Query Details
// Hunting Rockstar 2FA: A Key Player in Phishing-as-a-Service (PaaS)
// Trustwave SpiderLabs highlights the rise of Phishing-as-a-Service (PaaS) platforms, focusing on the Rockstar 2FA phishing kit. This kit uses adversary-in-the-middle (AiTM) attacks to bypass MFA, targeting Microsoft 365 credentials. The blog (link provided in the comment section) provides insights into the attack flow and techniques used in the phishing campaign.
// I've crafted a Sentinel KQL query to check whether your Entra tenant is impacted by Rockstar 2FA.
// Step 1: collect IP addresses of sign-ins flagged with the nation-state IP risk event in the last 90 days
let NationStateIP = SigninLogs
    | where TimeGenerated > ago(90d)
    | where RiskEventTypes_V2 has "estsNationStateIP"
    | project IPAddress;
// Step 2: find UEBA activities from those IPs whose threat-intel insight references Storm-1575
BehaviorAnalytics
| where SourceIPAddress has_any (NationStateIP)
| where DevicesInsights.ThreatIntelIndicatorDescription has "Storm-1575"
| project TimeGenerated, UserPrincipalName, ActivityType, SourceIPAddress, SourceIPLocation, DevicesInsights.ThreatIntelIndicatorDescription
// MITRE ATT&CK
This query is designed to help identify whether your Microsoft Entra tenant has been impacted by the phishing campaign that uses the Rockstar 2FA phishing kit. Here's a breakdown of what the query does:
Identify nation-state IPs: It starts by looking at sign-in logs from the past 90 days and collects the IP addresses of sign-ins that Entra ID Protection flagged with the risk event type "estsNationStateIP".
Analyze behavior analytics: It then checks the BehaviorAnalytics (UEBA) data for activities that originated from any of those IP addresses.
Filter for the specific threat: Those activities are further filtered to the ones whose threat-intelligence indicator description mentions "Storm-1575", the Microsoft threat actor name tied to the phishing-kit infrastructure this campaign runs on.
Output relevant information: Finally, it projects the time of the activity, the user involved, the activity type, the source IP address and location, and the threat-intelligence description.
Overall, this query helps in detecting activity related to the Rockstar 2FA phishing kit by correlating sign-in risk data with behavior analytics for activities linked to known nation-state IP addresses and the Storm-1575 threat indicator. Note that the BehaviorAnalytics table is only populated when UEBA is enabled in the Sentinel workspace, and the 90-day lookback only covers what your SigninLogs retention keeps, so an empty result does not by itself prove the tenant is clean.
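To make the two-stage logic of the query concrete, here is an added Python stand-in that runs the same filters over constructed sample rows. It is example code written for this page, not part of the original query or of Sentinel. The sample SigninLogs and BehaviorAnalytics rows, the timestamps, the IP addresses and the user names are all made up; KQL's `has` is approximated as a case-insensitive whole-term match and `has_any` over the IP list as exact set membership, which is close enough to show which rows survive each stage and why.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical, not from any real tenant).
NOW = datetime(2024, 11, 29, tzinfo=timezone.utc)

SIGNIN_LOGS = [
    {"TimeGenerated": NOW - timedelta(days=3), "IPAddress": "203.0.113.10",
     "RiskEventTypes_V2": '["estsNationStateIP","unfamiliarFeatures"]'},
    {"TimeGenerated": NOW - timedelta(days=120), "IPAddress": "203.0.113.11",
     "RiskEventTypes_V2": '["estsNationStateIP"]'},            # flagged, but outside the 90d window
    {"TimeGenerated": NOW - timedelta(days=1), "IPAddress": "198.51.100.7",
     "RiskEventTypes_V2": '["unfamiliarFeatures"]'},           # risky, but not a nation-state IP
]

BEHAVIOR_ANALYTICS = [
    {"TimeGenerated": NOW - timedelta(days=2), "UserPrincipalName": "alice@contoso.example",
     "ActivityType": "LogOn", "SourceIPAddress": "203.0.113.10", "SourceIPLocation": "XX",
     "DevicesInsights": {"ThreatIntelIndicatorDescription": "Storm-1575 phishing infrastructure"}},
    {"TimeGenerated": NOW - timedelta(days=2), "UserPrincipalName": "bob@contoso.example",
     "ActivityType": "LogOn", "SourceIPAddress": "203.0.113.10", "SourceIPLocation": "XX",
     "DevicesInsights": {"ThreatIntelIndicatorDescription": "Tor exit node"}},  # TI does not name Storm-1575
    {"TimeGenerated": NOW - timedelta(days=5), "UserPrincipalName": "carol@contoso.example",
     "ActivityType": "LogOn", "SourceIPAddress": "203.0.113.11", "SourceIPLocation": "YY",
     "DevicesInsights": {"ThreatIntelIndicatorDescription": "Storm-1575 phishing infrastructure"}},  # IP flagged >90d ago
    {"TimeGenerated": NOW - timedelta(days=1), "UserPrincipalName": "dave@contoso.example",
     "ActivityType": "LogOn", "SourceIPAddress": "198.51.100.7", "SourceIPLocation": "ZZ",
     "DevicesInsights": {}},                                                      # no TI insight at all
]


def kql_has(text, term):
    """Approximation of KQL `has`: case-insensitive, and `term` must appear as a
    whole term bounded by non-alphanumerics or string ends, not as a bare substring."""
    if text is None:
        return False
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, str(text), re.IGNORECASE) is not None


def nation_state_ips(signin_logs, now, lookback_days=90, risk_type="estsNationStateIP"):
    """Stage 1: the `let NationStateIP = SigninLogs | where ... | project IPAddress` part."""
    cutoff = now - timedelta(days=lookback_days)
    return {row["IPAddress"] for row in signin_logs
            if row["TimeGenerated"] > cutoff and kql_has(row["RiskEventTypes_V2"], risk_type)}


def hunt(signin_logs, behavior_rows, now, actor="Storm-1575"):
    """Stage 2: BehaviorAnalytics rows from those IPs whose TI description names the actor.
    `has_any (NationStateIP)` is approximated as exact membership in the IP set."""
    ips = nation_state_ips(signin_logs, now)
    hits = []
    for row in behavior_rows:
        if row["SourceIPAddress"] not in ips:
            continue
        desc = row.get("DevicesInsights", {}).get("ThreatIntelIndicatorDescription")
        if not kql_has(desc, actor):
            continue
        hits.append({  # same columns as the query's final `project`
            "TimeGenerated": row["TimeGenerated"],
            "UserPrincipalName": row["UserPrincipalName"],
            "ActivityType": row["ActivityType"],
            "SourceIPAddress": row["SourceIPAddress"],
            "SourceIPLocation": row["SourceIPLocation"],
            "ThreatIntelIndicatorDescription": desc,
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SIGNIN_LOGS, BEHAVIOR_ANALYTICS, NOW):
        print(hit)
```

Run as-is, only alice's row survives: bob shares the flagged IP but his TI insight does not mention the actor, carol's IP was flagged outside the 90-day window, and dave's IP was never flagged as a nation-state IP. That mirrors the three ways a real AiTM session can fall out of the query, which is why the result should be read as "confirmed overlap with the tracked infrastructure", not as an exhaustive list of compromised sessions.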

Steven Lim
Released: November 29, 2024