id: e3b8ca4a-2bab-4246-860c-fc3bb8e7ac50 name: FireEye stolen red teaming tools communications description: | 'This composite hunting query will highlight any HTTP traffic in CommonSecurityLog web proxies (such as ZScaler) that match known patterns used by red teaming tools potentially stolen from FireEye. Most FireEye red teaming tools are designed to mimic legitimate API activity, false positives are common. This query includes a basic check to determine how common a hostname is in you environment, and allows you to modify this threshold to remove legitimate traffic from the query results. This query contains only a subset of potential FireEye red team tool communications, and therefore should not be relied upon alone :) .' requiredDataConnectors: - connectorId: Zscaler dataTypes: - CommonSecurityLog tactics: - CommandAndControl relevantTechniques: - T1071.001 query: | let domainCountThreshold = 100; //Maxiumum number of times a domain ahs been visited //Backdoor.HTTP.BEACON.[Yelp GET] let FEQuery1 = CommonSecurityLog | where RequestMethod == "GET" | where RequestURL contains "&parent_request_id=" | where RequestURL matches regex @"&parent_request_id=(?:[A-Za-z0-9_\/\+\-\%]{128,1000})={0,2}[^\r\n]{0,256}" | extend Quality = "high" | extend RuleName = "Backdoor.HTTP.BEACON.[Yelp GET]" | project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL; //Backdoor.HTTP.BEACON.[CSBundle CDN GET] let FEQuery2 = CommonSecurityLog | where RequestMethod == "GET" | where FileType =~ "GZIP" | where RequestURL matches regex @"(?:\/v1\/queue|\/v1\/profile|\/v1\/docs\/wsdl|\/v1\/pull)" | extend Quality = "low" | extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle CDN GET]" | project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL; //Backdoor.HTTP.BEACON.[CSBundle USAToday GET] let FEQuery3 = CommonSecurityLog | where RequestMethod == "GET" | where isempty(RequestContext) | where RequestURL matches regex @"(?:\/USAT-GUP\/user\/|\/entertainment\/|\/entertainment\/navdd-q1a2z3Z6TET4gv2PNfXpaJAniOzOajK7M\.min\.json|\/global-q1a2z3C4M2nNlQYzWhCC0oMSEFjQbW1KA\.min\.json|\/life\/|\/news\/weather\/|\/opinion\/|\/sports\/|\/sports\/navdd-q1a2z3JHa8KzCRLOQAnDoVywVWF7UwxJs\.min\.json|\/tangstatic\/js\/main-q1a2z3b37df2b1\.min\.js|\/tangstatic\/js\/pbjsandwich-q1a2z300ab4198\.min\.js|\/tangstatic\/js\/pg-q1a2z3bbc110a4\.min\.js|\/tangsvc\/pg\/3221104001\/|\/ta`ngsvc\/pg\/5059005002\/|\/tangsvc\/pg\/5066496002\/|\/tech\/|\/travel\/)" | where DestinationHostName !endswith "usatoday.com" | extend Quality = "medium" | extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle USAToday GET]" | project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL; //Backdoor.HTTP.BEACON.[CSBundle Original POST] let FEQuery4 = CommonSecurityLog | where RequestMethod == "POST" | where isempty(RequestContext) | where RequestURL matches regex @"(?:\/v4\/links\/check-activity\/check|\/v1\/stats|\/gql|\/api2\/json\/check\/ticket|\/1.5\/95648064\/storage\/history|\/1.5\/95648064\/storage\/tabs|\/u\/0\/_\/og\/botguard\/get|\/ev\/prd001001|\/ev\/ext001001|\/gp\/aw\/ybh\/handlers|\/v3\/links\/ping-beat\/check)" | extend Quality = "low" | extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle Original POST]" | project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL; //Backdoor.HTTP.BEACON.[CSBundle MSOffice POST let FEQuery5 = CommonSecurityLog | where RequestMethod == "POST" | where isempty(RequestContext) | where RequestURL contains "/v1/push" | extend Quality = "low" | extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]" | project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL; //Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST] let FEQuery6 = CommonSecurityLog | where RequestMethod == "POST" | where isempty(RequestContext) | where RequestURL matches regex @"(?:\/track|\/api\/v1\/survey\/embed|\/svc\/weather\/v2)" | extend Quality = "low" | extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST]" | project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL; //Backdoor.HTTP.BEACON.[CSBundle MSOffice GET] let FEQuery7 = CommonSecurityLog | where RequestMethod == "GET" | where isempty(RequestContext) | where RequestURL matches regex @"(?:\/updates|\/license\/eula|\/docs\/office|\/software-activation)" | extend Quality = "low" | extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle MSOffice GET]" | project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL; //Backdoor.HTTP.BEACON.[CSBundle MSOffice POST] let FEQuery8 = CommonSecurityLog | where RequestMethod == "POST" | where isempty(RequestContext) | where RequestURL contains "/notification" | extend Quality = "low" | extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]" | project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL; //Backdoor.HTTP.BEACON.[CSBundle Original GET] let FEQuery9 = CommonSecurityLog | where RequestMethod == "GET" | where isempty(RequestContext) | where RequestURL matches regex @"(?:\/api2\/json\/access\/ticket|\/api2\/json\/cluster\/resources|\/api2\/json\/cluster\/tasks|\/en-us\/p\/onerf\/MeSilentPassport|\/en-us\/p\/book-2\/8MCPZJJCC98C|\/en-us\/store\/api\/checkproductinwishlist|\/gp\/cerberus\/gv|\/gp\/aj\/private\/reviewsGallery\/get-application-resources|\/gp\/aj\/private\/reviewsGallery\/get-image-gallery-assets|\/v1\/buckets\/default\/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw\/records|\/v3\/links\/ping-centre|\/v4\/links\/activity-stream|\/wp-content\/themes\/am43-6\/dist\/records|\/wp-content\/themes\/am43-6\/dist\/records|\/wp-includes\/js\/script\/indigo-migrate)" | extend Quality = "medium" | extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle Original GET]" | project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL; let Results = union FEQuery1, FEQuery3, FEQuery4, FEQuery5, FEQuery6, FEQuery7, FEQuery8, FEQuery9; //Check to see if the destination host name is low hitting in data, defeats a lot of legit API traffic Results | join ( CommonSecurityLog | where DestinationHostName != "" | summarize DomainCount=count() by DestinationHostName) on $left.DestinationHostName == $right.DestinationHostName | project TimeGenerated, Quality, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL, DomainCount | where DomainCount <= domainCountThreshold