Query Details

Detect entra token request via specific BOF (IOC based)

Detect Entra Token Request Via Bof Io C

Query

AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(5m)
| where UserAgent contains "ur mum" 
| where ResourceIdentity == "797f4846-ba00-4fd7-ba43-dac1f8f63013"

About this query

Detect entra token request via specific BOF (IOC based)

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1651Cloud Administration Commandhttps://attack.mitre.org/techniques/T1651/
T1606Forge Web Credentialshttps://attack.mitre.org/techniques/T1606/

Description

This might be one of the silliest detections I have created. But since there is a Beacon Object File out there which can be used to directly request Entra ID access tokens from an active beacon on a device using a specific User Agent, we can easily detect this beacon file by flagging the funny user agent and / or scope identifier that is used.

Risk

Detect token request via a specific BOF file.

Author <Optional>

References

Sentinel

Explanation

This query is designed to detect suspicious activity related to a specific type of cyber threat. Here's a simple breakdown of what it does:

  1. Data Source: The query looks at logs from Azure Active Directory (AAD) that track non-interactive user sign-ins. These logs record instances where a user or application signs in without direct user interaction, often used by automated processes or scripts.

  2. Time Frame: It focuses on events that have occurred in the last 5 minutes. This helps in identifying recent or ongoing suspicious activities.

  3. User Agent Check: The query filters for sign-in attempts where the "UserAgent" field contains the phrase "ur mum". This is an unusual and humorous string that is likely used by a specific malicious tool or script to identify itself.

  4. Resource Identity Check: It further filters the results to only include attempts targeting a specific resource identity, identified by the GUID "797f4846-ba00-4fd7-ba43-dac1f8f63013". This GUID is associated with a particular application or service in Azure.

Overall, the query is designed to detect attempts to request access tokens from Azure Active Directory using a known malicious tool that uses a distinctive user agent string. This helps in identifying potential unauthorized access attempts or security breaches.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: May 6, 2025

Tables

AADNonInteractiveUserSignInLogs

Keywords

AADNonInteractiveUserSignInLogsTimeGeneratedUserAgentResourceIdentity

Operators

|wherecontains==>ago

MITRE Techniques

Actions

GitHub