Query Details

Detect Vulnerable Device With Global Admin Browser Cookie Credential

Query

// Detect vulnerable device with Global Admin browser cookie credential
// https://www.linkedin.com/posts/0x534c_exposuremanagement-attackpaths-critical-activity-7227325225493803009-o5te/
// Thanks to Marko Lauren’s recent insights on how #ExposureManagement customers can identify #attackpaths that originate in non-cloud environments and target #critical cloud assets using Entra cloud credentials.

// Leveraging DefenderXDR Exposure Management, I developed a KQL query that replicates this attack path functionality. The following KQL checks all Critical Identities (in my use case, line 6 limits to GA accounts only; removing this line will include all critical identities) and identifies which devices have their Entra browser cookie credentials stored, then checks if these devices have any critical vulnerabilities.

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) 
and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| where NodeProperties has "Global Administrator" // Remove this line to include all Critical Identities
| distinct NodeName;
let VulnerableEndPointwithBCookie =
ExposureGraphEdges
| where EdgeLabel == @"has credentials of"
| where EdgeProperties has "BrowserCookies"
| where TargetNodeName has_any (CriticalIdentities)
// SourceNodeName = devices that hold a GA browser cookie credential
| distinct SourceNodeName;
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"
| where DeviceName has_any (VulnerableEndPointwithBCookie)

// Bridging the On-premises to Cloud Security Gap: Cloud Credentials Detection
// Link: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/bridging-the-on-premises-to-cloud-security-gap-cloud-credentials/ba-p/4211794

Explanation

This KQL query is designed to detect devices that are both vulnerable and have stored browser cookie credentials for Global Administrator (GA) accounts. Here’s a simplified breakdown of what the query does:

  1. Identify Critical Identities:

    • It searches for identities classified as "critical" in the ExposureGraphNodes table.
    • Specifically, it looks for identities with a criticality level less than 4.
    • It further filters these identities to include only those with the "Global Administrator" role.
  2. Find Vulnerable Devices with GA Browser Cookies:

    • It checks the ExposureGraphEdges table for edges labeled "has credentials of" and containing "BrowserCookies".
    • It identifies devices (source nodes) that have browser cookie credentials for any of the critical identities identified in the first step.
  3. Check for Critical Vulnerabilities:

    • It then looks into the DeviceTvmSoftwareVulnerabilities table to find devices with a "Critical" vulnerability severity level.
    • It filters these devices to include only those identified in the previous step as having GA browser cookie credentials.

In summary, the query identifies devices that store browser cookie credentials for Global Administrator accounts and checks if these devices have any critical vulnerabilities. This helps in bridging the security gap between on-premises and cloud environments by detecting potential attack paths involving critical cloud credentials.
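The query above returns the vulnerability rows for affected devices but does not show which Global Administrator identity's cookie is exposed on which device. The following variant is an added example, not part of the original post: it follows the same three steps but joins on the graph node IDs (exact match, rather than term matching on names) and summarizes one row per device and identity, so each attack path can be triaged directly. It assumes that device node names in ExposureGraphEdges correspond to DeviceName in DeviceTvmSoftwareVulnerabilities when compared case-insensitively.

```kql
// Added example: same attack path as the page's query, one row per (device, GA identity).
// Assumption: SourceNodeName of the device node matches DeviceName (case-insensitive).
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
        and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
    | where NodeProperties has "Global Administrator" // remove to include all critical identities
    | project IdentityNodeId = NodeId,
              IdentityName = NodeName,
              CriticalityLevel = toint(NodeProperties.rawData.criticalityLevel.criticalityLevel);
let DevicesWithGACookie =
    ExposureGraphEdges
    | where EdgeLabel == @"has credentials of"
    | where EdgeProperties has "BrowserCookies"
    // join on the node ID instead of has_any on names: exact match, no partial-name hits
    | join kind=inner CriticalIdentities on $left.TargetNodeId == $right.IdentityNodeId
    | project DeviceNodeName = tolower(SourceNodeName), IdentityName, CriticalityLevel;
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"
| extend DeviceNodeName = tolower(DeviceName)
| join kind=inner DevicesWithGACookie on DeviceNodeName
| summarize CriticalCves = make_set(CveId),
            CveCount = dcount(CveId),
            VulnerableSoftware = make_set(strcat(SoftwareName, " ", SoftwareVersion))
    by DeviceName, DeviceId, IdentityName, CriticalityLevel
| order by CveCount desc
```

Devices with many critical CVEs and a cookie for a high-criticality identity sort to the top, which is the order in which patching or cookie revocation (re-authentication of the GA account) should be prioritized.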

Details


Steven Lim

Released: August 8, 2024

Tables

ExposureGraphNodes, ExposureGraphEdges, DeviceTvmSoftwareVulnerabilities

Keywords

Devices, Intune, User

Operators

let, |, where, set_has_element, isnotnull, and, <, has, distinct, ==, has_any
