Query Details

Malicious FIDO2 Registration Threat Detection

Query

// Malicious FIDO2 Registration Threat Detection
// https://www.linkedin.com/posts/activity-7219732839422992385-FHSM/

// In the event of a user account being compromised, a threat actor may register a passkey
// for persistence: even if the account password is reset automatically, the passkey remains
// intact for ongoing malicious activity. The Entra ID audit log records the IP address used
// for the passkey registration; correlating that IP with the threat-intelligence enrichment in
// the Sentinel UEBA BehaviorAnalytics table surfaces potentially malicious FIDO2 passkey
// registrations and abuse.

// Step 1: every distinct IP address from which a FIDO2 authentication method was registered.
// Note: no time bound is applied here, so the whole AuditLogs retention window is scanned.
let PasskeyAuthenticatorIP =
AuditLogs
| where ResultDescription contains "User registered Fido2 Authentication Method"
| extend AuthenticatorIP = tostring(InitiatedBy.user.ipAddress)
| distinct AuthenticatorIP;
// Step 2: UEBA activity from the last 90 days whose source IP carries a threat-intel indicator
// and matches one of the passkey-registration IPs above.
BehaviorAnalytics
| where TimeGenerated > ago(90d)
| extend ThreatIntelIndicatorDescription = DevicesInsights.ThreatIntelIndicatorDescription
| where isnotempty( ThreatIntelIndicatorDescription )
| where SourceIPAddress has_any(PasskeyAuthenticatorIP)

Explanation

This KQL query is designed to detect potentially malicious FIDO2 passkey registrations by analyzing audit logs and correlating them with threat intelligence data. Here's a simplified breakdown:

  1. Identify IP Addresses from Audit Logs:

    • The query first looks at audit logs to find instances where a user registered a FIDO2 authentication method.
    • It extracts and lists the unique IP addresses (AuthenticatorIP) from these events.
  2. Correlate with Threat Intelligence:

    • It then checks the BehaviorAnalytics data from the past 90 days.
    • It extends this data to include descriptions of threat intelligence indicators.
    • The query keeps only entries that have a non-empty threat intelligence description, i.e. rows UEBA has enriched with a threat-intel indicator for the source IP.
    • Finally, it matches the IP addresses from the audit logs with those in the threat intelligence data to identify potential malicious activities.

In essence, the query aims to find IP addresses used for registering FIDO2 passkeys and checks if these IPs are associated with any known threats, helping to detect and prevent ongoing malicious activities.
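The correlation described above, re-created offline over constructed sample records so the logic can be exercised without a Sentinel workspace. This is an added example, not part of the original query or the author's material; the field names mirror the KQL (ResultDescription, InitiatedBy.user.ipAddress, SourceIPAddress, DevicesInsights.ThreatIntelIndicatorDescription) and the sample rows are invented. It goes one step beyond the query in two ways: it keeps the registering user and registration time alongside the threat-intel hit, and it makes the lookback on the audit log an explicit parameter, since the original `let` statement scans the whole AuditLogs retention.

```python
"""Offline re-creation of the FIDO2-registration / threat-intel correlation.

Constructed records stand in for the Entra ID AuditLogs table and the Sentinel
UEBA BehaviorAnalytics table. Nothing here talks to Azure.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 8, 2, tzinfo=timezone.utc)   # constructed "current time"
DEFAULT_LOOKBACK = timedelta(days=90)             # same window the query uses for UEBA
FIDO2_REGISTRATION = "User registered Fido2 Authentication Method"

# Constructed AuditLogs rows (not real tenant data).
AUDIT_LOGS = [
    {"TimeGenerated": NOW - timedelta(days=3), "ResultDescription": FIDO2_REGISTRATION,
     "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                              "ipAddress": "203.0.113.45"}}},
    {"TimeGenerated": NOW - timedelta(days=1), "ResultDescription": FIDO2_REGISTRATION,
     "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example",
                              "ipAddress": "198.51.100.7"}}},
    # Not a FIDO2 registration: must be ignored even though the IP has a TI hit below.
    {"TimeGenerated": NOW - timedelta(days=2),
     "ResultDescription": "User registered Authenticator App with Notification and Code",
     "InitiatedBy": {"user": {"userPrincipalName": "carol@contoso.example",
                              "ipAddress": "192.0.2.200"}}},
    # A FIDO2 registration from 120 days ago: outside a 90-day audit lookback.
    {"TimeGenerated": NOW - timedelta(days=120), "ResultDescription": FIDO2_REGISTRATION,
     "InitiatedBy": {"user": {"userPrincipalName": "dave@contoso.example",
                              "ipAddress": "192.0.2.200"}}},
]

# Constructed BehaviorAnalytics rows (not real UEBA output).
BEHAVIOR_ANALYTICS = [
    {"TimeGenerated": NOW - timedelta(days=3), "UserPrincipalName": "alice@contoso.example",
     "SourceIPAddress": "203.0.113.45",
     "DevicesInsights": {"ThreatIntelIndicatorDescription": "Anonymizing proxy / TOR exit"}},
    {"TimeGenerated": NOW - timedelta(days=1), "UserPrincipalName": "bob@contoso.example",
     "SourceIPAddress": "198.51.100.7", "DevicesInsights": {}},          # no TI indicator
    {"TimeGenerated": NOW - timedelta(days=2), "UserPrincipalName": "carol@contoso.example",
     "SourceIPAddress": "192.0.2.200",
     "DevicesInsights": {"ThreatIntelIndicatorDescription": "Known malicious IP"}},
]


def passkey_registrations(audit_logs, now, lookback):
    """Counterpart of the `PasskeyAuthenticatorIP` let-statement, but keeps who and when.

    lookback=None reproduces the original query, which puts no time bound on AuditLogs.
    """
    cutoff = None if lookback is None else now - lookback
    out = []
    for row in audit_logs:
        if cutoff is not None and row["TimeGenerated"] <= cutoff:
            continue
        if FIDO2_REGISTRATION not in row.get("ResultDescription", ""):
            continue
        user = row.get("InitiatedBy", {}).get("user", {})
        ip = str(user.get("ipAddress") or "")       # tostring(InitiatedBy.user.ipAddress)
        if not ip:
            continue
        out.append({"RegistrationTime": row["TimeGenerated"],
                    "RegisteringUser": user.get("userPrincipalName", ""),
                    "AuthenticatorIP": ip})
    return out


def ti_flagged_activity(behavior_analytics, now, lookback):
    """UEBA rows from the lookback window whose source IP carries a TI indicator."""
    cutoff = now - lookback
    out = []
    for row in behavior_analytics:
        if row["TimeGenerated"] <= cutoff:
            continue
        desc = row.get("DevicesInsights", {}).get("ThreatIntelIndicatorDescription", "")
        if not desc:                                  # isnotempty(ThreatIntelIndicatorDescription)
            continue
        out.append({"ActivityTime": row["TimeGenerated"],
                    "ActivityUser": row.get("UserPrincipalName", ""),
                    "SourceIPAddress": row["SourceIPAddress"],
                    "ThreatIntelIndicatorDescription": desc})
    return out


def correlate(audit_logs, behavior_analytics, now=NOW,
              audit_lookback=DEFAULT_LOOKBACK, ueba_lookback=DEFAULT_LOOKBACK):
    """Exact-IP join of TI-flagged UEBA activity against FIDO2 registration IPs."""
    by_ip = {}
    for reg in passkey_registrations(audit_logs, now, audit_lookback):
        by_ip.setdefault(reg["AuthenticatorIP"], []).append(reg)
    hits = []
    for activity in ti_flagged_activity(behavior_analytics, now, ueba_lookback):
        for reg in by_ip.get(activity["SourceIPAddress"], []):
            hits.append({**activity, **reg})
    return hits


if __name__ == "__main__":
    for hit in correlate(AUDIT_LOGS, BEHAVIOR_ANALYTICS):
        print(f"{hit['RegisteringUser']} registered a passkey from {hit['AuthenticatorIP']} "
              f"at {hit['RegistrationTime']:%Y-%m-%d}; TI: {hit['ThreatIntelIndicatorDescription']}")
```

With the default 90-day audit lookback only Alice's registration is returned: Bob's IP has no threat-intel indicator, and Carol's registration was not FIDO2. With `audit_lookback=None` (the original query's behaviour) Dave's 120-day-old registration from 192.0.2.200 also matches, joined to Carol's later activity from the same address; whether that older persistence passkey is what you want to surface is a tuning decision, but the join output should always carry the registering user so that the analyst can tell whose passkey to revoke.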

Details


Steven Lim

Released: August 2, 2024

Tables

AuditLogs, BehaviorAnalytics

Keywords

AuditLogs, BehaviorAnalytics, DevicesInsights, ThreatIntel, User

Operators

let, where, contains, extend, tostring, distinct, >, ago, isnotempty, has_any
