Detect entra token request via specific BOF (IOC based)
Detect Entra Token Request Via Bof Io C
Query
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(5m)
| where UserAgent contains "ur mum"
| where ResourceIdentity == "797f4846-ba00-4fd7-ba43-dac1f8f63013"About this query
Detect entra token request via specific BOF (IOC based)
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1651 | Cloud Administration Command | https://attack.mitre.org/techniques/T1651/ |
| T1606 | Forge Web Credentials | https://attack.mitre.org/techniques/T1606/ |
Description
This might be one of the silliest detections I have created. But since there is a Beacon Object File out there which can be used to directly request Entra ID access tokens from an active beacon on a device using a specific User Agent, we can easily detect this beacon file by flagging the funny user agent and / or scope identifier that is used.
Risk
Detect token request via a specific BOF file.
Author <Optional>
- Name: Robbe Van den Daele
- Github: https://github.com/RobbeVandenDaele
- Twitter: https://x.com/RobbeVdDaele
- LinkedIn: https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- Website: https://hybridbrothers.com/
References
Sentinel
Explanation
This query is designed to detect suspicious activity related to a specific type of cyber threat. Here's a simple breakdown of what it does:
-
Data Source: The query looks at logs from Azure Active Directory (AAD) that track non-interactive user sign-ins. These logs record instances where a user or application signs in without direct user interaction, often used by automated processes or scripts.
-
Time Frame: It focuses on events that have occurred in the last 5 minutes. This helps in identifying recent or ongoing suspicious activities.
-
User Agent Check: The query filters for sign-in attempts where the "UserAgent" field contains the phrase "ur mum". This is an unusual and humorous string that is likely used by a specific malicious tool or script to identify itself.
-
Resource Identity Check: It further filters the results to only include attempts targeting a specific resource identity, identified by the GUID "797f4846-ba00-4fd7-ba43-dac1f8f63013". This GUID is associated with a particular application or service in Azure.
Overall, the query is designed to detect attempts to request access tokens from Azure Active Directory using a known malicious tool that uses a distinctive user agent string. This helps in identifying potential unauthorized access attempts or security breaches.
