Query Details

Cobalt Strike HTTPS Beaconing Over Microsoft Graph API

Query

// Cobalt Strike HTTPS beaconing over Microsoft Graph API
// https://www.linkedin.com/posts/activity-7186027037558505472-3pMe/

// Interesting observation: if you have MDE or MDC enabled, running the below KQL query helps me to visualize some important elevated Graph traffic run by my privileged role admins. This is something worth monitoring for potential threats, e.g. looking at the InitiatingProcessFileName & InitiatingProcessCommandLine

DeviceNetworkEvents
| where RemoteUrl contains "graph.microsoft.com"
| where InitiatingProcessTokenElevation == @"TokenElevationTypeFull"

Explanation

This KQL query is designed to detect potentially suspicious network activity involving the Microsoft Graph API. Specifically, it looks for HTTPS traffic to the "graph.microsoft.com" domain that is initiated by processes with elevated privileges (full token elevation). This can help identify unusual or unauthorized actions performed by privileged role administrators, which could be indicative of a security threat like Cobalt Strike beaconing.

Here's a simple breakdown of what the query does:

  1. Data Source: It examines network events from devices (DeviceNetworkEvents).
  2. Filter by URL: It filters the events to only include those where the remote URL contains "graph.microsoft.com".
  3. Filter by Privilege Level: It further narrows down the results to events where the initiating process has full token elevation (InitiatingProcessTokenElevation == "TokenElevationTypeFull").

This query helps in monitoring and visualizing important network traffic initiated by privileged users, which is crucial for identifying potential threats.
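The page's filter on its own returns every elevated connection to Graph; to act on the author's suggestion of inspecting InitiatingProcessFileName and InitiatingProcessCommandLine, the following added KQL (not part of the original query) groups the same events per device, account and process, and adds a regularity hint, since beacon traffic tends to arrive at near-constant intervals. It goes beyond the page by computing the interval statistics and assumes the standard advanced hunting columns Timestamp, DeviceName, InitiatingProcessAccountName and InitiatingProcessId; the thresholds (7d lookback, at least 10 connections) are illustrative choices, not values from the page.

```kql
// Added example, not the original query: extends the page's two filters with
// per-process aggregation and an interval-regularity hint for beacon hunting.
// Assumes standard DeviceNetworkEvents columns (Timestamp, DeviceName,
// InitiatingProcessAccountName, InitiatingProcessId); thresholds are illustrative.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "graph.microsoft.com"
| where InitiatingProcessTokenElevation == @"TokenElevationTypeFull"
// order so prev() compares consecutive connections of the same process
| order by DeviceName asc, InitiatingProcessId asc, Timestamp asc
| extend PrevTs = prev(Timestamp),
         PrevPid = prev(InitiatingProcessId),
         PrevDevice = prev(DeviceName)
// seconds since the previous connection from the same process on the same device
| extend IntervalSec = iff(PrevPid == InitiatingProcessId and PrevDevice == DeviceName,
                           datetime_diff('second', Timestamp, PrevTs),
                           long(null))
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            MedianIntervalSec = percentile(IntervalSec, 50),
            IntervalStdDevSec = stdev(IntervalSec),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
  by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessId
// a low standard deviation with many connections suggests a fixed check-in cadence
| where Connections >= 10
| order by IntervalStdDevSec asc, Connections desc
```

Processes that legitimately poll Graph (management agents, Office clients) will also show regular intervals, so review CommandLines and the account before treating a row as beaconing.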

Details


Steven Lim

Released: August 2, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents
RemoteUrl
InitiatingProcessFileName
InitiatingProcessCommandLine
InitiatingProcessTokenElevation

Operators

contains
==
|
