<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure Network Watcher - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/azure-network-watcher/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 11 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/azure-network-watcher/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure VNet Full Network Packet Capture Enabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-11-azure-packet-capture/</link><pubDate>Thu, 11 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-11-azure-packet-capture/</guid><description>Detection of Azure Network Watcher's Packet Capture feature being enabled, potentially indicating malicious network sniffing for credential access and discovery of sensitive data in unencrypted traffic.</description><content:encoded><![CDATA[<p>The Azure Network Watcher Packet Capture feature is designed for legitimate network traffic inspection and troubleshooting. However, malicious actors can abuse this feature to perform network sniffing and capture sensitive data, including credentials, from unencrypted internal traffic within Azure Virtual Networks (VNets). This can lead to unauthorized access to systems and data. The detection rule focuses on identifying instances where packet capture is initiated successfully, providing an opportunity to detect and respond to potential credential access attempts. The rule leverages Azure activity logs to monitor for specific packet capture operations, ensuring that suspicious activity is flagged for investigation. The scope of this threat is limited to Azure environments that utilize Network Watcher and have not implemented proper network segmentation or encryption.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains access to an Azure account with sufficient privileges to manage Network Watcher and initiate packet captures.</li>
<li><strong>Discovery:</strong> The attacker uses the compromised account to explore the Azure environment, identifying target VNets and subnets containing potentially valuable data.</li>
<li><strong>Packet Capture Configuration:</strong> The attacker configures the Network Watcher Packet Capture feature to capture traffic from the targeted VNet or subnet. This involves specifying the target VM or network interface and the duration of the capture.</li>
<li><strong>Start Packet Capture:</strong> The attacker initiates the packet capture process, which begins recording network traffic based on the configured parameters. The <code>MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION</code> operation is triggered in the Azure activity logs.</li>
<li><strong>Data Acquisition:</strong> Network traffic, including unencrypted credentials or sensitive data, is captured and stored in a designated storage account.</li>
<li><strong>Data Exfiltration (Potential):</strong> If the attacker has configured the packet capture to store data outside the secure environment, they may exfiltrate the captured data for further analysis or malicious use.</li>
<li><strong>Credential Access:</strong> The attacker analyzes the captured network traffic to identify and extract credentials or other sensitive information.</li>
<li><strong>Lateral Movement/Privilege Escalation:</strong> Using the acquired credentials, the attacker attempts to move laterally within the Azure environment, gaining access to additional systems and resources, or escalate privileges to gain higher-level control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to the compromise of sensitive data, including user credentials, API keys, and proprietary information. The impact could range from unauthorized access to internal systems and data breaches to complete control over the affected Azure resources. The severity depends on the scope of the captured network traffic and the sensitivity of the data transmitted. Organizations in all sectors utilizing Azure are potentially vulnerable. The number of victims can vary depending on the access level of the compromised account and the targeted resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect malicious packet capture activity in Azure.</li>
<li>Review Azure activity logs for instances of <code>MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION</code>, <code>MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION</code>, or <code>MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE</code> operations with a Success outcome, as identified in the rule query.</li>
<li>Implement the recommendations for Response and Remediation provided in the Setup section of the referenced Elastic rule to improve detection and response capabilities.</li>
<li>Regularly audit Azure user roles and permissions to ensure that only authorized personnel have the ability to manage Network Watcher and initiate packet captures.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>network-sniffing</category><category>credential-access</category></item><item><title>Azure Network Watcher Deletion for Defense Evasion</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-network-watcher-deletion/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-network-watcher-deletion/</guid><description>An adversary may delete an Azure Network Watcher to impair defenses by disabling network monitoring and logging capabilities, as detected by monitoring Azure activity logs for Network Watcher deletion events.</description><content:encoded><![CDATA[<p>Azure Network Watcher is a critical tool for monitoring, diagnosing, and logging network activity within Azure virtual networks. This tool provides crucial insights for maintaining network security and performance. An attacker with sufficient privileges can delete a Network Watcher instance to evade defenses by disabling network monitoring, traffic analysis, and logging capabilities. This event can be triggered through the Azure portal, CLI, or API. The deletion event is recorded in Azure Activity Logs, providing a valuable opportunity for detection. Detecting the unauthorized deletion of Network Watchers is crucial for maintaining visibility into the network environment and responding to potential security incidents.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to an Azure account with sufficient privileges to manage Network Watcher resources, potentially through compromised credentials or exploiting a misconfigured service principal.</li>
<li>The attacker authenticates to the Azure Resource Manager API or uses the Azure portal with the compromised account.</li>
<li>The attacker identifies the target Network Watcher instance within the Azure subscription.</li>
<li>The attacker issues a DELETE request to the Azure Resource Manager API targeting the Network Watcher resource, specifically using the &quot;MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE&quot; operation.</li>
<li>Azure processes the deletion request, removing the Network Watcher configuration and stopping the associated monitoring and logging activities.</li>
<li>The deletion event is recorded in the Azure Activity Logs with an &quot;event.outcome&quot; of &quot;Success&quot; or &quot;success&quot;.</li>
<li>Without the Network Watcher, the attacker can perform malicious activities within the virtual network with reduced chances of detection.</li>
<li>The attacker achieves their objective, such as data exfiltration, lateral movement, or deploying malicious resources, while avoiding network-based monitoring and alerting.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The deletion of a Network Watcher can significantly impair an organization's ability to detect and respond to network-based threats within their Azure environment. Successful deletion results in the loss of network traffic analysis, packet capture, and flow logging capabilities provided by Network Watcher. The scope of impact depends on the number of virtual networks and resources monitored by the deleted Network Watcher. This can lead to delayed incident response, increased dwell time for attackers, and greater potential for data breaches or other malicious activities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure Network Watcher Deleted</code> to your SIEM and tune for your environment, using Azure activity logs to detect unauthorized deletions of Network Watchers.</li>
<li>Review Azure activity logs regularly for <code>MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE</code> events to identify potential defense evasion attempts.</li>
<li>Implement stricter access controls and auditing for Azure resources, ensuring only authorized personnel have the ability to delete critical monitoring tools as described in the overview section.</li>
<li>Investigate any identified deletions by examining the associated user identity in the activity logs to confirm authorization, as described in the triage section.</li>
<li>Restore deleted Network Watchers by redeploying them in the affected regions to resume monitoring and logging capabilities, as mentioned in the response section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>azure</category><category>defense-evasion</category></item></channel></rss>