Add Passkey Device Bound MS Authenticator Windows Hello Detection
Query
// Add Passkey device-bound MS Authenticator Windows Hello detection
// https://www.linkedin.com/posts/activity-7191839187543728128-DQ02/
// With the public preview of expanding Entra passkey options, Entra admins will now need to make sure passkeys are properly managed as part of the security key life cycle management for both privilege and non-privilege roles. Security operations will also need to have detection on *NEW* passkey added from both malicious or non-malicious perspectives so that threat can be monitor and mitigated when required.🫡
AuditLogs
| where ActivityDisplayName contains "Add Passkey"
| where Result == "success"
| extend AccountUPN = TargetResources[0].userPrincipalName
| extend AAGUID = AdditionalDetails[1].value
| extend WebAuthnInfo = AdditionalDetails[0].value
| project TimeGenerated, AccountUPN, ActivityDisplayName, AAGUID, WebAuthnInfo
// MITRE ATT&CK Mapping
// Based on the activities and data being extracted, the following MITRE ATT&CK techniques are relevant:
// T1078 - Valid Accounts:
// The query is identifying successful additions of passkeys, which can be related to the use of valid accounts for authentication purposes.
// T1556 - Modify Authentication Process:
// Adding a passkey can be seen as modifying the authentication process, which falls under this technique.
// T1589 - Gather Victim Identity Information:
// Extracting user principal names and WebAuthn information can be related to gathering identity information.Explanation
This query is designed to monitor and manage the addition of passkeys in an organization's security system, specifically focusing on Microsoft Authenticator and Windows Hello. Here's a simplified breakdown:
-
Purpose: The query helps security teams detect when a new passkey is added to the system, which is crucial for managing security keys effectively. This is important for both privileged and non-privileged roles to ensure security threats can be monitored and mitigated.
-
Data Source: It looks at audit logs to find entries where a passkey was successfully added.
-
Key Actions:
- Filters the logs to only include successful passkey additions.
- Extracts important details such as the user's principal name (AccountUPN), a unique identifier for the passkey (AAGUID), and additional authentication information (WebAuthnInfo).
-
Output: The query projects (displays) the time the event was generated, the user's principal name, the activity name, and the extracted authentication details.
-
Security Framework Mapping: The query is aligned with certain MITRE ATT&CK techniques:
- T1078 (Valid Accounts): It relates to the use of valid accounts for authentication.
- T1556 (Modify Authentication Process): Adding a passkey is considered a modification of the authentication process.
- T1589 (Gather Victim Identity Information): Extracting user and authentication details can be seen as gathering identity information.
In summary, this query is a tool for security operations to track and manage the addition of passkeys, ensuring that any potential threats can be identified and addressed promptly.
