<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure Event Hub - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/azure-event-hub/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/azure-event-hub/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure Event Hub Deletion for Defense Evasion</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-azure-eventhub-deletion/</link><pubDate>Tue, 09 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-azure-eventhub-deletion/</guid><description>Detection of Azure Event Hub deletion, indicative of defense evasion by adversaries seeking to disrupt data flow and evade detection by erasing log evidence.</description><content:encoded><![CDATA[<p>This alert identifies the deletion of an Azure Event Hub, a critical event processing service for ingesting and processing large volumes of data in real-time. Attackers may target Event Hubs for deletion in an attempt to evade detection by erasing evidence of their activities or to disrupt data flow. The rule focuses on identifying successful deletion operations within Azure activity logs, specifically looking for the &quot;MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE&quot; event. The monitoring of Event Hub deletion is crucial because successful deletion can lead to data loss, service disruption, and an increased dwell time for attackers due to the removal of forensic data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker escalates privileges within the Azure environment to obtain the necessary permissions to manage Event Hubs.</li>
<li>The attacker identifies Event Hubs within the target environment that contain valuable log data.</li>
<li>The attacker initiates a deletion request for a specific Event Hub using the Azure portal, CLI, or API.</li>
<li>Azure processes the deletion request, logging the event with the operation name &quot;MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE&quot;.</li>
<li>The Event Hub is successfully deleted, resulting in the removal of associated log data and potentially disrupting data streams.</li>
<li>The attacker attempts to cover their tracks by deleting or modifying other related logs within the Azure environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of Azure Event Hubs can lead to a significant loss of log data, hindering incident response and forensic investigations. This can allow attackers to operate undetected for longer periods, increasing the potential for further damage. Service disruption can also occur if the deleted Event Hub was critical for real-time data processing. While the exact number of victims is unknown, organizations relying on Azure Event Hubs for security monitoring and data analytics are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule to detect Event Hub deletions (see <code>rules</code> section) in your SIEM, and tune for your environment.</li>
<li>Review Azure RBAC permissions to ensure only authorized personnel have Event Hub deletion rights.</li>
<li>Enable multi-factor authentication (MFA) for all Azure accounts to prevent unauthorized access (reference: <a href="https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about">https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about</a>).</li>
<li>Implement additional monitoring and alerting for Azure Event Hub operations to detect and respond to unauthorized activities promptly.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>azure</category><category>defense-evasion</category></item><item><title>Azure Event Hub Authorization Rule Created or Updated</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-event-hub-auth-rule-modification/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-event-hub-auth-rule-modification/</guid><description>Creation or modification of Azure Event Hub authorization rules can indicate unauthorized access or privilege escalation by adversaries using cryptographic keys to manage access to event hubs.</description><content:encoded><![CDATA[<p>The creation or modification of Azure Event Hub authorization rules can be an indicator of malicious activity. Event Hub authorization rules manage access via cryptographic keys, similar to administrative credentials. Attackers may target these rules to gain unauthorized access or escalate privileges, potentially leading to data exfiltration or other malicious actions within the Azure environment. The default <code>RootManageSharedAccessKey</code> rule, created with each Event Hub namespace, provides administrative access and is a particularly attractive target. This activity is detected via Azure Activity Logs, providing insight into potential misuse of these powerful access controls. The rule monitors for successful creation or modification events.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an Azure account, possibly through compromised credentials or an exposed service principal.</li>
<li>The attacker enumerates existing Event Hub namespaces within the Azure subscription to identify potential targets.</li>
<li>The attacker attempts to create a new authorization rule with elevated privileges (e.g., <code>manage</code> permissions) on a target Event Hub namespace.</li>
<li>Alternatively, the attacker modifies an existing authorization rule, such as adding or changing the associated cryptographic keys.</li>
<li>The attacker uses the newly created or modified authorization rule to generate a Shared Access Signature (SAS) token.</li>
<li>The SAS token is then used to authenticate to the Event Hub and perform unauthorized actions, such as reading or writing event data.</li>
<li>The attacker exfiltrates sensitive data from the Event Hub using the compromised authorization rule.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack leveraging unauthorized Event Hub authorization rule modification can lead to significant data breaches and operational disruption. The severity depends on the sensitivity of the data within the Event Hubs. A compromised <code>RootManageSharedAccessKey</code> could grant an attacker full control over the Event Hub namespace and its data. The impact can include exfiltration of sensitive data, denial of service, or further compromise of other Azure resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Azure Event Hub Authorization Rule Created or Updated&quot; to your SIEM and tune for your environment to detect suspicious authorization rule modifications.</li>
<li>Review Azure Activity Logs (referenced in the rule) for unauthorized or unexpected creation or modification of Event Hub authorization rules, paying close attention to the user or service principal associated with the operation.</li>
<li>Implement conditional access policies to restrict access to Event Hub Authorization Rules based on user roles and network locations, as suggested in the overview.</li>
<li>Regularly rotate the cryptographic keys associated with Event Hub Authorization Rules, especially the <code>RootManageSharedAccessKey</code>, as outlined in the response recommendations.</li>
<li>Monitor for access patterns or data transfers from the affected Event Hubs following a rule change to detect potential data exfiltration, referencing the overview.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>azure</category><category>persistence</category><category>account-manipulation</category></item></channel></rss>