Defender for Office 365 detonates inbound attachments (Safe Attachments) and links (Safe Links) in a sandbox. When the DetectionMethods column of EmailEvents records a "URL detonation" or "File detonation" verdict, the message was caught by observed behaviour rather than by a signature or reputation lookup, which is the closest signal this table offers for previously unseen (zero-day) malware and phishing lures delivered by email (MITRE ATT&CK T1566, Phishing). SOC teams can hunt for these verdicts in Azure Sentinel to see how much of the catch is detonation-only, who is being targeted, and whether any such mail reached a mailbox before it causes wider damage.
KQL Query

```kusto
EmailEvents
| where Timestamp > ago(30d)
| where DetectionMethods has "URL Detonation" or DetectionMethods has "File Detonation"
| count
```
```yaml
id: 95b0c7ed-2853-4343-80a9-ab076cf31e51
name: Zero day threats
description: |
  This query helps review zero-day threats caught by URL and file detonation
description-detailed: |
  This query helps review zero-day threats caught by URL and file detonation, using Defender for Office 365 data
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp > ago(30d)
  | where DetectionMethods has "URL Detonation" or DetectionMethods has "File Detonation"
  | count
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Populated by the Microsoft Defender XDR (MicrosoftThreatProtection) data connector with the EmailEvents data type enabled; requires Defender for Office 365, since Safe Links and Safe Attachments produce the detonation verdicts |
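The bare `| count` only says how many messages carried a detonation verdict. The query below is an added example, not the page's hunting query or Microsoft's; it expands the same filter to show which URLs and attachments were detonated, who sent them, and whether the mail reached a mailbox. Column names follow the Defender XDR EmailEvents, EmailUrlInfo and EmailAttachmentInfo schemas; the 30-day lookback and the make_set caps are assumptions to tune.

```kusto
// Added example, not the page's query. Column names follow the Defender XDR
// EmailEvents / EmailUrlInfo / EmailAttachmentInfo schemas; the lookback and
// the make_set caps are assumptions.
let lookback = 30d;
let detonated =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where DetectionMethods has "URL Detonation" or DetectionMethods has "File Detonation"
    | project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain,
              RecipientEmailAddress, Subject, ThreatTypes, DetectionMethods,
              DeliveryAction, DeliveryLocation, AttachmentCount, UrlCount;
// URLs observed in each message (what Safe Links detonated)
let urls =
    EmailUrlInfo
    | where Timestamp > ago(lookback)
    | summarize Urls = make_set(Url, 10), UrlDomains = make_set(UrlDomain, 10) by NetworkMessageId;
// Attachments observed in each message (what Safe Attachments detonated)
let files =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | summarize Files = make_set(FileName, 10), FileTypes = make_set(FileType, 10),
                Hashes = make_set(SHA256, 10) by NetworkMessageId;
detonated
// lookup is a left-outer join that keeps one row per message and does not
// duplicate the key column, so messages with no URL or attachment rows survive
| lookup urls on NetworkMessageId
| lookup files on NetworkMessageId
// Verdicts on mail that was blocked or quarantined are already handled by the
// product; mail that was delivered is what needs a human.
| extend ReachedMailbox = DeliveryAction == "Delivered"
| order by ReachedMailbox desc, Timestamp desc
| project Timestamp, ReachedMailbox, DeliveryLocation, SenderFromAddress, RecipientEmailAddress,
          Subject, ThreatTypes, DetectionMethods, UrlDomains, Urls, FileTypes, Files, Hashes
```

Pivot the result on SenderFromDomain or on a SHA256 hash to see whether one detonated lure was part of a campaign across several recipients; the hashes and URL domains are also the natural input for a retro-hunt in DeviceFileEvents and DeviceNetworkEvents.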
Scenario: Scheduled File Integrity Monitoring Scan
Description: Not applicable to this query. Tripwire or OSSEC scans are endpoint activity and create no rows in EmailEvents, which records mail flow and Defender for Office 365 verdicts only and has no process or file path columns.
Filter/Exclusion: None needed. If such scans surface in a hunt, it will be in the endpoint tables (DeviceProcessEvents, DeviceFileEvents), not in EmailEvents.
Scenario: Admin Task - System File Update
Description: Not applicable to this query. PowerShell or Windows Update writing to C:\Windows\System32 never passes through mail, so it cannot produce a URL or file detonation verdict in EmailEvents.
Filter/Exclusion: None needed in this query; an exclusion on powershell.exe or wuauclt.exe belongs in an endpoint hunt over DeviceProcessEvents.
Scenario: User-Initiated File Upload via Web Interface
Description: The email-side form of this scenario is a share notification from SharePoint, OneDrive, Google Drive or Dropbox whose link Safe Links detonates. Such a message can carry a URL detonation verdict even when the shared file is benign.
Filter/Exclusion: Join EmailUrlInfo on NetworkMessageId and exclude messages whose only UrlDomain values are your tenant's own sharing hosts. Do not allowlist sharepoint.com, drive.google.com or dropbox.com wholesale: attackers host phishing pages and droppers on exactly these services. There is no process field in EmailEvents to key an exclusion on.
Scenario: Automated Log Collection Job
Description: Not applicable to this query. Logstash, Splunk or ELK jobs reading log directories are not email and produce no EmailEvents rows.
Filter/Exclusion: None needed in this query; process and path exclusions of this kind apply to endpoint tables only.
Scenario: Security Tool Self-Update
Description: Not applicable to this query. CrowdStrike, Microsoft Defender and FireEye update over their own channels, not by email, so a self-update cannot trigger a detonation verdict in EmailEvents. The nearest email-side case is a vendor notification mail with links, which should be handled like the share-notification scenario above.
Filter/Exclusion:
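Of the scenarios above, only the share-link one can be expressed against EmailEvents. The query below is an added example, not the page's query, of tuning the hunt that way: instead of dropping rows, it classifies each detonation hit so that suppressed items stay visible for review. The contoso domains are placeholders assumed for illustration; the column names are the real Defender XDR EmailEvents and EmailUrlInfo columns.

```kusto
// Added example, not the page's query. The allowlists are placeholders assumed
// for illustration; replace them with your tenant's own domains.
let lookback = 30d;
// Narrow allowlist: only this tenant's own sharing hosts, never the whole
// sharepoint.com / dropbox.com space, which attackers also use to host phish.
let trustedShareDomains = dynamic(["contoso.sharepoint.com", "contoso-my.sharepoint.com"]);
let internalSenderDomains = dynamic(["contoso.com"]);
// Per-message URL profile: did detonation see only allowlisted links?
let urlProfile =
    EmailUrlInfo
    | where Timestamp > ago(lookback)
    | summarize UrlTotal = count(),
                UrlTrusted = countif(UrlDomain in~ (trustedShareDomains)),
                UrlDomains = make_set(UrlDomain, 10)
      by NetworkMessageId
    | extend OnlyTrustedUrls = UrlTotal > 0 and UrlTrusted == UrlTotal;
EmailEvents
| where Timestamp > ago(lookback)
| where DetectionMethods has "URL Detonation" or DetectionMethods has "File Detonation"
| lookup urlProfile on NetworkMessageId
// messages with no EmailUrlInfo rows get null from the lookup; treat as not trusted
| extend OnlyTrustedUrls = coalesce(OnlyTrustedUrls, false)
| extend InternalSender = SenderFromDomain in~ (internalSenderDomains)
// Classify rather than filter: a detonation verdict on an internal sender may
// be a compromised account, not noise, so it must stay in the result.
| extend Triage = case(
    DetectionMethods has "File Detonation", "file-detonation",
    OnlyTrustedUrls and InternalSender, "likely-benign-share",
    OnlyTrustedUrls, "review-external-share",
    "investigate")
| summarize Messages = count(),
            Delivered = countif(DeliveryAction == "Delivered"),
            Senders = dcount(SenderFromAddress),
            SampleSubject = take_any(Subject),
            Domains = take_any(UrlDomains)
  by Triage, SenderFromDomain
| order by Triage asc, Delivered desc
```

Attachment verdicts are never suppressed by this query: a "File detonation" hit on a share notification means the notification itself carried a malicious attachment, which no allowlist should hide. Start with the "investigate" and "file-detonation" buckets, then check "likely-benign-share" for internal senders whose share mail suddenly carries detonation verdicts.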