Adversaries may use Dragonfly tactics to establish persistent access and exfiltrate data from compromised Azure environments. This hunt looks for execution of the CrackMapExec tool (crackmapexec.exe) in Defender process telemetry. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify and mitigate long-term data breaches and lateral movement.
KQL Query

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "crackmapexec.exe"
| top 100 by Timestamp desc
```
Hunting query definition (YAML):

```yaml
id: 0132d53e-8457-4ed3-b9be-e3ef5ea7d273
name: Dragon Fly
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_dragonfly.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName =~ "crackmapexec.exe"
  | top 100 by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses curl to fetch a configuration file from an internal server.
Filter/Exclusion: process.parent_process contains "Task Scheduler" or process.name contains "schtasks.exe"

Scenario: Admin Performing Software Update via Chocolatey
Description: An administrator uses Chocolatey to install a package, which triggers a network request that matches the rule's network behavior.
Filter/Exclusion: process.name contains "choco.exe" or process.arguments contains "install"

Scenario: Internal Monitoring Tool Fetching Metrics
Description: A monitoring tool such as Prometheus or Datadog uses curl or wget to fetch metrics from a local or internal endpoint.
Filter/Exclusion: process.name contains "prometheus" or process.name contains "datadog-agent" or destination.address contains "internal"

Scenario: PowerShell Script for Log Rotation
Description: A PowerShell script runs a log rotation task that uses Invoke-WebRequest to download a template file from a local server.
Filter/Exclusion: (process.name contains "powershell.exe" and process.arguments contains "Invoke-WebRequest") or destination.address contains "localhost"

Scenario: Database Backup Job Using rsync
Description: A scheduled backup job uses rsync to synchronize data between servers, which may involve network activity that matches the rule.
Filter/Exclusion: process.name contains "rsync" or process.parent_process contains "crontab" or process.parent_process contains "task scheduler"
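The following Python script is an added example and is not part of the original hunting query or the Sentinel content it describes. It mirrors the page's KQL query (the 7-day window, the case-insensitive `=~` match on FileName, and `top 100 by Timestamp desc`) over a handful of constructed DeviceProcessEvents rows, then shows how a tuning exclusion such as the "Scheduled System Maintenance Task" scenario above can be applied without silently dropping rows. The scenario filters on the page use generic field names (`process.name`, `process.parent_process`) rather than the DeviceProcessEvents schema, so the sample exclusion here is a hypothetical rewrite against `InitiatingProcessFileName`; the sample rows, timestamps and device names are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is deterministic offline.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed DeviceProcessEvents rows (a subset of the table's real columns).
EVENTS = [
    {"Timestamp": NOW - timedelta(hours=2), "DeviceName": "ws01",
     "FileName": "crackmapexec.exe", "InitiatingProcessFileName": "cmd.exe"},
    # Different letter case: KQL's =~ still matches this row.
    {"Timestamp": NOW - timedelta(days=3), "DeviceName": "ws02",
     "FileName": "CrackMapExec.EXE", "InitiatingProcessFileName": "powershell.exe"},
    # Spawned by the task scheduler: the kind of row a tuning exclusion would hide.
    {"Timestamp": NOW - timedelta(hours=6), "DeviceName": "ws05",
     "FileName": "crackmapexec.exe", "InitiatingProcessFileName": "schtasks.exe"},
    # Older than 7 days: outside ago(7d).
    {"Timestamp": NOW - timedelta(days=10), "DeviceName": "ws03",
     "FileName": "crackmapexec.exe", "InitiatingProcessFileName": "cmd.exe"},
    # A differently named file: a FileName-only hunt does not see it, which is
    # why this query is best paired with command-line or hash based hunts.
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "ws04",
     "FileName": "cme.exe", "InitiatingProcessFileName": "cmd.exe"},
]


def kql_hunt(events, now=NOW, window=timedelta(days=7), top=100):
    """Mirror of the page's query.

    | where Timestamp > ago(7d)              -> e["Timestamp"] > now - window
    | where FileName =~ "crackmapexec.exe"   -> case-insensitive string equality
    | top 100 by Timestamp desc              -> sort descending, keep the first 100
    """
    hits = [e for e in events
            if e["Timestamp"] > now - window
            and e["FileName"].lower() == "crackmapexec.exe"]
    hits.sort(key=lambda e: e["Timestamp"], reverse=True)
    return hits[:top]


def apply_exclusions(hits, exclusions):
    """Partition hits into (kept, suppressed).

    Each entry is (row, [labels of the exclusions that matched]).  Suppressed
    rows are returned rather than discarded so an analyst can audit what a
    tuning rule hides before it becomes a 'where not(...)' clause in Sentinel.
    """
    kept, suppressed = [], []
    for e in hits:
        reasons = [label for label, pred in exclusions if pred(e)]
        (suppressed if reasons else kept).append((e, reasons))
    return kept, suppressed


# Hypothetical exclusion modelled on the "Scheduled System Maintenance Task"
# scenario, rewritten against a DeviceProcessEvents column (not from the page).
SCHEDULED_TASK_PARENT = (
    "scheduled-task parent",
    lambda e: e["InitiatingProcessFileName"].lower() in ("schtasks.exe", "taskeng.exe"),
)


def run(events=EVENTS):
    """Return the hunt hits and the kept/suppressed split for the sample exclusion."""
    hits = kql_hunt(events)
    kept, suppressed = apply_exclusions(hits, [SCHEDULED_TASK_PARENT])
    return hits, kept, suppressed


if __name__ == "__main__":
    hits, kept, suppressed = run()
    print(f"{len(hits)} hit(s) in the last 7 days")
    for e, _ in kept:
        print("  KEEP   ", e["DeviceName"], e["FileName"], e["InitiatingProcessFileName"])
    for e, reasons in suppressed:
        print("  REVIEW ", e["DeviceName"], e["FileName"], "excluded by:", ", ".join(reasons))
```

Running it lists three hits in the window (ws01, ws05, ws02, newest first) and puts the ws05 row under REVIEW instead of dropping it: a scheduled task launching crackmapexec.exe is exactly the case where a broad "parent is the task scheduler" exclusion would hide a real finding, so the split output is what to check before committing any such filter to the query.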