This rule flags users accessing the local Device Identity Key (the machine key), which could indicate reconnaissance or privilege escalation efforts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify adversaries gathering system-specific information for further exploitation.
KQL Query
```kusto
// Activities:
// 5058 - Key file operation
// 5061 - Cryptographic operation (Event does not provide enough information to filter out potential false positives)
// KeyType:
// %%2499 -> Machine Key
// Operation:
// %%2458 -> Read persisted key from file
// %%2480 -> Open Key
// Machine Keys:
// f686aace6942fb7f7ceb231212eef4a4 -> TSSECKeySet1
let filterList = dynamic(["TSSecKeySet1", "iisCngWasKey", "iisCngConfigurationKey", "ConfigMgrPrimaryKey"]);
SecurityEvent
| where Activity == '5058 - Key file operation.'
| extend EventData = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)
| where KeyType == '%%2499' and SubjectLogonId !in ('0x3e7', '0x3e4')
| where KeyFilePath has 'Microsoft\\Crypto\\Keys\\'
| where KeyName !in (filterList)
| extend ProcessId = ClientProcessId, KeyName = tostring(KeyName), SubjectLogonId = tostring(SubjectLogonId)
```
```yaml
id: 9feddda0-6f46-43b4-a54f-5921e2b136b8
name: Users Opening and Reading the Local Device Identity Key
description: |
  'This detection uses Windows security events to look for users reading the local Device Identity Key (Machine Key).
  This information can be correlated with other events for additional context, covering use cases where a
  machine key together with a transport key can be used to impersonate an Entra ID joined or registered machine.
  Reference: https://o365blog.com/post/deviceidentity/'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Credential Access
relevantTechniques:
  - T1552
tags:
  - SimuLand
  - ATR
  - AADInternals
query: |
  // Activities:
  // 5058 - Key file operation
  // 5061 - Cryptographic operation (Event does not provide enough information to filter out potential false positives)
  // KeyType:
  // %%2499 -> Machine Key
  // Operation:
  // %%2458 -> Read persisted key from file
  // %%2480 -> Open Key
  // Machine Keys:
  // f686aace6942fb7f7ceb231212eef4a4 -> TSSECKeySet1
  let filterList = dynamic(["TSSecKeySet1", "iisCngWasKey", "iisCngConfigurationKey", "ConfigMgrPrimaryKey"]);
  SecurityEvent
  | where Activity == '5058 - Key file operation.'
  | extend EventData = parse_xml(EventData).EventData.Data
  | mv-expand bagexpansion=array EventData
  | evaluate bag_unpack(EventData)
  | extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
  | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)
  | where KeyType == '%%2499' and SubjectLogonId !in ('0x3e7', '0x3e4')
  | where KeyFilePath has 'Microsoft\\Crypto\\Keys\\'
  | where KeyName !in (filterList)
  | extend ProcessId = ClientProcessId, KeyName = tostring(KeyName), SubjectLogonId = tostring(SubjectLogonId)
```
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
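The following is an added example, not part of the rule or the Azure Sentinel content it comes from. It re-implements the query's predicates in Python so the logic can be exercised offline against sample `SecurityEvent` rows (for instance when validating the rule or porting it to another SIEM): the `parse_event_data` function mirrors the `parse_xml` / `bag_unpack` / `pivot` steps by flattening the `<Data Name="...">` elements of the 5058 EventData payload into a dict, and `matches` applies the KeyType, logon-session, key-path and allow-list filters. All event rows, SIDs, key names and paths are constructed sample data; the helper names are this example's own.

```python
"""Offline re-implementation of the 5058 machine-key hunt from the KQL query above
(added example; not the rule's own code)."""
import xml.etree.ElementTree as ET

# Same allow-list of expected machine keys as the query's filterList.
FILTER_LIST = {"TSSecKeySet1", "iisCngWasKey", "iisCngConfigurationKey", "ConfigMgrPrimaryKey"}
# Logon sessions the query excludes: 0x3e7 (SYSTEM) and 0x3e4 (NETWORK SERVICE).
SYSTEM_LOGON_IDS = {"0x3e7", "0x3e4"}
MACHINE_KEY = "%%2499"                    # KeyType resolution string for a machine key
KEY_STORE = "microsoft\\crypto\\keys\\"   # matched case-insensitively, like KQL `has`
ACTIVITY = "5058 - Key file operation."


def parse_event_data(xml_text):
    """Flatten the <Data Name="...">value</Data> list of a SecurityEvent EventData
    column into a dict, mirroring the parse_xml / bag_unpack / pivot steps."""
    fields = {}
    for elem in ET.fromstring(xml_text).iter():
        # The tag may carry the Windows events namespace; compare the local name only.
        if elem.tag.rsplit("}", 1)[-1] == "Data" and "Name" in elem.attrib:
            fields[elem.attrib["Name"]] = (elem.text or "").strip()
    return fields


def matches(event):
    """True when one SecurityEvent row satisfies every predicate of the KQL query."""
    if event.get("Activity") != ACTIVITY:
        return False
    f = parse_event_data(event["EventData"])
    # Compared case-insensitively here; note the KQL `!in` operator is case-sensitive.
    logon_id = f.get("SubjectLogonId", "").lower()
    return (
        f.get("KeyType") == MACHINE_KEY
        and logon_id not in SYSTEM_LOGON_IDS
        and KEY_STORE in f.get("KeyFilePath", "").lower()
        and f.get("KeyName") not in FILTER_LIST
    )


def hunt(events):
    """Return the fields the query projects for every matching row."""
    hits = []
    for ev in events:
        if matches(ev):
            f = parse_event_data(ev["EventData"])
            hits.append({
                "Computer": ev["Computer"],
                "SubjectUserName": f.get("SubjectUserName"),
                "SubjectLogonId": f.get("SubjectLogonId"),
                "KeyName": f.get("KeyName"),
                "KeyFilePath": f.get("KeyFilePath"),
                "ProcessId": f.get("ClientProcessId"),
            })
    return hits


def _event(computer, logon_id, user, key_name, key_type=MACHINE_KEY,
           path="C:\\ProgramData\\Microsoft\\Crypto\\Keys\\1111aaaa2222bbbb3333cccc4444dddd_00000000-0000-0000-0000-000000000000"):
    """Build a constructed SecurityEvent row carrying a 5058 EventData payload (sample data, not a real log)."""
    data = {
        "SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": user,
        "SubjectDomainName": "CONTOSO", "SubjectLogonId": logon_id,
        "ProviderName": "Microsoft Software Key Storage Provider",
        "AlgorithmName": "RSA", "KeyName": key_name, "KeyType": key_type,
        "KeyFilePath": path, "Operation": "%%2458", "ReturnCode": "0x0",
        "ClientProcessId": "4712", "ClientCreationTime": "2024-01-01T00:00:00.000Z",
    }
    xml = ('<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
           + "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
           + "</EventData>")
    return {"Computer": computer, "EventID": 5058, "Activity": ACTIVITY, "EventData": xml}


# Constructed sample rows: only the first should survive the filters.
SAMPLE_EVENTS = [
    _event("wks01.contoso.local", "0x5a3f2", "jdoe", "0a1b2c3d-0000-1111-2222-333344445555"),
    _event("wks01.contoso.local", "0x3E7", "WKS01$", "0a1b2c3d-0000-1111-2222-333344445555"),  # SYSTEM session
    _event("wks01.contoso.local", "0x5a3f2", "jdoe", "TSSecKeySet1"),                          # allow-listed key
    _event("wks01.contoso.local", "0x5a3f2", "jdoe", "0a1b2c3d-0000-1111-2222-333344445555",
           key_type="%%2500"),                                                                 # not a machine key
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running the module prints the single surviving row (the interactive user session reading a non-allow-listed machine key). When tuning for the false-positive scenarios listed below, note that event 5058 carries only `ClientProcessId` and `ClientCreationTime`, not the process image name, so exclusions based on a tool's process name require correlating the hit with the matching process creation event (4688) on the same host before the exclusion can be applied.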
Scenario: System Administrator Reading Device Identity Key for Troubleshooting
Description: A system administrator is using PowerShell or Windows Management Instrumentation (WMI) to read device information for troubleshooting purposes.
Filter/Exclusion: Exclude events where the user is a member of the Administrators group and the event occurred during a known maintenance window or when using tools like PowerShell or WMI.
Scenario: Scheduled Job Accessing Device Identity Key for Compliance Reporting
Description: A scheduled task (e.g., ComplianceReportJob) is configured to access device information as part of a compliance or audit process.
Filter/Exclusion: Exclude events where the event source is a scheduled task or the process name matches known compliance tools like Microsoft Intune or Microsoft Endpoint Manager.
Scenario: User Accessing Device Identity Key via Group Policy Management Console (GPMC)
Description: An administrator is using the Group Policy Management Console (GPMC) to review device information as part of a configuration audit.
Filter/Exclusion: Exclude events where the user is using GPMC or the process name is gpmc.msc or gpedit.msc.
Scenario: Security Software Scanning Device Identity Key for Threat Detection
Description: A security tool like Microsoft Defender or CrowdStrike is scanning system files and accessing device information as part of its threat detection process.
Filter/Exclusion: Exclude events where the process name matches known security tools (e.g., MsMpEng.exe, CrowdStrike or SolarWinds processes).
Scenario: User Accessing Device Identity Key via Local Group Policy Editor for Configuration Review
Description: A user is using the **Local Group Policy Editor