[New Rule] Entra ID Device Registration with Phishing Kit Default OS Build#6354
Conversation
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
|
⛔️ Test failed Results
|
| data_stream.dataset:"azure.auditlogs" and event.action:"Add device" and | ||
| azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value:*10.0.19045.2006* and | ||
| azure.auditlogs.properties.target_resources.0.modified_properties.4.new_value:*DESKTOP-* |
There was a problem hiding this comment.
Are the azure.auditlogs.properties.target_resources..modified_properties..new_value position agnostic? Maybe a good idea to find an alternative using ESQL and match name to value.
There was a problem hiding this comment.
Position is specific to event.action so these will always be 3 and 4.
django-88
left a comment
There was a problem hiding this comment.
Very cool, was nice to read through it!
|
⛔️ Test failed Results
|
There was a problem hiding this comment.
Pull request overview
This PR adds two new Microsoft Entra ID detections aimed at identifying device registrations consistent with AiTM phishing kit behavior (Tycoon2FA / Kali365), focusing on a “frozen” default OS build (10.0.19045.2006) combined with default DESKTOP- naming.
Changes:
- Added an Azure Audit Logs rule to detect
Add deviceevents whereCloudDeviceOSVersionandCloudDisplayNamematch the phishing-kit default fingerprint. - Added an Entity Analytics (device inventory) new-terms rule to alert on the first observed device matching the same fingerprint.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| rules/integrations/entityanalytics_entra_id/persistence_entra_id_device_phishing_kit_default_os_build.toml | New-terms “first seen” detection in Entra ID Entity Analytics device inventory for the default OS build + DESKTOP-* naming pattern. |
| rules/integrations/azure/persistence_entra_id_phishing_kit_default_os_build_device_registration.toml | Real-time (audit log) detection for device registration (Add device) events matching the same OS build + display name pattern. |
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
Pull Request
Issue link(s):
Summary - What I changed
Adds specific detections for Kali365 & Tycoon phishing kits related to default OS build that is used to register virtual devices prior to PRT request. Used in all instances from dynamic testing.
How To Test
Query can be used in TRADE stack. No hits in other telemetry.
Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist