Skip to content

[New Hunt] Potential Spoofed microsoftonline.com via Fuzzy Match #4770

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

terrancedejesus
Copy link
Contributor

Pull Request

Issue link(s):

Summary - What I changed

Adds a new hunt for potentially spoofed MSFT domains related to recent VOID BLIZZARD activity. Note that this hunt will need to be adjusted based on the environment it runs in as scores will vary depending on volume of documents.

How To Test

  • Can be used in TRADE stack against spoofed-domains-test-v2 index

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

Copy link
Contributor

github-actions bot commented Jun 3, 2025

Hunt: New - Guidelines

Welcome to the hunting folder within the detection-rules repository! This directory houses a curated collection of threat hunting queries designed to enhance security monitoring and threat detection capabilities using the Elastic Stack.

Documentation and Context

  • Detailed description of the Hunt.
  • Link related issues or PRs.
  • Include references.
  • Field Usage: Ensure standardized fields for compatibility across different data environments and sources.

Hunt Metadata Checks

  • author: The name of the individual or organization authoring the rule.
  • uuid: Unique UUID.
  • name and description are descriptive and typo-free.
  • language: The query language(s) used in the rule, such as KQL, EQL, ES|QL, OsQuery, or YARA.
  • query is inclusive, not overly exclusive, considering performance for diverse environments.
  • integration aligns with the index. Ensure updates if the integration is newly introduced.
  • notes includes additional information regarding data collected from the hunting query.
  • mitre matches appropriate technique and sub-technique IDs that hunting query collect's data for.
  • references are valid URL links that include information relevenat to the hunt or threat.
  • license

Testing and Validation

  • Evidence of testing and valid query usage.
  • Markdown Generated: Run python -m hunting generate-markdown with specific parameters to ensure a markdown version of the hunting TOML files is created.
  • Index Refreshed: Run python -m hunting refresh-index to refresh indexes.
  • Run Unit Tests: Run pytest tests/test_hunt_data.py to run unit tests.

@botelastic botelastic bot added the Hunting label Jun 4, 2025
@terrancedejesus terrancedejesus requested a review from Samirbous June 6, 2025 20:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[New hunt] Potentially Spoofed Microsoft Auth Domains
2 participants