Azurekid Blackcat Security Module Activity
Query
MicrosoftGraphActivityLogs
| where UserAgent contains "BlackCat"
| where UserId != "5b58f023-df41-4ddf-a0e6-ea9161f7606d"Explanation
This query is designed to detect specific HTTP requests made to the Microsoft Graph API that include the term "BlackCat" in the 'UserAgent' string. The presence of "BlackCat" suggests the use of the AzureKid BlackCat PowerShell module, which is a tool for security assessment and auditing of Microsoft Azure environments. While this tool is typically used for legitimate security testing, its unexpected presence could indicate unauthorized activities or potential threats.
Key points of the query:
- Purpose: To identify potential unauthorized use of the AzureKid BlackCat module, which might be used for reconnaissance or internal auditing without proper authorization.
- Severity: Medium, indicating a moderate level of concern.
- Tactics and Techniques: The query is associated with tactics like Discovery and Reconnaissance, and techniques such as T1087.004 (Account Discovery), T1526 (Cloud Service Discovery), T1082 (System Information Discovery), and T1595 (Active Scanning).
- Filtering: It excludes activities from a specific user ID ("5b58f023-df41-4ddf-a0e6-ea9161f7606d"), likely a known and authorized user.
- Entity Mappings: It maps IP addresses and cloud applications to specific fields for further analysis.
- Suppression: Alerts are suppressed for 5 hours to avoid repeated notifications for the same activity.
- Incident Management: If an incident is detected, it will create an alert and group related events into a single alert for easier management.
Overall, this query helps security teams monitor and respond to potential misuse of security tools within their Azure environment.
