Potentially Suspicious Azure Front Door Connection

    Date: 11/19/2024

    Severity: Medium

    Summary

    Detects network connections to Azure Front Door—a legitimate Microsoft edge/CDN service that can be abused as command-and-control (C2) infrastructure—that deviate from the established benign baseline, for example connections not made by common browser applications or not destined for the known-benign azurefd.net endpoints listed below.

    Indicators of Compromise (IOC) List

    DestinationHostname :

    - 'azurefd.net'

    - 'afdxtest.z01.azurefd.net'

    - 'fp-afd.azurefd.net'

    - 'fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net'

    - 'roxy.azurefd.net'

    - 'powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net'

    - 'storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net'

    - 'graph.azurefd.net'

    Image :

    - 'brave.exe'

    - 'chrome.exe'

    - 'chromium.exe'

    - 'firefox.exe'

    - 'msedge.exe'

    - 'msedgewebview2.exe'

    - 'opera.exe'

    - 'vivaldi.exe'

    - 'searchapp.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    (resourcename = "Sysmon" AND eventtype = "3") AND (destinationhostname like "azurefd.net") AND (destinationhostname not like "afdxtest.z01.azurefd.net" AND destinationhostname not like "fp-afd.azurefd.net" AND destinationhostname not like "fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net" AND destinationhostname not like "roxy.azurefd.net" AND destinationhostname not like "powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net" AND destinationhostname not like "storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net" AND destinationhostname not like "graph.azurefd.net") AND (image not like "brave.exe" AND image not like "chrome.exe" AND image not like "chromium.exe" AND image not like "firefox.exe" AND image not like "msedge.exe" AND image not like "msedgewebview2.exe" AND image not like "opera.exe" AND image not like "vivaldi.exe" AND image not like "searchapp.exe")

    Detection Query 2:

    (technologygroup = "EDR") AND (destinationhostname like "azurefd.net") AND (destinationhostname not like "afdxtest.z01.azurefd.net" AND destinationhostname not like "fp-afd.azurefd.net" AND destinationhostname not like "fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net" AND destinationhostname not like "roxy.azurefd.net" AND destinationhostname not like "powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net" AND destinationhostname not like "storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net" AND destinationhostname not like "graph.azurefd.net") AND (image not like "brave.exe" AND image not like "chrome.exe" AND image not like "chromium.exe" AND image not like "firefox.exe" AND image not like "msedge.exe" AND image not like "msedgewebview2.exe" AND image not like "opera.exe" AND image not like "vivaldi.exe" AND image not like "searchapp.exe")
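    The two queries above express the same selection-minus-exclusions logic against two log sources. The following is an added reference implementation of that logic in Python, not code from Gurucul or from the referenced Sigma rule; it is run over a handful of constructed Sysmon Event ID 3 records so the exclusion behaviour can be checked offline. It follows the Sigma rule in matching the hostname suffix `.azurefd.net` (rather than a substring match), excludes the known-benign hosts and browser images from the IOC list, and includes a small `broken_exclusion` function that shows why chaining host exclusions with OR ("not like A OR not like B") never excludes anything, which is the pitfall to watch for when porting the rule to a query language. The sample hostnames containing "placeholder" and the sample process paths are constructed test data, not real indicators.

```python
import ntpath
from dataclasses import dataclass

# Known-benign Azure Front Door hostnames taken from the rule's exclusion list.
KNOWN_AFD_HOSTS = {
    "afdxtest.z01.azurefd.net",
    "fp-afd.azurefd.net",
    "fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net",
    "roxy.azurefd.net",
    "powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net",
    "storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net",
    "graph.azurefd.net",
}

# Process images whose Front Door traffic is expected (browsers, Windows Search).
BENIGN_IMAGES = {
    "brave.exe", "chrome.exe", "chromium.exe", "firefox.exe", "msedge.exe",
    "msedgewebview2.exe", "opera.exe", "vivaldi.exe", "searchapp.exe",
}


@dataclass(frozen=True)
class NetworkEvent:
    """Minimal view of a Sysmon Event ID 3 (network connection) record."""
    event_id: int
    image: str                 # full executable path, as Sysmon logs it
    destination_hostname: str


def is_suspicious_afd_connection(ev: NetworkEvent) -> bool:
    """selection AND NOT (known host) AND NOT (benign image), as in the Sigma rule."""
    if ev.event_id != 3:
        return False
    host = ev.destination_hostname.lower().rstrip(".")
    if not host.endswith(".azurefd.net"):
        return False                      # not Azure Front Door at all
    if host in KNOWN_AFD_HOSTS:
        return False                      # baseline-benign endpoint
    if ntpath.basename(ev.image).lower() in BENIGN_IMAGES:
        return False                      # browser / search app traffic is expected
    return True


def broken_exclusion(host: str) -> bool:
    """Models 'host not like A OR host not like B OR ...'.

    With two or more distinct exclusions this is always True, so every event
    passes the filter and the known-benign hosts are never excluded.
    """
    return any(host != known for known in KNOWN_AFD_HOSTS)


def correct_exclusion(host: str) -> bool:
    """Models 'host not like A AND host not like B AND ...' (what the rule intends)."""
    return all(host != known for known in KNOWN_AFD_HOSTS)


# Constructed sample events; hostnames with "placeholder" are made up for the test.
SAMPLE_EVENTS = [
    NetworkEvent(3, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "fp-afd.azurefd.net"),                                   # browser + known host
    NetworkEvent(3, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "graph.azurefd.net"),                                    # known host
    NetworkEvent(3, r"C:\Windows\SysWOW64\rundll32.exe",
                 "example-profile-placeholder.z01.azurefd.net"),          # flagged
    NetworkEvent(3, r"C:\Windows\System32\svchost.exe",
                 "login.microsoftonline.com"),                            # not Front Door
    NetworkEvent(3, r"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe",
                 "example-search-placeholder.azurefd.net"),               # benign image
    NetworkEvent(1, r"C:\Users\Public\update.exe",
                 "example-profile-placeholder.z01.azurefd.net"),          # wrong event type
    NetworkEvent(3, r"C:\Users\Public\update.exe",
                 "EXAMPLE-Profile-Placeholder.Z01.AZUREFD.NET"),          # flagged, case-insensitive
]


def flag_events(events):
    """Return (image, hostname) pairs for every event the rule would alert on."""
    return [(e.image, e.destination_hostname)
            for e in events if is_suspicious_afd_connection(e)]


if __name__ == "__main__":
    for image, host in flag_events(SAMPLE_EVENTS):
        print(f"ALERT  {image}  ->  {host}")
```

    When porting the rule, the thing to verify is that a connection to one of the listed known-benign hosts does not alert; `correct_exclusion("graph.azurefd.net")` is False while `broken_exclusion("graph.azurefd.net")` is True, which is exactly the difference between an AND-chain and an OR-chain of negated host matches.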

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml

    Tags

    Malware, Sigma
