Attacker In The Middle Precision Detection
Query
// Attacker in the Middle Precision Detection
//** A premium detection requiring Entra P2 license **
// Beginning in July 2024, the ‘Attacker in the Middle’ detection is now generally available in Identity Protection. By combining this offline detection with ‘Anomalous Token’ detection, it provides high-precision detection when a malicious actor attempts to replay a token. AAD Identity Protection will raise a security alert under ‘Anomalous Token’ with the ‘attackerInTheMiddle’ risk event type, ensuring reliable detection.
let AnomalousTokenRequestId=
SecurityAlert
| where AlertName == "Anomalous Token"
| mv-expand todynamic(Entities)
| project Entities
| extend RequestId = tostring(Entities.RequestId)
| distinct RequestId;
AADUserRiskEvents
| where RequestId has_any(AnomalousTokenRequestId)
| where RiskEventType == "attackerinTheMiddle"
// #Sentinel #AiTM #AnomalousToken #IdentityProtection #Entra #PremiumDetection
// MITRE ATT&CK Mapping
// The KQL code is designed to detect anomalous token activities and correlate them with specific risk events. The associated MITRE ATT&CK techniques are:
// T1550.004 - Use Alternate Authentication Material: Web Session Cookie:
// This technique involves using stolen web session cookies to authenticate to web applications.
// T1071.001 - Application Layer Protocol: Web Protocols:
// This technique involves using web protocols for command and control.
// T1078 - Valid Accounts:
// This technique involves using valid accounts to gain access to systems.
// T1556.004 - Modify Authentication Process: Network Device Authentication:
// This technique involves modifying the authentication process to gain unauthorized access.
// The specific detection of “attackerinTheMiddle” suggests a focus on T1557.002 - Adversary-in-the-Middle: Man-in-the-Middle attacks, where attackers intercept and manipulate communications between two parties.Explanation
This KQL query is designed to detect a specific type of security threat known as "Attacker in the Middle" (AiTM) within Microsoft's Identity Protection system. Here's a simplified breakdown:
-
Purpose: The query aims to identify high-precision security threats where a malicious actor attempts to misuse or replay a token to gain unauthorized access. This is part of a premium detection feature available with an Entra P2 license.
-
Detection Method:
- The query first identifies security alerts labeled as "Anomalous Token."
- It extracts unique request IDs associated with these alerts.
- It then checks for any user risk events that match these request IDs and are specifically categorized under the "attackerInTheMiddle" risk event type.
-
Outcome: If such events are detected, they indicate a potential "Attacker in the Middle" scenario, where an attacker might be intercepting and manipulating communications between two parties.
-
MITRE ATT&CK Techniques: The query is mapped to several MITRE ATT&CK techniques, which are methods used by attackers:
- T1550.004: Using stolen web session cookies.
- T1071.001: Using web protocols for command and control.
- T1078: Using valid accounts to access systems.
- T1556.004: Modifying authentication processes.
- T1557.002: Specifically focuses on "Adversary-in-the-Middle" attacks, where attackers intercept communications.
In summary, this query is part of a sophisticated detection mechanism to identify and alert on potential man-in-the-middle attacks by analyzing anomalous token activities and correlating them with specific risk events.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators