Saturday, 28 January 2023

Detecting AiTM Phishing Attacks with Microsoft Sentinel and MSTICPy

In today's corporate world, many organizations are embracing multi-cloud and hybrid cloud environments, a strategic move that brings flexibility and cost efficiency. However, this shift has also increased the cyber-attack risk, whether from commodity threats or from targeted attacks by Advanced Persistent Threat (APT) groups.

These attacks have become alarmingly sophisticated, with the ability to bypass security sensors and establish persistent access within the enterprise environment. To detect and combat such activity, it is essential to employ a SIEM (Security Information and Event Management) platform such as Microsoft Sentinel that is capable of hunting threats across multi-cloud environments.

Multi-cloud threat hunting is the art of uncovering and neutralizing security threats that traverse multiple cloud infrastructures. Microsoft Sentinel is one tool well suited to this purpose: it lets organizations collect, monitor and analyze security events across their entire estate, including on-premises, cloud and hybrid environments. The rest of this post walks through one concrete hunting scenario in Sentinel.


One of the essential features of Sentinel is its ability to hunt for and respond to Advanced Persistent Threats (APTs), highly targeted attacks designed to evade traditional security controls. A common tactic used by cybercriminals against cloud identities is Adversary-in-the-Middle (AiTM) phishing. Here the attacker does not build a fake login page; instead the phishing link leads to a reverse proxy that relays every request and response to the legitimate sign-in page (for example the Microsoft 365 login). The victim sees the real page, enters real credentials and completes the real MFA prompt, while the proxy captures the credentials and, more importantly, the session cookie that the identity provider issues after MFA. Replaying that cookie gives the attacker an authenticated session without another MFA challenge, which is why MFA alone does not stop this attack and why the detections below focus on the replayed session rather than only on the lure.

Microsoft Sentinel sees the relevant data through the Microsoft 365 Defender data connector, which streams the Defender for Office 365 mail tables (EmailEvents, EmailAttachmentInfo, EmailUrlInfo, EmailPostDeliveryEvents), the Defender alert tables (AlertInfo, AlertEvidence) and Defender for Cloud Apps activity (CloudAppEvents) into the Log Analytics workspace. There KQL can join sender IPs, URL domains and attachment hashes against the ThreatIntelligenceIndicator table to surface known malicious infrastructure, and correlate identity alerts with mailbox activity to spot the post-compromise phase of an AiTM attack.

Another significant aspect of multi-cloud threat hunting is log analytics. Sentinel provides a robust log analytics engine (KQL over a Log Analytics workspace) that allows organizations to search and analyze large volumes of log data from multiple sources, such as firewall logs, intrusion detection systems and cloud services, including data brought in through third-party data connectors. This enables organizations to identify and respond to security threats in near real time, and to generate reports and charts that track trends and highlight areas of concern in their security posture.


AiTM Phishing Attack chain

An example of an AiTM phishing attack would be an email that appears to come from a trusted source, such as a bank, a government agency or the organization's own IT department, containing a link (or an HTML attachment that redirects) to a sign-in page. The page looks legitimate because it is the legitimate page, proxied by the attacker. Once the user signs in and passes MFA, the attacker holds a valid session cookie and typically signs in from their own infrastructure, reads the mailbox, and creates inbox rules to hide replies from the follow-on business email compromise (BEC) fraud.

One way to detect AiTM phishing attacks with Sentinel is to use log analytics to search for suspicious patterns in email-related data, enriched with good threat intelligence feeds that track currently active campaigns.

For example, a query to detect AiTM phishing attacks could include the following elements:

  • Email messages that carry attachments with a file extension commonly associated with malware, such as .exe or .js. This mainly catches commodity phishing; an AiTM lure is usually just a link or an HTML attachment that redirects.
  • Email messages that contain links to known malicious domains or IP addresses, or that were sent from a sender IP present in a threat intelligence feed.
  • Email messages whose envelope sender domain (SenderMailFromDomain) differs from the domain displayed in the "From" header (SenderFromDomain). Legitimate bulk mailers do this too, so treat it as a weak signal to be combined with others.
  • Email messages from a campaign that were delivered and later removed by zero-hour auto purge (ZAP), recorded in EmailPostDeliveryEvents and reflected in the LatestDeliveryAction of EmailEvents.
  • Suspicious inbox rule creations (New-InboxRule in CloudAppEvents) or the Azure AD Identity Protection "Anomalous Token" alert firing. These are the AiTM-specific signals, because they come from the replayed session rather than from the lure.

Here's an example of a query that could be used to detect AiTM phishing attacks in Sentinel:

//Detect suspicious email attachments, or sender IPs / attachment hashes that match a threat intelligence indicator.
let lookback = 7d;
//Active TI indicators that carry an IP address (source IP or generic network IP).
let ti_ips = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d) and Active == true and ExpirationDateTime > now()
    | extend Ip = coalesce(NetworkSourceIP, NetworkIP)
    | where isnotempty(Ip)
    | distinct Ip;
//Active TI indicators that carry a SHA256 hash (64 hex characters); normalised to lower case for matching.
let ti_hashes = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d) and Active == true and ExpirationDateTime > now()
    | where strlen(FileHashValue) == 64
    | extend Hash = tolower(FileHashValue)
    | distinct Hash;
EmailEvents
| where TimeGenerated > ago(lookback)
//leftouter keeps messages without attachments so the sender-IP check still applies to them.
| join kind=leftouter EmailAttachmentInfo on NetworkMessageId
//Parenthesise the extension test: "and" binds tighter than "or" in KQL, so without the
//brackets only the .js branch would be combined with the TI conditions.
| where (FileName endswith ".exe" or FileName endswith ".js")
    or SenderIPv4 in (ti_ips)
    or SenderIPv6 in (ti_ips)
    or tolower(SHA256) in (ti_hashes)
| project TimeGenerated, NetworkMessageId, SenderFromAddress, SenderMailFromAddress, SenderIPv4, SenderIPv6,
    RecipientEmailAddress, Subject, FileName, SHA256, DeliveryAction, LatestDeliveryAction

This query looks for email messages that carry an attachment with a .exe or .js extension, or whose sender IP address or attachment SHA256 hash matches an active indicator in the ThreatIntelligenceIndicator table. The TI table is referenced through two let statements rather than passed directly to has_any, because has_any expects a list of terms, not a table, and IP addresses and hashes should be matched exactly with in rather than by term search.
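The same mail-side heuristics from the list above, scored together so that a weak signal such as a From/MAIL FROM mismatch only matters when it coincides with something stronger. This is an added, offline Python example written for this article, not code from the original post or from Microsoft; the field names follow the Defender for Office 365 tables, while the indicator sets and the four sample messages are constructed stand-ins (documentation IP ranges and a reserved domain), and the weights are an assumption to be tuned per environment.

```python
from dataclasses import dataclass, field

# Constructed indicator sets standing in for the ThreatIntelligenceIndicator
# table. The values use reserved/documentation ranges and are not real IOCs.
TI_IPS = {"203.0.113.45"}
TI_DOMAINS = {"login-verify.example"}
TI_SHA256 = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}

# Extensions that should never arrive by mail in most environments
RISKY_EXTENSIONS = (".exe", ".js", ".hta", ".vbs", ".scr")

# Assumed weights. Header/envelope mismatch alone is common for legitimate
# bulk mail, so it only tips a message over the threshold alongside another signal.
WEIGHTS = {
    "risky_attachment": 3,
    "attachment_hash_ti": 5,
    "sender_ip_ti": 4,
    "url_domain_ti": 5,
    "from_mismatch": 1,
    "removed_after_delivery": 4,
}


@dataclass
class Email:
    """Subset of EmailEvents / EmailUrlInfo / EmailAttachmentInfo columns."""
    network_message_id: str
    sender_from_domain: str        # domain of the displayed From: header
    sender_mail_from_domain: str   # envelope MAIL FROM (return-path) domain
    sender_ipv4: str
    url_domains: list = field(default_factory=list)   # EmailUrlInfo.UrlDomain values
    attachments: list = field(default_factory=list)   # (FileName, SHA256) pairs
    removed_after_delivery: bool = False              # set from EmailPostDeliveryEvents (ZAP)


def domain_in_set(domain, ti_domains):
    """True if the domain or any parent domain (excluding the bare TLD) is listed."""
    parts = domain.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in ti_domains for i in range(len(parts) - 1))


def evaluate(email):
    """Return (score, ordered list of matched signal names) for one message."""
    reasons = []
    for name, sha in email.attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("risky_attachment")
        if sha.lower() in TI_SHA256:
            reasons.append("attachment_hash_ti")
    if email.sender_ipv4 in TI_IPS:
        reasons.append("sender_ip_ti")
    if any(domain_in_set(d, TI_DOMAINS) for d in email.url_domains):
        reasons.append("url_domain_ti")
    if email.sender_from_domain.lower() != email.sender_mail_from_domain.lower():
        reasons.append("from_mismatch")
    if email.removed_after_delivery:
        reasons.append("removed_after_delivery")
    reasons = list(dict.fromkeys(reasons))           # dedupe, keep first-seen order
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(emails, threshold=4):
    """Messages at or above the threshold, highest score first."""
    hits = []
    for e in emails:
        score, reasons = evaluate(e)
        if score >= threshold:
            hits.append((e.network_message_id, score, reasons))
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample messages
SAMPLE = [
    Email("msg-001", "contoso.com", "contoso.com", "198.51.100.10"),                   # ordinary mail
    Email("msg-002", "newsletter.example", "bounce.mailer.example", "198.51.100.20"),  # bulk mail: mismatch only
    Email("msg-003", "contoso.com", "attacker.example", "203.0.113.45",
          attachments=[("invoice.pdf.exe", "ab" * 32)]),                               # commodity phish
    Email("msg-004", "contoso.com", "hr-portal.example", "198.51.100.30",
          url_domains=["auth.login-verify.example"], removed_after_delivery=True),    # AiTM lure, later purged
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Running it ranks msg-004 (TI-listed link domain, later purged) above msg-003 (risky attachment from a TI-listed IP) and drops msg-002, the bulk-mail mismatch on its own, which is the behaviour you want before these signals feed an analytics rule.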


//Find cloud sign-in sessions tagged by the Azure AD Identity Protection "Anomalous Token" alert.
//The alert fires when a token shows abnormal characteristics, such as an unusual lifetime or
//being replayed from an unfamiliar location, which is what a stolen AiTM session cookie looks like.
let suspiciousSessionIds = materialize(
    AlertInfo
    | where TimeGenerated > ago(7d)
    | where Title == "Anomalous Token"
    | join kind=inner (
        AlertEvidence
        | where TimeGenerated > ago(7d)
        | where EntityType == "CloudLogonSession") on AlertId
    //AdditionalFields holds the evidence details as JSON; cast the session id to string for matching.
    | extend SessionId = tostring(todynamic(AdditionalFields).SessionId)
    | where isnotempty(SessionId)
    | distinct SessionId);
//Skip the CloudAppEvents scan entirely when there are no flagged sessions.
let hasSuspiciousSessionIds = isnotempty(toscalar(suspiciousSessionIds));
//Find inbox rules created during a session that used the anomalous token. The 21-day window is
//wider than the alert window so that rules created before the alert was raised are not missed.
CloudAppEvents
| where hasSuspiciousSessionIds
| where TimeGenerated > ago(21d)
| where ActionType == "New-InboxRule"
| extend SessionId = tostring(RawEventData.SessionId)
| where SessionId in (suspiciousSessionIds)
| project TimeGenerated, AccountDisplayName, AccountObjectId, ActionType, SessionId,
    RuleParameters = RawEventData.Parameters

This query takes the session IDs attached as CloudLogonSession evidence to "Anomalous Token" alerts from the last seven days, then looks for New-InboxRule operations in CloudAppEvents (Exchange Online activity via Defender for Cloud Apps) whose SessionId matches one of them. A rule created inside a session that was flagged for an anomalous token is a strong indication that the attacker, not the user, created it; the rule's Parameters (for example DeleteMessage, MoveToFolder or MarkAsRead) show what it is hiding. Note that the Sentinel copies of these tables use TimeGenerated, whereas the same query in Microsoft 365 Defender advanced hunting uses Timestamp.
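The same correlation carried out step by step over constructed records shaped like the three tables the query reads, so the logic can be checked without a workspace. This is an added Python example written for this article, not code from the original post or from Microsoft; the records, account names and session IDs are constructed, the fixed "now" keeps the time windows reproducible, and the list of folders treated as hiding places is an assumption drawn from common BEC tradecraft rather than from the page.

```python
import json
from datetime import datetime, timedelta, timezone

# Fixed reference time so the 7-day and 21-day windows are reproducible
NOW = datetime(2023, 1, 28, tzinfo=timezone.utc)

# Constructed rows shaped like AlertInfo, AlertEvidence and CloudAppEvents
ALERT_INFO = [
    {"TimeGenerated": NOW - timedelta(days=2), "AlertId": "da-1001", "Title": "Anomalous Token"},
    {"TimeGenerated": NOW - timedelta(days=3), "AlertId": "da-1002", "Title": "Unfamiliar sign-in properties"},
    {"TimeGenerated": NOW - timedelta(days=12), "AlertId": "da-1003", "Title": "Anomalous Token"},  # outside 7d
]
ALERT_EVIDENCE = [
    {"AlertId": "da-1001", "EntityType": "CloudLogonSession", "AdditionalFields": json.dumps({"SessionId": "sess-aaa"})},
    {"AlertId": "da-1001", "EntityType": "User", "AdditionalFields": json.dumps({"Upn": "alice@contoso.com"})},
    {"AlertId": "da-1002", "EntityType": "CloudLogonSession", "AdditionalFields": json.dumps({"SessionId": "sess-bbb"})},
    {"AlertId": "da-1003", "EntityType": "CloudLogonSession", "AdditionalFields": json.dumps({"SessionId": "sess-old"})},
]
CLOUD_APP_EVENTS = [
    {"TimeGenerated": NOW - timedelta(days=2, hours=1), "ActionType": "New-InboxRule",
     "AccountDisplayName": "alice@contoso.com",
     "RawEventData": {"SessionId": "sess-aaa", "Parameters": [
         {"Name": "Name", "Value": "."},                          # attacker rules are often named "." or ","
         {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
         {"Name": "DeleteMessage", "Value": "True"}]}},
    {"TimeGenerated": NOW - timedelta(days=5), "ActionType": "New-InboxRule",
     "AccountDisplayName": "bob@contoso.com",
     "RawEventData": {"SessionId": "sess-ccc", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "MoveToFolder", "Value": "Reading"}]}},
    {"TimeGenerated": NOW - timedelta(days=2), "ActionType": "Set-InboxRule",
     "AccountDisplayName": "alice@contoso.com",
     "RawEventData": {"SessionId": "sess-aaa", "Parameters": []}},
]

# Assumed set of folders commonly used to bury mail the victim must not see
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history", "junk email"}


def suspicious_session_ids(alert_info, alert_evidence, now=NOW, lookback=timedelta(days=7)):
    """Session IDs attached as CloudLogonSession evidence to recent Anomalous Token alerts."""
    recent = {a["AlertId"] for a in alert_info
              if a["Title"] == "Anomalous Token" and a["TimeGenerated"] > now - lookback}
    sessions = set()
    for ev in alert_evidence:
        if ev["AlertId"] in recent and ev["EntityType"] == "CloudLogonSession":
            sid = json.loads(ev["AdditionalFields"]).get("SessionId")   # AdditionalFields is JSON text
            if sid:
                sessions.add(sid)
    return sessions


def flatten_parameters(raw_event):
    """Turn the Exchange audit Parameters array of {Name, Value} into a dict."""
    return {p["Name"]: p["Value"] for p in raw_event.get("Parameters", [])}


def is_hiding_rule(params):
    """Heuristic: does the rule delete, bury or silently mark messages as read?"""
    if params.get("DeleteMessage", "").lower() == "true":
        return True
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        return True
    return params.get("MarkAsRead", "").lower() == "true"


def inbox_rules_from_sessions(cloud_app_events, sessions, now=NOW, lookback=timedelta(days=21),
                              action_types=("New-InboxRule",)):
    """Inbox-rule operations whose SessionId belongs to a flagged session."""
    if not sessions:                      # mirrors the hasSuspiciousSessionIds gate in the KQL
        return []
    hits = []
    for ev in cloud_app_events:
        if ev["ActionType"] not in action_types or ev["TimeGenerated"] <= now - lookback:
            continue
        raw = ev["RawEventData"]
        if raw.get("SessionId") in sessions:
            rule = flatten_parameters(raw)
            hits.append({"account": ev["AccountDisplayName"], "action": ev["ActionType"],
                         "session": raw["SessionId"], "rule": rule, "hiding": is_hiding_rule(rule)})
    return hits


if __name__ == "__main__":
    flagged = suspicious_session_ids(ALERT_INFO, ALERT_EVIDENCE)
    for hit in inbox_rules_from_sessions(CLOUD_APP_EVENTS, flagged):
        print(hit)
```

Only alice's rule surfaces: da-1002 has a different title, da-1003 falls outside the alert window, bob's rule belongs to an unflagged session, and the Set-InboxRule modification is excluded by the default action list. Passing action_types=("New-InboxRule", "Set-InboxRule") widens the hunt to rule modifications, which attackers use just as readily.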

It's important to note that these are simple example queries, and organizations should work with their hunters or security team to adjust them to their own environment, for example by excluding known bulk mailers or tuning the lookback windows. These queries are also just one way to detect AiTM phishing; other techniques, such as correlating sign-in logs for the same session cookie appearing from two locations, can be layered on top. Combining several methods is what makes a threat-hunting program effective.

Detecting AiTM activity using MSTICPy + Jupyter notebook

MSTICPy is a Python library from the Microsoft Threat Intelligence Center (MSTIC) for threat hunting and incident response in Jupyter notebooks against Microsoft Sentinel and other data sources. It covers querying the workspace (QueryProvider), enriching indicators against threat intelligence providers (TILookup), geolocation and visualization, so data returned by a KQL query can be analyzed further in pandas, which is useful when hunting for the mail and session artefacts of an AiTM phishing attack.

Here is an example of how MSTICPy can be used to hunt for suspicious mail in Microsoft Sentinel (formerly Azure Sentinel) and enrich it with threat intelligence:

 

# MSTICPy 2.x module paths; the notebook initialisation loads pandas and the
# msticpyconfig.yaml settings for workspaces and threat intelligence providers
import msticpy as mp
import pandas as pd
from msticpy.common.wsconfig import WorkspaceConfig
from msticpy.context.tilookup import TILookup
from msticpy.data import QueryProvider

# Initialize the Jupyter notebook environment
mp.init_notebook()

# Connect to the Sentinel workspace defined in msticpyconfig.yaml
qry_prov = QueryProvider("MSSentinel")
qry_prov.connect(WorkspaceConfig())

# Query Sentinel for mail that carries a .exe or .js attachment; the join to
# EmailEvents brings in the sender IP and recipient for each message
query = """
EmailEvents
| where TimeGenerated > ago(7d)
| join kind=inner EmailAttachmentInfo on NetworkMessageId
| where FileName endswith '.exe' or FileName endswith '.js'
| project TimeGenerated, NetworkMessageId, SenderFromAddress, SenderIPv4,
          RecipientEmailAddress, Subject, FileName, SHA256
"""

# Execute the query; the result is a pandas DataFrame
email_results = qry_prov.exec_query(query)

# Enrich the sender IPs and attachment hashes with the TI providers configured
# in msticpyconfig.yaml (one result row per observable per provider)
ti = TILookup()
ip_hits = ti.lookup_iocs(data=email_results, obs_col="SenderIPv4")
hash_hits = ti.lookup_iocs(data=email_results, obs_col="SHA256")

# Keep only observables that at least one provider rated above informational
flagged = pd.concat([ip_hits, hash_hits])
flagged = flagged[flagged["Severity"].isin(["warning", "high"])]

# Show the flagged observables
display(flagged[["Ioc", "IocType", "Provider", "Severity", "Details"]])

This code connects MSTICPy's QueryProvider to the Sentinel workspace, runs the KQL for messages with .exe or .js attachments, and passes the sender IPs and attachment hashes from the resulting DataFrame through TILookup, which queries every threat intelligence provider configured in msticpyconfig.yaml and returns one row per observable and provider with a severity rating. Filtering on that rating leaves the messages worth investigating.

 

It's important to note that TILookup is only one of the building blocks MSTICPy offers here: IoCExtract can pull URLs, domains, IP addresses and hashes out of free text such as a mail body, the GeoIP lookups can place sender IPs on a map, and the same QueryProvider can run the session-correlation query from the previous section and return it as a DataFrame for further pivoting. This is just a simple example and organizations should work with their security team and adjust the code to their specific needs and environment.

Please note that to use the method outlined here, Microsoft Sentinel must be configured with the Microsoft 365 Defender data connector so that the mail, alert and cloud-app tables are present in the workspace, and MSTICPy must be configured through msticpyconfig.yaml with the workspace and tenant IDs and with API keys for the threat intelligence providers you want TILookup to query. Be aware that this is but one technique for detecting Adversary-in-the-Middle phishing attacks; other methods and approaches may be employed to detect and thwart Advanced Persistent Threats, and a threat-hunting program is most effective when it combines several of them.


I do hope that this post shall prove useful in identifying basic Adversary-in-the-Middle Phishing activity. Your feedback and experiences in the comments section would be greatly appreciated.
