
Description

Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • Last Updated: 2022-08-17
  • Author: Mauricio Velazco, Splunk
  • ID: dca983db-6334-4a0d-be32-80611ca1396c

Narrative

Azure Active Directory (Azure AD) is Microsoft's enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most Azure services, including Office 365. It can sync with on-premises Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic story groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants.

Detections

Name                                                  | Technique                                                      | Type
------------------------------------------------------|----------------------------------------------------------------|--------
Azure AD External Guest User Invited                  | Cloud Account                                                  | TTP
Azure AD FullAccessAsApp Permission Assigned          | Additional Email Delegate Permissions, Additional Cloud Roles  | TTP
Azure AD Global Administrator Role Assigned           | Additional Cloud Roles                                         | TTP
Azure AD Multiple Service Principals Created by SP    | Cloud Account                                                  | Anomaly
Azure AD Multiple Service Principals Created by User  | Cloud Account                                                  | Anomaly
Azure AD New Custom Domain Added                      | Domain Policy Modification, Domain Trust Modification          | TTP
Azure AD New Federated Domain Added                   | Domain Policy Modification, Domain Trust Modification          | TTP
Azure AD New MFA Method Registered                    | Account Manipulation, Device Registration                      | TTP
Azure AD PIM Role Assigned                            | Account Manipulation, Additional Cloud Roles                   | TTP
Azure AD PIM Role Assignment Activated                | Account Manipulation, Additional Cloud Roles                   | TTP
Azure AD Privileged Graph API Permission Assigned     | Security Account Manager                                       | TTP
Azure AD Privileged Role Assigned                     | Account Manipulation, Additional Cloud Roles                   | TTP
Azure AD Service Principal Created                    | Cloud Account                                                  | TTP
Azure AD Service Principal New Client Credentials     | Account Manipulation, Additional Cloud Credentials             | TTP
Azure AD Service Principal Owner Added                | Account Manipulation                                           | TTP
Azure AD Tenant Wide Admin Consent Granted            | Account Manipulation, Additional Cloud Roles                   | TTP
Azure AD User Enabled And Password Reset              | Account Manipulation                                           | TTP
Azure AD User ImmutableId Attribute Updated           | Account Manipulation                                           | TTP
Azure Automation Account Created                      | Create Account, Cloud Account                                  | TTP
Azure Automation Runbook Created                      | Create Account, Cloud Account                                  | TTP
Azure Runbook Webhook Created                         | Valid Accounts, Cloud Accounts                                 | TTP
Windows Multiple Account Passwords Changed            | Account Manipulation, Valid Accounts                           | TTP
Windows Multiple Accounts Deleted                     | Account Manipulation, Valid Accounts                           | TTP
Windows Multiple Accounts Disabled                    | Account Manipulation, Valid Accounts                           | TTP

Reference

source | version: 1