Microsoft Sentinel Analytic Rules

Silk Typhoon Suspicious Exchange Request

Id: 23005e87-2d3a-482b-b03d-edbebd1ae151
Rulename: Silk Typhoon Suspicious Exchange Request
Description: This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors.

The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.

Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Severity: Medium
Tactics: InitialAccess
Techniques: T1190
Required data connectors: AzureMonitor(IIS)
Kind: Scheduled
Query frequency: 1d
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/SilkTyphoonSuspiciousExchangeRequestPattern.yaml
Version: 1.0.3
Arm template: 23005e87-2d3a-482b-b03d-edbebd1ae151.json
// Build the set of Exchange servers: every computer that has served the
// "Exchange Back End" IIS site at any point in the last 14 days.
let ExchangeBackEndHosts = (
    W3CIISLog
    | where TimeGenerated > ago(14d)
    | where sSiteName =~ "Exchange Back End"
    | distinct Computer);
// Inspect only the last day of IIS traffic on those hosts, keeping requests
// whose query string begins with "t=" (the request pattern this rule targets).
W3CIISLog
| where TimeGenerated > ago(1d)
| where Computer in (ExchangeBackEndHosts)
| where csUriQuery startswith "t="
// Put the analyst-relevant columns first; every other W3CIISLog column is retained.
| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP
// Host entity fields: short host name and the position of the first dot in the FQDN.
| extend
    HostName = tostring(split(Computer, ".")[0]),
    DomainIndex = toint(indexof(Computer, "."))
// HostNameDomain is everything after the first dot; when Computer has no dot
// (DomainIndex == -1) the full value is used. Account fields split the user on "@"
// so the UPN suffix is empty for names without one.
| extend
    HostNameDomain = iif(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer),
    AccountName = tostring(split(csUserName, "@")[0]),
    AccountUPNSuffix = tostring(split(csUserName, "@")[1])
# Microsoft Sentinel scheduled analytic rule; the upstream definition is at OriginalUri.
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/SilkTyphoonSuspiciousExchangeRequestPattern.yaml
# KQL executed on each run. The let statement looks back 14d to build the list of
# hosts serving the "Exchange Back End" site; the main query looks back only 1d.
# queryPeriod (14d) and queryFrequency (1d) further down match those two windows,
# so shrinking queryPeriod below 14d would silently truncate the host list.
query: |
  let exchange_servers = (
  W3CIISLog
  | where TimeGenerated > ago(14d)
  | where sSiteName =~ "Exchange Back End"
  | summarize by Computer);
  W3CIISLog
  | where TimeGenerated > ago(1d)
  | where Computer in (exchange_servers)
  | where csUriQuery startswith "t="
  | project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(csUserName, "@")[0]), AccountUPNSuffix = tostring(split(csUserName, "@")[1])  
# The only table the query reads; without the IIS log connector the rule has no data.
requiredDataConnectors:
- dataTypes:
  - W3CIISLog
  connectorId: AzureMonitor(IIS)
tactics:
- InitialAccess
name: Silk Typhoon Suspicious Exchange Request
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains:
    - Security - Threat Intelligence
# MITRE ATT&CK technique T1190 (Exploit Public-Facing Application).
relevantTechniques:
- T1190
severity: Medium
# Every columnName below must be emitted by the query above: csUserName, Computer
# and cIP come straight from W3CIISLog; AccountName, AccountUPNSuffix, HostName
# and HostNameDomain are produced by its extend steps.
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: csUserName
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: HostNameDomain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: cIP
  entityType: IP
# Run once per day, matching the ago(1d) window of the main query.
queryFrequency: 1d
description: |
  'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors.
  The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.
  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'  
# Fire an alert whenever the query returns more than zero rows.
triggerThreshold: 0
triggerOperator: gt
version: 1.0.3
# Lookback available to the query; must be at least 14d for the ago(14d) host list.
queryPeriod: 14d
id: 23005e87-2d3a-482b-b03d-edbebd1ae151