Athena HTTP identification

Hunt Hypothesis

Athena HTTP identification detects potential adversary use of HTTP-based communication to exfiltrate data or establish command and control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage network-based threats that may evade traditional detection methods.

YARA Rule

rule AthenaHTTP_v2 
{
    
    meta:
        author = "Jason Jones <[email protected]>"
        description = "Athena HTTP identification"
        source = "https://github.com/arbor/yara/blob/master/athena.yara"

    strings:
        $fmt_str1="|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|"
        $fmt_str2="|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|"
        $cmd1 = "filesearch.stop"
        $cmd2 = "rapidget"
        $cmd3 = "layer4."
        $cmd4 = "slowloris"
        $cmd5 = "rudy"
   
    condition:
        all of ($fmt_str*) and 3 of ($cmd*)
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 7 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled Data Pipeline Job Using Apache Airflow
  Description: A legitimate scheduled job in Apache Airflow is making HTTP requests to an internal API to fetch data for processing.
  Filter/Exclusion: http.client_ip == "10.0.0.100" (IP of the Airflow scheduler) or http.request_url contains "/api/data-pipeline"

• Scenario: Admin Performing Configuration Management via Ansible
  Description: An administrator is using Ansible to configure remote hosts, which may involve HTTP requests to a central management server.
  Filter/Exclusion: http.user_agent contains "Ansible" or http.request_url contains "/api/ansible"

• Scenario: Internal Monitoring Tool Polling Metrics
  Description: A tool like Prometheus or Datadog is polling internal metrics endpoints to collect system performance data.
  Filter/Exclusion: http.request_url contains "/metrics" or http.user_agent contains "Prometheus"

• Scenario: CI/CD Pipeline Artifact Download
  Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) is downloading artifacts from an internal artifact repository.
  Filter/Exclusion: http.request_url contains "/artifacts" or http.user_agent contains "Jenkins"

• Scenario: User Accessing Internal Documentation Portal
  Description: A user is accessing internal documentation hosted on a web server, which may involve HTTP requests to a static content server.
  Filter/Exclusion: http.request_url contains "/docs" or http.user_agent contains "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" (common browser user agent)