new hunting queries for Azure device code (#4468)

Author: terrancedejesus

hunting/azure/docs/entra_authentication_attempts_from_abused_hosting_service_providers.md

@@ -0,0 +1,102 @@
+# Azure Entra Authentication Attempts from Abused Hosting Service Providers
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunting query gathers evidence of Azure Entra authentication attempts from hosting service providers that are often abused by adversaries. By identifying authentication attempts from these sources, security teams can detect potential unauthorized access or malicious activities within their Azure environment.
+
+- **UUID:** `d27f1da8-eec6-11ef-983a-f661ea17fbce`
+- **Integration:** [azure](https://docs.elastic.co/integrations/azure)
+- **Language:** `[ES|QL]`
+- **Source File:** [Azure Entra Authentication Attempts from Abused Hosting Service Providers](../queries/entra_authentication_attempts_from_abused_hosting_service_providers.toml)
+
+## Query
+
+```sql
+FROM logs-azure.signinlogs-*
+
+// query Azure Entra Sign-in logs
+| WHERE @timestamp > now() - 14 day
+| WHERE
+    event.dataset in ("azure.signinlogs") and
+
+    // filter for authentication events
+    event.category == "authentication" and
+
+    // filter for specific ASN organizations that are often abused
+    source.as.organization.name in (
+        "DigitalOcean", "Linode", "Vultr", "Hetzner", "OVH",
+        "Contabo", "Leaseweb", "G-Core Labs", "Scaleway", "Kamatera",
+        "Shinjiru", "M247", "Packet Host", "InterServer", "DataPacket",
+        "Choopa", "Path Network", "DediPath", "Maxided", "Quasi Networks",
+        "FlokiNET", "Njalla", "AbeloHost", "Inferno Solutions", "Hostinger",
+        "Hostwinds", "1&1 IONOS", "DreamHost", "A2 Hosting", "Bluehost",
+        "Namecheap Hosting", "FastComet", "InMotion Hosting", "SiteGround", "GreenGeeks",
+        "Liquid Web", "Hurricane Electric", "Ubiquity Hosting", "Snel.com", "Coresite",
+        "Eonix", "WebNX", "SharkTech", "Hivelocity", "Zenlayer",
+        "RapidSeedbox", "SeFlow", "Nexeon Technologies", "NextArray", "Zare",
+        "Clouvider", "TimeWeb", "YISP", "StackPath", "LuxVPS",
+        "Terrahost", "IP Volume", "RackNerd", "ServerMania", "HostEurope",
+        "HostHatch", "HostUS", "Cloudsigma", "QuadraNet", "CIV Host",
+        "Swiftway", "King Servers", "BeeHost", "Webzilla", "Flokinet",
+        "Alexhost", "DDoS-Guard", "StormWall", "Yokohama Networks", "DataGroup",
+        "GSL Networks", "MyLoc", "Hostlife", "Reprise Hosting", "GTT Communications",
+        "Telia", "Cogent Communications", "NForce", "Ecatel", "Novogara",
+        "CyberBunker", "DarkFiber", "Exoscale", "QHoster", "ServDiscount",
+        "Krypt", "Wowrack", "XLHost", "OVHCloud", "Privex",
+        "GreencloudVPS", "RamNode", "BuyVM", "LiteServer", "Host1Plus",
+        "EdgeUno", "CloudSouth", "IOFlood", "Hostry", "MivoCloud",
+        "CloudCone", "SwiftNode", "Flaunt7", "Infinitie Networks", "ServerHub",
+        "Verpex Hosting", "W3Space", "HostPapa", "Storm Internet", "WP Engine",
+        "Kinsta", "Fly.io", "Edgecast", "RocketNode", "CloudAtCost",
+        "Gullo's Hosting", "Serverion", "XHostFire", "Interserver", "DediServe",
+        "HostRound", "VPSServer", "HostMantis", "RapidSwitch", "Tiggee LLC",
+        "LogicWeb", "VPSCheap", "Versaweb", "SecureDragon", "ServerAstra",
+        "HostNeverDie", "CloudSigma", "IONOS Cloud", "StackClash", "ProtonVPN",
+        "NordVPN", "Mullvad VPN", "ExpressVPN", "Surfshark", "Private Internet Access",
+        "TorGuard", "VyprVPN", "Windscribe VPN", "iVPN", "Perfect Privacy",
+        "Astrill VPN", "TunnelBear", "CyberGhost VPN", "PureVPN", "Hotspot Shield",
+        "StrongVPN", "F-Secure VPN", "IVPN", "ZoogVPN", "SwitchVPN",
+        "AirVPN", "Buffered VPN", "SecureVPN", "RiseupVPN", "Betternet",
+        "Trust.Zone VPN", "OneVPN", "VeePN", "Speedify VPN", "VPN Unlimited",
+        "Anonine VPN", "X-VPN", "Hidemyass VPN", "ProXPN", "VPNArea",
+        "AceVPN", "IPVanish", "Bitmask VPN", "BolehVPN", "AnonVPN",
+        "Librem One VPN", "BlackVPN", "Cloudflare Warp VPN", "Torguard VPN", "VPN.ht"
+    )
+
+// aggregate authentication attempts by tenant, user principal name, authentication protocol, category, ASN organization name, and source address
+| STATS asn_count = count(*) by
+    azure.tenant_id,
+    azure.signinlogs.properties.user_principal_name,
+    azure.signinlogs.properties.authentication_protocol,
+    azure.signinlogs.category,
+    source.as.organization.name,
+    source.address
+```
+
+## Notes
+
+- Review `azure.signinlogs.properties.authentication_protocol` to determine the authentication method used.
+- Device Code Flow authentication is particularly suspicious for non-kiosk, non-IoT devices.
+- Analyze `source.as.organization.name` to identify if the authentication originated from a known hosting provider, VPN, or anonymization service you are not expecting
+- Investigate `source.address` to determine if the IP address has been previously flagged for suspicious activity.
+- Pivot on `azure.signinlogs.properties.user_principal_name` to check for additional authentication attempts from different IPs, ASNs, or unusual geolocations.
+- Correlate findings with `azure.signinlogs.properties.authentication_processing_details` to check if legacy protocols, token replay, or bypass mechanisms were involved.
+- Look for associated Conditional Access policy decisions in `azure.signinlogs.properties.applied_conditional_access_policies` to determine if the authentication attempt was blocked or allowed.
+- Check `azure.signinlogs.properties.device_detail.browser` to see if the user agent is consistent with expected authentication patterns.
+- If authentication was successful, investigate any subsequent suspicious activity linked to the same user session.
+
+## MITRE ATT&CK Techniques
+
+- [T1078.004](https://attack.mitre.org/techniques/T1078/004)
+
+## References
+
+- https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/
+- https://www.blackhillsinfosec.com/dynamic-device-code-phishing/
+
+## License
+
+- `Elastic License v2`

hunting/azure/docs/entra_device_code_authentication_from_unusual_principal.md

@@ -0,0 +1,68 @@
+# Azure Entra Device Code Authentication from Unusual Principal
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunting query identifies Azure Entra sign-in logs where the authentication method used was Device Code Flow, which is often used for kiosk or IoT devices. If this authentication method is observed from a user or device that does not typically use it, it may indicate a potential compromise. This technique is common by adversaries conducting phishing campaigns with pre-registered device codes sent to targeted users whom are then redirected to Microsoft's device code authentication endpoint to initiation the workflow. The query filters for unusual authentication attempts based on the user principal name and the source address.
+
+- **UUID:** `b54528ca-eec8-11ef-b314-f661ea17fbce`
+- **Integration:** [azure](https://docs.elastic.co/integrations/azure)
+- **Language:** `[ES|QL]`
+- **Source File:** [Azure Entra Device Code Authentication from Unusual Principal](../queries/entra_device_code_authentication_from_unusual_principal.toml)
+
+## Query
+
+```sql
+FROM logs-azure.signinlogs-*
+
+// query Azure Entra Sign-in logs
+| WHERE @timestamp > now() - 14 day
+| WHERE event.dataset in ("azure.signinlogs")
+    and event.category == "authentication"
+
+    // filter for device code workflows
+    // original transfer method indicates refresh tokens where device code was originally used
+    and (
+        azure.signinlogs.properties.authentication_protocol == "deviceCode" or
+        azure.signinlogs.properties.original_transfer_method == "Device code flow"
+    )
+
+// bucket authentication attempts by each day
+| EVAL target_time_window = DATE_TRUNC(1 days, @timestamp)
+
+// aggregate authentication attempts by user principal name, source address, and message
+| STATS
+    auth_count = count(*) by
+        target_time_window,
+        azure.signinlogs.properties.user_principal_name,
+        source.address,
+        message
+
+// filter further for low auth counts by a particular principal name
+// indicating device code auth workflows are unusual for this user
+| WHERE auth_count < 5
+```
+
+## Notes
+
+- Review `azure.signinlogs.properties.authentication_protocol` to verify the authentication method used. Device Code Flow is typically reserved for IoT, kiosk, or embedded devices.
+- Investigate `azure.signinlogs.properties.user_principal_name` to determine whether the user typically authenticates using Device Code Flow. Unusual use by regular accounts may indicate compromise.
+- Analyze `source.as.organization.name` to determine if the request originated from a known hosting provider, VPN, or anonymization service that is unexpected in your environment.
+- Examine `source.address` to check if the IP address is associated with previous suspicious activity, high-risk geolocations, or known threat infrastructure.
+- Pivot on `azure.signinlogs.properties.original_transfer_method` to identify if the Device Code Flow was used in combination with refresh tokens, which may indicate session hijacking.
+- Correlate findings with `azure.signinlogs.properties.authentication_processing_details` to identify possible legacy protocol usage, token replay, or bypass mechanisms.
+- Review `azure.signinlogs.properties.applied_conditional_access_policies` to determine if Conditional Access rules were applied, bypassed, or enforced during authentication.
+- Check `azure.signinlogs.properties.device_detail.browser` and `user_agent.original` to verify if the user agent aligns with expected authentication behavior for this user or device type.
+- If authentication was successful, pivot on `azure.signinlogs.properties.user_principal_name` to check for additional high-risk activities within the same session.
+- Monitor for multiple authentication attempts within a short period from different IPs or ASNs, which may indicate adversarial testing or phishing-based compromise.
+
+## MITRE ATT&CK Techniques
+
+- [T1078.004](https://attack.mitre.org/techniques/T1078/004)
+- [T1528](https://attack.mitre.org/techniques/T1528)
+
+## License
+
+- `Elastic License v2`

hunting/azure/queries/entra_authentication_attempts_from_abused_hosting_service_providers.toml

@@ -0,0 +1,90 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunting query gathers evidence of Azure Entra authentication attempts from hosting service providers that are often abused by adversaries. By identifying authentication attempts from these sources, security teams can detect potential unauthorized access or malicious activities within their Azure environment.
+"""
+integration = ["azure"]
+uuid = "d27f1da8-eec6-11ef-983a-f661ea17fbce"
+name = "Azure Entra Authentication Attempts from Abused Hosting Service Providers"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+    "Review `azure.signinlogs.properties.authentication_protocol` to determine the authentication method used.",
+    "Device Code Flow authentication is particularly suspicious for non-kiosk, non-IoT devices.",
+    "Analyze `source.as.organization.name` to identify if the authentication originated from a known hosting provider, VPN, or anonymization service you are not expecting",
+    "Investigate `source.address` to determine if the IP address has been previously flagged for suspicious activity.",
+    "Pivot on `azure.signinlogs.properties.user_principal_name` to check for additional authentication attempts from different IPs, ASNs, or unusual geolocations.",
+    "Correlate findings with `azure.signinlogs.properties.authentication_processing_details` to check if legacy protocols, token replay, or bypass mechanisms were involved.",
+    "Look for associated Conditional Access policy decisions in `azure.signinlogs.properties.applied_conditional_access_policies` to determine if the authentication attempt was blocked or allowed.",
+    "Check `azure.signinlogs.properties.device_detail.browser` to see if the user agent is consistent with expected authentication patterns.",
+    "If authentication was successful, investigate any subsequent suspicious activity linked to the same user session."
+]
+
+mitre = ['T1078.004']
+query = [
+'''
+FROM logs-azure.signinlogs-*
+
+// query Azure Entra Sign-in logs
+| WHERE @timestamp > now() - 14 day
+| WHERE
+    event.dataset in ("azure.signinlogs") and
+
+    // filter for authentication events
+    event.category == "authentication" and
+
+    // filter for specific ASN organizations that are often abused
+    source.as.organization.name in (
+        "DigitalOcean", "Linode", "Vultr", "Hetzner", "OVH",
+        "Contabo", "Leaseweb", "G-Core Labs", "Scaleway", "Kamatera",
+        "Shinjiru", "M247", "Packet Host", "InterServer", "DataPacket",
+        "Choopa", "Path Network", "DediPath", "Maxided", "Quasi Networks",
+        "FlokiNET", "Njalla", "AbeloHost", "Inferno Solutions", "Hostinger",
+        "Hostwinds", "1&1 IONOS", "DreamHost", "A2 Hosting", "Bluehost",
+        "Namecheap Hosting", "FastComet", "InMotion Hosting", "SiteGround", "GreenGeeks",
+        "Liquid Web", "Hurricane Electric", "Ubiquity Hosting", "Snel.com", "Coresite",
+        "Eonix", "WebNX", "SharkTech", "Hivelocity", "Zenlayer",
+        "RapidSeedbox", "SeFlow", "Nexeon Technologies", "NextArray", "Zare",
+        "Clouvider", "TimeWeb", "YISP", "StackPath", "LuxVPS",
+        "Terrahost", "IP Volume", "RackNerd", "ServerMania", "HostEurope",
+        "HostHatch", "HostUS", "Cloudsigma", "QuadraNet", "CIV Host",
+        "Swiftway", "King Servers", "BeeHost", "Webzilla", "Flokinet",
+        "Alexhost", "DDoS-Guard", "StormWall", "Yokohama Networks", "DataGroup",
+        "GSL Networks", "MyLoc", "Hostlife", "Reprise Hosting", "GTT Communications",
+        "Telia", "Cogent Communications", "NForce", "Ecatel", "Novogara",
+        "CyberBunker", "DarkFiber", "Exoscale", "QHoster", "ServDiscount",
+        "Krypt", "Wowrack", "XLHost", "OVHCloud", "Privex",
+        "GreencloudVPS", "RamNode", "BuyVM", "LiteServer", "Host1Plus",
+        "EdgeUno", "CloudSouth", "IOFlood", "Hostry", "MivoCloud",
+        "CloudCone", "SwiftNode", "Flaunt7", "Infinitie Networks", "ServerHub",
+        "Verpex Hosting", "W3Space", "HostPapa", "Storm Internet", "WP Engine",
+        "Kinsta", "Fly.io", "Edgecast", "RocketNode", "CloudAtCost",
+        "Gullo's Hosting", "Serverion", "XHostFire", "Interserver", "DediServe",
+        "HostRound", "VPSServer", "HostMantis", "RapidSwitch", "Tiggee LLC",
+        "LogicWeb", "VPSCheap", "Versaweb", "SecureDragon", "ServerAstra",
+        "HostNeverDie", "CloudSigma", "IONOS Cloud", "StackClash", "ProtonVPN",
+        "NordVPN", "Mullvad VPN", "ExpressVPN", "Surfshark", "Private Internet Access",
+        "TorGuard", "VyprVPN", "Windscribe VPN", "iVPN", "Perfect Privacy",
+        "Astrill VPN", "TunnelBear", "CyberGhost VPN", "PureVPN", "Hotspot Shield",
+        "StrongVPN", "F-Secure VPN", "IVPN", "ZoogVPN", "SwitchVPN",
+        "AirVPN", "Buffered VPN", "SecureVPN", "RiseupVPN", "Betternet",
+        "Trust.Zone VPN", "OneVPN", "VeePN", "Speedify VPN", "VPN Unlimited",
+        "Anonine VPN", "X-VPN", "Hidemyass VPN", "ProXPN", "VPNArea",
+        "AceVPN", "IPVanish", "Bitmask VPN", "BolehVPN", "AnonVPN",
+        "Librem One VPN", "BlackVPN", "Cloudflare Warp VPN", "Torguard VPN", "VPN.ht"
+    )
+
+// aggregate authentication attempts by tenant, user principal name, authentication protocol, category, ASN organization name, and source address
+| STATS asn_count = count(*) by
+    azure.tenant_id,
+    azure.signinlogs.properties.user_principal_name,
+    azure.signinlogs.properties.authentication_protocol,
+    azure.signinlogs.category,
+    source.as.organization.name,
+    source.address
+'''
+]
+references = [
+    "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/",
+    "https://www.blackhillsinfosec.com/dynamic-device-code-phishing/"
+]

hunting/azure/queries/entra_device_code_authentication_from_unusual_principal.toml

@@ -0,0 +1,55 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunting query identifies Azure Entra sign-in logs where the authentication method used was Device Code Flow, which is often used for kiosk or IoT devices. If this authentication method is observed from a user or device that does not typically use it, it may indicate a potential compromise. This technique is common by adversaries conducting phishing campaigns with pre-registered device codes sent to targeted users whom are then redirected to Microsoft's device code authentication endpoint to initiation the workflow. The query filters for unusual authentication attempts based on the user principal name and the source address.
+"""
+integration = ["azure"]
+uuid = "b54528ca-eec8-11ef-b314-f661ea17fbce"
+name = "Azure Entra Device Code Authentication from Unusual Principal"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+    "Review `azure.signinlogs.properties.authentication_protocol` to verify the authentication method used. Device Code Flow is typically reserved for IoT, kiosk, or embedded devices.",
+    "Investigate `azure.signinlogs.properties.user_principal_name` to determine whether the user typically authenticates using Device Code Flow. Unusual use by regular accounts may indicate compromise.",
+    "Analyze `source.as.organization.name` to determine if the request originated from a known hosting provider, VPN, or anonymization service that is unexpected in your environment.",
+    "Examine `source.address` to check if the IP address is associated with previous suspicious activity, high-risk geolocations, or known threat infrastructure.",
+    "Pivot on `azure.signinlogs.properties.original_transfer_method` to identify if the Device Code Flow was used in combination with refresh tokens, which may indicate session hijacking.",
+    "Correlate findings with `azure.signinlogs.properties.authentication_processing_details` to identify possible legacy protocol usage, token replay, or bypass mechanisms.",
+    "Review `azure.signinlogs.properties.applied_conditional_access_policies` to determine if Conditional Access rules were applied, bypassed, or enforced during authentication.",
+    "Check `azure.signinlogs.properties.device_detail.browser` and `user_agent.original` to verify if the user agent aligns with expected authentication behavior for this user or device type.",
+    "If authentication was successful, pivot on `azure.signinlogs.properties.user_principal_name` to check for additional high-risk activities within the same session.",
+    "Monitor for multiple authentication attempts within a short period from different IPs or ASNs, which may indicate adversarial testing or phishing-based compromise."
+]
+mitre = ['T1078.004','T1528']
+query = [
+'''
+FROM logs-azure.signinlogs-*
+
+// query Azure Entra Sign-in logs
+| WHERE @timestamp > now() - 14 day
+| WHERE event.dataset in ("azure.signinlogs")
+    and event.category == "authentication"
+
+    // filter for device code workflows
+    // original transfer method indicates refresh tokens where device code was originally used
+    and (
+        azure.signinlogs.properties.authentication_protocol == "deviceCode" or
+        azure.signinlogs.properties.original_transfer_method == "Device code flow"
+    )
+
+// bucket authentication attempts by each day
+| EVAL target_time_window = DATE_TRUNC(1 days, @timestamp)
+
+// aggregate authentication attempts by user principal name, source address, and message
+| STATS
+    auth_count = count(*) by
+        target_time_window,
+        azure.signinlogs.properties.user_principal_name,
+        source.address,
+        message
+
+// filter further for low auth counts by a particular principal name
+// indicating device code auth workflows are unusual for this user
+| WHERE auth_count < 5
+'''
+]