Threat Huntmediumtest

Potentially Suspicious Azure Front Door Connection

Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2) that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Isaac DunhamCreated Thu Nov 078cb4d14e-776e-43c2-8fb9-91e7fcea32b4windows

Hunting Hypothesis

Log Source

WindowsNetwork Connection

ProductWindows← raw: windows

CategoryNetwork Connection← raw: network_connection

Events for outbound and inbound network connections including DNS resolution.

Detection Logic

detection:
    selection:
        DestinationHostname|contains: 'azurefd.net'
    filter_main_web_browsers:
        Image|endswith:
            - 'brave.exe'
            - 'chrome.exe'
            - 'chromium.exe'
            - 'firefox.exe'
            - 'msedge.exe'
            - 'msedgewebview2.exe'
            - 'opera.exe'
            - 'vivaldi.exe'
    filter_main_common_talkers:
        Image|endswith: 'searchapp.exe' # Windows search service uses signifcant amount of Azure FD
    filter_main_known_benign_domains:
        DestinationHostname|contains:
            - 'afdxtest.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'fp-afd.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'roxy.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net' # Used by VS Code; Cisco Umbrella top 1m
            - 'storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net' # Used by Azure Storage Explorer; Cisco Umbrella top 1m
            - 'graph.azurefd.net' # MS Graph; Cisco Umbrella top 1m
    condition: selection and not 1 of filter_main_*