{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-network-watcher/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure","Azure Network Watcher"],"_cs_severities":["medium"],"_cs_tags":["azure","network-sniffing","credential-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Azure Network Watcher Packet Capture feature is designed for legitimate network traffic inspection and troubleshooting. However, malicious actors can abuse this feature to perform network sniffing and capture sensitive data, including credentials, from unencrypted internal traffic within Azure Virtual Networks (VNets). This can lead to unauthorized access to systems and data. The detection rule focuses on identifying instances where packet capture is initiated successfully, providing an opportunity to detect and respond to potential credential access attempts. The rule leverages Azure activity logs to monitor for specific packet capture operations, ensuring that suspicious activity is flagged for investigation. The scope of this threat is limited to Azure environments that utilize Network Watcher and have not implemented proper network segmentation or encryption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains access to an Azure account with sufficient privileges to manage Network Watcher and initiate packet captures.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker uses the compromised account to explore the Azure environment, identifying target VNets and subnets containing potentially valuable data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePacket Capture Configuration:\u003c/strong\u003e The attacker configures the Network Watcher Packet Capture feature to capture traffic from the targeted VNet or subnet. This involves specifying the target VM or network interface and the duration of the capture.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStart Packet Capture:\u003c/strong\u003e The attacker initiates the packet capture process, which begins recording network traffic based on the configured parameters. The \u003ccode\u003eMICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\u003c/code\u003e operation is triggered in the Azure activity logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Acquisition:\u003c/strong\u003e Network traffic, including unencrypted credentials or sensitive data, is captured and stored in a designated storage account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Potential):\u003c/strong\u003e If the attacker has configured the packet capture to store data outside the secure environment, they may exfiltrate the captured data for further analysis or malicious use.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker analyzes the captured network traffic to identify and extract credentials or other sensitive information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Privilege Escalation:\u003c/strong\u003e Using the acquired credentials, the attacker attempts to move laterally within the Azure environment, gaining access to additional systems and resources, or escalate privileges to gain higher-level control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the compromise of sensitive data, including user credentials, API keys, and proprietary information. The impact could range from unauthorized access to internal systems and data breaches to complete control over the affected Azure resources. The severity depends on the scope of the captured network traffic and the sensitivity of the data transmitted. Organizations in all sectors utilizing Azure are potentially vulnerable. The number of victims can vary depending on the access level of the compromised account and the targeted resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect malicious packet capture activity in Azure.\u003c/li\u003e\n\u003cli\u003eReview Azure activity logs for instances of \u003ccode\u003eMICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\u003c/code\u003e, \u003ccode\u003eMICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\u003c/code\u003e, or \u003ccode\u003eMICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\u003c/code\u003e operations with a Success outcome, as identified in the rule query.\u003c/li\u003e\n\u003cli\u003eImplement the recommendations for Response and Remediation provided in the Setup section of the referenced Elastic rule to improve detection and response capabilities.\u003c/li\u003e\n\u003cli\u003eRegularly audit Azure user roles and permissions to ensure that only authorized personnel have the ability to manage Network Watcher and initiate packet captures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-11T12:00:00Z","date_published":"2024-01-11T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-11-azure-packet-capture/","summary":"Detection of Azure Network Watcher's Packet Capture feature being enabled, potentially indicating malicious network sniffing for credential access and discovery of sensitive data in unencrypted traffic.","title":"Azure VNet Full Network Packet Capture Enabled","url":"https://feed.craftedsignal.io/briefs/2024-01-11-azure-packet-capture/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Network Watcher"],"_cs_severities":["medium"],"_cs_tags":["cloud","azure","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAzure Network Watcher is a critical tool for monitoring, diagnosing, and logging network activity within Azure virtual networks. This tool provides crucial insights for maintaining network security and performance. An attacker with sufficient privileges can delete a Network Watcher instance to evade defenses by disabling network monitoring, traffic analysis, and logging capabilities. This event can be triggered through the Azure portal, CLI, or API. The deletion event is recorded in Azure Activity Logs, providing a valuable opportunity for detection. Detecting the unauthorized deletion of Network Watchers is crucial for maintaining visibility into the network environment and responding to potential security incidents.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure account with sufficient privileges to manage Network Watcher resources, potentially through compromised credentials or exploiting a misconfigured service principal.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure Resource Manager API or uses the Azure portal with the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the target Network Watcher instance within the Azure subscription.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a DELETE request to the Azure Resource Manager API targeting the Network Watcher resource, specifically using the \u0026quot;MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\u0026quot; operation.\u003c/li\u003e\n\u003cli\u003eAzure processes the deletion request, removing the Network Watcher configuration and stopping the associated monitoring and logging activities.\u003c/li\u003e\n\u003cli\u003eThe deletion event is recorded in the Azure Activity Logs with an \u0026quot;event.outcome\u0026quot; of \u0026quot;Success\u0026quot; or \u0026quot;success\u0026quot;.\u003c/li\u003e\n\u003cli\u003eWithout the Network Watcher, the attacker can perform malicious activities within the virtual network with reduced chances of detection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, lateral movement, or deploying malicious resources, while avoiding network-based monitoring and alerting.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of a Network Watcher can significantly impair an organization's ability to detect and respond to network-based threats within their Azure environment. Successful deletion results in the loss of network traffic analysis, packet capture, and flow logging capabilities provided by Network Watcher. The scope of impact depends on the number of virtual networks and resources monitored by the deleted Network Watcher. This can lead to delayed incident response, increased dwell time for attackers, and greater potential for data breaches or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Network Watcher Deleted\u003c/code\u003e to your SIEM and tune for your environment, using Azure activity logs to detect unauthorized deletions of Network Watchers.\u003c/li\u003e\n\u003cli\u003eReview Azure activity logs regularly for \u003ccode\u003eMICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\u003c/code\u003e events to identify potential defense evasion attempts.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and auditing for Azure resources, ensuring only authorized personnel have the ability to delete critical monitoring tools as described in the overview section.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified deletions by examining the associated user identity in the activity logs to confirm authorization, as described in the triage section.\u003c/li\u003e\n\u003cli\u003eRestore deleted Network Watchers by redeploying them in the affected regions to resume monitoring and logging capabilities, as mentioned in the response section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-network-watcher-deletion/","summary":"An adversary may delete an Azure Network Watcher to impair defenses by disabling network monitoring and logging capabilities, as detected by monitoring Azure activity logs for Network Watcher deletion events.","title":"Azure Network Watcher Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-network-watcher-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Network Watcher","version":"https://jsonfeed.org/version/1.1"}