Detect Copilot Exfiltration Arises From Ai TM Token Theft
Query
// Detect Copilot Exfiltration arises from AiTM Token Theft
// https://www.linkedin.com/posts/activity-7217887769744793601-JUeb/
// Identify token theft through AiTM phishing attacks, where stolen tokens are exploited for Copilot activities involving data summarization and extraction from a "non-malicious" IP. Leverage Sentinel Behavior Analytics to detect initial logins from new ISP with investigation score set (potentially threat actors) and correlate this IP data with Copilot activities from CloudAppEvents. This KQL is primarily targeted at threat actors using clean IP to perform Copilot exfiltration.
let FirstTimeUserConnectedISPIP =
BehaviorAnalytics
| where TimeGenerated > ago(7d)
// Behaviour Analytics detecting user first time connected to a new ISP
| where tostring(ActivityInsights.FirstTimeUserConnectedViaISP) == "True"
| where ActivityType == "LogOn"
| where SourceDevice == "" // Non-corporate endpoint
| where InvestigationPriority > 0 // Suspicious Session
| project SourceIPAddress;
CloudAppEvents
| where ActionType == "CopilotInteraction"
// Correlating copilot activities from the new ISP IP
| where IPAddress has_any(FirstTimeUserConnectedISPIP)
// MITRE ATT&CK Mapping
// Initial Access:
// Technique T1078 - Valid Accounts: The detection of a new ISP connection and logon activity could indicate the use of valid accounts from an unusual location.
// Persistence:
// Technique T1078 - Valid Accounts: Repeated logon activities from a new ISP might suggest persistence using valid credentials.
// Defense Evasion:
// Technique T1078 - Valid Accounts: Using a non-corporate endpoint and a new ISP can be a method to evade detection.
// Credential Access:
// Technique T1078 - Valid Accounts: Suspicious logon activities might indicate attempts to access credentials.
// Command and Control:
// Technique T1071 - Application Layer Protocol: Correlating Copilot interactions from the new ISP IP could indicate command and control activities using legitimate services.Explanation
This query is designed to detect potential security threats related to token theft through phishing attacks, specifically focusing on activities involving Microsoft's Copilot. Here's a simplified breakdown:
-
Objective: The query aims to identify suspicious activities where stolen tokens are used to interact with Copilot, potentially for unauthorized data access or extraction.
-
Detection Method:
- It uses Microsoft Sentinel's Behavior Analytics to find instances where a user connects to a new Internet Service Provider (ISP) for the first time in the past week.
- It filters for logins from non-corporate devices that have a high investigation priority, indicating they might be suspicious.
- It captures the IP addresses associated with these activities.
-
Correlation:
- The query then checks for any Copilot interactions (like data summarization or extraction) that occur from these newly identified IP addresses.
- This helps in identifying if the suspicious IPs are being used for potentially malicious Copilot activities.
-
Security Framework Mapping:
- The query aligns with the MITRE ATT&CK framework, mapping detected activities to various techniques such as:
- Initial Access: Using valid accounts from unusual locations.
- Persistence: Repeated logins from new ISPs suggesting ongoing unauthorized access.
- Defense Evasion: Using non-corporate devices and new ISPs to avoid detection.
- Credential Access: Suspicious logins indicating attempts to access credentials.
- Command and Control: Using legitimate services for potentially malicious communication.
- The query aligns with the MITRE ATT&CK framework, mapping detected activities to various techniques such as:
In essence, this query helps identify and investigate potential threats where attackers use clean IP addresses to perform unauthorized activities with Copilot, leveraging stolen tokens from phishing attacks.
