Query Details

Insider Threat Monitoring Exfiltrate Data Via Link To Windows App

Query

// Insider Threat Monitoring - Exfiltrate data via Link to Windows app
// https://www.linkedin.com/posts/activity-7222581799716016128-7Nww/

// Microsoft has simplified accessing Android phones from a PC on Windows 11. However, this convenience could potentially allow critical identities to exfiltrate data, as it lacks logging via browser or network access. By utilizing Defender XDR exposure management, the following KQL can detect the installation of the 'Link to Windows' app on endpoints associated with critical identities for DLP monitoring.

// Step 1: identity nodes in the exposure graph whose criticality level is below 4
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| distinct NodeName;
// Step 2: devices those identities can authenticate to
let CriticalDevices =
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
// isLocalAdmin is extracted here but is not used as a filter below
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
// Step 3: 'Link to Windows' app file created on any of those devices in the last 30 days
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where FileName contains "YourPhoneAppProxy"
| where DeviceName has_any (CriticalDevices)

Explanation

This KQL query is designed to monitor for potential insider threats by detecting the installation of the 'Link to Windows' app on devices associated with critical identities. Here's a simplified breakdown:

  1. Identify Critical Identities:

    • The query first selects identity nodes from the ExposureGraphNodes table whose criticality level is less than 4.
  2. Identify Devices Used by Critical Identities:

    • It then uses the ExposureGraphEdges table to find the devices these identities can authenticate to. It also extracts whether the identity has local admin rights on each device (the isLocalAdmin column), although that value is not used to filter the results.
  3. Monitor Device File Events:

    • Finally, it searches the DeviceFileEvents table for the past 30 days for FileCreated events where the file name contains 'YourPhoneAppProxy' (part of the 'Link to Windows' app) on any of those devices.

In essence, this query helps in detecting the installation of the 'Link to Windows' app on devices used by critical identities, which could be a potential data exfiltration risk.
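As an added example, not part of the original query or post, here is the same detection reworked so that each result names the critical identity, its criticality level and whether it holds local admin on the device, instead of discarding those columns. The short-hostname normalisation used for the join (it assumes the exposure graph and DeviceFileEvents carry the same host name, possibly with different domain suffixes) and the output column names are my assumptions.

```kql
// Added example: carry identity, criticality and local-admin status through to the result
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
    | extend CriticalityLevel = toint(NodeProperties.rawData.criticalityLevel.criticalityLevel)
    | where CriticalityLevel < 4
    | project IdentityName = NodeName, CriticalityLevel;
let CriticalDeviceMap =
    ExposureGraphEdges
    | where EdgeLabel == @"can authenticate to"
    | join kind=inner ExposureGraphNodes on $left.TargetNodeId == $right.NodeId
    | extend DName = tostring(NodeProperties.rawData.deviceName)
    | extend IsLocalAdmin = tobool(EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin)
    // exact match on the identity name (the original query used has_any)
    | join kind=inner CriticalIdentities on $left.SourceNodeName == $right.IdentityName
    // assumption: compare short host names, lower-cased, so domain suffixes do not break the join
    | extend HostKey = tolower(tostring(split(DName, ".")[0]))
    | project HostKey, IdentityName, CriticalityLevel, IsLocalAdmin;
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where FileName contains "YourPhoneAppProxy"
| extend HostKey = tolower(tostring(split(DeviceName, ".")[0]))
| join kind=inner CriticalDeviceMap on HostKey
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Paths = make_set(FolderPath, 10)
    by DeviceName, IdentityName, CriticalityLevel, IsLocalAdmin
// most critical identities first, local admins ahead of standard users
| order by CriticalityLevel asc, IsLocalAdmin desc
```

One row per device and critical identity makes it clear whose access is at stake, which is the detail an analyst needs when triaging the alert.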

Details


Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodes, ExposureGraphEdges, DeviceFileEvents

Keywords

Insider Threat Monitoring, Exfiltrate Data, Link to Windows App, Microsoft, Android Phones, PC, Windows, Defender XDR, Exposure Management, KQL, Installation, Endpoints, Critical Identities, DLP Monitoring, ExposureGraphNodes, Categories, Identity, NodeProperties, RawData, CriticalityLevel, NodeName, CriticalDevices, ExposureGraphEdges, EdgeLabel, Authenticate, DeviceName, LocalAdmin, SourceNodeName, DeviceFileEvents, Timestamp, ActionType, FileCreated, FileName, YourPhoneAppProxy

Operators

let, set_has_element, isnotnull, distinct, join, on, extend, tostring, has_any, ago, contains