https://feed.craftedsignal.io/tags/account-compromise/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 02 Jan 2024 18:21:00 +0000https://feed.craftedsignal.io/briefs/2024-01-azure-atypical-travel/Tue, 02 Jan 2024 18:21:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-azure-atypical-travel/The Atypical Travel detection in Azure Identity Protection identifies potentially compromised user accounts by detecting geographically improbable sign-in activity, indicative of account compromise or misuse.The Atypical Travel detection in Azure Identity Protection is designed to identify instances where a user signs in from two geographically distant locations within a time frame that makes legitimate travel improbable. This anomaly indicates that an attacker may have compromised a user’s credentials and is attempting to access resources from a different location. The alert is triggered by the ‘unlikelyTravel’ risk event type within Azure’s risk detection service. This capability helps defenders identify compromised accounts and prevent further damage such as data exfiltration or lateral movement within the environment. The detection is based on comparing current sign-in locations against the user’s historical sign-in patterns, making it more accurate and less prone to false positives compared to simple geo-location based alerts.

Attack Chain

1. Credential Compromise: An attacker obtains a user’s credentials through phishing, credential stuffing, or malware.
2. Initial Access (Location A): The attacker uses the compromised credentials to sign in from a location that may be atypical for the user.
3. Successful Authentication (Location A): The attacker successfully authenticates and gains access to Azure resources.
4. Privilege Escalation (Optional): If the compromised account has sufficient permissions, the attacker attempts to escalate privileges within the Azure environment.
5. Lateral Movement (Optional): The attacker uses the compromised account to move laterally to other resources or accounts within the Azure environment.
6. Second Sign-in (Location B): Within a short timeframe, the attacker (or another attacker using the same credentials) signs in from a geographically distant location (Location B).
7. Atypical Travel Alert: Azure Identity Protection detects the unlikely travel scenario based on the two geographically improbable sign-ins.
8. Resource Access/Data Exfiltration: The attacker accesses sensitive resources or exfiltrates data from the environment.

Impact

A successful Atypical Travel attack can lead to unauthorized access to sensitive data, privilege escalation, lateral movement within the Azure environment, and potentially data exfiltration. The number of victims depends on the scope of the compromised user’s access and the attacker’s objectives. Organizations in all sectors are potentially at risk, as attackers often target user accounts with elevated privileges or access to critical data. The financial impact can include the cost of incident response, data breach notifications, and potential regulatory fines.

Recommendation

• Deploy the provided Sigma rule to your SIEM to detect Atypical Travel events (logsource: azure, service: riskdetection).
• Investigate flagged sessions in the context of other sign-ins from the user, as suggested by the false positives guidance.
• Implement multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise.
• Review and enforce conditional access policies to restrict access based on location and other factors.
• Monitor user accounts for unusual activity, such as changes in sign-in patterns or resource access.
• Implement account lockout policies to prevent brute-force attacks against user accounts.

]]>highadvisoryazureidentity-protectionatypical-travelaccount-compromisecredential-thefthttps://feed.craftedsignal.io/briefs/2024-01-impossible-travel/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-impossible-travel/This brief describes the detection of 'impossible travel' events in Azure AD, where a user appears to log in from geographically distant locations within an implausibly short time frame, potentially indicating account compromise.This rule detects “impossible travel” events within Azure Active Directory (Azure AD), a common indicator of account compromise. The scenario involves a user account exhibiting login activity from two geographically distant locations in a timeframe that makes physical travel between them impossible. This anomalous behavior often signifies that an attacker has gained unauthorized access to the account and is operating from a different location than the legitimate user. The rule leverages Azure AD Identity Protection’s risk detection capabilities to identify such instances. This detection is crucial for defenders as it highlights potential breaches and enables swift remediation actions to prevent further damage.

Attack Chain

1. An attacker gains initial access to a user’s credentials, potentially through phishing (T1566), credential stuffing, or malware.
2. The attacker authenticates to Azure AD from a geographic location different from the legitimate user’s typical location.
3. Shortly after the initial authentication, the legitimate user authenticates to Azure AD from their usual location.
4. Azure AD Identity Protection flags the activity as “impossible travel” due to the conflicting geographic locations and the short timeframe between the authentications.
5. The “impossibleTravel” risk event is logged within Azure AD’s risk detection logs.
6. The attacker may attempt to escalate privileges within the compromised account (T1068) to gain broader access to resources.
7. The attacker may move laterally within the organization (T1021) to access sensitive data or systems.
8. The attacker’s ultimate goal could be data exfiltration, financial theft, or disruption of services, depending on the organization’s profile.

Impact

A successful “impossible travel” attack can lead to a full compromise of the user’s account, granting the attacker access to sensitive data, internal systems, and other resources accessible to the user. Depending on the user’s role and permissions, the impact could range from data breaches to financial losses and significant reputational damage. Organizations in all sectors are vulnerable, with a higher risk for those handling sensitive data or operating critical infrastructure. The number of affected users depends on the attacker’s ability to move laterally and escalate privileges after compromising the initial account.

Recommendation

• Deploy the provided Sigma rule to your SIEM to detect “impossible travel” events flagged by Azure AD Identity Protection, focusing on the riskEventType: 'impossibleTravel' (logsource: azure, service: riskdetection).
• Investigate any triggered alerts promptly, focusing on the user account involved and the geographic locations of the login attempts (logsource: azure, service: riskdetection).
• Review and enhance user training programs to educate employees on the risks of phishing and credential compromise (T1566).
• Implement multi-factor authentication (MFA) for all users to mitigate the risk of unauthorized access even if credentials are compromised (T1110).
• Review and adjust the sensitivity of Azure AD Identity Protection’s risk detection policies to align with your organization’s risk tolerance.
• Consider implementing conditional access policies that restrict access based on geographic location or require MFA for logins from unfamiliar locations.

]]>highadvisoryazureadidentity-protectionimpossible-travelaccount-compromiselateral-movement