Skip to content
Threat Feed
low advisory

Entra ID PowerShell Sign-in

Detection of successful sign-ins using the Azure Active Directory PowerShell module to identify potentially unauthorized administrative actions in Entra ID.

The Azure Active Directory PowerShell module is a legitimate tool used by IT professionals and administrators to manage Entra ID (Azure AD) environments via command line. This tool enables them to retrieve data, create, update, and remove objects, and configure directory features. While legitimate, its use can be abused by malicious actors who have compromised valid accounts or are attempting to gain unauthorized access. This detection focuses on identifying successful sign-ins using the Azure Active Directory PowerShell module. Successful sign-ins from unexpected users, devices, or locations could indicate malicious activity and should be investigated. This activity is important for defenders to monitor as it can indicate initial access or lateral movement by an attacker within the cloud environment.

Attack Chain

  1. An attacker gains initial access to a valid user account through phishing, credential stuffing, or other means (T1078).
  2. The attacker leverages the compromised account to sign into the Azure portal.
  3. The attacker authenticates to Entra ID via PowerShell, using the Azure Active Directory PowerShell module.
  4. Upon successful authentication, the attacker can execute PowerShell commands to enumerate Entra ID objects and configurations.
  5. The attacker might then modify user permissions or group memberships to elevate their privileges.
  6. The attacker could create new, unauthorized administrator accounts for persistence.
  7. The attacker may disable security features or policies to weaken the overall security posture of the organization.
  8. Finally, the attacker can exfiltrate sensitive data or deploy malicious applications within the Entra ID environment, leveraging their elevated privileges.

Impact

A successful attack leveraging Entra ID PowerShell can lead to significant damage, including data breaches, unauthorized access to sensitive resources, and disruption of business operations. The impact is amplified if the compromised account has administrative privileges. While the source does not explicitly detail the number of victims or sectors targeted, the potential consequences of unauthorized access to Entra ID are widespread. Failure to detect and respond to this type of activity could result in regulatory fines, reputational damage, and financial losses.

Recommendation

  • Enable Azure sign-in logs and ensure they are being ingested into your SIEM to trigger the "Entra ID PowerShell Sign-in" rule.
  • Deploy the Sigma rule AzureADPowerShellSignIn to detect sign-ins using the Azure Active Directory PowerShell module based on the app_display_name field.
  • Investigate any alerts generated by the AzureADPowerShellSignIn Sigma rule by validating the user's activity and source IP address.
  • Configure alerts for modifications to user permissions, group memberships, or security policies performed via PowerShell within Entra ID.

Detection coverage 2

Azure AD PowerShell Sign-in

low

Detects sign-ins using the Azure Active Directory PowerShell module.

sigma tactics: execution, initial_access techniques: T1059.001, T1078.004 sources: network_connection, azure

Entra ID PowerShell - High Risk IP Sign-in

medium

Detects Entra ID PowerShell sign-ins from IPs known to be high risk

sigma tactics: execution, initial_access techniques: T1059.001, T1078.004 sources: network_connection, azure

Detection queries are available on the platform. Get full rules →