Analytics Story: Azure Active Directory Account Takeover

Description

Monitor for activities and techniques associated with Account Takeover attacks against Azure Active Directory tenants.

Why it matters

Azure Active Directory (Azure AD) is Microsoft's enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most Azure services, such as Office 365. It can sync with on-premises Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts using techniques such as brute force, social engineering, phishing and spear phishing, and credential stuffing. By posing as the real user, cybercriminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.

Detections

| Name | Technique | Type |
|------|-----------|------|
| Azure Active Directory High Risk Sign-in | Password Spraying, Cloud Accounts | TTP |
| Azure AD Authentication Failed During MFA Challenge | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Azure AD Block User Consent For Risky Apps Disabled | Impair Defenses | TTP |
| Azure AD Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| Azure AD Device Code Authentication | Steal Application Access Token, Spearphishing Link | TTP |
| Azure AD High Number Of Failed Authentications For User | Password Guessing | TTP |
| Azure AD High Number Of Failed Authentications From Ip | Password Guessing, Password Spraying | TTP |
| Azure AD Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts | TTP |
| Azure AD Multi-Source Failed Authentications Spike | Password Spraying, Credential Stuffing, Cloud Accounts | Hunting |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Valid Accounts | Anomaly |
| Azure AD Multiple Denied MFA Requests For User | Multi-Factor Authentication Request Generation | TTP |
| Azure AD Multiple Failed MFA Requests For User | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Azure AD Multiple Users Failing To Authenticate From Ip | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly |
| Azure AD New MFA Method Registered For User | Multi-Factor Authentication | TTP |
| Azure AD OAuth Application Consent Granted By User | Steal Application Access Token | TTP |
| Azure AD Service Principal Authentication | Cloud Accounts | TTP |
| Azure AD Successful Authentication From Different Ips | Password Guessing, Password Spraying | TTP |
| Azure AD Successful PowerShell Authentication | Cloud Accounts, Cloud Accounts | TTP |
| Azure AD Successful Single-Factor Authentication | Cloud Accounts, Cloud Accounts | TTP |
| Azure AD Unusual Number of Failed Authentications From Ip | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly |
| Azure AD User Consent Blocked for Risky Application | Steal Application Access Token | TTP |
| Azure AD User Consent Denied for OAuth Application | Steal Application Access Token | TTP |
| Microsoft Intune Device Health Scripts | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting |
| Microsoft Intune DeviceManagementConfigurationPolicies | Software Deployment Tools, Domain or Tenant Policy Modification, Cloud Services, Disable or Modify Tools, Disable or Modify System Firewall | Hunting |
| Microsoft Intune Manual Device Management | Cloud Services, Software Deployment Tools, System Shutdown/Reboot | Hunting |
| Microsoft Intune Mobile Apps | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting |
| O365 Application Available To Other Tenants | Additional Cloud Roles | TTP |
| O365 Email Access By Security Administrator | Remote Email Collection, Exfiltration Over Web Service | TTP |
| O365 Threat Intelligence Suspicious File Detected | Malicious File | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| Azure Active Directory | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Consent to application | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Disable Strong Authentication | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Sign-in activity | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Update authorization policy | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory User registered security info | Azure | azure:monitor:aad | Azure AD |
| Azure Monitor Activity | Azure | azure:monitor:activity | Azure AD |
| Office 365 Universal Audit Log | N/A | o365:management:activity | o365 |

Source: GitHub | Version: 2