Threat Feed

Tag

Attack.t1078

7 briefs
high advisory

Malicious Usage of AWS IMDS Credentials Outside of Expected Services

Compromised EC2 instances may be leveraged to exfiltrate and misuse AWS Instance Metadata Service (IMDS) credentials to perform actions outside of the expected AWS Simple Systems Manager (SSM) service, indicating potential lateral movement or data exfiltration.

EC2 attack.privilege-escalation attack.initial-access attack.persistence attack.stealth attack.t1078 attack.t1078.002
2r 3t
high advisory

Azure AD Sign-in from New Country/Region

Detection of Azure AD sign-ins originating from countries or regions not previously associated with a user, indicating potential account compromise or anomalous activity.

Entra ID attack.stealth attack.t1078 attack.persistence attack.privilege-escalation attack.initial-access
2r 1t
medium advisory

Azure AD Authentication to Important Apps Using Single-Factor Authentication

Detection of successful Azure AD authentications to critical applications that only required single-factor authentication, potentially indicating a security lapse or policy violation leading to unauthorized access.

Azure Active Directory attack.privilege-escalation attack.persistence attack.initial-access attack.stealth attack.t1078
2r 3t
high advisory

Detection of Azure Subscription Permission Elevation

Detection of a user being assigned the 'User Access Administrator' role, which grants the ability to manage all Azure Subscriptions, potentially leading to privilege escalation and unauthorized access.

Azure attack.privilege-escalation attack.persistence attack.initial-access attack.stealth attack.t1078
2r 1t
medium advisory

Azure AD Successful Authentication Increase

This detection identifies a statistically significant (10% or greater) increase in successful sign-ins to Azure Active Directory, potentially indicating credential compromise or account takeover attempts.

Azure Active Directory attack.privilege-escalation attack.persistence attack.initial-access attack.stealth attack.t1078
2r 1t
medium advisory

Azure AD User Added to Administrator Role

An adversary adds a user to an Azure Active Directory administrative role to gain initial access, persist in the environment, escalate privileges, and potentially operate stealthily.

Azure Active Directory attack.initial-access attack.persistence attack.privilege-escalation attack.stealth attack.t1098.003 attack.t1078
2r 4t
high advisory

Azure PIM - Role Assignment Outside of Privileged Identity Management

Privileged role assignments made outside of Azure Privileged Identity Management (PIM) can indicate potential attacker activity related to initial access, stealth, persistence, or privilege escalation within the Azure environment.

Azure Active Directory azure pim role-assignment attack.initial-access attack.stealth attack.t1078 attack.persistence attack.privilege-escalation
2r 4t