|
Detect Distributed Password Spray Attempts
|
Azure Active Directory Sign-in activity
|
Password Spraying
Brute Force
|
Hunting
|
Active Directory Password Spraying, Compromised User Account
|
2023-11-01
|
|
Azure Active Directory High Risk Sign-in
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-22
|
|
Azure AD Admin Consent Bypassed by Service Principal
|
Azure Active Directory Add app role assignment to service principal
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-07-02
|
|
Azure AD Application Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation
|
2024-05-15
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-18
|
|
Azure AD Block User Consent For Risky Apps Disabled
|
Azure Active Directory Update authorization policy
|
Impair Defenses
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-23
|
|
Azure AD Concurrent Sessions From Different Ips
|
Azure Active Directory
|
Browser Session Hijacking
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-08-05
|
|
Azure AD Device Code Authentication
|
Azure Active Directory
|
Steal Application Access Token
Phishing
Spearphishing Link
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-28
|
|
Azure AD External Guest User Invited
|
Azure Active Directory Invite external user
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-05-11
|
|
Azure AD FullAccessAsApp Permission Assigned
|
Azure Active Directory Update application
|
Additional Email Delegate Permissions
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-12
|
|
Azure AD Global Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-05-29
|
|
Azure AD High Number Of Failed Authentications For User
|
Azure Active Directory
|
Brute Force
Password Guessing
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-05-29
|
|
Azure AD High Number Of Failed Authentications From Ip
|
Azure Active Directory
|
Brute Force
Password Guessing
Password Spraying
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group
|
2024-08-05
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
Compromise Accounts
Cloud Accounts
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-23
|
|
Azure AD Multi-Source Failed Authentications Spike
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Hunting
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-05-14
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
Valid Accounts
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-05-26
|
|
Azure AD Multiple Denied MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-18
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-20
|
|
Azure AD Multiple Service Principals Created by SP
|
Azure Active Directory Add service principal
|
Cloud Account
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-13
|
|
Azure AD Multiple Service Principals Created by User
|
Azure Active Directory Add service principal
|
Cloud Account
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-13
|
|
Azure AD Multiple Users Failing To Authenticate From Ip
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-05-13
|
|
Azure AD New Custom Domain Added
|
Azure Active Directory Add unverified domain
|
Domain or Tenant Policy Modification
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2024-05-14
|
|
Azure AD New Federated Domain Added
|
Azure Active Directory Set domain authentication
|
Domain or Tenant Policy Modification
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2024-05-28
|
|
Azure AD New MFA Method Registered
|
Azure Active Directory Update user
|
Account Manipulation
Device Registration
|
TTP
|
Azure Active Directory Persistence
|
2024-05-16
|
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-05-29
|
|
Azure AD OAuth Application Consent Granted By User
|
Azure Active Directory Consent to application
|
Steal Application Access Token
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-24
|
|
Azure AD PIM Role Assigned
|
Azure Active Directory
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-05-14
|
|
Azure AD PIM Role Assignment Activated
|
Azure Active Directory
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-05-25
|
|
Azure AD Privileged Authentication Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Security Account Manager
|
TTP
|
Azure Active Directory Privilege Escalation
|
2024-05-20
|
|
Azure AD Privileged Graph API Permission Assigned
|
Azure Active Directory Update application
|
Security Account Manager
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-11
|
|
Azure AD Privileged Role Assigned
|
Azure Active Directory Add member to role
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-29
|
|
Azure AD Privileged Role Assigned to Service Principal
|
Azure Active Directory Add member to role
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-05-31
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-05-21
|
|
Azure AD Service Principal Created
|
Azure Active Directory Add service principal
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-30
|
|
Azure AD Service Principal New Client Credentials
|
Azure Active Directory
|
Account Manipulation
Additional Cloud Credentials
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-05-11
|
|
Azure AD Service Principal Owner Added
|
Azure Active Directory Add owner to application
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-05-28
|
|
Azure AD Successful Authentication From Different Ips
|
Azure Active Directory
|
Brute Force
Password Guessing
Password Spraying
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-05-26
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-23
|
|
Azure AD Tenant Wide Admin Consent Granted
|
Azure Active Directory Consent to application
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-23
|
|
Azure AD Unusual Number of Failed Authentications From Ip
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-05-15
|
|
Azure AD User Consent Blocked for Risky Application
|
Azure Active Directory Consent to application
|
Steal Application Access Token
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-30
|
|
Azure AD User Consent Denied for OAuth Application
|
Azure Active Directory Sign-in activity
|
Steal Application Access Token
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-18
|
|
Azure AD User Enabled And Password Reset
|
Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence
|
2024-05-26
|
|
Azure AD User ImmutableId Attribute Updated
|
Azure Active Directory Update user
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence
|
2024-05-24
|
|
Azure Automation Account Created
|
Azure Audit Create or Update an Azure Automation account
|
Create Account
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-05-24
|
|
Azure Automation Runbook Created
|
Azure Audit Create or Update an Azure Automation Runbook
|
Create Account
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-05-11
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-05-23
|