Azure AD Successful Authentication Increase
This detection identifies a statistically significant (10% or greater) increase in successful sign-ins to Azure Active Directory, potentially indicating credential compromise or account takeover attempts.
This alert identifies a potentially malicious increase in successful sign-ins within an Azure Active Directory environment. An attacker who has compromised credentials may attempt to leverage them repeatedly, resulting in a higher-than-normal volume of successful authentications. While not definitive proof of compromise, a sudden spike warrants further investigation. This behavior is typically observed during the initial access, persistence, privilege escalation, or stealth phases of an attack. This detection focuses on identifying increases of 10% or greater, providing a starting point for identifying anomalous activity. Defenders should investigate the source of the increase, focusing on specific users, applications, or geographic locations involved.
Attack Chain
- Credential Compromise: The attacker obtains valid user credentials through phishing, brute-force, or credential stuffing attacks against Azure AD.
- Initial Access: The attacker uses the compromised credentials to successfully authenticate to Azure AD, gaining initial access to the environment (T1078).
- Enumeration: The attacker enumerates available resources, applications, and user accounts within the Azure AD environment.
- Privilege Escalation: The attacker attempts to escalate privileges by exploiting misconfigurations or vulnerabilities in Azure AD or related applications. This may involve authenticating to multiple resources.
- Persistence: The attacker establishes persistence mechanisms, such as creating new accounts or modifying existing ones, to maintain access to the environment. This may involve repeatedly authenticating to refresh tokens or maintain sessions.
- Lateral Movement: The attacker uses the compromised account to access other resources or accounts within the Azure AD environment, potentially triggering further successful sign-ins.
- Data Exfiltration or Damage: The attacker uses the compromised access to exfiltrate sensitive data or disrupt business operations.
- Covering Tracks: The attacker attempts to cover their tracks by disabling logging or deleting audit trails to avoid detection.
Impact
A successful attack following a measurable increase in authentications can lead to unauthorized access to sensitive data, financial loss, reputational damage, and disruption of business operations. The specific impact depends on the level of access gained by the attacker and the resources they are able to compromise. For example, an attacker gaining access to an administrator account could potentially take control of the entire Azure AD environment.
Recommendation
- Deploy the “Measurable Increase Of Successful Authentications” Sigma rule to your SIEM and tune for your environment. This rule detects increases of 10% or greater in successful sign-ins (logsource: azure, service: signinlogs).
- Investigate any alerts generated by the Sigma rule, focusing on identifying the source of the increased authentications and the users/applications involved.
- Review the Microsoft Entra ID Protection reports for unusual sign-in activity, as referenced in the source material: https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins.
- Implement multi-factor authentication (MFA) for all users to reduce the risk of credential compromise.
- Monitor for other suspicious activities, such as unusual sign-in locations, access to sensitive resources, or changes to user accounts.
Detection coverage (2)
Azure AD Successful Sign-in Increase - User Perspective
Severity: medium. Detects a measurable increase in successful Azure AD sign-ins for a specific user account, potentially indicating account compromise.
Azure AD Successful Sign-in Increase - Application Perspective
Severity: medium. Detects a measurable increase in successful Azure AD sign-ins for a specific application, potentially indicating malicious activity.
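As an added example, not the platform's rule or the Sigma rule named above, the following Python computes the percentage increase these two detections describe, once per user and once per application, over constructed Azure AD sign-in records. The one-day windows, the five-sign-in minimum baseline and the sample identities are assumptions; the 10% threshold is the one the detection uses.

```python
from collections import Counter
from datetime import datetime, timedelta

# Threshold from the detection: 10% or greater rise in successful sign-ins.
THRESHOLD_PCT = 10.0
NOW = datetime(2024, 1, 3, 0, 0)  # constructed reference time
DAY = timedelta(days=1)           # assumed comparison window

def make_signins(user, app, when, count, result="success"):
    """Construct `count` sign-in records shaped like the fields the rule uses."""
    return [{"time": when, "user": user, "app": app, "result": result}
            for _ in range(count)]

# Constructed sample of sign-in log records (not real data).
SIGNIN_LOGS = (
    make_signins("alice@contoso.example", "Office 365", NOW - 2 * DAY, 20)  # baseline day
    + make_signins("alice@contoso.example", "Office 365", NOW - DAY, 21)    # +5%, below threshold
    + make_signins("bob@contoso.example", "Office 365", NOW - 2 * DAY, 10)
    + make_signins("bob@contoso.example", "Office 365", NOW - DAY, 30)      # +200%, alert
    + make_signins("bob@contoso.example", "Office 365", NOW - DAY, 15, "failure")  # ignored
    + make_signins("carol@contoso.example", "Azure Portal", NOW - DAY, 8)   # no baseline
)

def count_successes(records, start, end, key):
    """Count successful sign-ins per `key` (user or app) within [start, end)."""
    counts = Counter()
    for r in records:
        if r["result"] == "success" and start <= r["time"] < end:
            counts[r[key]] += 1
    return counts

def measurable_increase(records, now=NOW, key="user", window=DAY,
                        threshold=THRESHOLD_PCT, min_baseline=5):
    """Return {entity: percent_increase} for entities whose successful
    sign-ins in the last `window` rose by >= `threshold` percent over the
    preceding window. Entities below `min_baseline` are skipped: a jump
    from 1 to 2 is +100% but not meaningful, and first-seen entities need
    a separate rule rather than a ratio against zero."""
    baseline = count_successes(records, now - 2 * window, now - window, key)
    current = count_successes(records, now - window, now, key)
    alerts = {}
    for entity, cur in current.items():
        base = baseline.get(entity, 0)
        if base < min_baseline:
            continue
        pct = (cur - base) / base * 100
        if pct >= threshold:
            alerts[entity] = round(pct, 1)
    return alerts

if __name__ == "__main__":
    print("user perspective:", measurable_increase(SIGNIN_LOGS, key="user"))
    print("app perspective: ", measurable_increase(SIGNIN_LOGS, key="app"))
```

Note that the application view aggregates all users, so a single compromised account can push an application over the threshold while the user view names the account itself; both perspectives are worth running.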