Query Details
Hunting Malicious Copilot Agent
Query
// Hunting Malicious Copilot Agent
// The "Copilot Agent" was a highlight at the recent Microsoft Ignite event. This AI-powered assistant is designed to help with a variety of tasks, such as answering questions, providing information, assisting with productivity tasks, and engaging in meaningful conversations.
// Consider a scenario where a user account is compromised, and a threat actor uses this account to create a Copilot Agent on a highly sensitive SharePoint site that the compromised user has access to. The threat actor could then exfiltrate data by accessing the private link created by the Copilot Agent, slowly extracting information as needed by providing the relevant prompts.
// To address such threats, I have created a KQL detection using Sentinel Behaviour Analytics and Power Platform solutions to monitor any potential malicious Copilot Agent creation.
let HighRiskUsers =
BehaviorAnalytics
| where InvestigationPriority > 0
| where UsersInsights.BlastRadius == "High"
| where ActivityType == "LogOn"
| where ActionType == "ResourceAccess"
| distinct UserPrincipalName;
PowerPlatformAdminActivity
| where EventOriginalType in ("BotCreate", "BotComponentCreate", "BotUpdateOperation-BotPublish")
| where ActorName has_any(HighRiskUsers)
// MITRE ATT&CK
Explanation
This KQL query is designed to detect potentially malicious activities involving the creation or modification of a "Copilot Agent" on a SharePoint site, which could be used by a threat actor to exfiltrate data. Here's a simplified breakdown of the query:
-
Identify High-Risk Users:
- The query first identifies users who are considered high-risk based on certain criteria:
- They have a non-zero investigation priority.
- Their actions have a high "blast radius," meaning they could potentially impact a large number of resources or users.
- They have logged on and accessed resources.
- The query first identifies users who are considered high-risk based on certain criteria:
-
Monitor Copilot Agent Activities:
- The query then looks for specific activities related to the creation or updating of bots (which could include Copilot Agents) within the Power Platform:
- It checks for events where a bot is created, a bot component is created, or a bot is published.
- It filters these events to see if any of the actions were performed by the high-risk users identified earlier.
- The query then looks for specific activities related to the creation or updating of bots (which could include Copilot Agents) within the Power Platform:
By correlating high-risk user activities with bot-related events, this query aims to detect and alert on potentially unauthorized or malicious creation of Copilot Agents, which could be used for data exfiltration or other malicious purposes.
Details
Steven Lim
Released: November 23, 2024
Tables
BehaviorAnalyticsPowerPlatformAdminActivity
Keywords
CopilotAgentMicrosoftIgniteAIUserAccountThreatActorSharePointSiteDataSentinelBehaviourAnalyticsPowerPlatformUsersInsightsActivityTypeActionTypeUserPrincipalNamePowerPlatformAdminActivityEventOriginalTypeActorNameMITREATT&CK
Operators
let|wherein==distincthas_any