Query Details

Attacker In The Middle Precision Detection

Query

// Attacker in the Middle Precision Detection

//** A premium detection requiring Entra P2 license **

// Beginning in July 2024, the ‘Attacker in the Middle’ detection is now generally available in Identity Protection. By combining this offline detection with ‘Anomalous Token’ detection, it provides high-precision detection when a malicious actor attempts to replay a token. AAD Identity Protection will raise a security alert under ‘Anomalous Token’ with the ‘attackerInTheMiddle’ risk event type, ensuring reliable detection.

let AnomalousTokenRequestId=
SecurityAlert
| where AlertName == "Anomalous Token"
| mv-expand todynamic(Entities)
| project Entities
| extend RequestId = tostring(Entities.RequestId)
| distinct RequestId;
AADUserRiskEvents
| where RequestId has_any(AnomalousTokenRequestId)
| where RiskEventType == "attackerinTheMiddle"

// #Sentinel #AiTM #AnomalousToken #IdentityProtection #Entra #PremiumDetection

// MITRE ATT&CK Mapping

// The KQL code is designed to detect anomalous token activities and correlate them with specific risk events. The associated MITRE ATT&CK techniques are:

// T1550.004 - Use Alternate Authentication Material: Web Session Cookie:
// This technique involves using stolen web session cookies to authenticate to web applications.
// T1071.001 - Application Layer Protocol: Web Protocols:
// This technique involves using web protocols for command and control.
// T1078 - Valid Accounts:
// This technique involves using valid accounts to gain access to systems.
// T1556.004 - Modify Authentication Process: Network Device Authentication:
// This technique involves modifying the authentication process to gain unauthorized access.

// The specific detection of “attackerinTheMiddle” suggests a focus on T1557.002 - Adversary-in-the-Middle: Man-in-the-Middle attacks, where attackers intercept and manipulate communications between two parties.

Explanation

This KQL query is designed to detect a specific type of security threat known as "Attacker in the Middle" (AiTM) within Microsoft's Identity Protection system. Here's a simplified breakdown:

  1. Purpose: The query aims to identify high-precision security threats where a malicious actor attempts to misuse or replay a token to gain unauthorized access. This is part of a premium detection feature available with an Entra P2 license.

  2. Detection Method:

    • The query first identifies security alerts labeled as "Anomalous Token."
    • It extracts unique request IDs associated with these alerts.
    • It then checks for any user risk events that match these request IDs and are specifically categorized under the "attackerInTheMiddle" risk event type.
  3. Outcome: If such events are detected, they indicate a potential "Attacker in the Middle" scenario, where an attacker might be intercepting and manipulating communications between two parties.

  4. MITRE ATT&CK Techniques: The query is mapped to several MITRE ATT&CK techniques, which are methods used by attackers:

    • T1550.004: Using stolen web session cookies.
    • T1071.001: Using web protocols for command and control.
    • T1078: Using valid accounts to access systems.
    • T1556.004: Modifying authentication processes.
    • T1557.002: Specifically focuses on "Adversary-in-the-Middle" attacks, where attackers intercept communications.

In summary, this query is part of a sophisticated detection mechanism to identify and alert on potential man-in-the-middle attacks by analyzing anomalous token activities and correlating them with specific risk events.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

SecurityAlertAADUserRiskEvents

Keywords

SecurityAlertEntitiesRequestIdAADUserRiskEventsRiskEventTypeAnomalousTokenRequestIdAlertNameAnomalousTokenAADIdentityProtectionEntraMITREATTACKWebSessionCookieApplicationLayerProtocolProtocolsValidAccountsNetworkDeviceAuthenticationAdversary-in-the-MiddleMan-in-the-Middle

Operators

let==mv-expandtodynamic()projectextendtostring()distincthas_any

Actions

GitHub