T1555003 Credentials From Web Browsers
Query
// https://www.linkedin.com/posts/0x534c_cybersecurity-t1555-credentialtheft-activity-7324667429035368448-t6om
ThreatIntelIndicators
| where TimeGenerated > ago(365d)
| where now() between (ValidFrom .. ValidUntil)
| where isnotempty(Data.labels)
| mv-expand Data.labels
| where Data_labels has "mitre"
| extend MitreID = parse_json(tostring(Data_labels)).Alias
| where MitreID == "T1555.003" // Credentials from Web Browsers
| summarize IOCcount=count() by ObservableKey, Confidence
| sort by IOCcount descExplanation
This query is designed to analyze threat intelligence data to identify specific cybersecurity threats related to credential theft from web browsers. Here's a simplified breakdown of what the query does:
-
Data Source: It starts by accessing the
ThreatIntelIndicatorstable, which contains threat intelligence data. -
Time Filter: It filters the data to include only records generated in the past year (
365 days). -
Validity Check: It ensures that the current time (
now()) falls within the validity period of the threat indicators (ValidFromtoValidUntil). -
Label Check: It filters for records that have non-empty labels in the
Data.labelsfield. -
Label Expansion: It expands the
Data.labelsfield to handle multiple labels per record. -
MITRE Label Filter: It further filters the data to include only those records where the labels contain the term "mitre".
-
MITRE ID Extraction: It extracts the MITRE technique ID from the labels and assigns it to a new field called
MitreID. -
Specific Threat Filter: It filters the data to focus specifically on the MITRE technique ID "T1555.003", which corresponds to "Credentials from Web Browsers".
-
Summarization: It counts the number of occurrences (
IOCcount) of each unique observable key (ObservableKey) and groups them by their confidence level (Confidence). -
Sorting: Finally, it sorts the results in descending order based on the count of indicators of compromise (
IOCcount).
In summary, this query identifies and counts instances of a specific credential theft technique from web browsers, as defined by the MITRE framework, over the past year, and sorts the results by frequency.
