Query Details
# *Detect device token stealing with WDAC*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1212 | Exploitation for Credential Access | https://attack.mitre.org/techniques/T1212/ |
| T1606.001 | Forge Web Credentials: Web Cookies | https://attack.mitre.org/techniques/T1606/001/ |
| T1528 | Steal Application Access Token | https://attack.mitre.org/techniques/T1528/ |
| T1539 | Steal Web Session Cookie | https://attack.mitre.org/techniques/T1539/ |

#### Description

This rule uses a WDAC audit policy to ingest events that Microsoft Defender for Endpoint does not record by itself. With those events available, we can detect PRT token stealing on a device when MicrosoftAccountTokenProvider.dll is exploited. For more detailed information on the WDAC audit policy, see the blog post listed in the references.

#### Risk

Exploitation of MicrosoftAccountTokenProvider.dll is something Defender for Endpoint does not detect by default. That is what makes this detection rule so important: it fills a significant blind spot.

#### Author

- **Name:** Robbe Van den Daele
- **GitHub:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References

- https://hybridbrothers.com/using-wdac-to-ingest-missing-mde-events/

## Defender XDR

```KQL
DeviceEvents
| where ActionType startswith "AppControl"
| where FileName =~ "MicrosoftAccountTokenProvider.dll"
| invoke FileProfile(InitiatingProcessSHA1, 1000)
| where GlobalPrevalence < 250
```

## Sentinel

```KQL
N/A
```
This query is designed to detect potential device token stealing by monitoring specific activities on a device. Here's a simple breakdown of what the query does:

- Context: The query is part of a security measure to detect unauthorized access attempts that exploit a specific file, MicrosoftAccountTokenProvider.dll, which is associated with credential access and token stealing techniques.
- Data Source: It uses data from DeviceEvents, which logs various actions and events occurring on devices.
- Filtering Criteria: ActionType starts with "AppControl", indicating application control (WDAC) events, and FileName matches MicrosoftAccountTokenProvider.dll.
- File Profiling: FileProfile enriches each remaining event using the SHA1 hash of the initiating process (InitiatingProcessSHA1), that is, the process which loaded the DLL, and the query keeps only events whose initiating process has a global prevalence below 250.
- Purpose: The main goal is to identify and alert on unusual or potentially malicious activity that involves the exploitation of MicrosoftAccountTokenProvider.dll, which could indicate attempts to steal device tokens or credentials.
- Importance: This detection is crucial because the default settings of Microsoft Defender for Endpoint might not catch these specific exploitation attempts, thus addressing a significant security blind spot.

Overall, the query helps security teams identify and respond to potential credential and token theft on devices by focusing on uncommon, potentially malicious processes that interact with a specific DLL.
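The pipeline above, emulated in Python over constructed DeviceEvents rows so each filter stage and the prevalence cut-off can be stepped through offline. This is an added example, not the author's query or Microsoft's FileProfile: the event rows, SHA1 values and prevalence table are constructed, and `file_profile()` is a dict lookup standing in for `invoke FileProfile`; it also models the case where FileProfile has no prevalence for the initiating process, which the query's strict `< 250` comparison silently drops.

```python
from typing import Optional

DLL = "MicrosoftAccountTokenProvider.dll"
THRESHOLD = 250

# Constructed DeviceEvents rows, limited to the columns the query touches.
EVENTS = [
    # WDAC audit event, DLL loaded by a rare binary -> should alert
    {"ActionType": "AppControlCodeIntegrityPolicyAudited", "FileName": DLL,
     "InitiatingProcessFileName": "loader.exe", "InitiatingProcessSHA1": "aaaa0001"},
    # Same DLL loaded by a ubiquitous browser; lower-case name still matches =~
    {"ActionType": "AppControlCodeIntegrityPolicyAudited", "FileName": DLL.lower(),
     "InitiatingProcessFileName": "msedge.exe", "InitiatingProcessSHA1": "bbbb0002"},
    # Not a WDAC event type -> dropped by the ActionType filter
    {"ActionType": "ImageLoaded", "FileName": DLL,
     "InitiatingProcessFileName": "loader.exe", "InitiatingProcessSHA1": "aaaa0001"},
    # WDAC event for an unrelated DLL -> dropped by the FileName filter
    {"ActionType": "AppControlCodeIntegrityPolicyAudited", "FileName": "other.dll",
     "InitiatingProcessFileName": "loader.exe", "InitiatingProcessSHA1": "aaaa0001"},
    # Initiating process FileProfile has never seen -> GlobalPrevalence is empty
    {"ActionType": "AppControlCodeIntegrityPolicyAudited", "FileName": DLL,
     "InitiatingProcessFileName": "dropper.exe", "InitiatingProcessSHA1": "cccc0003"},
]

# Constructed stand-in for FileProfile(): SHA1 -> GlobalPrevalence (missing = unknown file).
PREVALENCE = {"aaaa0001": 12, "bbbb0002": 950_000_000}


def file_profile(sha1: str) -> Optional[int]:
    """Stand-in for `invoke FileProfile(InitiatingProcessSHA1, 1000)`."""
    return PREVALENCE.get(sha1)


def detect(events, include_unknown: bool = False) -> list:
    """Run the query's four stages; return the initiating process names that alert.
    include_unknown=False mirrors `where GlobalPrevalence < 250` (an empty value never
    compares true in KQL); True is the `isnull(GlobalPrevalence) or ... < 250` variant."""
    hits = []
    for e in events:
        if not e["ActionType"].lower().startswith("appcontrol"):  # startswith is case-insensitive
            continue
        if e["FileName"].lower() != DLL.lower():                   # =~ is case-insensitive
            continue
        prevalence = file_profile(e["InitiatingProcessSHA1"])      # invoke FileProfile(...)
        if prevalence is None:
            if include_unknown:
                hits.append(e["InitiatingProcessFileName"])
        elif prevalence < THRESHOLD:                               # GlobalPrevalence < 250
            hits.append(e["InitiatingProcessFileName"])
    return hits
```

Run as written, `detect(EVENTS)` alerts only on `loader.exe`; `detect(EVENTS, include_unknown=True)` also surfaces `dropper.exe`, whose hash has no prevalence data at all.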

Robbe Van den Daele
Released: January 26, 2025