Query Details

Threat Hunting Nation State Actors

Query

//Threat Hunting Nation State Actors
//https://www.linkedin.com/feed/update/urn:li:activity:7173156446581219328/

//In view of recent security updates from Microsoft on the January breach by Midnight Blizzard, for those on Microsoft Entra ID P2 you can also use Signin log's riskEventsTypes_v2 to threat hunt for possible nation state actors involvement on your Entra tenant by using below KQL query.

SigninLogs
| where TimeGenerated > ago(90d)
| extend V2Risk = tostring(RiskEventTypes_V2)
| where V2Risk contains "estsRiskStateP"


// MITRE ATT&CK Mapping

// The query focuses on filtering sign-in logs based on risk events, which can be associated with the following MITRE ATT&CK techniques:

// T1078 - Valid Accounts: Monitoring sign-in logs helps detect the use of valid accounts by adversaries1.
// T1110 - Brute Force: Risk events related to sign-ins can indicate brute force attempts1.
// T1190 - Exploit Public-Facing Application: Sign-in attempts might be part of exploiting public-facing applications1.
// T1071 - Application Layer Protocol: Sign-in logs can reveal the use of application layer protocols for command and control1.

Explanation

This KQL query is designed for threat hunting, specifically targeting potential activities by nation-state actors within a Microsoft Entra ID P2 environment. Here's a simplified breakdown of what the query does:

  1. Data Source: It uses the SigninLogs table, which contains records of sign-in activities.

  2. Time Frame: The query looks at sign-in logs from the past 90 days.

  3. Risk Event Filtering: It focuses on sign-in events that have specific risk indicators. It does this by checking the RiskEventTypes_V2 field for entries that contain the string "estsRiskStateP", which likely signifies a particular type of risk event.

  4. Purpose: The goal is to identify potentially malicious activities that could be linked to nation-state actors, leveraging recent security updates from Microsoft.

  5. MITRE ATT&CK Techniques: The query is associated with several MITRE ATT&CK techniques, which are frameworks for understanding adversary behaviors:

    • T1078 - Valid Accounts: Detects the use of legitimate accounts by adversaries.
    • T1110 - Brute Force: Identifies attempts to guess passwords through brute force.
    • T1190 - Exploit Public-Facing Application: Monitors for attempts to exploit vulnerabilities in public-facing applications.
    • T1071 - Application Layer Protocol: Observes the use of application layer protocols that might be used for command and control activities.

In summary, this query helps security teams monitor and analyze sign-in activities for signs of sophisticated threats, particularly those associated with nation-state actors, by leveraging risk event data in sign-in logs.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

SigninLogs

Keywords

SigninLogsTimeGeneratedRiskEventTypesV2RiskEntraTenantNationStateActorsMicrosoftIDP2

Operators

SigninLogs|where>ago()extend=tostringcontains

MITRE Techniques

Actions

GitHub