Query Details

Exposure Management Browser Cookies With Credentials Of Privileged Users

Query

# Exposure management browser cookies with credentials of privileged users

### Description

This hunting query looks in the ExposureGraphEdges table for credentials stored in browser cookies and matches them against users that hold privileged Entra ID roles.

### Microsoft Defender XDR
```kusto
let PrivilegedRoles = dynamic(['Global Administrator', 'User Administrator']); // Add the Entra ID roles you want to monitor
ExposureGraphEdges
// Edges that record one node (typically a device) holding another identity's credentials
| where EdgeLabel has "has credentials of"
| extend parsedData = parse_json(EdgeProperties)
| extend browserCookies = parsedData.rawData.browserCookies.browserCookies
// tostring() matches the flag whether it is stored as a boolean or as the string "true"
| where tostring(browserCookies) == "true"
| project SourceNodeName, SourceNodeLabel, TargetNodeName
// kind=inner keeps every (source node, account) pair; the default innerunique
// flavour would keep only one source node per matched account
| join kind=inner (
    IdentityInfo
    | mv-expand AssignedRoles to typeof(string)
    | where AssignedRoles has_any (PrivilegedRoles)
    | distinct AccountName
) on $left.TargetNodeName == $right.AccountName
```

### MITRE ATT&CK Mapping
- Tactic: Defense Evasion
- Technique ID: T1550.004
- [Use Alternate Authentication Material: Web Session Cookie](https://attack.mitre.org/techniques/T1550/004/)

### Source
- Exposure Management

### Versioning
| Version       | Date          | Comments                      |
| ------------- |---------------| ------------------------------|
| 1.0           | 01/08/2024    | Initial publish               |

Explanation

This query is designed to identify privileged users whose credentials are held in browser cookies on a node of the exposure graph (typically a device), which could pose a security risk. Here's a simplified breakdown:

  1. Purpose: The query searches for privileged users (e.g., Global Administrators, User Administrators) whose credentials are stored in browser cookies.
  2. Data Source: It uses the ExposureGraphEdges table to find credentials stored in browser cookies.
  3. Process:
     - It first defines a list of privileged roles to monitor.
     - It then looks for "has credentials of" entries in the ExposureGraphEdges table whose properties indicate that the credentials are stored in browser cookies.
     - It extracts the source node name, the source node label and the target node name from these entries.
     - It joins this data with the IdentityInfo table to match the stored credentials with privileged users.
  4. Output: The query outputs the names of the source nodes, their labels, and the target node names (i.e., the privileged users whose credentials are stored in browser cookies).
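The same logic, rolled up per source node so that a single device holding cookies for several privileged accounts surfaces as one row with the accounts and the roles that matched. This is an added example, not part of the original query; it assumes only the tables and columns the query above already uses.

```kusto
// Added example (not from the original query): one row per source node that
// holds browser cookies for privileged accounts, with the accounts and the
// roles that caused the match, so triage can start from the most exposed host.
let PrivilegedRoles = dynamic(['Global Administrator', 'User Administrator']);
let ExposedCookieCredentials =
    ExposureGraphEdges
    | where EdgeLabel has "has credentials of"
    | extend parsedData = parse_json(EdgeProperties)
    // tostring() matches the flag whether it is stored as a boolean or as a string
    | where tostring(parsedData.rawData.browserCookies.browserCookies) == "true"
    | project SourceNodeName, SourceNodeLabel, TargetNodeName;
let PrivilegedAccounts =
    IdentityInfo
    | mv-expand AssignedRoles to typeof(string)
    | where AssignedRoles has_any (PrivilegedRoles)
    | distinct AccountName, AssignedRoles;
ExposedCookieCredentials
// kind=inner keeps every (source node, account) pair; innerunique would drop
// additional source nodes for the same account
| join kind=inner PrivilegedAccounts on $left.TargetNodeName == $right.AccountName
| summarize PrivilegedAccounts = make_set(TargetNodeName),
            MatchedRoles = make_set(AssignedRoles),
            AccountCount = dcount(TargetNodeName)
    by SourceNodeName, SourceNodeLabel
| order by AccountCount desc
```

Source nodes with the highest AccountCount are the first place to clear browser-stored sessions and re-evaluate whether privileged accounts should be used on that host at all.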

Details

Michalis Michalos

Released: August 1, 2024

Tables

- ExposureGraphEdges
- IdentityInfo

Keywords

- Exposure Management
- Browser Cookies
- Credentials
- Privileged Users

Operators

- let
- dynamic
- //
- |
- has
- extend
- parse_json
- ==
- project
- join
- mv-expand
- has_any
- on
