Detect Privilege Admin Under Ai TM Attack
Query
// Detect Privilege Admin under AiTM attack
// https://www.linkedin.com/posts/0x534c_sentinel-privilegeadmin-aitm-activity-7227603649688952832--1Id/
//Sentinel rule trigger => Run Playbook "Disable User Account"
//A simple and effective offline detection and mitigation strategy.
let PrivilegeAdmin =
IdentityInfo
| where AssignedRoles != "[]" and isnotnull(AssignedRoles)
| distinct AccountUPN;
AADUserRiskEvents
| where RiskEventType == "attackerinTheMiddle"
| where UserPrincipalName has_any(PrivilegeAdmin)
// #Sentinel #PrivilegeAdmin #AiTM #IdentityProtection #Entra #PremiumDetection
// MITRE ATT&CK Mapping
// Based on the operations and objectives of the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1557 - Man-in-the-Middle:
// The RiskEventType == "attackerinTheMiddle" directly maps to the MITRE ATT&CK technique T1557, which involves adversaries positioning themselves between two or more networked devices to intercept or alter communications.
// T1078 - Valid Accounts:
// The query focuses on privileged accounts (PrivilegeAdmin), which aligns with T1078. Adversaries may use valid accounts to maintain access to systems and networks.Explanation
This query is designed to detect potential "Attacker-in-the-Middle" (AiTM) attacks targeting privileged admin accounts. Here's a simple breakdown:
-
Identify Privileged Admin Accounts:
- The query first looks at the
IdentityInfotable to find user accounts that have been assigned roles, specifically focusing on those with non-empty role assignments. It collects a list of unique user principal names (UPNs) for these privileged accounts.
- The query first looks at the
-
Detect AiTM Attacks:
- It then checks the
AADUserRiskEventstable for any risk events where the type is "attackerinTheMiddle". This indicates a potential man-in-the-middle attack. - The query filters these events to see if any involve the previously identified privileged admin accounts.
- It then checks the
-
Actionable Response:
- If such an event is detected, a playbook is triggered to disable the affected user account, providing a quick response to mitigate the threat.
-
Relevance to Security Frameworks:
- The query aligns with specific MITRE ATT&CK techniques:
- T1557 - Man-in-the-Middle: The detection of AiTM attacks directly relates to this technique.
- T1078 - Valid Accounts: The focus on privileged accounts corresponds to the use of valid accounts by adversaries to maintain access.
- The query aligns with specific MITRE ATT&CK techniques:
In summary, this query is part of a security strategy to detect and respond to AiTM attacks on privileged accounts, leveraging Azure Sentinel and aligning with established security frameworks.
