Adversaries may be using stolen FireEye red teaming tools to exfiltrate data via HTTP communications, leveraging known command and control patterns. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early signs of compromised red teaming assets and prevent data exfiltration.
KQL Query
let domainCountThreshold = 100; //Maxiumum number of times a domain ahs been visited
//Backdoor.HTTP.BEACON.[Yelp GET]
let FEQuery1 = CommonSecurityLog
| where RequestMethod == "GET"
| where RequestURL contains "&parent_request_id="
| where RequestURL matches regex @"&parent_request_id=(?:[A-Za-z0-9_\/\+\-\%]{128,1000})={0,2}[^\r\n]{0,256}"
| extend Quality = "high"
| extend RuleName = "Backdoor.HTTP.BEACON.[Yelp GET]"
| project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL;
//Backdoor.HTTP.BEACON.[CSBundle CDN GET]
let FEQuery2 = CommonSecurityLog
| where RequestMethod == "GET"
| where FileType =~ "GZIP"
| where RequestURL matches regex @"(?:\/v1\/queue|\/v1\/profile|\/v1\/docs\/wsdl|\/v1\/pull)"
| extend Quality = "low"
| extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle CDN GET]"
| project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL;
//Backdoor.HTTP.BEACON.[CSBundle USAToday GET]
let FEQuery3 = CommonSecurityLog
| where RequestMethod == "GET"
| where isempty(RequestContext)
| where RequestURL matches regex @"(?:\/USAT-GUP\/user\/|\/entertainment\/|\/entertainment\/navdd-q1a2z3Z6TET4gv2PNfXpaJAniOzOajK7M\.min\.json|\/global-q1a2z3C4M2nNlQYzWhCC0oMSEFjQbW1KA\.min\.json|\/life\/|\/news\/weather\/|\/opinion\/|\/sports\/|\/sports\/navdd-q1a2z3JHa8KzCRLOQAnDoVywVWF7UwxJs\.min\.json|\/tangstatic\/js\/main-q1a2z3b37df2b1\.min\.js|\/tangstatic\/js\/pbjsandwich-q1a2z300ab4198\.min\.js|\/tangstatic\/js\/pg-q1a2z3bbc110a4\.min\.js|\/tangsvc\/pg\/3221104001\/|\/ta`ngsvc\/pg\/5059005002\/|\/tangsvc\/pg\/5066496002\/|\/tech\/|\/travel\/)"
| where DestinationHostName !endswith "usatoday.com"
| extend Quality = "medium"
| extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle USAToday GET]"
| project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL;
//Backdoor.HTTP.BEACON.[CSBundle Original POST]
let FEQuery4 = CommonSecurityLog
| where RequestMethod == "POST"
| where isempty(RequestContext)
| where RequestURL matches regex @"(?:\/v4\/links\/check-activity\/check|\/v1\/stats|\/gql|\/api2\/json\/check\/ticket|\/1.5\/95648064\/storage\/history|\/1.5\/95648064\/storage\/tabs|\/u\/0\/_\/og\/botguard\/get|\/ev\/prd001001|\/ev\/ext001001|\/gp\/aw\/ybh\/handlers|\/v3\/links\/ping-beat\/check)"
| extend Quality = "low"
| extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle Original POST]"
| project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL;
//Backdoor.HTTP.BEACON.[CSBundle MSOffice POST
let FEQuery5 = CommonSecurityLog
| where RequestMethod == "POST"
| where isempty(RequestContext)
| where RequestURL contains "/v1/push"
| extend Quality = "low"
| extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"
| project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL;
//Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST]
let FEQuery6 = CommonSecurityLog
| where RequestMethod == "POST"
| where isempty(RequestContext)
| where RequestURL matches regex @"(?:\/track|\/api\/v1\/survey\/embed|\/svc\/weather\/v2)"
| extend Quality = "low"
| extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST]"
| project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL;
//Backdoor.HTTP.BEACON.[CSBundle MSOffice GET]
let FEQuery7 = CommonSecurityLog
| where RequestMethod == "GET"
| where isempty(RequestContext)
| where RequestURL matches regex @"(?:\/updates|\/license\/eula|\/docs\/office|\/software-activation)"
| extend Quality = "low"
| extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle MSOffice GET]"
| project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL;
//Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]
let FEQuery8 = CommonSecurityLog
| where RequestMethod == "POST"
| where isempty(RequestContext)
| where RequestURL contains "/notification"
| extend Quality = "low"
| extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"
| project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL;
//Backdoor.HTTP.BEACON.[CSBundle Original GET]
let FEQuery9 = CommonSecurityLog
| where RequestMethod == "GET"
| where isempty(RequestContext)
| where RequestURL matches regex @"(?:\/api2\/json\/access\/ticket|\/api2\/json\/cluster\/resources|\/api2\/json\/cluster\/tasks|\/en-us\/p\/onerf\/MeSilentPassport|\/en-us\/p\/book-2\/8MCPZJJCC98C|\/en-us\/store\/api\/checkproductinwishlist|\/gp\/cerberus\/gv|\/gp\/aj\/private\/reviewsGallery\/get-application-resources|\/gp\/aj\/private\/reviewsGallery\/get-image-gallery-assets|\/v1\/buckets\/default\/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw\/records|\/v3\/links\/ping-centre|\/v4\/links\/activity-stream|\/wp-content\/themes\/am43-6\/dist\/records|\/wp-content\/themes\/am43-6\/dist\/records|\/wp-includes\/js\/script\/indigo-migrate)"
| extend Quality = "medium"
| extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle Original GET]"
| project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL;
let Results = union FEQuery1, FEQuery3, FEQuery4, FEQuery5, FEQuery6, FEQuery7, FEQuery8, FEQuery9;
//Check to see if the destination host name is low hitting in data, defeats a lot of legit API traffic
Results
| join (
CommonSecurityLog
| where DestinationHostName != ""
| summarize DomainCount=count() by DestinationHostName)
on $left.DestinationHostName == $right.DestinationHostName
| project TimeGenerated, Quality, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL, DomainCount
| where DomainCount <= domainCountThreshold
id: e3b8ca4a-2bab-4246-860c-fc3bb8e7ac50
name: FireEye stolen red teaming tools communications
description: |
'This composite hunting query will highlight any HTTP traffic in CommonSecurityLog web proxies (such as ZScaler) that match known patterns used by red teaming tools potentially stolen from FireEye. Most FireEye red teaming tools are designed to mimic
legitimate API activity, false positives are common. This query includes a basic check to determine how common a hostname is in you environment, and allows you to modify this threshold to remove legitimate traffic from the query results.
This query contains only a subset of potential FireEye red team tool communications, and therefore should not be relied upon alone :) .'
requiredDataConnectors:
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
tactics:
- CommandAndControl
relevantTechniques:
- T1071.001
query: |
let domainCountThreshold = 100; //Maxiumum number of times a domain ahs been visited
//Backdoor.HTTP.BEACON.[Yelp GET]
let FEQuery1 = CommonSecurityLog
| where RequestMethod == "GET"
| where RequestURL contains "&parent_request_id="
| where RequestURL matches regex @"&parent_request_id=(?:[A-Za-z0-9_\/\+\-\%]{128,1000})={0,2}[^\r\n]{0,256}"
| extend Quality = "high"
| extend RuleName = "Backdoor.HTTP.BEACON.[Yelp GET]"
| project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL;
//Backdoor.HTTP.BEACON.[CSBundle CDN GET]
let FEQuery2 = CommonSecurityLog
| where RequestMethod == "GET"
| where FileType =~ "GZIP"
| where RequestURL matches regex @"(?:\/v1\/queue|\/v1\/profile|\/v1\/docs\/wsdl|\/v1\/pull)"
| extend Quality = "low"
| extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle CDN GET]"
| project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL;
//Backdoor.HTTP.BEACON.[CSBundle USAToday GET]
let FEQuery3 = CommonSecurityLog
| where RequestMethod == "GET"
| where isempty(RequestContext)
| where RequestURL matches regex @"(?:\/USAT-GUP\/user\/|\/entertainment\/|\/entertainment\/navdd-q1a2z3Z6TET4gv2PNfXpaJAniOzOajK7M\.min\.json|\/global-q1a2z3C4M2nNlQYzWhCC0oMSEFjQbW1KA\.min\.json|\/life\/|\/news\/weather\/|\/opinion\/|\/sports\/|\/sports\/navdd-q1a2z3JHa8KzCRLOQAnDoVywVWF7UwxJs\.min\.json|\/tangstatic\/js\/main-q1a2z3b37df2b1\.min\.js|\/tangstatic\/js\/pbjsandwich-q1a2z300ab4198\.min\.js|\/tangstatic\/js\/pg-q1a2z3bbc110a4\.min\.js|\/tangsvc\/pg\/3221104001\/|\/ta`ngsvc\/pg\/5059005002\/|\/tangsvc\/pg\/5066496002\/|\/tech\/|\/travel\/)"
| where DestinationHostName !endswith "usatoday.com"
| extend Quality = "medium"
| extend RuleName = "Backdoor.HTTP.BEACON.[CSBundle USAToday GET]"
| project TimeGenerated, Quality, RuleName, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMeth| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
Scenario: Legitimate Red Teaming Tool Usage
Description: A red teaming exercise is conducted using FireEye’s own red teaming tools (e.g., FireEye Red Team Toolkit), which may trigger the rule due to similar communication patterns.
Filter/Exclusion: Add a filter for process.name = "fireeye-redteamtoolkit.exe" or process.name = "fireeye-redteam.exe" to exclude legitimate red teaming activities.
Scenario: Scheduled System Maintenance Tasks
Description: A system administrator runs a scheduled maintenance job that uses a tool with similar HTTP communication patterns (e.g., PowerShell remoting or Task Scheduler jobs).
Filter/Exclusion: Filter by process.name = "schtasks.exe" or process.name = "powershell.exe" with a command-line argument indicating a scheduled task.
Scenario: Internal HTTP Proxy Usage
Description: Employees use the internal HTTP proxy (e.g., ZScaler, Cisco WSA) to access internal resources, which may match the rule’s HTTP pattern.
Filter/Exclusion: Filter by destination_ip = internal_ip_range or destination_port = 8080 to exclude internal proxy traffic.
Scenario: Software Update or Patching Tools
Description: A patching tool (e.g., Microsoft Update, WSUS, or Ansible) communicates with a central server using HTTP, which may trigger the rule.
Filter/Exclusion: Filter by process.name = "wuauclt.exe" or process.name = "ansible.exe" or check for known update server IPs in the destination IP field.
Scenario: Legitimate Security Tool Communication
Description: A security tool (e.g., **Crowd