Query Details

Exposure Management Browser Cookies With Credentials Of Privileged Users

Query

let PriveledgedRoles = dynamic(['Global Administrator', 'User Administrator']); // Add Entra ID roles you would like to monitor
ExposureGraphEdges
    | where EdgeLabel has "has credentials of"
    | extend parsedData = parse_json(EdgeProperties)
    | extend browserCookies = parsedData.rawData.browserCookies.browserCookies
    | where browserCookies == "true"
    | project SourceNodeName, SourceNodeLabel, TargetNodeName
| join (IdentityInfo
    | mv-expand AssignedRoles
    | where AssignedRoles has_any(PriveledgedRoles)
    | project AccountName
    )
on $left.TargetNodeName == $right.AccountName

About this query

Exposure management browser cookies with credentials of privileged users

Description

This hunting query will look in ExposureGraphEdges table for stored credentials, that match users that are privileged.

Microsoft Defender XDR

MITRE ATT&CK Mapping

Source

  • Exposure Management

Versioning

VersionDateComments
1.001/08/2024Initial publish

Explanation

This query is designed to identify privileged users who have stored their credentials in browser cookies, which could pose a security risk. Here's a simplified breakdown:

  1. Purpose: The query searches for privileged users (e.g., Global Administrators, User Administrators) who have stored their credentials in browser cookies.
  2. Data Source: It uses the ExposureGraphEdges table to find credentials stored in browser cookies.
  3. Process:
    • It first defines a list of privileged roles to monitor.
    • It then looks for entries in the ExposureGraphEdges table where credentials are stored in browser cookies.
    • It extracts relevant data from these entries.
    • It joins this data with the IdentityInfo table to match the stored credentials with privileged users.
  4. Output: The query outputs the names of the source nodes, their labels, and the target node names (i.e., the privileged users with stored credentials in browser cookies).

MITRE ATT&CK Mapping:

  • Tactic: Defense Evasion
  • Technique ID: T1550.004 (Use Alternate Authentication Material: Web Session Cookie)

Source: Exposure Management

Versioning:

  • Version 1.0: Initial publish on 01/08/2024.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: August 1, 2024

Tables

ExposureGraphEdgesIdentityInfo

Keywords

ExposureManagementBrowserCookiesCredentialsPrivilegedUsers

Operators

letdynamic//|hasextendparse_json==projectjoinmv-expandhas_anyon

MITRE Techniques

Actions

GitHub