<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure Active Directory PowerShell Module - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/azure-active-directory-powershell-module/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/azure-active-directory-powershell-module/feed.xml" rel="self" type="application/rss+xml"/><item><title>Entra ID PowerShell Sign-in</title><link>https://feed.craftedsignal.io/briefs/2024-01-entra-id-powershell-signin/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-entra-id-powershell-signin/</guid><description>Detection of successful sign-ins using the Azure Active Directory PowerShell module to identify potentially unauthorized administrative actions in Entra ID.</description><content:encoded><![CDATA[<p>The Azure Active Directory PowerShell module is a legitimate tool used by IT professionals and administrators to manage Entra ID (Azure AD) environments via command line. This tool enables them to retrieve data, create, update, and remove objects, and configure directory features. While legitimate, its use can be abused by malicious actors who have compromised valid accounts or are attempting to gain unauthorized access. This detection focuses on identifying successful sign-ins using the Azure Active Directory PowerShell module. Successful sign-ins from unexpected users, devices, or locations could indicate malicious activity and should be investigated. This activity is important for defenders to monitor as it can indicate initial access or lateral movement by an attacker within the cloud environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a valid user account through phishing, credential stuffing, or other means (T1078).</li>
<li>The attacker leverages the compromised account to sign into the Azure portal.</li>
<li>The attacker authenticates to Entra ID via PowerShell, using the Azure Active Directory PowerShell module.</li>
<li>Upon successful authentication, the attacker can execute PowerShell commands to enumerate Entra ID objects and configurations.</li>
<li>The attacker might then modify user permissions or group memberships to elevate their privileges.</li>
<li>The attacker could create new, unauthorized administrator accounts for persistence.</li>
<li>The attacker may disable security features or policies to weaken the overall security posture of the organization.</li>
<li>Finally, the attacker can exfiltrate sensitive data or deploy malicious applications within the Entra ID environment, leveraging their elevated privileges.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack leveraging Entra ID PowerShell can lead to significant damage, including data breaches, unauthorized access to sensitive resources, and disruption of business operations. The impact is amplified if the compromised account has administrative privileges. While the source does not explicitly detail the number of victims or sectors targeted, the potential consequences of unauthorized access to Entra ID are widespread. Failure to detect and respond to this type of activity could result in regulatory fines, reputational damage, and financial losses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Azure sign-in logs and ensure they are being ingested into your SIEM to trigger the &quot;Entra ID PowerShell Sign-in&quot; rule.</li>
<li>Deploy the Sigma rule <code>AzureADPowerShellSignIn</code> to detect sign-ins using the Azure Active Directory PowerShell module based on the <code>app_display_name</code> field.</li>
<li>Investigate any alerts generated by the <code>AzureADPowerShellSignIn</code> Sigma rule by validating the user's activity and source IP address.</li>
<li>Configure alerts for modifications to user permissions, group memberships, or security policies performed via PowerShell within Entra ID.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>azure</category><category>entra-id</category><category>powershell</category><category>initial-access</category></item></channel></rss>