azure_ad_successful_powershell_authentication.yml
74 lines (74 loc) · 2.89 KB
name: Azure AD Successful PowerShell Authentication
id: 62f10052-d7b3-4e48-b57b-56f8e3ac7ceb
version: 2
date: '2023-12-20'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
description: The following analytic identifies a successful authentication event against
  an Azure AD tenant using PowerShell commandlets. This behavior is not common for
  regular, non-administrative users. After compromising an account in Azure AD, attackers
  and red teams alike will perform enumeration and discovery techniques. One method
  of executing these techniques is leveraging the native PowerShell modules.
data_source:
- Azure Active Directory
search: ' `azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName="Microsoft Azure PowerShell"
  | rename properties.* as *
  | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, user_agent
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_successful_powershell_authentication_filter`'
how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
  Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
  You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
  This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
known_false_positives: Administrative users will likely use PowerShell commandlets
  to troubleshoot and maintain the environment. Filter as needed.
references:
- https://attack.mitre.org/techniques/T1078/004/
- https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0
- https://securitycafe.ro/2022/04/29/pentesting-azure-recon-techniques/
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md
tags:
  analytic_story:
  - Azure Active Directory Account Takeover
  asset_type: Azure Active Directory
  confidence: 90
  impact: 60
  message: Successful authentication for user $user$
    using PowerShell.
  mitre_attack_id:
  - T1586
  - T1586.003
  - T1078
  - T1078.004
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: src_ip
    type: IP Address
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - properties.appDisplayName
  - category
  - user
  - src_ip
  - properties.appDisplayName
  - properties.userAgent
  risk_score: 54
  security_domain: identity
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log
    source: Azure AD
    sourcetype: azure:monitor:aad
    update_timestamp: true
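To show what the search above actually selects and aggregates, here is an added Python re-implementation of its filter and stats clauses run over constructed SignInLogs events; it is not part of the Splunk content and assumes that the add-on's user, src_ip and user_agent fields are aliases of properties.userPrincipalName, callerIpAddress and properties.userAgent. The allowed_users parameter stands in for the tuning the filter macro is meant to provide.

```python
from datetime import datetime

# Constructed azure:monitor:aad-style SignInLogs events (simplified shape).
# Assumed aliases: user <- properties.userPrincipalName, src_ip <- callerIpAddress,
# user_agent <- properties.userAgent (real mapping is done by the Splunk add-on).
SAMPLE_EVENTS = [
    {"time": "2023-12-20T10:00:00Z", "category": "SignInLogs", "callerIpAddress": "203.0.113.10",
     "properties": {"appDisplayName": "Microsoft Azure PowerShell", "userPrincipalName": "alice@example.com",
                    "userAgent": "AzurePowershell/v10.0.0", "authenticationDetails": [{"succeeded": True}]}},
    {"time": "2023-12-20T10:05:00Z", "category": "SignInLogs", "callerIpAddress": "203.0.113.10",
     "properties": {"appDisplayName": "Microsoft Azure PowerShell", "userPrincipalName": "bob@example.com",
                    "userAgent": "AzurePowershell/v10.0.0", "authenticationDetails": [{"succeeded": True}]}},
    # Failed PowerShell sign-in: excluded by succeeded=true
    {"time": "2023-12-20T10:06:00Z", "category": "SignInLogs", "callerIpAddress": "203.0.113.10",
     "properties": {"appDisplayName": "Microsoft Azure PowerShell", "userPrincipalName": "carol@example.com",
                    "userAgent": "AzurePowershell/v10.0.0", "authenticationDetails": [{"succeeded": False}]}},
    # Portal sign-in: excluded by appDisplayName
    {"time": "2023-12-20T10:07:00Z", "category": "SignInLogs", "callerIpAddress": "198.51.100.7",
     "properties": {"appDisplayName": "Azure Portal", "userPrincipalName": "alice@example.com",
                    "userAgent": "Mozilla/5.0", "authenticationDetails": [{"succeeded": True}]}},
    # Wrong log category: excluded by category=SignInLogs
    {"time": "2023-12-20T10:08:00Z", "category": "AuditLogs", "callerIpAddress": "203.0.113.10",
     "properties": {"appDisplayName": "Microsoft Azure PowerShell", "userPrincipalName": "dave@example.com",
                    "userAgent": "AzurePowershell/v10.0.0", "authenticationDetails": [{"succeeded": True}]}},
]


def matches(event):
    """Base search: SignInLogs, any authenticationDetails{}.succeeded=true, app is Azure PowerShell."""
    props = event.get("properties", {})
    return (event.get("category") == "SignInLogs"
            and props.get("appDisplayName") == "Microsoft Azure PowerShell"
            and any(d.get("succeeded") is True for d in props.get("authenticationDetails", [])))


def detect(events, allowed_users=frozenset()):
    """stats count min(_time) max(_time) values(user) by src_ip, appDisplayName, user_agent.
    allowed_users emulates the filter macro for known administrative accounts."""
    rows = {}
    for e in filter(matches, events):
        p = e["properties"]
        if p.get("userPrincipalName") in allowed_users:
            continue
        key = (e.get("callerIpAddress"), p["appDisplayName"], p.get("userAgent"))
        ts = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        row = rows.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts, "user": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
        row["user"].add(p.get("userPrincipalName"))
    return rows
```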