Detect device token stealing with WDAC
Detect Token Stealing With Wdac
Query
DeviceEvents
| where ActionType startswith "AppControl"
| where FileName =~ "MicrosoftAccountTokenProvider.dll"
| invoke FileProfile(InitiatingProcessSHA1, 1000)
| where GlobalPrevalence < 250About this query
Explanation
This query is designed to detect potential security threats related to device token stealing by monitoring specific activities on a device. Here's a simple breakdown of what the query does:
-
Context: The query is part of a security measure to detect unauthorized access attempts by exploiting a specific file,
MicrosoftAccountTokenProvider.dll, which is associated with credential access and token stealing techniques. -
Data Source: It uses data from
DeviceEvents, which logs various actions and events occurring on devices. -
Filtering Criteria:
- It looks for events where the
ActionTypestarts with "AppControl", indicating application control-related activities. - It specifically targets events involving the file
MicrosoftAccountTokenProvider.dll.
- It looks for events where the
-
File Profiling:
- The query uses a function
FileProfileto analyze the file based on its SHA1 hash (InitiatingProcessSHA1) and checks its prevalence globally. - It filters results to include only those instances where the file's global prevalence is less than 250, suggesting that the file is not commonly seen and might be suspicious.
- The query uses a function
-
Purpose: The main goal is to identify and alert on unusual or potentially malicious activities that involve the exploitation of
MicrosoftAccountTokenProvider.dll, which could indicate attempts to steal device tokens or credentials. -
Importance: This detection is crucial because the default settings of Microsoft Defender for Endpoint might not catch these specific exploitation attempts, thus addressing a significant security blind spot.
Overall, the query helps security teams identify and respond to potential threats related to credential and token theft on devices by focusing on uncommon and potentially malicious activities involving a specific DLL file.
