Query Details

MDE KQL To Detect TA571 Socialengineering Abuse

Query

// MDE KQL to detect TA571 socialengineering abuse
// https://www.linkedin.com/posts/activity-7208705552833478656-8xUz/

DeviceEvents
| where ActionType == "GetClipboardData"
| where InitiatingProcessFileName == "powershell.exe"

// MITRE ATT&CK Mapping

// Based on the query, the following MITRE ATT&CK techniques are relevant:

// Technique: T1115 - Clipboard Data1
// Description: Adversaries may collect data stored in the clipboard from users copying information within or between applications. This can include sensitive data such as passwords or other confidential information.
// Technique: T1059.001 - Command and Scripting Interpreter: PowerShell2
// Description: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.

Explanation

This query is designed to detect potential malicious activity related to social engineering attacks by a threat actor known as TA571. It specifically looks for instances where the clipboard data on a device is accessed using the PowerShell application. The query filters events to identify when the action "GetClipboardData" is performed by a process initiated by "powershell.exe."

The query is mapped to two MITRE ATT&CK techniques:

  1. T1115 - Clipboard Data: This technique involves adversaries collecting data from the clipboard, which can include sensitive information like passwords.

  2. T1059.001 - Command and Scripting Interpreter: PowerShell: This technique involves adversaries using PowerShell commands and scripts to execute malicious activities, leveraging PowerShell's capabilities as a command-line interface and scripting environment in Windows.

In summary, the query aims to identify suspicious use of PowerShell to access clipboard data, which could indicate an attempt to capture sensitive information as part of a social engineering attack.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

DeviceEvents|where==

MITRE Techniques

Actions

GitHub