Query Details
// Detecting FIDO2 Passkey Abuse🔥 //

Max Rozendaal from Secura has penned an insightful blog titled “Abusing FIDO2 Passkeys to Take Over Global Administrators in Entra ID.” In this post, he delves into a critical attack vector, demonstrating how Microsoft’s Graph API for provisioning FIDO2 passkeys could be exploited to gain control over accounts with high-level privileges. (Blog link will be shared in the comments.)

To address this issue, I’ve developed a Sentinel Graph API KQL threat detection script inspired by Max’s findings. You can download the KQL code from my SlimKQL GitHub Repository, which is highlighted on my LinkedIn profile. Just search for “Detecting FIDO2 Passkey Abuse.”

```kql
// Roles whose holders are the interesting targets for passkey provisioning
let AbusedRoleMonitor = dynamic(["Privileged Role Administrator", "Global Administrator"]);
// Object IDs of users whose FIDO2 creation options were fetched successfully via Graph
let FIDOAccountObjID = MicrosoftGraphActivityLogs
| where RequestUri has "/authentication/fido2Methods/creationOptions"
| where RequestMethod == "GET" and ResponseStatusCode == 200
| parse RequestUri with "https://graph.microsoft.com/beta/users/" UserObjectID "/authentication/fido2Methods/creationOptions"
| distinct UserObjectID;
// Keep the latest IdentityInfo snapshot per account and alert only on monitored roles
IdentityInfo
| where AccountObjectId has_any(FIDOAccountObjID)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where AssignedRoles has_any(AbusedRoleMonitor)
// T1111: Multi-Factor Authentication Interception
```
This KQL query is designed to detect potential abuse of FIDO2 passkeys, specifically targeting accounts with high-level administrative roles in Microsoft Entra ID. Here's a simplified breakdown of what the query does:
Define Target Roles: It starts by specifying a list of sensitive roles that are of interest, such as "Privileged Role Administrator" and "Global Administrator."
Identify FIDO2 Passkey Activity: The query looks through Microsoft Graph API activity logs to find instances where FIDO2 passkey creation options were accessed. It filters for successful GET requests (indicated by a 200 response status) to the specific endpoint related to FIDO2 passkey creation.
Extract User IDs: From these logs, it extracts distinct user IDs (UserObjectID) that have accessed the FIDO2 passkey creation options.
Match with Identity Information: It then filters the IdentityInfo table down to the accounts whose object IDs appear in that list.
Summarize and Filter: The query keeps only the most recent IdentityInfo row per account (so current role assignments are used, not stale ones) and then retains only those accounts whose AssignedRoles include any of the monitored roles.
The purpose of this query is to identify and alert on potential misuse of FIDO2 passkeys that could lead to unauthorized access or control over high-privilege accounts, aligning with the attack technique T1111: Multi-Factor Authentication Interception.
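To make the correlation steps above testable offline, here is an added Python model of the same detection logic. It is not the page author's KQL, not part of the SlimKQL repository, and not Sentinel code; it re-implements the query's three steps over constructed sample records (the object IDs, UPNs and timestamps are placeholders). It goes slightly beyond the query's `parse` statement by accepting both `/beta/` and `/v1.0/` Graph paths and ignoring any trailing query string, and it includes the edge case the `arg_max` step exists for: an account whose older IdentityInfo snapshot carried Global Administrator but whose latest snapshot does not.

```python
"""Added example: Python model of the KQL FIDO2 passkey-abuse detection on this page.

Not the page author's code. Re-implements the query's logic:
  1. successful GET requests to .../authentication/fido2Methods/creationOptions
     in MicrosoftGraphActivityLogs yield the set of target user object IDs;
  2. IdentityInfo is reduced to its most recent row per account
     (the KQL `summarize arg_max(TimeGenerated, *) by AccountObjectId`);
  3. only accounts whose current AssignedRoles intersect the monitored roles are reported.
All records below are constructed sample data.
"""
import re
from datetime import datetime

ABUSED_ROLE_MONITOR = {"Privileged Role Administrator", "Global Administrator"}

# Assumption beyond the page's parse: accept beta or v1.0 paths and any query string.
CREATION_OPTIONS_RE = re.compile(
    r"^https://graph\.microsoft\.com/(?:beta|v1\.0)/users/([^/?]+)"
    r"/authentication/fido2Methods/creationOptions(?:\?.*)?$"
)

# Constructed MicrosoftGraphActivityLogs rows (placeholder object IDs).
GRAPH_LOGS = [
    {"RequestMethod": "GET", "ResponseStatusCode": 200,
     "RequestUri": "https://graph.microsoft.com/beta/users/00000000-0000-0000-0000-00000000000a/authentication/fido2Methods/creationOptions"},
    {"RequestMethod": "GET", "ResponseStatusCode": 200,
     "RequestUri": "https://graph.microsoft.com/v1.0/users/00000000-0000-0000-0000-00000000000b/authentication/fido2Methods/creationOptions?constructedParam=1"},
    {"RequestMethod": "GET", "ResponseStatusCode": 403,   # denied: not a successful fetch
     "RequestUri": "https://graph.microsoft.com/beta/users/00000000-0000-0000-0000-00000000000c/authentication/fido2Methods/creationOptions"},
    {"RequestMethod": "POST", "ResponseStatusCode": 201,  # different endpoint, different method
     "RequestUri": "https://graph.microsoft.com/beta/users/00000000-0000-0000-0000-00000000000d/authentication/fido2Methods"},
    {"RequestMethod": "GET", "ResponseStatusCode": 200,   # former admin, see IdentityInfo below
     "RequestUri": "https://graph.microsoft.com/beta/users/00000000-0000-0000-0000-00000000000e/authentication/fido2Methods/creationOptions"},
    {"RequestMethod": "GET", "ResponseStatusCode": 200,   # holds an unmonitored role
     "RequestUri": "https://graph.microsoft.com/beta/users/00000000-0000-0000-0000-00000000000f/authentication/fido2Methods/creationOptions"},
]

# Constructed IdentityInfo rows; account ...0e has two snapshots with a role removal in between.
IDENTITY_INFO = [
    {"TimeGenerated": datetime(2024, 11, 10, 8, 0), "AccountObjectId": "00000000-0000-0000-0000-00000000000a",
     "AccountUPN": "alice@example.com", "AssignedRoles": ["Global Administrator"]},
    {"TimeGenerated": datetime(2024, 11, 10, 8, 0), "AccountObjectId": "00000000-0000-0000-0000-00000000000b",
     "AccountUPN": "bob@example.com", "AssignedRoles": ["Privileged Role Administrator", "Security Reader"]},
    {"TimeGenerated": datetime(2024, 11, 10, 8, 0), "AccountObjectId": "00000000-0000-0000-0000-00000000000c",
     "AccountUPN": "carol@example.com", "AssignedRoles": ["Global Administrator"]},
    {"TimeGenerated": datetime(2024, 11, 9, 8, 0), "AccountObjectId": "00000000-0000-0000-0000-00000000000e",
     "AccountUPN": "erin@example.com", "AssignedRoles": ["Global Administrator"]},
    {"TimeGenerated": datetime(2024, 11, 11, 8, 0), "AccountObjectId": "00000000-0000-0000-0000-00000000000e",
     "AccountUPN": "erin@example.com", "AssignedRoles": []},
    {"TimeGenerated": datetime(2024, 11, 10, 8, 0), "AccountObjectId": "00000000-0000-0000-0000-00000000000f",
     "AccountUPN": "frank@example.com", "AssignedRoles": ["Helpdesk Administrator"]},
]


def fido_account_object_ids(graph_logs):
    """Step 1: object IDs of users whose passkey creation options were fetched with GET / 200."""
    ids = set()
    for row in graph_logs:
        if row["RequestMethod"] != "GET" or row["ResponseStatusCode"] != 200:
            continue
        match = CREATION_OPTIONS_RE.match(row["RequestUri"])
        if match:
            ids.add(match.group(1))
    return ids


def latest_identity_snapshot(identity_info):
    """Step 2: most recent IdentityInfo row per AccountObjectId (arg_max(TimeGenerated, *))."""
    latest = {}
    for row in identity_info:
        current = latest.get(row["AccountObjectId"])
        if current is None or row["TimeGenerated"] > current["TimeGenerated"]:
            latest[row["AccountObjectId"]] = row
    return latest


def detect_privileged_passkey_provisioning(graph_logs, identity_info, monitored_roles=ABUSED_ROLE_MONITOR):
    """Step 3: accounts in the target set whose current roles include a monitored role."""
    targets = fido_account_object_ids(graph_logs)
    hits = []
    for obj_id, row in latest_identity_snapshot(identity_info).items():
        matched = monitored_roles & set(row["AssignedRoles"])
        if obj_id in targets and matched:
            hits.append({"AccountObjectId": obj_id, "AccountUPN": row["AccountUPN"],
                         "MatchedRoles": sorted(matched)})
    return sorted(hits, key=lambda h: h["AccountObjectId"])


if __name__ == "__main__":
    for hit in detect_privileged_passkey_provisioning(GRAPH_LOGS, IDENTITY_INFO):
        print(hit)
```

Running the block reports only alice (Global Administrator, beta path) and bob (Privileged Role Administrator, v1.0 path with a query string). Carol's denied request, Dave's POST to a different endpoint, Erin's stale role assignment and Frank's unmonitored role are all excluded, which mirrors what each stage of the KQL query filters out.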

Steven Lim
Released: November 12, 2024