Malicious FIDO2 Registration Threat Detection
Query
// Malicious FIDO2 Registration Threat Detection
// https://www.linkedin.com/posts/activity-7219732839422992385-FHSM/
// In the event of a user account being compromised, a threat actor may attempt to register a passkey for persistence. This ensures that even if the account password is reset automatically, the passkey remains intact for ongoing malicious activities. By using audit logs, one can determine the IP address used for the threat actor’s passkey registration and correlate this information with threat intelligence data from BehaviourAnalytics to identify potential malicious FIDO2 passkey registration and abuse.
let PasskeyAuthenticatorIP =
AuditLogs
| where ResultDescription contains "User registered Fido2 Authentication Method"
| extend AuthenticatorIP = tostring(InitiatedBy.user.ipAddress)
| distinct AuthenticatorIP;
BehaviorAnalytics
| where TimeGenerated > ago(90d)
| extend ThreatIntelIndicatorDescription = DevicesInsights.ThreatIntelIndicatorDescription
| where isnotempty( ThreatIntelIndicatorDescription )
| where SourceIPAddress has_any(PasskeyAuthenticatorIP)
// MITRE ATT&CK Mapping
// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1078 - Valid Accounts:
// Description: The query identifies IP addresses associated with the registration of Fido2 authentication methods, which can be linked to the use of valid accounts for authentication.
// Detection: Monitoring for unusual or unauthorized registration of authentication methods.
// T1071 - Application Layer Protocol:
// Description: The query involves network traffic analysis by examining IP addresses and their associated threat intelligence indicators.
// Detection: Identifying suspicious network traffic patterns and correlating them with known threat indicators.
// T1087 - Account Discovery:
// Description: The query extends behavior analytics with threat intelligence descriptions, which can help in discovering accounts that may have been compromised.
// Detection: Analyzing behavior analytics data to detect unusual account activities.
// T1057 - Process Discovery:
// Description: The query’s focus on behavior analytics and threat intelligence can also help in identifying processes or activities that are indicative of malicious behavior.
// Detection: Correlating process activities with threat intelligence to detect malicious processes.Explanation
This query is designed to detect potential malicious activities involving the registration of FIDO2 passkeys, which are used for authentication. Here's a simplified breakdown:
-
Purpose: The query aims to identify if a threat actor has registered a FIDO2 passkey on a compromised user account. This is a persistence technique that allows the attacker to maintain access even if the account password is changed.
-
Process:
- Step 1: It searches through audit logs to find instances where a FIDO2 authentication method was registered. It extracts the IP addresses associated with these registrations.
- Step 2: It checks these IP addresses against threat intelligence data from BehaviorAnalytics to see if any of them are known to be associated with malicious activities.
-
Outcome: By correlating the IP addresses used for FIDO2 registration with threat intelligence, the query helps identify potentially malicious registrations and ongoing abuse.
-
MITRE ATT&CK Techniques:
- T1078 (Valid Accounts): The query helps detect unauthorized use of valid accounts by monitoring unusual registration of authentication methods.
- T1071 (Application Layer Protocol): It involves analyzing network traffic to identify suspicious patterns linked to known threats.
- T1087 (Account Discovery): It uses behavior analytics to discover potentially compromised accounts.
- T1057 (Process Discovery): It helps identify malicious processes by correlating behavior analytics with threat intelligence.
In summary, this query is a security measure to detect and analyze suspicious activities related to FIDO2 passkey registrations, using audit logs and threat intelligence to enhance detection capabilities.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators