MDE KQL To Detect TA571 Socialengineering Abuse
Query
// MDE KQL to detect TA571 socialengineering abuse
// https://www.linkedin.com/posts/activity-7208705552833478656-8xUz/
DeviceEvents
| where ActionType == "GetClipboardData"
| where InitiatingProcessFileName == "powershell.exe"
// MITRE ATT&CK Mapping
// Based on the query, the following MITRE ATT&CK techniques are relevant:
// Technique: T1115 - Clipboard Data1
// Description: Adversaries may collect data stored in the clipboard from users copying information within or between applications. This can include sensitive data such as passwords or other confidential information.
// Technique: T1059.001 - Command and Scripting Interpreter: PowerShell2
// Description: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Explanation
This query is designed to detect potential malicious activity related to social engineering attacks by a threat actor known as TA571. It specifically looks for instances where the clipboard data on a device is accessed using the PowerShell application. The query filters events to identify when the action "GetClipboardData" is performed by a process initiated by "powershell.exe."
The query is mapped to two MITRE ATT&CK techniques:
-
T1115 - Clipboard Data: This technique involves adversaries collecting data from the clipboard, which can include sensitive information like passwords.
-
T1059.001 - Command and Scripting Interpreter: PowerShell: This technique involves adversaries using PowerShell commands and scripts to execute malicious activities, leveraging PowerShell's capabilities as a command-line interface and scripting environment in Windows.
In summary, the query aims to identify suspicious use of PowerShell to access clipboard data, which could indicate an attempt to capture sensitive information as part of a social engineering attack.
