{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-active-directory-powershell-module/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Entra ID","Azure Active Directory PowerShell module"],"_cs_severities":["low"],"_cs_tags":["azure","entra-id","powershell","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Azure Active Directory PowerShell module is a legitimate tool used by IT professionals and administrators to manage Entra ID (Azure AD) environments via command line. This tool enables them to retrieve data, create, update, and remove objects, and configure directory features. While legitimate, its use can be abused by malicious actors who have compromised valid accounts or are attempting to gain unauthorized access. This detection focuses on identifying successful sign-ins using the Azure Active Directory PowerShell module. Successful sign-ins from unexpected users, devices, or locations could indicate malicious activity and should be investigated. This activity is important for defenders to monitor as it can indicate initial access or lateral movement by an attacker within the cloud environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a valid user account through phishing, credential stuffing, or other means (T1078).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised account to sign into the Azure portal.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to Entra ID via PowerShell, using the Azure Active Directory PowerShell module.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker can execute PowerShell commands to enumerate Entra ID objects and configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker might then modify user permissions or group memberships to elevate their privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker could create new, unauthorized administrator accounts for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker may disable security features or policies to weaken the overall security posture of the organization.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker can exfiltrate sensitive data or deploy malicious applications within the Entra ID environment, leveraging their elevated privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging Entra ID PowerShell can lead to significant damage, including data breaches, unauthorized access to sensitive resources, and disruption of business operations. The impact is amplified if the compromised account has administrative privileges. While the source does not explicitly detail the number of victims or sectors targeted, the potential consequences of unauthorized access to Entra ID are widespread. Failure to detect and respond to this type of activity could result in regulatory fines, reputational damage, and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Azure sign-in logs and ensure they are being ingested into your SIEM to trigger the \u0026quot;Entra ID PowerShell Sign-in\u0026quot; rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzureADPowerShellSignIn\u003c/code\u003e to detect sign-ins using the Azure Active Directory PowerShell module based on the \u003ccode\u003eapp_display_name\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eAzureADPowerShellSignIn\u003c/code\u003e Sigma rule by validating the user's activity and source IP address.\u003c/li\u003e\n\u003cli\u003eConfigure alerts for modifications to user permissions, group memberships, or security policies performed via PowerShell within Entra ID.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-entra-id-powershell-signin/","summary":"Detection of successful sign-ins using the Azure Active Directory PowerShell module to identify potentially unauthorized administrative actions in Entra ID.","title":"Entra ID PowerShell Sign-in","url":"https://feed.craftedsignal.io/briefs/2024-01-entra-id-powershell-signin/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Active Directory PowerShell Module","version":"https://jsonfeed.org/version/1.1"}