Threat Hunting Nation State Actors
Query
//Threat Hunting Nation State Actors
//https://www.linkedin.com/feed/update/urn:li:activity:7173156446581219328/
//In view of recent security updates from Microsoft on the January breach by Midnight Blizzard, for those on Microsoft Entra ID P2 you can also use Signin log's riskEventsTypes_v2 to threat hunt for possible nation state actors involvement on your Entra tenant by using below KQL query.
SigninLogs
| where TimeGenerated > ago(90d)
| extend V2Risk = tostring(RiskEventTypes_V2)
| where V2Risk contains "estsRiskStateP"
// MITRE ATT&CK Mapping
// The query focuses on filtering sign-in logs based on risk events, which can be associated with the following MITRE ATT&CK techniques:
// T1078 - Valid Accounts: Monitoring sign-in logs helps detect the use of valid accounts by adversaries1.
// T1110 - Brute Force: Risk events related to sign-ins can indicate brute force attempts1.
// T1190 - Exploit Public-Facing Application: Sign-in attempts might be part of exploiting public-facing applications1.
// T1071 - Application Layer Protocol: Sign-in logs can reveal the use of application layer protocols for command and control1.Explanation
This KQL query is designed for threat hunting, specifically targeting potential activities by nation-state actors within a Microsoft Entra ID P2 environment. Here's a simplified breakdown of what the query does:
-
Data Source: It uses the
SigninLogstable, which contains records of sign-in activities. -
Time Frame: The query looks at sign-in logs from the past 90 days.
-
Risk Event Filtering: It focuses on sign-in events that have specific risk indicators. It does this by checking the
RiskEventTypes_V2field for entries that contain the string "estsRiskStateP", which likely signifies a particular type of risk event. -
Purpose: The goal is to identify potentially malicious activities that could be linked to nation-state actors, leveraging recent security updates from Microsoft.
-
MITRE ATT&CK Techniques: The query is associated with several MITRE ATT&CK techniques, which are frameworks for understanding adversary behaviors:
- T1078 - Valid Accounts: Detects the use of legitimate accounts by adversaries.
- T1110 - Brute Force: Identifies attempts to guess passwords through brute force.
- T1190 - Exploit Public-Facing Application: Monitors for attempts to exploit vulnerabilities in public-facing applications.
- T1071 - Application Layer Protocol: Observes the use of application layer protocols that might be used for command and control activities.
In summary, this query helps security teams monitor and analyze sign-in activities for signs of sophisticated threats, particularly those associated with nation-state actors, by leveraging risk event data in sign-in logs.
