<img src="https://ws.zoominfo.com/pixel/JV60JGR5LG4sEWlH3Xte" width="1" height="1" style="display: none;">

In response to our recent LinkedIn post, we have had requests on how Microsoft Sentinel users can check their environment for any potentially malicious Russian scanning activity. SecureSky and other providers have been seeing the following indicators, and thousands of others, based on volumes, behavior, and threat intelligence, such as the FBI's latest report referenced below. Below are hunting queries you can use to check your environments. We will be starting a new series next week where we will continue to share custom queries that you can use to identify a variety of threats.

URL reference to FBI Flash Report on Cyber Actors Perform Increased Reconnaissance of US Energy Sector Networks from Russia-Based IP Addresses:
https://www.politico.com/f/?id=0000017f-b3dc-d9e9-a57f-b3dd0a2b0000

To be clear, many of these IP addresses have been scanning for years. This technique is used not only by state actors, but also cyber criminals, to discover parameter exposures of organizations.

CAUTION: Many of these IPs may produce false-positives, all threat intelligence indicators need to be maintained, curated, and  situationally evaluated.

Query

Query 1: Russian IP Traffic Volume - From FortiGate Firewall Logs Using Sentinel's Watchlist


let lookbacktime=60d;
_GetWatchlist('RussianScanners220324')
|join CommonSecurityLog
on $left.IPAddress == $right.SourceIP
|where TimeGenerated >ago(lookbacktime)
|extend Activity=case(Activity contains "deny","deny",Activity contains "accept", "accept",Activity contains "timeout","timeout",Activity)
| where Activity !contains "deny"
|summarize sum=count() by  bin(TimeGenerated,1d),Activity, SourceIP, DestinationIP//,DestinationPort, Message, DeviceInboundInterface, DeviceOutboundInterface


 

Query 2: Russian IP Traffic Volume - From FortiGate Firewall Logs Not Using Sentinel's Watchlist


let lookbacktime=60d;
let RussianScanners220324 = datatable(RussianIP:string)
["109.237.103.38","151.236.101.19","151.236.104.2","151.236.106.4","151.236.110.2","151.236.115.20","151.236.118.2","151.236.119.2","151.236.126.6","151.236.127.2","151.236.64.24","151.236.81.2","151.236.82.3","151.236.89.13","151.236.89.26","151.236.92.2","151.236.95.2","151.236.99.9","162.62.191.231","178.46.212.0","178.49.133.3","185.167.121.66","185.177.114.98","185.25.61.6","185.3.142.3","185.31.114.25","185.31.115.10","185.94.111.1","188.127.251.15","188.191.1.66","188.43.225.61","193.169.53.130","193.33.133.130","195.210.169.98","212.109.204.130","212.188.11.50","212.188.22.66","212.19.24.64","212.83.8.79","217.13.220.66","217.150.58.9","31.200.250.4","31.28.1.226","37.60.16.54","37.8.145.2","46.161.54.57","5.188.152.194","5.61.11.123","62.152.61.227","62.78.86.130","77.243.112.122","79.141.210.2","81.163.32.42","84.47.151.67","89.188.167.130","89.223.4.2","91.231.236.41","91.231.237.2","91.231.239.2","91.238.110.2","91.238.111.8","92.63.196.25","92.63.196.61","92.63.197.71","93.92.69.34","95.182.106.43","109.95.198.12","176.192.99.26","213.110.249.145","80.254.126.75","92.124.140.196","95.182.105.135","185.141.225.2","185.214.76.130","31.180.165.127","46.149.110.195","5.45.234.205","37.18.24.16","194.190.76.41","213.155.156.184","94.100.180.197","194.190.76.44","151.236.127.145","213.180.204.90","81.19.74.2","104.16.18.94","104.16.19.94","104.18.10.207","104.18.11.207"
"104.46.162.224","104.46.162.226","13.69.109.130","13.69.109.131","13.69.116.104","13.69.239.72","13.69.239.73","13.69.239.74","13.78.111.198","144.172.118.37","146.88.240.248","146.88.240.4","149.154.167.51","149.154.167.91","149.154.175.100","149.154.175.50","149.154.175.55","154.89.5.86","183.136.226.3","183.136.226.4","185.184.8.65","193.107.216.228","193.46.255.60","20.50.201.195","20.50.201.200","20.50.73.10","20.50.80.209","20.50.80.210","20.54.89.106","20.54.89.15","200.73.138.230","3.126.56.137","31.220.3.140","34.98.64.218","35.190.43.134","35.244.159.8","40.79.197.35","45.143.200.50","45.143.203.3","45.146.165.165","45.146.165.37","45.148.10.241","51.104.15.252","51.105.71.136","51.132.193.105","51.89.124.57","62.210.13.20","80.82.77.193","89.248.163.140","89.248.165.202","89.248.165.60"];
RussianScanners220324
|join CommonSecurityLog
on $left.RussianIP == $right.SourceIP
|where TimeGenerated >ago(lookbacktime)
|where TimeGenerated >ago(lookbacktime)
|extend Activity=case(Activity contains "deny","deny",Activity contains "accept", "accept",Activity contains "timeout","timeout",Activity)
| where Activity !contains "deny"
|summarize sum=count() by  bin(TimeGenerated,1d),Activity, SourceIP, DestinationIP//,DestinationPort, Message, DeviceInboundInterface, DeviceOutboundInterface


 

Query 3.A: Query Any IPs Within SigninLogs


let lookbacktime=100d;
_GetWatchlist('RussianScanners220324')
|join SigninLogs
on $left.RussianIP == $right.IPAddress
|where TimeGenerated >ago(lookbacktime)


 

Query 3.B: Query Any IPs Within Okta Logs


let lookbacktime=100d;
RussianScanners220324

|join Okta_CL
on $left.RussianIP == $right.client_ipAddress_s
|where TimeGenerated >ago(lookbacktime)


 

Query 3.C: Query Any IPs Within Azure VMs


let lookbacktime=60d;
_GetWatchlist('RussianScanners220324')
|join VMConnection
on $left.IPAddress == $right.SourceIp
|where TimeGenerated >ago(lookbacktime)
|summarize sum=count() by  bin(TimeGenerated,1d), SourceIp, DestinationIp,DestinationPort,Direction


 

If you need any additional help or details on how to integrate IOCs into Sentinel's threat intelligence repository, workbooks, hunting queries, etc. feel free to reach out to us. Please subscribe to our blog to stay updated on security trends and threats.