Recently, the fasthttp library has been leveraged in a new brute force campaign targeting Azure Active Directory (AAD) accounts. fasthttp is a high-performance HTTP server and client library for the Go programming language, designed to handle HTTP requests more efficiently than Go's standard net/http package. The library itself is not vulnerable; attackers are simply using it as the HTTP client for high-volume brute-force login attempts and for spamming multi-factor authentication (MFA) requests [1]. What makes it detectable is that the fasthttp client identifies itself with the default User-Agent string "fasthttp", which has no business appearing in normal AAD sign-in traffic.
In this blog post, we will explore how to detect such brute force attacks using Kusto Query Language (KQL) in Microsoft Defender. We will provide a detailed KQL query to help identify suspicious login attempts that may indicate a brute force attack.
On January 13th, 2025, the SpearTip Security Operations Center, in collaboration with the Managed SaaS Alerts team, identified an emerging threat leveraging the fasthttp library. The library is being used to gain unauthorized access to accounts through brute-force login attempts and spamming MFA requests. The majority of the traffic associated with this threat originates from Brazil, with other source countries including Turkey, Argentina, Uzbekistan, Pakistan, and Iraq [1].
To detect fasthttp brute force attacks, we can use the AADSignInEventsBeta table in Microsoft Defender advanced hunting, which holds Azure Active Directory sign-in events. The following KQL query identifies failed sign-in attempts carrying the fasthttp user agent, summarizes them per account, and gives an overview of the IP addresses and countries involved.
// Define the time range for the query
let startTime = ago(7d);
let endTime = now();
// Define the threshold for failed login attempts. The fasthttp user agent should
// never appear in legitimate sign-in traffic, so a single failure is already worth a look.
let failedAttemptsThreshold = 1;
// Filter the AADSignInEventsBeta table for fasthttp brute force attacks
AADSignInEventsBeta
| where Timestamp between (startTime .. endTime)
| where UserAgent == "fasthttp"
// ErrorCode is an integer column; 0 means the sign-in succeeded, anything else is a failure
| where ErrorCode != 0
| summarize
    FailedAttempts = count(),
    IPAddresses = make_set(bag_pack("IPAddress", IPAddress, "Country", Country)),
    LastPasswordChange = max(LastPasswordChangeTimestamp)
    by AccountDisplayName
| where FailedAttempts >= failedAttemptsThreshold
| project AccountDisplayName, FailedAttempts, IPAddresses, LastPasswordChange
| order by AccountDisplayName desc
- Time Range: The query looks at the last 7 days of sign-in events. Widen startTime if you are hunting retroactively.
- Threshold: It considers an account suspicious if it has 1 or more failed login attempts. Because the fasthttp user agent has no legitimate reason to appear in your sign-in logs, even a single failure is worth reviewing; raise the threshold only if you find benign fasthttp traffic in your tenant.
- Filtering: The query filters the AADSignInEventsBeta table for events where the UserAgent is fasthttp and the ErrorCode is non-zero, which indicates a failed sign-in. Note that this deliberately drops successful sign-ins (ErrorCode 0) from the fasthttp user agent; those are the highest-priority events, since they mean a guessed password or an approved MFA prompt worked, so hunt for them separately by flipping the ErrorCode condition.
- Aggregation: It counts the number of failed login attempts per account, builds a set of IP address and country pairs used for those attempts, and records the most recent password change timestamp, which tells you whether the targeted password has been rotated since the attempts.
- Projection: The query selects the account display name, the number of failed attempts, the set of IP addresses and countries, and the last password change timestamp.
- Ordering: The results are sorted by the account display name in descending order. To see the most heavily targeted accounts first, order by FailedAttempts desc instead.
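As an added example (not code from the original post or from the SpearTip write-up), the following Python script re-implements the query's aggregation over a handful of constructed sign-in rows so the logic can be checked offline before it is pasted into advanced hunting, and it goes one step further than the query: it also reports accounts where the fasthttp user agent produced a successful sign-in, which the query's ErrorCode filter drops. The row shape, the sample values, and the use of AADSTS error code 50126 (invalid username or password) as the representative failure code are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Default User-Agent string sent by the Go fasthttp client; it is the pivot
# the KQL query keys on.
FASTHTTP_USER_AGENT = "fasthttp"

# Constructed sample rows shaped like AADSignInEventsBeta (not real tenant data).
# ErrorCode 0 is a successful sign-in; 50126 (invalid username or password) is
# used as a representative failure code. Timestamps are relative to NOW.
NOW = datetime(2025, 1, 20, 12, 0, tzinfo=timezone.utc)
PW_CHANGE_OLD = NOW - timedelta(days=90)
PW_CHANGE_RECENT = NOW - timedelta(days=1)


def _row(hours_ago, account, ua, code, ip, country, pw_change):
    return {
        "Timestamp": NOW - timedelta(hours=hours_ago),
        "AccountDisplayName": account,
        "UserAgent": ua,
        "ErrorCode": code,
        "IPAddress": ip,
        "Country": country,
        "LastPasswordChangeTimestamp": pw_change,
    }


SAMPLE_EVENTS = [
    _row(2, "Alice Example", "fasthttp", 50126, "203.0.113.10", "BR", PW_CHANGE_OLD),
    _row(1, "Alice Example", "fasthttp", 50126, "203.0.113.10", "BR", PW_CHANGE_OLD),
    # Password rotated after the first two attempts; max() should surface this value.
    _row(0.5, "Alice Example", "fasthttp", 50126, "198.51.100.7", "TR", PW_CHANGE_RECENT),
    # Ten days old: outside the 7-day window and must be ignored.
    _row(240, "Bob Example", "fasthttp", 50126, "203.0.113.10", "BR", PW_CHANGE_OLD),
    _row(4, "Bob Example", "fasthttp", 50126, "203.0.113.10", "BR", PW_CHANGE_OLD),
    # A *successful* fasthttp sign-in: the KQL query filters this out, but it is
    # the event an analyst most needs to see.
    _row(3, "Bob Example", "fasthttp", 0, "203.0.113.10", "BR", PW_CHANGE_OLD),
    # Ordinary browser failure: wrong user agent, not part of this campaign.
    _row(1, "Carol Example", "Mozilla/5.0 (Windows NT 10.0)", 50126, "192.0.2.44", "US", PW_CHANGE_OLD),
]


def _in_window(event, now, window):
    """Equivalent of `Timestamp between (ago(window) .. now())`."""
    return now - window <= event["Timestamp"] <= now


def summarize_failed_fasthttp(events, now=NOW, window=timedelta(days=7), threshold=1):
    """Mirror of the KQL query: failed fasthttp sign-ins per account.

    Returns rows sorted by AccountDisplayName descending, each with the failure
    count, the de-duplicated (IPAddress, Country) pairs and the latest
    LastPasswordChangeTimestamp seen on those failures.
    """
    per_account = defaultdict(
        lambda: {"FailedAttempts": 0, "IPAddresses": set(), "LastPasswordChange": None}
    )
    for e in events:
        if not _in_window(e, now, window):
            continue
        if e["UserAgent"] != FASTHTTP_USER_AGENT or e["ErrorCode"] == 0:
            continue
        acct = per_account[e["AccountDisplayName"]]
        acct["FailedAttempts"] += 1
        acct["IPAddresses"].add((e["IPAddress"], e["Country"]))
        pw = e["LastPasswordChangeTimestamp"]
        if acct["LastPasswordChange"] is None or pw > acct["LastPasswordChange"]:
            acct["LastPasswordChange"] = pw
    rows = [
        {
            "AccountDisplayName": name,
            "FailedAttempts": a["FailedAttempts"],
            "IPAddresses": sorted(a["IPAddresses"]),
            "LastPasswordChange": a["LastPasswordChange"],
        }
        for name, a in per_account.items()
        if a["FailedAttempts"] >= threshold
    ]
    return sorted(rows, key=lambda r: r["AccountDisplayName"], reverse=True)


def fasthttp_successes(events, now=NOW, window=timedelta(days=7)):
    """Accounts with at least one successful (ErrorCode 0) fasthttp sign-in.

    These are exactly the rows the failure-only query discards, and they are
    the strongest indicator that a brute-forced password or MFA spam worked.
    """
    hits = defaultdict(set)
    for e in events:
        if _in_window(e, now, window) and e["UserAgent"] == FASTHTTP_USER_AGENT and e["ErrorCode"] == 0:
            hits[e["AccountDisplayName"]].add((e["IPAddress"], e["Country"]))
    return {name: sorted(ips) for name, ips in hits.items()}


if __name__ == "__main__":
    for row in summarize_failed_fasthttp(SAMPLE_EVENTS):
        print(row)
    print("successful fasthttp sign-ins:", fasthttp_successes(SAMPLE_EVENTS))
```

Run it as-is and you get two summary rows (Bob with one failure, Alice with three across two IP/country pairs) plus Bob flagged under successful sign-ins; note that Bob's ten-day-old failure is excluded by the window just as the KQL's between clause would exclude it. Feed it exported advanced hunting results in the same column shape to sanity-check threshold choices before tuning the live query.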
Detecting fasthttp brute force attacks is crucial for maintaining the security of your Azure Active Directory accounts. By using the provided KQL query, you can identify and summarize failed login attempts, providing an overview of the IP addresses and countries involved. This information can help you take appropriate action to mitigate the threat and protect your accounts from unauthorized access.
Stay vigilant and ensure your security measures are up to date to defend against emerging threats like the fasthttp brute force campaign.
[1] fasthttp Used in New Bruteforce Campaign