Analytics Story: Azure Active Directory Persistence
Description
Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.
Why it matters
Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants.
Detections
| Name ▲▼ |
Technique ▲▼ |
Type ▲▼ |
| Azure AD External Guest User Invited |
Cloud Account |
TTP |
| Azure AD FullAccessAsApp Permission Assigned |
Additional Email Delegate Permissions, Additional Cloud Roles |
TTP |
| Azure AD Global Administrator Role Assigned |
Additional Cloud Roles |
TTP |
| Azure AD Multiple Service Principals Created by SP |
Cloud Account |
Anomaly |
| Azure AD Multiple Service Principals Created by User |
Cloud Account |
Anomaly |
| Azure AD New Custom Domain Added |
Domain or Tenant Policy Modification, Trust Modification |
TTP |
| Azure AD New Federated Domain Added |
Domain or Tenant Policy Modification, Trust Modification |
TTP |
| Azure AD New MFA Method Registered |
Account Manipulation, Device Registration |
TTP |
| Azure AD PIM Role Assigned |
Account Manipulation, Additional Cloud Roles |
TTP |
| Azure AD PIM Role Assignment Activated |
Account Manipulation, Additional Cloud Roles |
TTP |
| Azure AD Privileged Graph API Permission Assigned |
Security Account Manager |
TTP |
| Azure AD Privileged Role Assigned |
Account Manipulation, Additional Cloud Roles |
TTP |
| Azure AD Service Principal Created |
Cloud Account |
TTP |
| Azure AD Service Principal New Client Credentials |
Account Manipulation, Additional Cloud Credentials |
TTP |
| Azure AD Service Principal Owner Added |
Account Manipulation |
TTP |
| Azure AD Tenant Wide Admin Consent Granted |
Account Manipulation, Additional Cloud Roles |
TTP |
| Azure AD User Enabled And Password Reset |
Account Manipulation |
TTP |
| Azure AD User ImmutableId Attribute Updated |
Account Manipulation |
TTP |
| Azure Automation Account Created |
Create Account, Cloud Account |
TTP |
| Azure Automation Runbook Created |
Create Account, Cloud Account |
TTP |
| Azure Runbook Webhook Created |
Valid Accounts, Cloud Accounts |
TTP |
| O365 Application Available To Other Tenants |
Additional Cloud Roles, Account Manipulation |
TTP |
| O365 Cross-Tenant Access Change |
Trust Modification |
TTP |
| O365 External Guest User Invited |
Cloud Account |
TTP |
| O365 External Identity Policy Changed |
Cloud Account |
TTP |
| O365 Privileged Role Assigned |
Account Manipulation, Additional Cloud Roles |
TTP |
| O365 SharePoint Allowed Domains Policy Changed |
Cloud Account |
TTP |
| O365 SharePoint Malware Detection |
Malicious File, User Execution |
TTP |
| Windows Multiple Account Passwords Changed |
Account Manipulation, Valid Accounts |
TTP |
| Windows Multiple Accounts Deleted |
Account Manipulation, Valid Accounts |
TTP |
| Windows Multiple Accounts Disabled |
Account Manipulation, Valid Accounts |
TTP |
Data Sources
References
Source: GitHub | Version: 2
Azure
Windows