Query Details

Entra Passkey Addition Threat Detection

Query

// Entra Passkey Addition Threat Detection
// https://www.linkedin.com/posts/activity-7184406157707390977-6N3C/

//Entra Passkey Addition Threat Detection KQL:

AuditLogs
| where ActivityDisplayName == "Add Passkey (device-bound) security key"
| where Result == "success"
| extend AccountUPN = TargetResources[0].userPrincipalName
| extend AAGUID = AdditionalDetails[1].value
| extend WebAuthnInfo = AdditionalDetails[0].value
| project TimeGenerated, AccountUPN, ActivityDisplayName, AAGUID, WebAuthnInfo

// MITRE ATT&CK Mapping

// Based on the operations and objectives of the KQL code, the following MITRE ATT&CK techniques are relevant:

// T1078 - Valid Accounts:
// Description: Adversaries may use valid accounts to maintain access to victim systems.
// Relevance: Adding a passkey could be part of an adversary’s attempt to maintain access using legitimate credentials.
// T1556.004 - Unsecured Credentials: Web Session Cookie:
// Description: Adversaries may steal or forge web session cookies to gain access to web applications.
// Relevance: The extraction of WebAuthn information could be related to securing or exploiting web session credentials.
// T1556 - Modify Authentication Process:
// Description: Adversaries may modify authentication mechanisms to bypass security controls.
// Relevance: Adding a new passkey could be an attempt to modify the authentication process.

Explanation

This KQL query is designed to detect potential security threats related to the addition of passkeys, specifically device-bound security keys, in an organization's system. Here's a simple breakdown of what the query does:

  1. Data Source: It looks at the AuditLogs to find specific activities.

  2. Activity Filter: It filters the logs to find entries where the activity is "Add Passkey (device-bound) security key" and the result of this activity was successful.

  3. Data Extraction: For each relevant log entry, it extracts:

    • The time the activity was recorded (TimeGenerated).
    • The user principal name of the account involved (AccountUPN).
    • The activity name (ActivityDisplayName).
    • The AAGUID, which is a unique identifier for the security key (AAGUID).
    • Additional WebAuthn information (WebAuthnInfo).
  4. Security Context: The query is linked to specific MITRE ATT&CK techniques, which are frameworks for understanding potential adversary behaviors:

    • T1078 - Valid Accounts: This technique involves using legitimate accounts to maintain access, which could be relevant if an adversary is adding passkeys to maintain access.
    • T1556.004 - Unsecured Credentials: Web Session Cookie: This involves stealing or forging session cookies, and the extraction of WebAuthn information might relate to this.
    • T1556 - Modify Authentication Process: This involves changing authentication methods to bypass security, which could be relevant if an adversary is adding new passkeys to alter the authentication process.

Overall, this query helps identify potentially suspicious activities related to the addition of passkeys, which could indicate attempts to maintain unauthorized access or modify authentication processes.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

AuditLogs

Keywords

AuditlogsActivitydisplaynameResultAccountupnTargetresourcesUserprincipalnameAdditionaldetailsValueTimegeneratedAaguidWebauthninfo

Operators

AuditLogswhere==extendproject

MITRE Techniques

Actions

GitHub