Cobalt Strike HTTPS Beaconing Over Microsoft Graph API
Query
// Cobalt Strike HTTPS beaconing over Microsoft Graph API
// https://www.linkedin.com/posts/activity-7186027037558505472-3pMe/
// Interesting observation if you have MDE or MDC enabled, running the below KQL query help me to visualize some important graph elevated traffics run by my privilege role admins. This is something worth monitoring for potential threat, e.g looking at the InitiatingProcessFileName & InitiatingProcessCommandLine
DeviceNetworkEvents
| where RemoteUrl contains "graph.microsoft.com"
| where InitiatingProcessTokenElevation == @"TokenElevationTypeFull"
// MITRE ATT&CK Mapping
// Based on the criteria in the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1071.001 - Application Layer Protocol: Web Protocols:
// The query filters for network events involving “graph.microsoft.com”, which is a web service. This aligns with the use of web protocols for communication1.
// T1078 - Valid Accounts:
// The filter for InitiatingProcessTokenElevation == @"TokenElevationTypeFull" suggests the use of elevated privileges. This can be associated with the use of valid accounts with higher privileges2.
// T1078.003 - Valid Accounts: Local Accounts:
// If the elevated token is associated with a local account, this technique is relevant2. These mappings help in identifying and categorizing the detected activities within the MITRE ATT&CK framework, aiding in better understanding and response to potential threats.Explanation
This KQL query is designed to monitor network activities related to potential security threats, specifically focusing on Cobalt Strike HTTPS beaconing over the Microsoft Graph API. Here's a simplified explanation:
-
Purpose: The query aims to identify and visualize network events where privileged role administrators might be using elevated privileges to interact with the Microsoft Graph API. This is important for detecting potential threats or unusual activities.
-
How it Works:
- The query looks at network events (
DeviceNetworkEvents) where the remote URL contains "graph.microsoft.com". This indicates communication with the Microsoft Graph API. - It further filters these events to only include those where the process initiating the network event has full token elevation (
InitiatingProcessTokenElevation == "TokenElevationTypeFull"). This means the process is running with elevated privileges, which could be a sign of a potential threat if misused.
- The query looks at network events (
-
Security Context:
- The query is mapped to specific MITRE ATT&CK techniques:
- T1071.001: This technique involves using web protocols for communication, which is relevant because the query filters for activities involving a web service (Microsoft Graph API).
- T1078: This technique involves the use of valid accounts, particularly those with elevated privileges, which is relevant because the query focuses on elevated token usage.
- T1078.003: This technique involves the use of local accounts with elevated privileges, which could be relevant if the elevated token is associated with a local account.
- The query is mapped to specific MITRE ATT&CK techniques:
Overall, this query helps security teams monitor for suspicious activities involving elevated privileges and interactions with the Microsoft Graph API, aiding in the detection and response to potential security threats.
