Query Details

Identity Blast Radius

Query

//Identity Blast Radius KQL
//https://www.linkedin.com/feed/update/urn:li:activity:7174327431485431808/

//Assessing high risk identity account blast radius by using risk data from AADSignInEventsBeta and edge/nodes data from ExposureGraphEdges and ExposureGraphNodes to determine the list of assets that can be potentially impacted in the event of account compromised.

let HighRiskAccounts =
AADSignInEventsBeta
| where RiskLevelAggregated > 50
| distinct AccountDisplayName;
ExposureGraphEdges 
| where EdgeLabel == @"can authenticate to"
| where SourceNodeName has_any (HighRiskAccounts)
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| summarize by SourceNodeName, TargetNodeName

// MITRE ATT&CK Mapping

// Based on the analysis, the KQL query can be associated with the following MITRE ATT&CK techniques:

// T1078 - Valid Accounts:
// The query identifies accounts that have a high risk level and can authenticate to other nodes, which aligns with the use of valid accounts for lateral movement or persistence1.
// T1071 - Application Layer Protocol:
// The query involves analyzing authentication events, which can be related to the use of application layer protocols for command and control2.
// T1087 - Account Discovery:
// The query discovers high-risk accounts and their authentication capabilities, which is related to account discovery techniques3.

Explanation

This KQL query is designed to assess the potential impact, or "blast radius," of a compromised high-risk identity account within an organization. Here's a simplified breakdown of what the query does:

  1. Identify High-Risk Accounts:

    • The query first looks at authentication events from AADSignInEventsBeta to find accounts with a risk level greater than 50. These are considered high-risk accounts.
  2. Determine Potential Impact:

    • It then uses data from ExposureGraphEdges and ExposureGraphNodes to map out which assets (like computers or services) these high-risk accounts can authenticate to. This helps determine which parts of the network could be affected if these accounts were compromised.
  3. Output:

    • The result is a list of high-risk accounts and the assets they can potentially access, indicating the scope of potential damage.
  4. Security Framework Mapping:

    • The query is linked to specific MITRE ATT&CK techniques:
      • T1078 - Valid Accounts: It identifies accounts that could be used for unauthorized access or lateral movement within the network.
      • T1071 - Application Layer Protocol: It involves analyzing authentication events, which can relate to how attackers might use protocols for communication.
      • T1087 - Account Discovery: It discovers which accounts are high-risk and what they can access, similar to how attackers might gather information about accounts.

Overall, this query helps security teams understand which high-risk accounts could pose a threat to their network and what assets might be at risk if those accounts are compromised.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

AADSignInEventsBetaExposureGraphEdgesExposureGraphNodes

Keywords

IdentityAccountsRiskAssetsAuthenticationEventsNodes

Operators

let|where>distincthas_anyjoinon==summarizeby

MITRE Techniques

Actions

GitHub