Azure-Sentinel/Hunting Queries/AzureActivity/AzureAdministrationFromVPS....

id: 1b8779c9-abf2-444f-a21f-437b8f90ac4a
name: AzureActivity Administration From VPS Providers
description: |
  'Looks for Administrative actions in AzureActivity from known VPS provider network ranges.
  This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent providers observed.'
requiredDataConnectors:
  - connectorId: AzureActivity
    dataTypes:
      - AzureActivity
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
tags:
  - Ignite2021
query: |

  let IP_Data = (externaldata(network:string)
  [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/VPS_Networks.csv"] with (format="csv"));
  AzureActivity
  | where CategoryValue =~ "Administrative"
  | evaluate ipv4_lookup(IP_Data, CallerIpAddress, network, return_unmatched = false)
  | summarize Operations = make_set(OperationNameValue), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by CallerIpAddress, Caller
  | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress

entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
Ignite 2021 Queries - Creating AdditionalFilesUploadedByActor.yaml Detection: When an Azure Defender alert for a known-bad file hash triggers, the detection will collate other files uploaded by that same IP address to detect other risky files. - Created AzureAdministrationFromVPS.yaml Hunting Query: Finds instances where Azure Admin Activity takes place from a known VPS provider. - Created AzureStorageFileCreateAccessDelete.yaml Hunting Query: Finds instances where a file is created in Azure Storage, accessed by a single user, and then deleted. - Created AzureStorageFileCreatedQuicklyDeleted.yaml Hunting Query: Finds instances where a file is created and then deleted within a given threshold (by default 5min). - Created AzureStorageFileOnEndpoint.yaml Hunting Query: Finds instances where a file in Azure Storage is present on an Endpoint system based on data from Microsoft 365 Defender Advanced Hunting data. - Created AzureStorageMassDeletion.yaml Hunting Query: Finds instances where a mass-deletion event occurs from a single IP address. Configurable thresholds. - Created AzureStorageUploadFromVPS.yaml Hunting Query: Finds instances where a VPS provider IP is used to upload files to Azure Storage. - Created AzureStorageUploadLinkAccount.yaml Hunting Query: Links user account to Azure storage upload action if the upload actions takes place through Azure Portal. 2021-02-22 17:18:07 +03:00			`id: 1b8779c9-abf2-444f-a21f-437b8f90ac4a`
			`name: AzureActivity Administration From VPS Providers`
			`description: \|`
			`'Looks for Administrative actions in AzureActivity from known VPS provider network ranges.`
			`This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent providers observed.'`
			`requiredDataConnectors:`
			`- connectorId: AzureActivity`
			`dataTypes:`
			`- AzureActivity`
			`tactics:`
			`- InitialAccess`
			`relevantTechniques:`
			`- T1078`
			`tags:`
			`- Ignite2021`
			`query: \|`

			`let IP_Data = (externaldata(network:string)`
			`[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/VPS_Networks.csv"] with (format="csv"));`
			`AzureActivity`
			`\| where CategoryValue =~ "Administrative"`
			`\| evaluate ipv4_lookup(IP_Data, CallerIpAddress, network, return_unmatched = false)`
changed field to new-OperationNameValue 2021-09-17 23:27:20 +03:00			`\| summarize Operations = make_set(OperationNameValue), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by CallerIpAddress, Caller`
adding in entities and fixing up some queries. 2021-03-21 22:11:46 +03:00			`\| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress`

Ignite 2021 Queries - Creating AdditionalFilesUploadedByActor.yaml Detection: When an Azure Defender alert for a known-bad file hash triggers, the detection will collate other files uploaded by that same IP address to detect other risky files. - Created AzureAdministrationFromVPS.yaml Hunting Query: Finds instances where Azure Admin Activity takes place from a known VPS provider. - Created AzureStorageFileCreateAccessDelete.yaml Hunting Query: Finds instances where a file is created in Azure Storage, accessed by a single user, and then deleted. - Created AzureStorageFileCreatedQuicklyDeleted.yaml Hunting Query: Finds instances where a file is created and then deleted within a given threshold (by default 5min). - Created AzureStorageFileOnEndpoint.yaml Hunting Query: Finds instances where a file in Azure Storage is present on an Endpoint system based on data from Microsoft 365 Defender Advanced Hunting data. - Created AzureStorageMassDeletion.yaml Hunting Query: Finds instances where a mass-deletion event occurs from a single IP address. Configurable thresholds. - Created AzureStorageUploadFromVPS.yaml Hunting Query: Finds instances where a VPS provider IP is used to upload files to Azure Storage. - Created AzureStorageUploadLinkAccount.yaml Hunting Query: Links user account to Azure storage upload action if the upload actions takes place through Azure Portal. 2021-02-22 17:18:07 +03:00			`entityMappings:`
adding in entities and fixing up some queries. 2021-03-21 22:11:46 +03:00			`- entityType: Account`
			`fieldMappings:`
			`- identifier: FullName`
			`columnName: AccountCustomEntity`
Ignite 2021 Queries - Creating AdditionalFilesUploadedByActor.yaml Detection: When an Azure Defender alert for a known-bad file hash triggers, the detection will collate other files uploaded by that same IP address to detect other risky files. - Created AzureAdministrationFromVPS.yaml Hunting Query: Finds instances where Azure Admin Activity takes place from a known VPS provider. - Created AzureStorageFileCreateAccessDelete.yaml Hunting Query: Finds instances where a file is created in Azure Storage, accessed by a single user, and then deleted. - Created AzureStorageFileCreatedQuicklyDeleted.yaml Hunting Query: Finds instances where a file is created and then deleted within a given threshold (by default 5min). - Created AzureStorageFileOnEndpoint.yaml Hunting Query: Finds instances where a file in Azure Storage is present on an Endpoint system based on data from Microsoft 365 Defender Advanced Hunting data. - Created AzureStorageMassDeletion.yaml Hunting Query: Finds instances where a mass-deletion event occurs from a single IP address. Configurable thresholds. - Created AzureStorageUploadFromVPS.yaml Hunting Query: Finds instances where a VPS provider IP is used to upload files to Azure Storage. - Created AzureStorageUploadLinkAccount.yaml Hunting Query: Links user account to Azure storage upload action if the upload actions takes place through Azure Portal. 2021-02-22 17:18:07 +03:00			`- entityType: IP`
			`fieldMappings:`
			`- identifier: Address`
changed field to new-OperationNameValue 2021-09-17 23:27:20 +03:00			`columnName: IPCustomEntity`