Azure Active Directory Account Takeover

Try in Splunk Security Cloud

Description

Monitor for activities and techniques associated with Account Takover attacks against Azure Active Directory tenants.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• Last Updated: 2022-07-14
• Author: Mauricio Velazco, Splunk
• ID: 41514c46-7118-4eab-a9bb-f3bfa4e3bea9

Narrative

Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.

Detections

Name	Technique	Type
AWS New MFA Method Registered For User	Modify Authentication Process, Multi-Factor Authentication	TTP
Azure AD Authentication Failed During MFA Challenge	Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation	TTP
Azure AD Concurrent Sessions From Different Ips	Browser Session Hijacking	TTP
Azure AD High Number Of Failed Authentications For User	Brute Force, Password Guessing	TTP
Azure AD High Number Of Failed Authentications From Ip	Brute Force, Password Guessing, Password Spraying	TTP
Azure AD Multi-Factor Authentication Disabled	Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication	TTP
Azure AD Multiple Failed MFA Requests For User	Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts	TTP
Azure AD Multiple Users Failing To Authenticate From Ip	Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing	Anomaly
Azure AD New MFA Method Registered For User	Modify Authentication Process, Multi-Factor Authentication	TTP
Azure AD Successful Authentication From Different Ips	Brute Force, Password Guessing, Password Spraying	TTP
Azure AD Successful PowerShell Authentication	Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts	TTP
Azure AD Successful Single-Factor Authentication	Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts	TTP
Azure AD Unusual Number of Failed Authentications From Ip	Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing	Anomaly
Azure Active Directory High Risk Sign-in	Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying	TTP

Reference

• https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
• https://azure.microsoft.com/en-us/services/active-directory/#overview
• https://attack.mitre.org/techniques/T1586/
• https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad
• https://www.imperva.com/learn/application-security/account-takeover-ato/
• https://www.varonis.com/blog/azure-active-directory
• https://www.barracuda.com/glossary/account-takeover

source | version: 2