBlizzardCredHarvesting.yaml
relevantTechniques:
- T1110
tactics:
- CredentialAccess
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/04384937-e927-4595-8f3c-89ff58ed231f')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/04384937-e927-4595-8f3c-89ff58ed231f')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Possible Forest Blizzard attempted credential harvesting - Sept 2020",
"description": "'Surfaces potential Forest Blizzard group Office365 credential harvesting attempts within OfficeActivity Logon events.\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.'\n",
"severity": "Low",
"enabled": true,
"query": "let IPs = dynamic ([\"199.249.230.\",\"185.220.101.\",\"23.129.64.\",\"109.70.100.\",\"185.220.102.\"]);\nOfficeActivity\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", \"AzureActiveDirectoryStsLogon\") \n| where Operation != 'UserLoggedIn'\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| extend RequestType = ExtendedProperties.Value\n| where ClientIP has_any (IPs)\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 2500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts\n",
"queryFrequency": "P7D",
"queryPeriod": "P14D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1110"
],
"alertRuleTemplateName": "04384937-e927-4595-8f3c-89ff58ed231f",
"customDetails": null,
"entityMappings": null,
"templateVersion": "2.0.1",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/ForestBlizzardCredHarvesting.yaml",
"status": "Available"
}
}
]
}