Identity Blast Radius
Query
//Identity Blast Radius KQL
//https://www.linkedin.com/feed/update/urn:li:activity:7174327431485431808/
//Assessing high risk identity account blast radius by using risk data from AADSignInEventsBeta and edge/nodes data from ExposureGraphEdges and ExposureGraphNodes to determine the list of assets that can be potentially impacted in the event of account compromised.
let HighRiskAccounts =
AADSignInEventsBeta
| where RiskLevelAggregated > 50
| distinct AccountDisplayName;
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| where SourceNodeName has_any (HighRiskAccounts)
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| summarize by SourceNodeName, TargetNodeName
// MITRE ATT&CK Mapping
// Based on the analysis, the KQL query can be associated with the following MITRE ATT&CK techniques:
// T1078 - Valid Accounts:
// The query identifies accounts that have a high risk level and can authenticate to other nodes, which aligns with the use of valid accounts for lateral movement or persistence1.
// T1071 - Application Layer Protocol:
// The query involves analyzing authentication events, which can be related to the use of application layer protocols for command and control2.
// T1087 - Account Discovery:
// The query discovers high-risk accounts and their authentication capabilities, which is related to account discovery techniques3.Explanation
This KQL query is designed to assess the potential impact, or "blast radius," of a compromised high-risk identity account within an organization. Here's a simplified breakdown of what the query does:
-
Identify High-Risk Accounts:
- The query first looks at authentication events from
AADSignInEventsBetato find accounts with a risk level greater than 50. These are considered high-risk accounts.
- The query first looks at authentication events from
-
Determine Potential Impact:
- It then uses data from
ExposureGraphEdgesandExposureGraphNodesto map out which assets (like computers or services) these high-risk accounts can authenticate to. This helps determine which parts of the network could be affected if these accounts were compromised.
- It then uses data from
-
Output:
- The result is a list of high-risk accounts and the assets they can potentially access, indicating the scope of potential damage.
-
Security Framework Mapping:
- The query is linked to specific MITRE ATT&CK techniques:
- T1078 - Valid Accounts: It identifies accounts that could be used for unauthorized access or lateral movement within the network.
- T1071 - Application Layer Protocol: It involves analyzing authentication events, which can relate to how attackers might use protocols for communication.
- T1087 - Account Discovery: It discovers which accounts are high-risk and what they can access, similar to how attackers might gather information about accounts.
- The query is linked to specific MITRE ATT&CK techniques:
Overall, this query helps security teams understand which high-risk accounts could pose a threat to their network and what assets might be at risk if those accounts are compromised.
