Query Details

Detecting High Risk Passkey Users

Query

// Detecting High Risk Passkey Users
// https://www.linkedin.com/posts/activity-7193644152645959682-ylGM/

// As the use of passkeys becomes more popular due to their phishing-resistant advantages and their additional security through device biometrics, it’s important to recognize that there is still a risk of device compromise or potential compromise of the password manager storing the sync-able passkey. Consequently, security operations must actively monitor passkey users who are considered high risk and be prepared to revoke their passkeys when necessary or exclude them from the FIDO sign in policy.

// KQL for detecting High Risk Passkey Users: 

SigninLogs
| where RiskEventTypes_V2 != "[]"
| where RiskLevelAggregated == "high"
| where RiskLevelDuringSignIn == "high"
| where RiskState == "atRisk"
| where AuthenticationDetails contains "FIDO2 security key"

// MITRE ATT&CK Mapping

// Based on the operations and objectives of the KQL code, the following MITRE ATT&CK techniques are relevant:

// T1078 - Valid Accounts:
// This technique involves the use of valid accounts to gain access to systems. High-risk sign-ins with FIDO2 security keys could indicate an attempt to use compromised credentials.
// T1556 - Modify Authentication Process:
// This technique involves modifying the authentication process to bypass security controls. High-risk sign-ins with specific authentication methods like FIDO2 security keys could be part of an // attempt to manipulate the authentication process.
// T1071 - Application Layer Protocol:
// This technique involves the use of application layer protocols for command and control. High-risk sign-ins could be part of an adversary’s attempt to establish a foothold using legitimate protocols.

Explanation

This query is designed to identify users who are considered high-risk when using passkeys, specifically FIDO2 security keys, for authentication. Passkeys are gaining popularity due to their resistance to phishing and enhanced security through device biometrics. However, there is still a risk of device compromise or issues with the password manager storing these passkeys. Therefore, it's crucial for security operations to monitor these high-risk users and be ready to revoke their passkeys or exclude them from certain sign-in policies if necessary.

The query works by filtering sign-in logs to find instances where:

  • There are risk events associated with the sign-in.
  • The aggregated risk level is high.
  • The risk level during the sign-in is high.
  • The risk state is marked as "at risk."
  • The authentication method used includes a FIDO2 security key.

The query also maps to certain MITRE ATT&CK techniques, suggesting that:

  • High-risk sign-ins with FIDO2 keys might indicate the use of compromised credentials (T1078 - Valid Accounts).
  • There might be attempts to manipulate the authentication process (T1556 - Modify Authentication Process).
  • High-risk sign-ins could be part of an adversary's strategy to use legitimate protocols for malicious purposes (T1071 - Application Layer Protocol).

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

SigninLogs

Keywords

SigninLogsRiskEventTypesRiskLevelAggregatedRiskLevelDuringSignInRiskStateAuthenticationDetailsFIDO2SecurityKey

Operators

SigninLogs|where!===contains

MITRE Techniques

Actions

GitHub