-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
ff5e556
commit 9a4eec3
Showing
1 changed file
with
102 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,102 @@ | ||
| # T1539 Potential Entra ID AiTM Phishing from Azure | ||
|
|
||
| Detect possible AiTM phishing attacks originating from Azure infrastructure such as Azure Functions. | ||
|
|
||
| ## Hunt Tags | ||
|
|
||
| **ID:** T1539.Entra.AzureAiTMPhishing | ||
|
|
||
| **Author:** [Nicola Suter](https://nicolasuter.ch) | ||
|
|
||
| **License:** [MIT License](https://github.com/nicolonsky/ITDR/blob/main/LICENSE) | ||
|
|
||
| **References:** [Link to medium post](https://nicolasuter.medium.com) | ||
|
|
||
| ## ATT&CK Tags | ||
|
|
||
| **Tactic:** Credential Access (TA0006) / Phishing (T1566) | ||
|
|
||
| **Technique:** Steal Web Session Cookie (T1539) | ||
|
|
||
| ## Technical description of the attack | ||
|
|
||
| Attackers can host AiTM phishing kits directly on Azure and leverage Microsoft provided public ip addresses for internet connectivity. It is also possible to deploy Azure Functions or app services to conduct the attack. During the attack the session cookies will be captured and allow replay. | ||
|
|
||
| ## Permission required to execute the technique | ||
|
|
||
| None. | ||
|
|
||
| ## Detection description | ||
|
|
||
| The detection is based on the Entra Sign-In Logs and the following assumptions: | ||
|
|
||
| * Empty Entra Device IDs | ||
| * Sign-In originating not from a named or trusted location | ||
| * The application name matches OfficeHome | ||
| * The Sign-In IP address originates from the Microsoft Azure IP address ranges | ||
|
|
||
|
|
||
| ## Utilized Data Source | ||
|
|
||
| | Event ID | Event Name | Log Provider | ATT&CK Data Source | | ||
| | -------- | ----------------------------- | ------------ | ------------------ | | ||
| | - | SignInLogs | Entra ID | Cloud Service | | ||
|
|
||
| ## Hunt details | ||
|
|
||
| ### KQL | ||
|
|
||
| **FP Rate:** _Medium_ | ||
|
|
||
| **Source:** _Entra ID_ | ||
|
|
||
| **Description:** _Hunt for interactive sign-in logs that originated from Azure Service Tags / Endpoints._ | ||
|
|
||
| **Query:** | ||
|
|
||
| ```kusto | ||
| let AzureIPInfo = externaldata(changeNumber: int, cloud: string, values: dynamic)[h"https://stsecopsn01.blob.core.windows.net/watchlists/ServiceTags_Public_20240311.json"] with (format = 'multijson') | ||
| | project-away changeNumber, cloud | ||
| | mv-expand parse_json(values) | ||
| | extend Name = values.name | ||
| | extend AddressPrefixes = values.properties.addressPrefixes | ||
| | extend Platform = values.properties.platform | ||
| | summarize make_list(AddressPrefixes); | ||
| SigninLogs | ||
| | where TimeGenerated > ago(90d) | ||
| | where ResultType == 0 | ||
| | where DeviceDetail.trustType == '' | ||
| // Match with Azure IPs | ||
| | where ipv4_is_in_any_range(IPAddress, toscalar(AzureIPInfo)) | ||
| // Assuming the IPs have not been added as named or trusted locations | ||
| | extend ConfidenceScoreNetwork = iif(NetworkLocationDetails == '[]', 1.0, 0.1) | ||
| // OfficeHome is most often used in phishing kits | ||
| | extend ConfidenceScoreApp = iif(AppDisplayName =~ 'OfficeHome', 1.0, 0.75) | ||
| | extend ConfidenceScore = ConfidenceScoreApp * ConfidenceScoreNetwork | ||
| | where ConfidenceScore > 0.5 | ||
| | distinct | ||
| TimeGenerated, | ||
| UserPrincipalName = '{PII Removed}', | ||
| UserAgent, | ||
| AppDisplayName, | ||
| IPAddress, | ||
| ConfidenceScore, | ||
| RiskDetail | ||
| ``` | ||
|
|
||
| ## Considerations | ||
|
|
||
| - The Azure IP Address ranges must be available on a storage account or watchlist. Official download link: <https://www.microsoft.com/en-gb/download/details.aspx?id=56519> | ||
|
|
||
| ## False Positives | ||
|
|
||
| The IP address from Microsoft Azure IP ranges could be legitimate, e.g. from virtual machines that do not have explicit outbound connectivity methods via NAT gateway or firewall. | ||
|
|
||
|
|
||
| ## Detection Blind Spots | ||
|
|
||
| - Mismatch of assumptions or phishing from a named location | ||
|
|
||
| ## References | ||
|
|
||
| - <https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign> |