Adversaries may use IPv6 addressing to establish covert communication channels or exfiltrate data, taking advantage of networks where IPv6 is enabled by default but monitored far less closely than IPv4. This hunting query gives SOC teams an inventory of the IPv6 subnets that onboarded devices currently report to Microsoft Sentinel (formerly Azure Sentinel) through the Microsoft 365 Defender (MicrosoftThreatProtection) connector's DeviceNetworkInfo table. On its own it is a baseline rather than a detection: the value comes from comparing the list against the prefixes you expect to see and investigating any subnet you do not recognise, since an unexpected prefix on a managed host can point to rogue address assignment, an unmanaged tunnel, or a device with a path out of the network that traditional IPv4-centric controls do not cover.
KQL Query
// Take the most recent network-configuration report from each device
DeviceNetworkInfo
| summarize arg_max(Timestamp, *) by DeviceId
// IPAddresses is a JSON array of {IPAddress, SubnetPrefix, ...}; expand to one row per address
| mv-expand todynamic(IPAddresses)
| where isnotempty(IPAddresses.SubnetPrefix) and isnotempty(IPAddresses.IPAddress)
// Mask each address down to its network prefix, in canonical IPv6 form
| extend Subnet = parse_ipv6_mask(tostring(IPAddresses.IPAddress), toint(IPAddresses.SubnetPrefix))
| summarize by Subnet
Three things to keep in mind when reading the result. parse_ipv6_mask() returns only the masked address, not the prefix length, so a /48 and a /64 that share the same leading bits collapse into a single row; keep SubnetPrefix in the output if that distinction matters to you. The function also accepts IPv4 input and converts it to IPv4-mapped IPv6 form, with the IPv4 prefix length then applied to the 128-bit mapped address, so IPv4 entries from the same adapters show up in the list as meaningless rows unless you filter them out (for example by requiring the address to contain ':'). Finally, because arg_max() keeps only the latest report per device, the query is a current snapshot; widen the time window and drop the arg_max() step if you want to know when a subnet was first seen.
id: dab99d96-b53d-438f-9826-fd0934e8578c
name: Seen IPv6 Network Subnets
description: |
  This query uncovers seen IPAddressV6 network subnets
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkInfo
tactics: []
relevantTechniques: []
query: |
  //
  DeviceNetworkInfo
  | summarize arg_max(Timestamp, *) by DeviceId
  | mv-expand todynamic(IPAddresses)
  | where isnotempty( IPAddresses.SubnetPrefix) and isnotempty( IPAddresses.IPAddress)
  | extend Subnet = parse_ipv6_mask(tostring(IPAddresses.IPAddress), toint(IPAddresses.SubnetPrefix))
  | summarize by Subnet
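The following query is an added example, not the hunting query shipped with the page, and shows how a hunter would turn the subnet inventory into something actionable: it keeps the prefix length, drops IPv4 and non-global addresses, records when each subnet was first and last seen over a 30-day window, and flags subnets that are both new and outside an allowlist of expected prefixes. The KnownPrefixes list and the 2001:db8::/32 documentation addresses in it are constructed placeholders; replace them with the prefixes your organisation actually owns or assigns.

```kusto
// Added example (not the original "Seen IPv6 Network Subnets" query): baseline IPv6 subnets
// over 30 days and surface newly seen, global-scope subnets that are not on an allowlist.
let lookback = 30d;                 // history used to establish the baseline
let newWindow = 7d;                 // a subnet first seen inside this window counts as "new"
// Constructed allowlist of prefixes you expect to see; replace with your real delegated prefixes
let KnownPrefixes = dynamic(["2001:db8:1::/48", "2001:db8:2::/48"]);
DeviceNetworkInfo
| where Timestamp > ago(lookback)
// Keep every report (no arg_max) so first-seen / last-seen can be computed per subnet
| mv-expand IPAddresses = todynamic(IPAddresses)
| extend IP = tostring(IPAddresses.IPAddress), PrefixLen = toint(IPAddresses.SubnetPrefix)
// Require a real IPv6 address: parse_ipv6_mask() would otherwise map IPv4 entries to ::ffff:a.b.c.d
| where isnotempty(IP) and isnotnull(PrefixLen) and IP contains ":"
// parse_ipv6_mask() returns only the masked address, so carry the prefix length alongside it
| extend Subnet = strcat(parse_ipv6_mask(IP, PrefixLen), "/", PrefixLen)
// Classify scope so link-local (fe80::/10) and ULA (fc00::/7) noise can be separated from global space
| extend Scope = case(
    ipv6_is_in_range(IP, "fe80::/10"), "link-local",
    ipv6_is_in_range(IP, "fc00::/7"),  "unique-local",
    ipv6_is_in_range(IP, "2000::/3"),  "global",
    "other")
// Allowlist check against the expected prefixes
| extend IsKnown = ipv6_is_in_any_range(IP, KnownPrefixes)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            DeviceCount = dcount(DeviceId), SampleDevices = make_set(DeviceName, 5)
  by Subnet, PrefixLen, Scope, IsKnown
// Only globally routable subnets that nobody vouched for are worth a hunter's time
| where Scope == "global" and IsKnown == false
| extend NewlySeen = FirstSeen > ago(newWindow)
| order by NewlySeen desc, FirstSeen desc
```

Link-local and unique-local subnets are filtered out deliberately: every IPv6-enabled adapter has an fe80::/64 address, so those rows only add noise, and ULA space is rarely the path an attacker needs. If your environment tunnels IPv6 over IPv4, also look at the TunnelType column of DeviceNetworkInfo for the devices that surface here, since a global prefix arriving over a tunnel on a host that should not have one is exactly the kind of finding this baseline is meant to expose.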
Scenario: IPv6 subnet discovery during network inventory scan
Description: A network scanning tool like Nmap or Masscan is used to map the IPv6 network infrastructure.
Filter/Exclusion: Scanning does not add rows to DeviceNetworkInfo, which reports each onboarded device's own adapter configuration rather than observed traffic, and the table carries no process name, so a filter such as process.name != "nmap" cannot be applied to this query. If the scanner host itself shows up with an address on an unexpected prefix, exclude it by DeviceName or DeviceId.
Scenario: Scheduled job for IPv6 subnet documentation
Description: A script or tool like Ansible or PowerShell is used to document IPv6 subnets as part of a regular network audit.
Filter/Exclusion: A read-only documentation job changes no adapter configuration and therefore produces no new subnets in this query's output; no exclusion is needed, and a process filter like process.name != "powershell.exe" has nothing to match against in DeviceNetworkInfo.
Scenario: IPv6 subnet configuration during system deployment
Description: A deployment tool like Chef, Puppet, or SaltStack assigns IPv6 addresses to new servers.
Filter/Exclusion: This is the main legitimate source of new subnets in the result. Maintain an allowlist of the prefixes your deployment tooling is authorised to assign and exclude subnets that fall inside it (for example with ipv6_is_in_any_range() against that list); do not try to exclude the chef-client, puppet, or salt-minion process, which this table does not record.
Scenario: IPv6 subnet monitoring by SIEM tools
Description: A SIEM tool like Splunk or ELK Stack is used to monitor and log IPv6 subnet activity as part of network visibility.
Filter/Exclusion: Log collection does not alter device addressing, so it contributes nothing to this query's output; no exclusion for splunkd or logstash is needed, and none is possible in this table.
Scenario: IPv6 subnet testing during penetration testing
Description: A penetration testing tool like Metasploit or Nmap is used to test IPv6 subnet connectivity and security.
Filter/Exclusion: Exclude the testing team's devices by DeviceName or DeviceId for the duration of the engagement, or add