HackTool - BabyShark Agent Default URL Pattern

Hunt Hypothesis

The hypothesis is that the detected communication pattern indicates an adversary is using the BabyShark C2 framework to establish command and control over compromised hosts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential persistent threats leveraging the BabyShark agent’s default URL patterns.

Detection Rule

Sigma (Original)

title: HackTool - BabyShark Agent Default URL Pattern
id: 304810ed-8853-437f-9e36-c4975c3dfd7e
status: test
description: Detects Baby Shark C2 Framework default communication patterns
references:
    - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
author: Florian Roth (Nextron Systems)
date: 2021-06-09
modified: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: 'momyshark\?key='
    condition: selection
falsepositives:
    - Unlikely
level: critical

KQL (Azure Sentinel)

imWebSession
| where Url contains "momyshark?key="

False Positive Guidance

• Scenario: Scheduled system maintenance or patching using PowerShell scripts that download files from a URL matching the C2 pattern.
  Filter/Exclusion: Exclude URLs containing patch, update, or maintenance in the request path.

• Scenario: Windows Task Scheduler job that performs routine log cleanup, which may use a script that temporarily connects to a server with a URL matching the C2 pattern.
  Filter/Exclusion: Exclude URLs associated with Task Scheduler or jobs with names containing Cleanup, Log, or Archive.

• Scenario: Microsoft Endpoint Configuration Manager (MECM) or Intune deployment that uses a custom URL for content distribution, which coincidentally matches the C2 pattern.
  Filter/Exclusion: Exclude URLs containing content, distribution, or software in the request path.

• Scenario: SQL Server Agent Job that performs database backups and uses a script that connects to an external storage service with a URL resembling the C2 pattern.
  Filter/Exclusion: Exclude URLs containing backup, restore, or sqlbackup in the request path.

• Scenario: Ansible Tower or Puppet orchestration job that uses a custom module or script which temporarily connects to a server with a URL matching the C2 pattern.
  Filter/Exclusion: Exclude URLs containing orchestration, playbook, or module in the request path.

MITRE ATT&CK Context

• Tactic: Command and Control
• Technique: T1071.001