<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure PowerShell - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/azure-powershell/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/azure-powershell/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure AD PowerShell Authentication Abuse</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-azuread-powershell-auth/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-azuread-powershell-auth/</guid><description>Adversaries may compromise accounts and leverage successful PowerShell authentication in Azure AD to enumerate cloud resources, escalate privileges, and further exploit the Azure environment.</description><content:encoded><![CDATA[<p>This threat brief focuses on the abuse of successful PowerShell authentication within Azure Active Directory (Azure AD) environments. Attackers who have compromised user accounts or obtained valid credentials may leverage the &quot;Microsoft Azure PowerShell&quot; application to connect to Azure AD. This activity is notable because it's atypical for regular, non-administrative users to authenticate using PowerShell cmdlets. The observed behavior can be indicative of reconnaissance, lateral movement, or privilege escalation attempts. The techniques described here are relevant to defenders responsible for monitoring cloud environments and detecting anomalous authentication patterns. The information is based on observed patterns of abuse and recommended best practices for securing Azure AD.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access through compromised credentials obtained via phishing, password spraying (T1586.003), or other credential access techniques.</li>
<li><strong>Successful Authentication:</strong> The attacker successfully authenticates to Azure AD using the compromised credentials.</li>
<li><strong>PowerShell Authentication:</strong> The attacker authenticates to Azure AD using the Microsoft Azure PowerShell application.</li>
<li><strong>Account Enumeration:</strong> The attacker uses PowerShell cmdlets (e.g., <code>Get-AzureADUser</code>) to enumerate user accounts within the Azure AD tenant.</li>
<li><strong>Group Enumeration:</strong> The attacker uses PowerShell cmdlets (e.g., <code>Get-AzureADGroup</code>) to identify Azure AD groups and their members.</li>
<li><strong>Role Discovery:</strong> The attacker uses PowerShell cmdlets (e.g., <code>Get-AzureADRoleAssignment</code>) to discover assigned roles and permissions.</li>
<li><strong>Resource Discovery:</strong> The attacker identifies Azure resources (VMs, storage accounts, databases) accessible to the compromised account or through discovered roles.</li>
<li><strong>Lateral Movement/Privilege Escalation:</strong> Based on discovered resources and roles, the attacker attempts lateral movement to other systems or privilege escalation to gain higher-level access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack exploiting PowerShell authentication in Azure AD can result in significant damage. Attackers can gain unauthorized access to sensitive data, disrupt cloud services, and compromise critical infrastructure. The impact can range from data breaches and financial losses to reputational damage and regulatory fines. The compromised account's level of access will determine the scope of the damage, but even limited access can provide a foothold for further exploitation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to detect successful Azure AD PowerShell authentications and investigate any anomalous activity (rules).</li>
<li>Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential compromise (T1078.004).</li>
<li>Enforce the principle of least privilege to limit the permissions of user accounts and reduce the potential impact of a successful attack (T1078.004).</li>
<li>Review and restrict user access to the &quot;Microsoft Azure PowerShell&quot; application to only authorized users (rules).</li>
<li>Monitor Azure AD sign-in logs for unusual authentication patterns, such as logins from unfamiliar locations or devices (data_source).</li>
<li>Implement alerting based on the included analytic story &quot;Azure Active Directory Account Takeover&quot; (tags).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azuread</category><category>powershell</category><category>authentication</category><category>cloud</category></item></channel></rss>