GitHub Repo

Analytics Story: Azure Active Directory Persistence

Date: 2024-09-24 ID: dca983db-6334-4a0d-be32-80611ca1396c Author: Mauricio Velazco, Splunk Product: Splunk Enterprise Security

Description

Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.

Why it matters

Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Azure AD External Guest User Invited Cloud Account TTP
Azure AD FullAccessAsApp Permission Assigned Additional Email Delegate Permissions, Additional Cloud Roles TTP
Azure AD Global Administrator Role Assigned Additional Cloud Roles TTP
Azure AD Multiple Service Principals Created by SP Cloud Account Anomaly
Azure AD Multiple Service Principals Created by User Cloud Account Anomaly
Azure AD New Custom Domain Added Trust Modification TTP
Azure AD New Federated Domain Added Trust Modification TTP
Azure AD New MFA Method Registered Device Registration TTP
Azure AD PIM Role Assigned Additional Cloud Roles TTP
Azure AD PIM Role Assignment Activated Additional Cloud Roles TTP
Azure AD Privileged Graph API Permission Assigned Security Account Manager TTP
Azure AD Privileged Role Assigned Additional Cloud Roles TTP
Azure AD Service Principal Created Cloud Account TTP
Azure AD Service Principal New Client Credentials Additional Cloud Credentials TTP
Azure AD Service Principal Owner Added Account Manipulation TTP
Azure AD Tenant Wide Admin Consent Granted Additional Cloud Roles TTP
Azure AD User Enabled And Password Reset Account Manipulation TTP
Azure AD User ImmutableId Attribute Updated Account Manipulation TTP
Azure Automation Account Created Cloud Account TTP
Azure Automation Runbook Created Cloud Account TTP
Azure Runbook Webhook Created Cloud Accounts TTP
O365 Application Available To Other Tenants Additional Cloud Roles TTP
O365 Cross-Tenant Access Change Trust Modification TTP
O365 External Guest User Invited Cloud Account TTP
O365 External Identity Policy Changed Cloud Account TTP
O365 Privileged Role Assigned Additional Cloud Roles TTP
O365 SharePoint Allowed Domains Policy Changed Cloud Account TTP
O365 SharePoint Malware Detection Malicious File TTP
Windows Azure PowerShell Module Installation Via PowerShell Script Valid Accounts, Cloud Services, Cloud Account, Account Manipulation, Cloud Groups Anomaly
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script Domain Trust Discovery, Valid Accounts, Exploitation for Credential Access, Web Protocols TTP
Windows Entra User Management Via Azure CLI Create Account, Cloud Accounts, Account Manipulation Anomaly
Windows Multiple Account Passwords Changed Account Manipulation, Valid Accounts TTP
Windows Multiple Accounts Deleted Account Manipulation, Valid Accounts TTP
Windows Multiple Accounts Disabled Account Manipulation, Valid Accounts TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Azure Active Directory Azure icon Azure azure:monitor:aad Azure AD
Azure Active Directory Add member to role Azure icon Azure azure:monitor:aad Azure AD
Azure Active Directory Add owner to application Azure icon Azure azure:monitor:aad Azure AD
Azure Active Directory Add service principal Azure icon Azure azure:monitor:aad Azure AD
Azure Active Directory Add unverified domain Azure icon Azure azure:monitor:aad Azure AD
Azure Active Directory Consent to application Azure icon Azure azure:monitor:aad Azure AD
Azure Active Directory Enable account Azure icon Azure azure:monitor:aad Azure AD
Azure Active Directory Invite external user Azure icon Azure azure:monitor:aad Azure AD
Azure Active Directory Reset password (by admin) Azure icon Azure azure:monitor:aad Azure AD
Azure Active Directory Set domain authentication Azure icon Azure azure:monitor:aad Azure AD
Azure Active Directory Update application Azure icon Azure azure:monitor:aad Azure AD
Azure Active Directory Update user Azure icon Azure azure:monitor:aad Azure AD
Azure Audit Create or Update an Azure Automation Runbook Azure icon Azure mscs:azure:audit mscs:azure:audit
Azure Audit Create or Update an Azure Automation account Azure icon Azure mscs:azure:audit mscs:azure:audit
Azure Audit Create or Update an Azure Automation webhook Azure icon Azure mscs:azure:audit mscs:azure:audit
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Office 365 Universal Audit Log Other o365:management:activity o365
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4724 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4725 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4726 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security

References

Source: GitHub | Version: 2