elastic
diff --git a/‎hunting/azure/docs/entra_authentication_attempts_behind_rare_user_agents.md‎
Lines changed: 91 additions & 0 deletions b/‎hunting/azure/docs/entra_authentication_attempts_behind_rare_user_agents.md‎
Lines changed: 91 additions & 0 deletions
diff --git a/‎hunting/azure/docs/entra_excessive_non_interactive_sfa_sign_ins_across_users.md‎
Lines changed: 71 additions & 0 deletions b/‎hunting/azure/docs/entra_excessive_non_interactive_sfa_sign_ins_across_users.md‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎hunting/azure/docs/entra_unusual_client_app_auth_request_on_behalf_of_user.md‎
Lines changed: 71 additions & 0 deletions b/‎hunting/azure/docs/entra_unusual_client_app_auth_request_on_behalf_of_user.md‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎hunting/azure/queries/entra_authentication_attempts_behind_rare_user_agents.toml‎
Lines changed: 75 additions & 0 deletions b/‎hunting/azure/queries/entra_authentication_attempts_behind_rare_user_agents.toml‎
Lines changed: 75 additions & 0 deletions
@@ -0,0 +1,91 @@
+# Azure Entra Unusual Failed Authentication Attempts Behind Rare User Agents
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunting query gathers evidence of failed authentication attempts in Azure Entra ID where unusual user agents are used. Adversaries may use tools like FastHTTP to conduct brute force attacks against Azure Entra ID user accounts. FastHTTP is a high-performance HTTP client optimized for speed and efficiency, making it a popular choice for password spraying attacks. By identifying failed authentication attempts behind rare user agents, security teams can detect and respond to unauthorized access attempts in Azure Entra ID.
+
+- **UUID:** `3f26f262-fe14-11ef-9ee5-f661ea17fbcd`
+- **Integration:** [azure](https://docs.elastic.co/integrations/azure)
+- **Language:** `[ES|QL]`
+- **Source File:** [Azure Entra Unusual Failed Authentication Attempts Behind Rare User Agents](../queries/entra_authentication_attempts_behind_rare_user_agents.toml)
+
+## Query
+
+```sql
+from logs-azure.signinlogs*
+| where @timestamp > now() - 14 day
+| keep
+    @timestamp,
+    event.dataset,
+    event.category,
+    azure.signinlogs.properties.authentication_requirement,
+    azure.signinlogs.properties.status.error_code,
+    azure.signinlogs.properties.app_id,
+    source.as.organization.name,
+    user_agent.original,
+    azure.signinlogs.category,
+    event.outcome,
+    azure.signinlogs.properties.user_principal_name,
+    source.ip
+| WHERE
+    event.dataset == "azure.signinlogs"
+    and event.category == "authentication"
+    and source.as.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK"
+    and event.outcome != "success"
+    and azure.signinlogs.properties.status.error_code in (50053, 50126, 50055, 50056, 50064, 50144)
+    and (
+        to_lower(user_agent.original) LIKE "%go-http-client/1.1%" or
+        to_lower(user_agent.original) LIKE "%fasthttp%" or
+        to_lower(user_agent.original) LIKE "%python%" or
+        to_lower(user_agent.original) LIKE "%curl%" or
+        to_lower(user_agent.original) LIKE "%wget%" or
+        to_lower(user_agent.original) LIKE "%httpclient%" or
+        to_lower(user_agent.original) LIKE "%postmanruntime%" or
+        to_lower(user_agent.original) LIKE "%headlesschrome%" or
+        to_lower(user_agent.original) LIKE "%phantomjs%" or
+        to_lower(user_agent.original) LIKE "%selenium%" or
+        to_lower(user_agent.original) LIKE "%okhttp%" or
+        to_lower(user_agent.original) LIKE "%scrapy%" or
+        to_lower(user_agent.original) LIKE "%hydra%" or
+        to_lower(user_agent.original) LIKE "%patator%" or
+        to_lower(user_agent.original) LIKE "%metasploit%" or
+        to_lower(user_agent.original) LIKE "%curio%" or
+        to_lower(user_agent.original) LIKE "%hyper%" or
+        to_lower(user_agent.original) LIKE "%kali%" or
+        to_lower(user_agent.original) LIKE "%hydra%" or
+    )
+// count the number of unique user login attempts
+| stats
+    unique_user_app_login_count = count(*) by
+        azure.signinlogs.properties.user_principal_name,
+        azure.signinlogs.properties.authentication_requirement,
+        azure.signinlogs.properties.app_id
+| sort unique_user_app_login_count asc
+```
+
+## Notes
+
+- Review `azure.signinlogs.properties.authentication_protocol` to verify the authentication method used. Non-interactive SFA is typically reserved for automated processes or legacy authentication methods.
+- Review `azure.signinlogs.properties.error_code` to identify the specific error codes associated with the failed authentication attempts. Common error codes include `50053` for account lockouts, `50126` for invalid credentials, and `50055` for expired passwords.
+- Investigate `azure.signinlogs.properties.user_principal_name` to determine whether the user typically authenticates using SFA. Unusual use by regular accounts may indicate compromise.
+- Analyze `source.as.organization.name` to determine if the request originated from a known hosting provider, VPN, or anonymization service that is unexpected in your environment.
+- Examine `source.address` to check if the IP address is associated with previous suspicious activity, high-risk geolocations, or known threat infrastructure.
+- Pivot on `azure.signinlogs.properties.user_principal_name` to identify any other high-risk activities within the same session.
+- Correlate findings with `azure.signinlogs.properties.authentication_processing_details` to identify possible legacy protocol usage, token replay, permission scopes or bypass mechanisms.
+- Review `user_agent.original` to identify the user agent used in the authentication request. Determine if this user agent is expected in your environment or if it is associated with known malicious activity.
+
+## MITRE ATT&CK Techniques
+
+- [T1078.004](https://attack.mitre.org/techniques/T1078/004)
+- [T1110.003](https://attack.mitre.org/techniques/T1110/003)
+
+## References
+
+- https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,71 @@
+# Azure Entra Excessive Single-Factor Non-Interactive Sign-Ins
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunting query gathers evidence of password spraying attempts against Azure Entra ID user accounts by detecting a high number of failed non-interactive single-factor authentication (SFA) login attempts within a 10-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Azure Entra ID services or validate compromised credentials. Non-interactive SFA login attempts bypass conditional-access policies (CAP) and multi-factor authentication (MFA) requirements, making them a high-risk vector for unauthorized access. Adversaries may attempt this to identify which accounts are still valid from acquired credentials via phishing, infostealers, or other means.
+
+- **UUID:** `a9281116-fde0-11ef-9ee5-f661ea17fbcd`
+- **Integration:** [azure](https://docs.elastic.co/integrations/azure)
+- **Language:** `[ES|QL]`
+- **Source File:** [Azure Entra Excessive Single-Factor Non-Interactive Sign-Ins](../queries/entra_excessive_non_interactive_sfa_sign_ins_across_users.toml)
+
+## Query
+
+```sql
+from logs-azure.signinlogs*
+| where @timestamp > now() - 14 day
+| keep
+    @timestamp,
+    event.dataset,
+    event.category,
+    azure.signinlogs.properties.is_interactive,
+    azure.signinlogs.properties.authentication_requirement,
+    azure.signinlogs.properties.resource_display_name,
+    azure.signinlogs.properties.status.error_code,
+    source.as.organization.name,
+    azure.signinlogs.category,
+    event.outcome,
+    azure.signinlogs.properties.user_principal_name,
+    source.ip
+// truncate the timestamp to a 10-minute window
+| eval target_time_window = DATE_TRUNC(10 minutes, @timestamp)
+| WHERE
+  event.dataset == "azure.signinlogs"
+  and event.category == "authentication"
+  and azure.signinlogs.properties.is_interactive == false
+  and azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication"
+  and source.as.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK"
+  and event.outcome != "success"
+  and azure.signinlogs.properties.status.error_code in (50053, 50126, 50055, 50056, 50064, 50144)
+// count the number of unique user login attempts
+| stats
+    unique_user_login_count = count_distinct(azure.signinlogs.properties.user_principal_name) by target_time_window, azure.signinlogs.properties.status.error_code
+// filter for >= 30 failed SFA auth attempts with the same error codes
+| where unique_user_login_count >= 30
+```
+
+## Notes
+
+- Review `azure.signinlogs.properties.authentication_protocol` to verify the authentication method used. Non-interactive SFA is typically reserved for automated processes or legacy authentication methods.
+- Review `azure.signinlogs.properties.error_code` to identify the specific error codes associated with the failed authentication attempts. Common error codes include `50053` for account lockouts, `50126` for invalid credentials, and `50055` for expired passwords.
+- Investigate `azure.signinlogs.properties.user_principal_name` to determine whether the user typically authenticates using SFA. Unusual use by regular accounts may indicate compromise.
+- Analyze `source.as.organization.name` to determine if the request originated from a known hosting provider, VPN, or anonymization service that is unexpected in your environment.
+- Examine `source.address` to check if the IP address is associated with previous suspicious activity, high-risk geolocations, or known threat infrastructure.
+- Pivot on `azure.signinlogs.properties.user_principal_name` to identify any other high-risk activities within the same session.
+- Correlate findings with `azure.signinlogs.properties.authentication_processing_details` to identify possible legacy protocol usage, token replay, permission scopes or bypass mechanisms.
+
+## MITRE ATT&CK Techniques
+
+- [T1078.004](https://attack.mitre.org/techniques/T1078/004)
+- [T1110.003](https://attack.mitre.org/techniques/T1110/003)
+
+## References
+
+- https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,71 @@
+# Azure Entra Unusual Client App Authentication Requests on Behalf of Principal Users
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunting query gathers evidence of Azure Entra sign-in attempts on-behalf-of a user with an unusual client app. During brute-forcing attempts, adversaries may use a custom or Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity.
+
+- **UUID:** `ce47ec2c-fe13-11ef-9ee5-f661ea17fbcd`
+- **Integration:** [azure](https://docs.elastic.co/integrations/azure)
+- **Language:** `[ES|QL]`
+- **Source File:** [Azure Entra Unusual Client App Authentication Requests on Behalf of Principal Users](../queries/entra_unusual_client_app_auth_request_on_behalf_of_user.toml)
+
+## Query
+
+```sql
+from logs-azure.signinlogs*
+| where @timestamp > now() - 14 day
+| keep
+    @timestamp,
+    event.dataset,
+    event.category,
+    azure.signinlogs.properties.app_display_name,
+    azure.signinlogs.properties.app_id,
+    azure.signinlogs.properties.user_principal_name,
+    azure.signinlogs.properties.status.error_code,
+    azure.signinlogs.category,
+    source.as.organization.name,
+    event.outcome,
+    source.ip
+| WHERE
+    // filter for failed sign-in logs related to invalid username or password
+    event.dataset == "azure.signinlogs"
+    and event.category == "authentication"
+    and event.outcome != "success"
+    and azure.signinlogs.properties.status.error_code in (50053, 50126, 50055, 50056, 50064, 50144)
+    and source.as.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK"
+// aggregate the number of failed sign-in attempts by user and app ID reported
+| stats
+    auth_via_app_count = count(*) by
+    azure.signinlogs.properties.user_principal_name,
+    azure.signinlogs.properties.app_display_name,
+    azure.signinlogs.properties.app_id
+// filter for users with less than or equal to 3 failed sign-in attempts per app
+| where auth_via_app_count <= 3
+| sort auth_via_app_count asc
+```
+
+## Notes
+
+- Review `azure.signinlogs.properties.authentication_protocol` to verify the authentication method used. Non-interactive SFA is typically reserved for automated processes or legacy authentication methods.
+- Review `azure.signinlogs.properties.error_code` to identify the specific error codes associated with the failed authentication attempts. Common error codes include `50053` for account lockouts, `50126` for invalid credentials, and `50055` for expired passwords.
+- Investigate `azure.signinlogs.properties.user_principal_name` to determine whether the user typically authenticates using SFA. Unusual use by regular accounts may indicate compromise.
+- Analyze `source.as.organization.name` to determine if the request originated from a known hosting provider, VPN, or anonymization service that is unexpected in your environment.
+- Examine `source.address` to check if the IP address is associated with previous suspicious activity, high-risk geolocations, or known threat infrastructure.
+- Pivot on `azure.signinlogs.properties.user_principal_name` to identify any other high-risk activities within the same session.
+- Correlate findings with `azure.signinlogs.properties.authentication_processing_details` to identify possible legacy protocol usage, token replay, permission scopes or bypass mechanisms.
+
+## MITRE ATT&CK Techniques
+
+- [T1078.004](https://attack.mitre.org/techniques/T1078/004)
+- [T1110.003](https://attack.mitre.org/techniques/T1110/003)
+
+## References
+
+- https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,75 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunting query gathers evidence of failed authentication attempts in Azure Entra ID where unusual user agents are used. Adversaries may use tools like FastHTTP to conduct brute force attacks against Azure Entra ID user accounts. FastHTTP is a high-performance HTTP client optimized for speed and efficiency, making it a popular choice for password spraying attacks. By identifying failed authentication attempts behind rare user agents, security teams can detect and respond to unauthorized access attempts in Azure Entra ID.
+"""
+integration = ["azure"]
+uuid = "3f26f262-fe14-11ef-9ee5-f661ea17fbcd"
+name = "Azure Entra Unusual Failed Authentication Attempts Behind Rare User Agents"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+    "Review `azure.signinlogs.properties.authentication_protocol` to verify the authentication method used. Non-interactive SFA is typically reserved for automated processes or legacy authentication methods.",
+    "Review `azure.signinlogs.properties.error_code` to identify the specific error codes associated with the failed authentication attempts. Common error codes include `50053` for account lockouts, `50126` for invalid credentials, and `50055` for expired passwords.",
+    "Investigate `azure.signinlogs.properties.user_principal_name` to determine whether the user typically authenticates using SFA. Unusual use by regular accounts may indicate compromise.",
+    "Analyze `source.as.organization.name` to determine if the request originated from a known hosting provider, VPN, or anonymization service that is unexpected in your environment.",
+    "Examine `source.address` to check if the IP address is associated with previous suspicious activity, high-risk geolocations, or known threat infrastructure.",
+    "Pivot on `azure.signinlogs.properties.user_principal_name` to identify any other high-risk activities within the same session.",
+    "Correlate findings with `azure.signinlogs.properties.authentication_processing_details` to identify possible legacy protocol usage, token replay, permission scopes or bypass mechanisms.",
+    "Review `user_agent.original` to identify the user agent used in the authentication request. Determine if this user agent is expected in your environment or if it is associated with known malicious activity.",
+]
+mitre = ['T1078.004','T1110.003']
+references = ["https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf"]
+query = [
+'''
+from logs-azure.signinlogs*
+| where @timestamp > now() - 14 day
+| keep
+    @timestamp,
+    event.dataset,
+    event.category,
+    azure.signinlogs.properties.authentication_requirement,
+    azure.signinlogs.properties.status.error_code,
+    azure.signinlogs.properties.app_id,
+    source.as.organization.name,
+    user_agent.original,
+    azure.signinlogs.category,
+    event.outcome,
+    azure.signinlogs.properties.user_principal_name,
+    source.ip
+| WHERE
+    event.dataset == "azure.signinlogs"
+    and event.category == "authentication"
+    and source.as.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK"
+    and event.outcome != "success"
+    and azure.signinlogs.properties.status.error_code in (50053, 50126, 50055, 50056, 50064, 50144)
+    and (
+        to_lower(user_agent.original) LIKE "%go-http-client/1.1%" or
+        to_lower(user_agent.original) LIKE "%fasthttp%" or
+        to_lower(user_agent.original) LIKE "%python%" or
+        to_lower(user_agent.original) LIKE "%curl%" or
+        to_lower(user_agent.original) LIKE "%wget%" or
+        to_lower(user_agent.original) LIKE "%httpclient%" or
+        to_lower(user_agent.original) LIKE "%postmanruntime%" or
+        to_lower(user_agent.original) LIKE "%headlesschrome%" or
+        to_lower(user_agent.original) LIKE "%phantomjs%" or
+        to_lower(user_agent.original) LIKE "%selenium%" or
+        to_lower(user_agent.original) LIKE "%okhttp%" or
+        to_lower(user_agent.original) LIKE "%scrapy%" or
+        to_lower(user_agent.original) LIKE "%hydra%" or
+        to_lower(user_agent.original) LIKE "%patator%" or
+        to_lower(user_agent.original) LIKE "%metasploit%" or
+        to_lower(user_agent.original) LIKE "%curio%" or
+        to_lower(user_agent.original) LIKE "%hyper%" or
+        to_lower(user_agent.original) LIKE "%kali%" or
+        to_lower(user_agent.original) LIKE "%hydra%" or
+    )
+// count the number of unique user login attempts
+| stats
+    unique_user_app_login_count = count(*) by
+        azure.signinlogs.properties.user_principal_name,
+        azure.signinlogs.properties.authentication_requirement,
+        azure.signinlogs.properties.app_id
+| sort unique_user_app_login_count asc
+'''
+]