Query Details

Insider Threat Monitoring Exfiltrate Data Via Link To Windows App

Query

// Insider Threat Monitoring - Exfiltrate data via Link to Windows app
// https://www.linkedin.com/posts/activity-7222581799716016128-7Nww/

// Microsoft has simplified accessing Android phones from a PC on Windows 11. However, this convenience could potentially allow critical identities to exfiltrate data, as it lacks logging via browser or network access. By utilizing DefenderXDR exposure management, the following KQL can detect the installation of the ‘Link to Windows’ app on endpoints associated with critical identities for DLP monitoring.

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4 
| distinct NodeName;
let CriticalDevices =
ExposureGraphEdges 
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where FileName contains "YourPhoneAppProxy"
| where DeviceName has_any (CriticalDevices)

// MITRE ATT&CK Mapping

// The KQL query is designed to identify critical identities and devices, and then monitor for specific file creation events on those devices. This approach helps in detecting potential unauthorized access and suspicious activities, aligning with several MITRE ATT&CK techniques such as Valid Accounts (T1078), Permission Groups Discovery (T1069), Ingress Tool Transfer (T1105), and Application Layer Protocol (T1071).

// T1078: Valid Accounts - Identifying critical accounts that could be targeted for unauthorized access.
// T1078: Valid Accounts - Identifying devices that critical accounts can access.
// T1069: Permission Groups Discovery - Discovering devices and their associated permissions.
// T1105: Ingress Tool Transfer - Detecting the creation of files that might be used for transferring tools or data.
// T1071: Application Layer Protocol - Monitoring for suspicious file creation that could indicate data exfiltration or command and control.

Explanation

This KQL query is designed to monitor for potential insider threats by detecting the installation of the "Link to Windows" app on devices associated with critical identities. Here's a simple breakdown:

  1. Identify Critical Identities: The query first identifies critical user accounts (identities) that have a certain level of importance or sensitivity (criticality level less than 4).

  2. Identify Critical Devices: It then finds devices that these critical identities can access, especially those where they have administrative rights.

  3. Monitor File Creation: The query looks for the creation of a specific file ("YourPhoneAppProxy") on these critical devices within the last 30 days. This file is associated with the "Link to Windows" app.

  4. Purpose: By monitoring these file creation events, the query aims to detect unauthorized access or suspicious activities that could lead to data exfiltration.

  5. Security Framework Alignment: The query aligns with several MITRE ATT&CK techniques, which are frameworks for understanding and categorizing cyber threats. These include:

    • Valid Accounts (T1078): Identifying and monitoring critical accounts and the devices they can access.
    • Permission Groups Discovery (T1069): Understanding device permissions and access rights.
    • Ingress Tool Transfer (T1105): Detecting file creation that might indicate tool or data transfer.
    • Application Layer Protocol (T1071): Monitoring for suspicious activities that could signal data exfiltration or unauthorized communications.

Overall, this query helps in detecting and preventing potential data leaks by monitoring critical accounts and their associated devices for suspicious activities related to the "Link to Windows" app.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

ExposureGraphNodesExposureGraphEdgesDeviceFileEvents

Keywords

InsiderThreatMonitoringExfiltrateDataLinkWindowsAppMicrosoftAndroidPhonesPCDefenderXDRExposureManagementInstallationEndpointsCriticalIdentitiesDLPExposureGraphNodesCategoriesIdentityNodePropertiesRawDataCriticalityLevelNodeNameDevicesExposureGraphEdgesEdgeLabelAuthenticateDeviceNameDeviceFileEventsTimestampActionTypeFileNameYourPhoneAppProxyMITREATTCKMappingValidAccountsPermissionGroupsDiscoveryIngressToolTransferApplicationLayerProtocol

Operators

letset_has_elementisnotnulldistinctjoinextendtostringhas_anyagocontains

MITRE Techniques

Actions

GitHub