{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-event-hub/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Event Hub"],"_cs_severities":["medium"],"_cs_tags":["cloud","azure","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies the deletion of an Azure Event Hub, a critical event processing service for ingesting and processing large volumes of data in real-time. Attackers may target Event Hubs for deletion in an attempt to evade detection by erasing evidence of their activities or to disrupt data flow. The rule focuses on identifying successful deletion operations within Azure activity logs, specifically looking for the \u0026quot;MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\u0026quot; event. The monitoring of Event Hub deletion is crucial because successful deletion can lead to data loss, service disruption, and an increased dwell time for attackers due to the removal of forensic data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the Azure environment to obtain the necessary permissions to manage Event Hubs.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies Event Hubs within the target environment that contain valuable log data.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a deletion request for a specific Event Hub using the Azure portal, CLI, or API.\u003c/li\u003e\n\u003cli\u003eAzure processes the deletion request, logging the event with the operation name \u0026quot;MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe Event Hub is successfully deleted, resulting in the removal of associated log data and potentially disrupting data streams.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting or modifying other related logs within the Azure environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of Azure Event Hubs can lead to a significant loss of log data, hindering incident response and forensic investigations. This can allow attackers to operate undetected for longer periods, increasing the potential for further damage. Service disruption can also occur if the deleted Event Hub was critical for real-time data processing. While the exact number of victims is unknown, organizations relying on Azure Event Hubs for security monitoring and data analytics are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect Event Hub deletions (see \u003ccode\u003erules\u003c/code\u003e section) in your SIEM, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview Azure RBAC permissions to ensure only authorized personnel have Event Hub deletion rights.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all Azure accounts to prevent unauthorized access (reference: \u003ca href=\"https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about\"\u003ehttps://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring and alerting for Azure Event Hub operations to detect and respond to unauthorized activities promptly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-azure-eventhub-deletion/","summary":"Detection of Azure Event Hub deletion, indicative of defense evasion by adversaries seeking to disrupt data flow and evade detection by erasing log evidence.","title":"Azure Event Hub Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-09-azure-eventhub-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Event Hub"],"_cs_severities":["medium"],"_cs_tags":["cloud","azure","persistence","account-manipulation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe creation or modification of Azure Event Hub authorization rules can be an indicator of malicious activity. Event Hub authorization rules manage access via cryptographic keys, similar to administrative credentials. Attackers may target these rules to gain unauthorized access or escalate privileges, potentially leading to data exfiltration or other malicious actions within the Azure environment. The default \u003ccode\u003eRootManageSharedAccessKey\u003c/code\u003e rule, created with each Event Hub namespace, provides administrative access and is a particularly attractive target. This activity is detected via Azure Activity Logs, providing insight into potential misuse of these powerful access controls. The rule monitors for successful creation or modification events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure account, possibly through compromised credentials or an exposed service principal.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Event Hub namespaces within the Azure subscription to identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new authorization rule with elevated privileges (e.g., \u003ccode\u003emanage\u003c/code\u003e permissions) on a target Event Hub namespace.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies an existing authorization rule, such as adding or changing the associated cryptographic keys.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created or modified authorization rule to generate a Shared Access Signature (SAS) token.\u003c/li\u003e\n\u003cli\u003eThe SAS token is then used to authenticate to the Event Hub and perform unauthorized actions, such as reading or writing event data.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the Event Hub using the compromised authorization rule.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging unauthorized Event Hub authorization rule modification can lead to significant data breaches and operational disruption. The severity depends on the sensitivity of the data within the Event Hubs. A compromised \u003ccode\u003eRootManageSharedAccessKey\u003c/code\u003e could grant an attacker full control over the Event Hub namespace and its data. The impact can include exfiltration of sensitive data, denial of service, or further compromise of other Azure resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Event Hub Authorization Rule Created or Updated\u0026quot; to your SIEM and tune for your environment to detect suspicious authorization rule modifications.\u003c/li\u003e\n\u003cli\u003eReview Azure Activity Logs (referenced in the rule) for unauthorized or unexpected creation or modification of Event Hub authorization rules, paying close attention to the user or service principal associated with the operation.\u003c/li\u003e\n\u003cli\u003eImplement conditional access policies to restrict access to Event Hub Authorization Rules based on user roles and network locations, as suggested in the overview.\u003c/li\u003e\n\u003cli\u003eRegularly rotate the cryptographic keys associated with Event Hub Authorization Rules, especially the \u003ccode\u003eRootManageSharedAccessKey\u003c/code\u003e, as outlined in the response recommendations.\u003c/li\u003e\n\u003cli\u003eMonitor for access patterns or data transfers from the affected Event Hubs following a rule change to detect potential data exfiltration, referencing the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-event-hub-auth-rule-modification/","summary":"Creation or modification of Azure Event Hub authorization rules can indicate unauthorized access or privilege escalation by adversaries using cryptographic keys to manage access to event hubs.","title":"Azure Event Hub Authorization Rule Created or Updated","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-event-hub-auth-rule-modification/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Event Hub","version":"https://jsonfeed.org/version/1.1"}