Detect Vulnerable Device With Global Admin Browser Cookie Credential
Query
// Detect vulnerable device with Global Admin browser cookie credential
// https://www.linkedin.com/posts/0x534c_exposuremanagement-attackpaths-critical-activity-7227325225493803009-o5te/
//Thanks to Marko Lauren’s recent insights on how #ExposureManagement customers can identify #attackpaths that originate in non-cloud environments and target #critical cloud assets using Entra cloud credentials.
//Leveraging DefenderXDR Exposure Management, I developed a KQL query that replicates this attack path functionality. The following KQL checks all Critical Identities (in my use case, line 6 limits to GA accounts only; removing this line will include all critical identities) and identifies which devices have their Entra browser cookie credentials stored, then checks if these devices have any critical vulnerabilities.
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel)
and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| where NodeProperties has "Global Administrator" // Remove this line to include all Critical Identities
| distinct NodeName;
let VulnerableEndPointwithBCookie =
ExposureGraphEdges
| where EdgeLabel == @"has credentials of"
| where EdgeProperties has "BrowserCookies"
| where TargetNodeName has_any (CriticalIdentities)
// SourceNodeName = Devices that contains GA browser cookie
| distinct SourceNodeName;
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"
| where DeviceName has_any (VulnerableEndPointwithBCookie)
// Bridging the On-premises to Cloud Security Gap: Cloud Credentials Detection
// Link: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/bridging-the-on-premises-to-cloud-security-gap-cloud-credentials/ba-p/4211794
// MITRE ATT&CK Mapping
//The KQL code is designed to identify critical identities, endpoints with browser cookies of these identities, and devices with critical vulnerabilities. The associated MITRE ATT&CK techniques include:
// T1078: Valid Accounts
// T1078.004: Valid Accounts: Cloud Accounts
// T1539: Steal Web Session Cookie
// T1190: Exploit Public-Facing ApplicationExplanation
This KQL query is designed to identify potential security risks in a network by focusing on critical identities and their associated devices. Here's a simple breakdown of what the query does:
-
Identify Critical Identities:
- The query first identifies critical identities within the system, specifically focusing on those with a "Global Administrator" role. This is done by filtering nodes that are categorized as identities and have a criticality level below 4.
-
Find Devices with Browser Cookies:
- It then looks for devices that have stored browser cookies associated with these critical identities. This is important because having such cookies can mean that the device has access to sensitive credentials.
-
Check for Vulnerabilities:
- Finally, the query checks if any of these devices with stored browser cookies have critical vulnerabilities. This step is crucial as it identifies devices that are not only associated with critical identities but are also at risk due to existing vulnerabilities.
The query helps in bridging the security gap between on-premises and cloud environments by detecting cloud credentials stored in browser cookies on potentially vulnerable devices. It aligns with certain MITRE ATT&CK techniques, which are frameworks for understanding and mitigating cyber threats, including:
- T1078: Valid Accounts
- T1078.004: Valid Accounts: Cloud Accounts
- T1539: Steal Web Session Cookie
- T1190: Exploit Public-Facing Application
Overall, this query helps security teams identify and mitigate risks associated with critical identities and their devices, ensuring better protection against potential cyber threats.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators