Query Details

Azurekid Blackcat Security Module Activity

Query

id: bd110a3e-7ef8-41c8-a9c6-5fe0f5c13aea
name: AzureKid BlackCat Security Module Activity
version: 1.0.0
kind: NRT
description: |-
  This rule identifies HTTP requests made to the Microsoft Graph API where the 'UserAgent' string contains "BlackCat". This signature is associated with the AzureKid BlackCat PowerShell module, a security assessment and auditing tool designed to validate Microsoft Azure environment configurations and identify potential security risks.

  While this tool is used for legitimate security testing, its presence in unexpected contexts may indicate unauthorized reconnaissance, internal auditing without change control, or a threat actor using open-source tools to map the Azure environment.

  Reference: https://github.com/azurekid/blackcat
severity: Medium
tactics:
- Discovery
- Reconnaissance
relevantTechniques:
- T1087.004
- T1526
- T1082
- T1595
query: |-
  MicrosoftGraphActivityLogs
  | where UserAgent contains "BlackCat"
  | where UserId != "5b58f023-df41-4ddf-a0e6-ea9161f7606d"
customDetails:
  SessionId: SessionId
  UniqueTokenId: SignInActivityId
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: AppId
suppressionEnabled: true
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: SingleAlert

Explanation

This query is designed to detect specific HTTP requests made to the Microsoft Graph API that include the term "BlackCat" in the 'UserAgent' string. The presence of "BlackCat" suggests the use of the AzureKid BlackCat PowerShell module, which is a tool for security assessment and auditing of Microsoft Azure environments. While this tool is typically used for legitimate security testing, its unexpected presence could indicate unauthorized activities or potential threats.

Key points of the query:

  • Purpose: To identify potential unauthorized use of the AzureKid BlackCat module, which might be used for reconnaissance or internal auditing without proper authorization.
  • Severity: Medium, indicating a moderate level of concern.
  • Tactics and Techniques: The query is associated with tactics like Discovery and Reconnaissance, and techniques such as T1087.004 (Account Discovery), T1526 (Cloud Service Discovery), T1082 (System Information Discovery), and T1595 (Active Scanning).
  • Filtering: It excludes activities from a specific user ID ("5b58f023-df41-4ddf-a0e6-ea9161f7606d"), likely a known and authorized user.
  • Entity Mappings: It maps IP addresses and cloud applications to specific fields for further analysis.
  • Suppression: Alerts are suppressed for 5 hours to avoid repeated notifications for the same activity.
  • Incident Management: When the rule fires, an incident is created and all matching events are aggregated into a single alert for easier management.

Overall, this query helps security teams monitor and respond to potential misuse of security tools within their Azure environment.
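To make the two predicates of the query concrete, the following is an added Python reference implementation of the rule's matching logic (not code from the page or from the BlackCat project); the row layout, sample values and alert structure are constructed assumptions, and KQL's contains is modelled as a case-insensitive substring test, which is how KQL defines that operator.

```python
# Added reference implementation of the rule's matching logic; record shape and
# sample values are constructed assumptions, not real Graph activity data.

# Allowlisted principal from the rule's `where UserId != ...` clause.
EXCLUDED_USER_ID = "5b58f023-df41-4ddf-a0e6-ea9161f7606d"

# Constructed MicrosoftGraphActivityLogs-style rows (only the columns the rule uses).
SAMPLE_LOGS = [
    {"UserId": EXCLUDED_USER_ID, "UserAgent": "BlackCat/0.1 PowerShell/7.4",
     "IPAddress": "203.0.113.10", "AppId": "app-a", "SessionId": "s1", "SignInActivityId": "t1"},
    {"UserId": "user-2", "UserAgent": "BlackCat/0.1 PowerShell/7.4",
     "IPAddress": "203.0.113.11", "AppId": "app-a", "SessionId": "s2", "SignInActivityId": "t2"},
    {"UserId": "user-3", "UserAgent": "blackcat probe",  # KQL contains is case-insensitive
     "IPAddress": "198.51.100.7", "AppId": "app-b", "SessionId": "s3", "SignInActivityId": "t3"},
    {"UserId": "user-4", "UserAgent": "Mozilla/5.0 (Windows NT 10.0)",
     "IPAddress": "198.51.100.8", "AppId": "app-a", "SessionId": "s4", "SignInActivityId": "t4"},
    {"UserId": "user-5", "UserAgent": None,  # empty/null UserAgent must not match or crash
     "IPAddress": "198.51.100.9", "AppId": "app-c", "SessionId": "s5", "SignInActivityId": "t5"},
]


def matches_rule(row):
    """`UserAgent contains "BlackCat"` (case-insensitive) and UserId not allowlisted."""
    user_agent = row.get("UserAgent") or ""
    return "blackcat" in user_agent.lower() and row.get("UserId") != EXCLUDED_USER_ID


def run_rule(rows):
    """Project each matching row onto the rule's entityMappings and customDetails."""
    return [
        {
            "entities": {"IP": row.get("IPAddress"), "CloudApplication": row.get("AppId")},
            "customDetails": {"SessionId": row.get("SessionId"),
                              "UniqueTokenId": row.get("SignInActivityId")},
        }
        for row in rows if matches_rule(row)
    ]


def single_alert(rows):
    """aggregationKind: SingleAlert -> one alert carrying every matched event, or None."""
    events = run_rule(rows)
    if not events:
        return None
    return {"name": "AzureKid BlackCat Security Module Activity", "severity": "Medium",
            "eventCount": len(events), "events": events}


if __name__ == "__main__":
    print(single_alert(SAMPLE_LOGS))
```

Running it shows the allowlisted user and the null user agent dropping out while the lowercase variant still matches, which is worth remembering when reviewing hits from this rule.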

Details


Fabian Bader

Released: February 5, 2026

Tables

MicrosoftGraphActivityLogs

Keywords

Microsoft Graph API
UserAgent
Azure Environment
Security
IP
Cloud Application

Operators

contains
!=
