{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/risk-detection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","threat-intelligence","risk-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAzure AD Threat Intelligence identifies suspicious user activities that deviate from established patterns or align with known attack tactics. These alerts, surfaced within the Azure AD Identity Protection framework, are crucial for detecting stealthy maneuvers, persistence attempts, unauthorized privilege escalations, and initial access attempts. The alerts are triggered by unusual sign-ins, potentially originating from unfamiliar locations or devices. Defenders should prioritize investigation into these alerts as they can be indicative of compromised accounts or malicious actors attempting to gain unauthorized access to resources within the Azure environment. \nSuccessfully identifying and mitigating these threats prevents further lateral movement, data exfiltration, and potential damage to the organization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises user credentials through phishing, credential stuffing, or other means (Initial Access).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to sign in to Azure AD using the compromised credentials, potentially from an unusual location or device.\u003c/li\u003e\n\u003cli\u003eAzure AD Threat Intelligence detects the unusual sign-in activity based on risk indicators and flags it as \u0026lsquo;investigationsThreatIntelligence\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker, if successful in the initial sign-in, attempts to access sensitive resources or applications within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to establish persistence by modifying user profiles or application settings.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges by exploiting vulnerabilities or misconfigurations within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other resources and accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack targeting Azure AD can compromise user accounts and lead to unauthorized access to sensitive data and resources. The impact can range from data breaches and financial losses to reputational damage and disruption of business operations. Organizations relying heavily on Azure AD for identity and access management are particularly vulnerable. \nThe number of affected users and the extent of the damage will depend on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026lsquo;investigationsThreatIntelligence\u0026rsquo; events within Azure AD risk detection logs (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate sessions flagged by the detection, correlating with other sign-in events from the same user to identify potential false positives or confirm malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to mitigate the risk of compromised credentials and unauthorized sign-ins.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access based on location, device, and other risk factors.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-azuread-threatintel/","summary":"This brief focuses on detecting unusual user activity and sign-in patterns flagged by Azure AD Threat Intelligence, which may indicate stealthy attacks, persistence attempts, privilege escalation, or initial access.","title":"Azure AD Threat Intelligence Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-azuread-threatintel/"}],"language":"en","title":"CraftedSignal Threat Feed — Risk-Detection","version":"https://jsonfeed.org/version/1.1"}