{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-powershell/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory","Azure PowerShell"],"_cs_severities":["high"],"_cs_tags":["azuread","powershell","authentication","cloud"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the abuse of successful PowerShell authentication within Azure Active Directory (Azure AD) environments. Attackers who have compromised user accounts or obtained valid credentials may leverage the \u0026quot;Microsoft Azure PowerShell\u0026quot; application to connect to Azure AD. This activity is notable because it's atypical for regular, non-administrative users to authenticate using PowerShell cmdlets. The observed behavior can be indicative of reconnaissance, lateral movement, or privilege escalation attempts. The techniques described here are relevant to defenders responsible for monitoring cloud environments and detecting anomalous authentication patterns. The information is based on observed patterns of abuse and recommended best practices for securing Azure AD.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access through compromised credentials obtained via phishing, password spraying (T1586.003), or other credential access techniques.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication:\u003c/strong\u003e The attacker successfully authenticates to Azure AD using the compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePowerShell Authentication:\u003c/strong\u003e The attacker authenticates to Azure AD using the Microsoft Azure PowerShell application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Enumeration:\u003c/strong\u003e The attacker uses PowerShell cmdlets (e.g., \u003ccode\u003eGet-AzureADUser\u003c/code\u003e) to enumerate user accounts within the Azure AD tenant.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGroup Enumeration:\u003c/strong\u003e The attacker uses PowerShell cmdlets (e.g., \u003ccode\u003eGet-AzureADGroup\u003c/code\u003e) to identify Azure AD groups and their members.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRole Discovery:\u003c/strong\u003e The attacker uses PowerShell cmdlets (e.g., \u003ccode\u003eGet-AzureADRoleAssignment\u003c/code\u003e) to discover assigned roles and permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Discovery:\u003c/strong\u003e The attacker identifies Azure resources (VMs, storage accounts, databases) accessible to the compromised account or through discovered roles.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Privilege Escalation:\u003c/strong\u003e Based on discovered resources and roles, the attacker attempts lateral movement to other systems or privilege escalation to gain higher-level access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack exploiting PowerShell authentication in Azure AD can result in significant damage. Attackers can gain unauthorized access to sensitive data, disrupt cloud services, and compromise critical infrastructure. The impact can range from data breaches and financial losses to reputational damage and regulatory fines. The compromised account's level of access will determine the scope of the damage, but even limited access can provide a foothold for further exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect successful Azure AD PowerShell authentications and investigate any anomalous activity (rules).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential compromise (T1078.004).\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege to limit the permissions of user accounts and reduce the potential impact of a successful attack (T1078.004).\u003c/li\u003e\n\u003cli\u003eReview and restrict user access to the \u0026quot;Microsoft Azure PowerShell\u0026quot; application to only authorized users (rules).\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD sign-in logs for unusual authentication patterns, such as logins from unfamiliar locations or devices (data_source).\u003c/li\u003e\n\u003cli\u003eImplement alerting based on the included analytic story \u0026quot;Azure Active Directory Account Takeover\u0026quot; (tags).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-azuread-powershell-auth/","summary":"Adversaries may compromise accounts and leverage successful PowerShell authentication in Azure AD to enumerate cloud resources, escalate privileges, and further exploit the Azure environment.","title":"Azure AD PowerShell Authentication Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azuread-powershell-auth/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure PowerShell","version":"https://jsonfeed.org/version/1.1"}