
# *Detect entra token request via specific BOF (IOC based)*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1651 | Cloud Administration Command | https://attack.mitre.org/techniques/T1651/ |
| T1606 | Forge Web Credentials | https://attack.mitre.org/techniques/T1606/ |

#### Description
This might be one of the silliest detections I have created. But since there is a Beacon Object File out there that can be used to request Entra ID access tokens directly from an active beacon on a device, and it does so with a hard-coded User-Agent, we can easily detect this BOF by flagging that distinctive user agent and / or the scope identifier it requests.

#### Risk
Detects token requests made via a specific BOF.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://github.com/trustedsec/CS-Remote-OPs-BOF/blob/12850f1d9306ccdec21f2b4e9dd16f78b0b949a9/src/Remote/get_azure_token/entry.c#L260

## Sentinel
```kql
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(5m)
| where UserAgent contains "ur mum"
| where ResourceIdentity == "797f4846-ba00-4fd7-ba43-dac1f8f63013"
```

Explanation

This query detects Entra ID token requests that carry the indicators of the BOF referenced above. Here's a simple breakdown of what it does:

  1. Data Source: The query looks at logs from Azure Active Directory (AAD) that track non-interactive user sign-ins. These logs record instances where a user or application signs in without direct user interaction, often used by automated processes or scripts.

  2. Time Frame: It focuses on events that have occurred in the last 5 minutes. This helps in identifying recent or ongoing suspicious activities.

  3. User Agent Check: The query filters for sign-in attempts where the "UserAgent" field contains the phrase "ur mum". This is an unusual and humorous string that is likely used by a specific malicious tool or script to identify itself.

  4. Resource Identity Check: It further filters the results to only include attempts targeting a specific resource identity, identified by the GUID "797f4846-ba00-4fd7-ba43-dac1f8f63013". This GUID is associated with a particular application or service in Azure.

Overall, the query is designed to detect attempts to request access tokens from Azure Active Directory using a known malicious tool that uses a distinctive user agent string. This helps in identifying potential unauthorized access attempts or security breaches.
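To make the matching semantics concrete, here is a pure-Python rendition of the query above run over constructed AADNonInteractiveUserSignInLogs rows (an added example, not the author's query or Microsoft code). It mirrors how KQL evaluates the predicates: `contains` is case-insensitive, `==` on strings is case-sensitive, and `ago(5m)` is relative to query time; the rows, UPNs and the placeholder GUID are made up.

```python
from datetime import datetime, timedelta

# IOCs taken from the KQL query on this page
IOC_USER_AGENT_FRAGMENT = "ur mum"
IOC_RESOURCE_IDENTITY = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
LOOKBACK = timedelta(minutes=5)

# Constructed sample rows (not real tenant data); only the columns the
# query touches plus a UPN for readability are modelled.
SAMPLE_LOGS = [
    {"TimeGenerated": "2025-05-06T10:00:30Z", "UserAgent": "python-requests/2.31",
     "ResourceIdentity": IOC_RESOURCE_IDENTITY, "UserPrincipalName": "svc-a@example.test"},
    # upper-case UA still matches because KQL `contains` ignores case
    {"TimeGenerated": "2025-05-06T10:01:00Z", "UserAgent": "UR MUM",
     "ResourceIdentity": IOC_RESOURCE_IDENTITY, "UserPrincipalName": "bob@example.test"},
    # outside the 5-minute window
    {"TimeGenerated": "2025-05-06T09:40:00Z", "UserAgent": "ur mum",
     "ResourceIdentity": IOC_RESOURCE_IDENTITY, "UserPrincipalName": "old@example.test"},
    # right UA, but a different (placeholder) resource identity
    {"TimeGenerated": "2025-05-06T10:02:00Z", "UserAgent": "ur mum",
     "ResourceIdentity": "11111111-2222-3333-4444-555555555555",
     "UserPrincipalName": "other@example.test"},
]


def parse_time(ts: str) -> datetime:
    """Sentinel exports TimeGenerated as ISO-8601 UTC with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_bof_token_requests(rows, now: datetime):
    """Return the rows that satisfy all three predicates of the KQL query."""
    cutoff = now - LOOKBACK
    hits = []
    for row in rows:
        if parse_time(row["TimeGenerated"]) <= cutoff:            # TimeGenerated > ago(5m)
            continue
        if IOC_USER_AGENT_FRAGMENT not in row["UserAgent"].lower():  # UserAgent contains "ur mum"
            continue
        if row["ResourceIdentity"] != IOC_RESOURCE_IDENTITY:      # ResourceIdentity == <GUID>
            continue
        hits.append(row)
    return hits


if __name__ == "__main__":
    query_time = parse_time("2025-05-06T10:03:00Z")
    for hit in detect_bof_token_requests(SAMPLE_LOGS, query_time):
        print(f"ALERT {hit['TimeGenerated']} {hit['UserPrincipalName']} UA={hit['UserAgent']!r}")
```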

Details

Author: Robbe Van den Daele

Released: May 6, 2025

Tables: AADNonInteractiveUserSignInLogs

Keywords: AADNonInteractiveUserSignInLogs, TimeGenerated, UserAgent, ResourceIdentity

Operators: |, where, contains, ==, >, ago
