{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/az.resources/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory","MSOnline","Az.Resources","AADInternals","PowerShell"],"_cs_severities":["high"],"_cs_tags":["azure","powershell","module-installation","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the risk associated with the unauthorized installation of Azure AD and cloud management PowerShell modules, such as AADInternals, Az.Resources, AzureAD, and MSOnline, by PowerShell scripts. These modules expose the Azure Active Directory (Azure AD) and Azure Resource Manager management APIs to whoever runs them: with valid credentials or tokens, an operator can enumerate and modify user accounts, groups, service principals, role assignments, and tenant configuration. Adversaries often install them on a compromised host after an initial foothold has been established and use them to conduct reconnaissance, escalate privileges, establish persistence, or move laterally within the Azure environment. Installing a module is not itself a compromise, and cloud administrators do it legitimately, but an installation on a host or under an account with no administrative reason for it is an early indicator worth investigating. PowerShell Script Block Logging records the full text of executed scripts, which provides an opportunity to detect this activity before it can significantly impact the organization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains access to a Windows system, for example by exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to escalate privileges on the compromised system. This step is optional for what follows: \u003ccode\u003eInstall-Module -Scope CurrentUser\u003c/code\u003e needs no local administrator rights.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker runs a PowerShell script that installs specific Azure AD and cloud management modules, often with \u003ccode\u003e-Force\u003c/code\u003e so that the untrusted-repository prompt does not interrupt the script.\u003c/li\u003e\n\u003cli\u003eModule Installation: The script uses the \u003ccode\u003eInstall-Module\u003c/code\u003e cmdlet to pull modules such as AADInternals, Az.Resources, AzureAD, or MSOnline from the PowerShell Gallery.\u003c/li\u003e\n\u003cli\u003eReconnaissance: Using credentials or tokens available on the host, the attacker imports the modules and gathers information about the Azure AD environment, including user accounts, groups, role assignments, and permissions.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Armed with the gathered information, the attacker moves laterally within the Azure environment, targeting other systems or resources.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence within Azure AD to maintain access, such as creating new user accounts, modifying existing ones, or adding credentials to service principals.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful abuse of these modules can lead to a full-scale compromise of the Azure AD tenant, potentially affecting numerous users, applications, and resources. Attackers can gain unauthorized access to sensitive data, disrupt critical services, and even take complete control of the organization\u0026rsquo;s cloud infrastructure. 
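\u003c/p\u003e\n\u003cp\u003eThe detection this brief relies on, applied to constructed Script Block Logging records, as an added example: this is not the Sigma rule named in the recommendations below nor any CraftedSignal code. It reassembles 4104 fragments by ScriptBlockId before matching, because long scripts are logged in pieces and the cmdlet and the module name can land in different events; it matches \u003ccode\u003eInstall-Module\u003c/code\u003e (and its PSResourceGet successor \u003ccode\u003eInstall-PSResource\u003c/code\u003e, a small extension of what the brief lists) against the module names the brief calls out; and it downgrades hits from allowlisted administrator hosts, which is the tuning step the recommendations ask for. The record field names follow the 4104 event fields; the allowlist, the host names and the sample records are assumptions made for this example.\u003c/p\u003e
```python
'''
Added example, not code from the CraftedSignal brief: a minimal detector
that applies the brief's logic (PowerShell Script Block Logging, Event ID
4104, Install-Module of Azure AD and cloud management modules) to
constructed 4104 records. Field names follow the 4104 event fields; the
host allowlist and the sample records are assumptions for this example.
'''
from collections import defaultdict

# Modules the brief calls out, matched as whole tokens, case-insensitively.
WATCHED_MODULES = {'aadinternals', 'az.resources', 'azuread', 'msonline'}
# Install-Module plus its PSResourceGet successor (an extension of the brief).
INSTALL_CMDLETS = {'install-module', 'install-psresource'}
# Tuning knob (assumption): hosts where cloud admins install these legitimately.
ALLOWED_HOSTS = {'cloudadmin-jump01.corp.example'}
# Quote and punctuation characters that may wrap or trail a module name.
STRIP_CHARS = ',;()\"' + chr(39)  # chr(39) is the single quote


def reassemble(events):
    '''Group 4104 fragments by ScriptBlockId and join them in MessageNumber order.

    Script Block Logging splits long scripts into numbered fragments, so the
    cmdlet and the module name can land in different events; match on the
    joined text, not on individual fragments.
    '''
    fragments = defaultdict(list)
    for ev in events:
        if ev.get('EventID') == 4104:
            fragments[ev['ScriptBlockId']].append(ev)
    blocks = []
    for block_id, parts in fragments.items():
        parts.sort(key=lambda p: p['MessageNumber'])
        blocks.append({
            'ScriptBlockId': block_id,
            'Computer': parts[0]['Computer'],
            'Text': ''.join(p['ScriptBlockText'] for p in parts),
            # False when some fragments never arrived (dropped or not yet collected).
            'Complete': len(parts) == parts[0]['MessageTotal'],
        })
    return blocks


def installed_modules(text):
    '''Return the watched module names passed to an install cmdlet in text.'''
    tokens = [t.strip(STRIP_CHARS).lower() for t in text.replace(',', ' ').split()]
    if not INSTALL_CMDLETS.intersection(tokens):
        return set()
    return WATCHED_MODULES.intersection(tokens)


def detect(events):
    '''Run the rule over raw 4104 events; one finding per matching script block.'''
    findings = []
    for block in reassemble(events):
        modules = installed_modules(block['Text'])
        if not modules:
            continue
        allowlisted = block['Computer'].lower() in ALLOWED_HOSTS
        findings.append({
            'ScriptBlockId': block['ScriptBlockId'],
            'Computer': block['Computer'],
            'Modules': sorted(modules),
            # Allowlisted admin hosts are still recorded, just not escalated.
            'Severity': 'info' if allowlisted else 'high',
            'Complete': block['Complete'],
        })
    return findings


# Constructed sample records shaped like 4104 events; not real telemetry.
SAMPLE_EVENTS = [
    # One script logged as two fragments, delivered out of order; the cmdlet
    # is in fragment 1 and the module name in fragment 2.
    {'EventID': 4104, 'Computer': 'ws-finance-07.corp.example', 'ScriptBlockId': 'b1',
     'MessageNumber': 2, 'MessageTotal': 2,
     'ScriptBlockText': 'Name AADInternals -Force; Import-Module AADInternals'},
    {'EventID': 4104, 'Computer': 'ws-finance-07.corp.example', 'ScriptBlockId': 'b1',
     'MessageNumber': 1, 'MessageTotal': 2,
     'ScriptBlockText': 'Set-PSRepository PSGallery -InstallationPolicy Trusted; Install-Module -'},
    # Routine work from an allowlisted admin host: recorded, not escalated.
    {'EventID': 4104, 'Computer': 'cloudadmin-jump01.corp.example', 'ScriptBlockId': 'b2',
     'MessageNumber': 1, 'MessageTotal': 1,
     'ScriptBlockText': 'Install-Module -Name \"Az.Resources\", MSOnline -Scope CurrentUser'},
    # Benign: installs an unrelated module.
    {'EventID': 4104, 'Computer': 'ws-finance-07.corp.example', 'ScriptBlockId': 'b3',
     'MessageNumber': 1, 'MessageTotal': 1,
     'ScriptBlockText': 'Install-Module -Name PSReadLine -Force'},
    # Benign: names a watched module without installing it.
    {'EventID': 4104, 'Computer': 'ws-finance-07.corp.example', 'ScriptBlockId': 'b4',
     'MessageNumber': 1, 'MessageTotal': 1,
     'ScriptBlockText': 'Get-Module -ListAvailable AzureAD'},
    # Not a script block event; ignored even though the text would match.
    {'EventID': 4103, 'Computer': 'ws-finance-07.corp.example', 'ScriptBlockId': 'b5',
     'MessageNumber': 1, 'MessageTotal': 1,
     'ScriptBlockText': 'Install-Module MSOnline'},
]

if __name__ == '__main__':
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```
\u003cp\u003eOn the sample records the detector reports two findings: the fragmented AADInternals installation on the finance workstation at high severity, and the Az.Resources and MSOnline installation on the jump host at informational severity. The PSReadLine install, the Get-Module call and the non-4104 event produce nothing. Token matching rather than substring matching is deliberate: a substring check on AzureAD would fire on any script that merely mentions the name.\u003c/p\u003e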
The broad access the modules expose makes them a prime tool for attackers seeking to establish a persistent foothold and conduct further malicious activity within the Azure environment. The impact can range from data breaches and financial losses to reputational damage and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) on all Windows systems, for example through the Group Policy setting Turn on PowerShell Script Block Logging, so that the full text of executed scripts is captured and the provided Sigma rule has something to match. Long scripts are logged as several 4104 fragments that share a ScriptBlockId; join the fragments before matching, or the cmdlet and the module name may land in different events.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Suspicious Azure PowerShell Module Installation\u003c/code\u003e to identify suspicious Azure PowerShell module installations, and tune it for your environment: baseline the hosts and accounts that install these modules legitimately (cloud administrator workstations, build agents) so that the rule fires on the unexpected ones.\u003c/li\u003e\n\u003cli\u003eReview and audit PowerShell script execution within your environment to identify unauthorized or suspicious activity. Process creation logs (Security Event ID 4688 with command-line auditing, or Sysmon Event ID 1) show the command line that launched PowerShell but not the script content; Script Block Logging supplies the latter, and the two are most useful together.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and multi-factor authentication for Azure AD accounts. This does not prevent a module from being installed, but it limits what an attacker can do with the module afterwards, since every cmdlet still needs a valid token.\u003c/li\u003e\n\u003cli\u003eMonitor the installation of PowerShell modules across your environment, looking for unexpected installations of Azure-related modules. Watch for modules that arrive without \u003ccode\u003eInstall-Module\u003c/code\u003e as well, for example downloaded with \u003ccode\u003eSave-Module\u003c/code\u003e or copied as files and loaded with \u003ccode\u003eImport-Module\u003c/code\u003e from an unusual path, since a rule keyed only on \u003ccode\u003eInstall-Module\u003c/code\u003e will miss them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-powershell-module-install/","summary":"Detection of Azure AD and cloud management module installation via PowerShell Script Block Logging, which may indicate reconnaissance, privilege escalation, or persistence operations by adversaries.","title":"Suspicious Azure PowerShell Module Installation via PowerShell Script","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-powershell-module-install/"}],"language":"en","title":"CraftedSignal Threat Feed — Az.Resources","version":"https://jsonfeed.org/version/1.1"}