Query Details
With the rise in phishing campaigns 📈, threat actors are stealing tokens from phished users and using them to deploy malicious OAuth applications on compromised cloud tenants. These applications are then used to control Exchange Online settings and spread spam. Can you swiftly detect and lock down the compromised user and OAuth app? The following KQL query leverages Sentinel UEBA identity risk information (the IdentityInfo table) and CloudAppEvents to surface OAuth app role grants performed by high-risk users.

// 'Tis the season – Hunting Season!😂 //
// Thresholds for the UEBA user entity (the user's risk level and blast radius, not the app's); tune as needed.
let OauthRiskLevel = dynamic(["High", "Medium"]);
let OauthBlastRadius = dynamic(["High", "Medium"]);
// Users that UEBA marks AtRisk with a High/Medium risk level and blast radius.
let RiskUsers = IdentityInfo
    | where RiskLevel has_any (OauthRiskLevel)
    | where BlastRadius has_any (OauthBlastRadius)
    | where RiskState == "AtRisk"
    | summarize arg_max(TimeGenerated, *) by AccountUPN   // latest matching record per user
    | distinct AccountUPN;
// Entra ID audit action logged when a user is granted an app role / consents to an application.
CloudAppEvents
| where ActionType == @"Add app role assignment grant to user."
| extend OauthApp = tostring(parse_json(RawEventData)["Target"][3]["ID"])   // application identifier from the Target array
| extend UPN = tostring(parse_json(RawEventData)["UserId"])                 // user who performed the grant
| where UPN has_any (RiskUsers)
// MITRE ATT&CK
This KQL query identifies OAuth application grants performed by high-risk users in a cloud tenant, so that both the user and the application can be investigated and contained. Here's a simplified breakdown:
Define Risk Levels: The query begins by defining two lists, "High" and "Medium", as the accepted values for the user's UEBA risk level and blast radius. Despite the Oauth prefix, both variables describe the user, not the application.
Identify High-Risk Users: It searches the IdentityInfo table (populated by Sentinel UEBA) for users whose RiskLevel and BlastRadius fall in those lists and whose RiskState is "AtRisk". It keeps the most recent matching record per user and reduces the result to a distinct list of account UPNs (AccountUPN).
Detect OAuth Activity: It then searches CloudAppEvents for the Entra ID audit action "Add app role assignment grant to user.", which is logged when a user is granted an application role or consents to an application. From the event's RawEventData it extracts the application identifier (the fourth entry, index 3, of the Target array) and the UPN of the user who performed the grant.
Filter for High-Risk Users: Finally, it keeps only the grants whose user appears in the high-risk list.
The goal of this query is to quickly detect compromised users granting access to attacker-controlled OAuth applications, by correlating Sentinel User and Entity Behavior Analytics (UEBA) identity risk with cloud application event data. Two practical notes: verify the Target index against a sample event in your tenant before relying on it, and treat the query as detection only; locking the user and app down (blocking sign-in, revoking sessions, removing the grant and disabling the service principal) is a separate containment step.
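Containment for a hit from the query above, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK to block the user's sign-in, revoke their refresh tokens, remove their app role assignments to the flagged application, remove OAuth2 permission grants where that application is the client, and disable the service principal. The -Upn and -OauthApp inputs correspond to the query's UPN and OauthApp columns; the script assumes OauthApp holds the service principal's object id and falls back to treating it as an appId (an assumption, check against your own events). The script name and the -DryRun switch are this example's own.

```powershell
# Added example: contain a user/app pair flagged by the hunting query.
# Requires the Microsoft.Graph PowerShell SDK and an operator holding the listed scopes.
param(
    [Parameter(Mandatory)] [string] $Upn,       # the query's UPN column
    [Parameter(Mandatory)] [string] $OauthApp,  # the query's OauthApp column
    [switch] $DryRun                            # report what would change, change nothing
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All" | Out-Null

# 1. Resolve the flagged application. Assumption: OauthApp is the service principal
#    object id; if that lookup fails, try it as an appId.
$sp = Get-MgServicePrincipal -ServicePrincipalId $OauthApp -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$OauthApp'" -ErrorAction SilentlyContinue
}
if (-not $sp) { throw "No service principal found for '$OauthApp'" }
Write-Host "Flagged app: $($sp.DisplayName) (spId=$($sp.Id), appId=$($sp.AppId))"

# 2. Stop the user: block sign-in, then revoke refresh tokens so a stolen token
#    can no longer be redeemed for new access tokens.
$user = Get-MgUser -UserId $Upn
if ($DryRun) { Write-Host "Would disable $Upn and revoke its sessions" }
else {
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}

# 3. Remove the user's app role assignments to the flagged app (the grant the
#    query detected); assignments to other apps are left untouched.
Get-MgUserAppRoleAssignment -UserId $user.Id -All |
    Where-Object { $_.ResourceId -eq $sp.Id } |
    ForEach-Object {
        if ($DryRun) { Write-Host "Would remove app role assignment $($_.Id)" }
        else { Remove-MgUserAppRoleAssignment -UserId $user.Id -AppRoleAssignmentId $_.Id }
    }

# 4. Remove delegated OAuth2 permission grants where this app is the client:
#    the user's own consent and any tenant-wide (AllPrincipals) consent.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' -or $_.PrincipalId -eq $user.Id } |
    ForEach-Object {
        if ($DryRun) { Write-Host "Would remove grant $($_.Id) scope='$($_.Scope)'" }
        else { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
    }

# 5. Disable the service principal so no new tokens are issued to it. Access tokens
#    already issued stay valid until they expire, which is why step 2 revokes sessions.
if ($DryRun) { Write-Host "Would disable service principal $($sp.Id)" }
else { Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false }
```

Run it once with -DryRun to confirm the resolved application and the grants it would remove match what the query surfaced, then re-run without the switch. Disabling the service principal before investigating it is deliberate: a malicious app can keep a foothold through the refresh tokens it already holds, so cutting off new token issuance comes before any clean-up of the app registration itself.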

Steven Lim
Released: December 5, 2024