Exposure Management Browser Cookies With Credentials Of Privileged Users
Query
let PriveledgedRoles = dynamic(['Global Administrator', 'User Administrator']); // Add Entra ID roles you would like to monitor
ExposureGraphEdges
| where EdgeLabel has "has credentials of"
| extend parsedData = parse_json(EdgeProperties)
| extend browserCookies = parsedData.rawData.browserCookies.browserCookies
| where browserCookies == "true"
| project SourceNodeName, SourceNodeLabel, TargetNodeName
| join (IdentityInfo
| mv-expand AssignedRoles
| where AssignedRoles has_any(PriveledgedRoles)
| project AccountName
)
on $left.TargetNodeName == $right.AccountNameAbout this query
Exposure management browser cookies with credentials of privileged users
Description
This hunting query will look in ExposureGraphEdges table for stored credentials, that match users that are privileged.
Microsoft Defender XDR
MITRE ATT&CK Mapping
- Tactic: Defense Evasion
- Technique ID: T1550.004
- Use Alternate Authentication Material: Web Session Cookie
Source
- Exposure Management
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 01/08/2024 | Initial publish |
Explanation
This query is designed to identify privileged users who have stored their credentials in browser cookies, which could pose a security risk. Here's a simplified breakdown:
- Purpose: The query searches for privileged users (e.g., Global Administrators, User Administrators) who have stored their credentials in browser cookies.
- Data Source: It uses the
ExposureGraphEdgestable to find credentials stored in browser cookies. - Process:
- It first defines a list of privileged roles to monitor.
- It then looks for entries in the
ExposureGraphEdgestable where credentials are stored in browser cookies. - It extracts relevant data from these entries.
- It joins this data with the
IdentityInfotable to match the stored credentials with privileged users.
- Output: The query outputs the names of the source nodes, their labels, and the target node names (i.e., the privileged users with stored credentials in browser cookies).
MITRE ATT&CK Mapping:
- Tactic: Defense Evasion
- Technique ID: T1550.004 (Use Alternate Authentication Material: Web Session Cookie)
Source: Exposure Management
Versioning:
- Version 1.0: Initial publish on 01/08/2024.
