Entra ID PowerShell Sign-in
Detection of successful sign-ins using the Azure Active Directory PowerShell module to identify potentially unauthorized administrative actions in Entra ID.
The Azure Active Directory PowerShell module is a legitimate tool used by IT professionals and administrators to manage Entra ID (Azure AD) environments via command line. This tool enables them to retrieve data, create, update, and remove objects, and configure directory features. While legitimate, its use can be abused by malicious actors who have compromised valid accounts or are attempting to gain unauthorized access. This detection focuses on identifying successful sign-ins using the Azure Active Directory PowerShell module. Successful sign-ins from unexpected users, devices, or locations could indicate malicious activity and should be investigated. This activity is important for defenders to monitor as it can indicate initial access or lateral movement by an attacker within the cloud environment.
Attack Chain
- An attacker gains initial access to a valid user account through phishing, credential stuffing, or other means (T1078).
- The attacker leverages the compromised account to sign into the Azure portal.
- The attacker authenticates to Entra ID via PowerShell, using the Azure Active Directory PowerShell module.
- Upon successful authentication, the attacker can execute PowerShell commands to enumerate Entra ID objects and configurations.
- The attacker might then modify user permissions or group memberships to elevate their privileges.
- The attacker could create new, unauthorized administrator accounts for persistence.
- The attacker may disable security features or policies to weaken the overall security posture of the organization.
- Finally, the attacker can exfiltrate sensitive data or deploy malicious applications within the Entra ID environment, leveraging their elevated privileges.
Impact
A successful attack leveraging Entra ID PowerShell can lead to significant damage, including data breaches, unauthorized access to sensitive resources, and disruption of business operations. The impact is amplified if the compromised account has administrative privileges. While the source does not explicitly detail the number of victims or sectors targeted, the potential consequences of unauthorized access to Entra ID are widespread. Failure to detect and respond to this type of activity could result in regulatory fines, reputational damage, and financial losses.
Recommendation
- Enable Azure sign-in logs and ensure they are being ingested into your SIEM to trigger the "Entra ID PowerShell Sign-in" rule.
- Deploy the Sigma rule
AzureADPowerShellSignInto detect sign-ins using the Azure Active Directory PowerShell module based on theapp_display_namefield. - Investigate any alerts generated by the
AzureADPowerShellSignInSigma rule by validating the user's activity and source IP address. - Configure alerts for modifications to user permissions, group memberships, or security policies performed via PowerShell within Entra ID.
Detection coverage 2
Azure AD PowerShell Sign-in
lowDetects sign-ins using the Azure Active Directory PowerShell module.
Entra ID PowerShell - High Risk IP Sign-in
mediumDetects Entra ID PowerShell sign-ins from IPs known to be high risk
Detection queries are available on the platform. Get full rules →