O365 FullAccessAsApp Permission Assigned: identityO365 Tenantrisk_score:482024-09-30version:3
The following analytic detects the assignment of the 'full_access_as_app' permission to an application registration in Office 365 Exchange Online. This detection leverages Office 365 management activity logs and filters Azure Active Directory workload events to identify when the specific permission, identified by GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is granted. This activity is significant because it provides extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. If confirmed malicious, this could lead to unauthorized data access, exfiltration, or account compromise. Immediate investigation is required.
Azure AD Multi-Source Failed Authentications Spike: identityAzure Tenantrisk_score:422024-10-17version:5
The following analytic detects potential distributed password spraying attacks in an Azure AD environment. It identifies a spike in failed authentication attempts across various user-and-IP combinations from multiple source IPs and countries, using different user agents. This detection leverages Azure AD SignInLogs, focusing on error code 50126 for failed authentications. This activity is significant as it indicates an adversary's attempt to bypass security controls by distributing login attempts. If confirmed malicious, this could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization's infrastructure.
Schtasks scheduling job on remote system: endpointEndpointrisk_score:632024-11-28version:10
The following analytic detects the use of 'schtasks.exe' to create a scheduled task on a remote system, indicating potential lateral movement or remote code execution. It leverages process data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line arguments and flags. This activity is significant as it may signify an adversary's attempt to persist or execute code remotely. If confirmed malicious, this could allow attackers to maintain access, execute arbitrary commands, or further infiltrate the network, posing a severe security risk.
O365 Added Service Principal: threatO365 Tenantrisk_score:422024-09-30version:5
The following analytic detects the addition of new service principal accounts in O365 tenants. It leverages data from the `o365_management_activity` dataset, specifically monitoring for operations related to adding or creating service principals. This activity is significant because attackers can exploit service principals to gain unauthorized access and perform malicious actions within an organization's environment. If confirmed malicious, this could allow attackers to interact with APIs, access resources, and execute operations on behalf of the organization, potentially leading to data breaches or further compromise.
Detect Outbound SMB Traffic: networkEndpointrisk_score:252024-10-16version:6
The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise.
Supernova Webshell: networkWeb Serverrisk_score:252024-10-17version:3
The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections.
Azure AD Multiple Service Principals Created by User: identityAzure Active Directoryrisk_score:422024-09-30version:4
The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD. It detects this activity by monitoring the 'Add service principal' operation and aggregating data in 10-minute intervals. This behavior is significant as it may indicate an adversary rapidly creating multiple service principals to stage an attack or expand their foothold within the network. If confirmed malicious, this activity could allow attackers to establish persistence, escalate privileges, or access sensitive information within the Azure environment.
O365 ApplicationImpersonation Role Assigned: threatO365 Tenantrisk_score:562024-09-30version:3
The following analytic detects the assignment of the ApplicationImpersonation role in Office 365 to a user or application. It uses the Office 365 Management Activity API to monitor Azure Active Directory audit logs for role assignment events. This activity is significant because the ApplicationImpersonation role allows impersonation of any user, enabling access to and modification of their mailbox. If confirmed malicious, an attacker could gain unauthorized access to sensitive information, manipulate mailbox data, and perform actions as a legitimate user, posing a severe security risk to the organization.
O365 Tenant Wide Admin Consent Granted: identityO365 Tenantrisk_score:452024-09-30version:3
The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to organizational data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.
Azure AD Privileged Graph API Permission Assigned: identityAzure Active Directoryrisk_score:542024-09-30version:3
The following analytic detects the assignment of high-risk Graph API permissions in Azure AD, specifically Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. It uses azure_monitor_aad data to scan AuditLogs for 'Update application' operations, identifying when these permissions are assigned. This activity is significant as it grants broad control over Azure AD, including application and directory settings. If confirmed malicious, it could lead to unauthorized modifications and potential security breaches, compromising the integrity and security of the Azure AD environment. Immediate investigation is required.
Azure AD Service Principal Authentication: identityAzure Active Directoryrisk_score:252024-09-30version:4
The following analytic identifies authentication events of service principals in Azure Active Directory. It leverages the `azure_monitor_aad` data source, specifically targeting "Sign-in activity" within ServicePrincipalSignInLogs. This detection gathers details such as sign-in frequency, timing, source IPs, and accessed resources. Monitoring these events is significant for SOC teams to distinguish between normal application authentication and potential anomalies, which could indicate compromised credentials or malicious activities. If confirmed malicious, attackers could gain unauthorized access to resources, leading to data breaches or further exploitation within the environment.
Azure AD Privileged Role Assigned to Service Principal: identityAzure Active Directoryrisk_score:352024-09-30version:5
The following analytic detects the assignment of privileged roles to service principals in Azure Active Directory (AD). It leverages the AuditLogs log category from ingested Azure AD events. This activity is significant because assigning elevated permissions to non-human entities can lead to unauthorized access or malicious activities. If confirmed malicious, attackers could exploit these service principals to gain elevated access to Azure resources, potentially compromising sensitive data and critical infrastructure. Monitoring this behavior helps prevent privilege escalation and ensures the security of Azure environments.
Azure AD Multiple Service Principals Created by SP: identityAzure Active Directoryrisk_score:422024-09-30version:4
The following analytic detects when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span. It leverages Azure AD audit logs, specifically monitoring the 'Add service principal' operation initiated by service principals. This behavior is significant as it may indicate an attacker using a compromised or malicious service principal to rapidly establish multiple service principals, potentially staging an attack. If confirmed malicious, this activity could facilitate network infiltration or expansion, allowing the attacker to gain unauthorized access and persist within the environment.
Sunburst Correlation DLL and Network Event: endpointWindowsrisk_score:252024-10-17version:3
The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems.
O365 Multiple Mailboxes Accessed via API: threatO365 Tenantrisk_score:422024-09-30version:4
The following analytic detects when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) within a short timeframe. It leverages 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. This activity is significant as it may indicate unauthorized mass email access, potentially signaling data exfiltration or account compromise. If confirmed malicious, attackers could gain access to sensitive information, leading to data breaches and further exploitation of compromised accounts. The threshold is set to flag over five unique mailboxes accessed within 10 minutes, but should be tailored to your environment.
Azure AD Service Principal Owner Added: auditAzure Active Directoryrisk_score:542024-09-30version:6
The following analytic detects the addition of a new owner to a Service Principal within an Azure AD tenant. It leverages Azure Active Directory events from the AuditLog log category to identify this activity. This behavior is significant because Service Principals do not support multi-factor authentication or conditional access policies, making them a target for adversaries seeking persistence or privilege escalation. If confirmed malicious, this activity could allow attackers to maintain access to the Azure AD environment with single-factor authentication, potentially leading to unauthorized access and control over critical resources.
First Time Seen Running Windows Service: endpointEndpointrisk_score:252024-10-17version:6
The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the "running" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats.
O365 Privileged Graph API Permission Assigned: identityO365 Tenantrisk_score:542024-09-30version:3
The following analytic detects the assignment of critical Graph API permissions in Azure AD using the O365 Unified Audit Log. It focuses on permissions such as Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. The detection method leverages Azure Active Directory workload events, specifically 'Update application' operations. This activity is significant as these permissions provide extensive control over Azure AD settings, posing a high risk if misused. If confirmed malicious, this could allow unauthorized modifications, leading to potential data breaches or privilege escalation. Immediate investigation is crucial.
O365 Multiple Users Failing To Authenticate From Ip: identityO365 Tenantrisk_score:632024-09-30version:5
The following analytic identifies instances where more than 10 unique user accounts fail to authenticate from a single IP address within a 5-minute window. This detection leverages O365 audit logs, specifically Azure Active Directory login failures (AzureActiveDirectoryStsLogon). Such activity is significant as it may indicate brute-force attacks or password spraying attempts. If confirmed malicious, this behavior suggests an external entity is attempting to breach security by targeting multiple accounts, potentially leading to unauthorized access. Immediate action is required to block or monitor the suspicious IP and notify affected users to enhance their security measures.
Detect Rundll32 Inline HTA Execution: endpointEndpointrisk_score:562024-09-30version:4
The following analytic detects the execution of "rundll32.exe" with inline protocol handlers such as "JavaScript", "VBScript", and "About". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line arguments. This activity is significant as it is often associated with fileless malware or application whitelisting bypass techniques. If confirmed malicious, this could allow an attacker to execute arbitrary code, bypass security controls, and maintain persistence within the environment.
Anomalous usage of 7zip: endpointEndpointrisk_score:642024-09-30version:5
The following analytic detects the execution of 7z.exe, a 7-Zip utility, spawned from rundll32.exe or dllhost.exe. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent processes. This activity is significant as it may indicate an adversary attempting to use 7-Zip for data exfiltration, often by renaming the executable to evade detection. If confirmed malicious, this could lead to unauthorized data archiving and exfiltration, compromising sensitive information and potentially leading to further system exploitation.
Azure AD Admin Consent Bypassed by Service Principal: identityAzure Active Directoryrisk_score:542024-09-30version:4
The following analytic identifies instances where a service principal in Azure Active Directory assigns app roles without standard admin consent. It uses Entra ID logs from the `azure_monitor_aad` data source, focusing on the "Add app role assignment to service principal" operation. This detection is significant as it highlights potential bypasses of critical administrative consent processes, which could lead to unauthorized privileges being granted. If confirmed malicious, this activity could allow attackers to exploit automation to assign sensitive permissions without proper oversight, potentially compromising the security of the Azure AD environment.
O365 OAuth App Mailbox Access via Graph API: threatO365 Tenantrisk_score:422024-09-30version:4
The following analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API using the client ID '00000003-0000-0000-c000-000000000000'. It leverages the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. This activity is significant as unauthorized access to emails can lead to data breaches and information theft. If confirmed malicious, attackers could exfiltrate sensitive information, compromise user accounts, and further infiltrate the organization’s network.
O365 Service Principal New Client Credentials: identityO365 Tenantrisk_score:352024-09-30version:4
The following analytic detects the addition of new credentials for Service Principals within an Office 365 tenant. It uses O365 audit logs, focusing on events related to credential modifications or additions in the AzureActiveDirectory workload. This activity is significant because Service Principals represent application identities, and their credentials allow applications to authenticate and access resources. If an attacker successfully adds or modifies these credentials, they can impersonate the application, leading to unauthorized data access, data exfiltration, or malicious operations under the application's identity.
Azure AD Privileged Role Assigned: auditAzure Active Directoryrisk_score:632024-09-30version:5
The following analytic detects the assignment of privileged Azure Active Directory roles to a user. It leverages Azure AD audit logs, specifically monitoring the "Add member to role" operation. This activity is significant as adversaries may assign privileged roles to compromised accounts to maintain persistence within the Azure AD environment. If confirmed malicious, this could allow attackers to escalate privileges, access sensitive information, and maintain long-term control over the Azure AD infrastructure.
O365 Multiple Service Principals Created by User: identityO365 Tenantrisk_score:422024-09-30version:3
The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in Azure Active Directory. This activity is significant as it may indicate a compromised user account or unauthorized actions, potentially leading to broader network infiltration or privilege escalation. If confirmed malicious, this behavior could allow attackers to gain persistent access, escalate privileges, or exfiltrate sensitive information.
Azure AD FullAccessAsApp Permission Assigned: threatAzure Active Directoryrisk_score:482024-09-30version:3
The following analytic detects the assignment of the 'full_access_as_app' permission to an application within Office 365 Exchange Online. This is identified by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40' and the ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. The detection leverages the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This activity is significant as it grants broad control over Office 365 operations, including full access to all mailboxes and the ability to send emails as any user. If malicious, this could lead to unauthorized access and data exfiltration.
Windows AdFind Exe: endpointEndpointrisk_score:252024-10-17version:6
The following analytic identifies the execution of `adfind.exe` with specific command-line arguments related to Active Directory queries. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because `adfind.exe` is a powerful tool often used by threat actors like Wizard Spider and FIN6 to gather sensitive AD information. If confirmed malicious, this activity could allow attackers to map the AD environment, facilitating further attacks such as privilege escalation or lateral movement.
O365 Application Registration Owner Added: identityO365 Tenantrisk_score:302024-09-30version:3
The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload. This activity is significant because assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. If confirmed malicious, an attacker could modify the application's settings, permissions, and behavior, leading to unauthorized data access, privilege escalation, or the introduction of malicious behavior within the application's operations.
Malicious PowerShell Process - Encoded Command: endpointEndpointrisk_score:352024-10-17version:11
The following analytic detects the use of the EncodedCommand parameter in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data to identify variations of the EncodedCommand parameter, including shortened forms and different command switch types. This activity is significant because adversaries often use encoded commands to obfuscate malicious scripts, making detection harder. If confirmed malicious, this behavior could allow attackers to execute hidden code, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment. Review parallel events to determine legitimacy and tune based on known administrative scripts.
Scheduled Task Deleted Or Created via CMD: endpointEndpointrisk_score:562024-09-30version:8
The following analytic identifies the creation or deletion of scheduled tasks using the schtasks.exe utility with the -create or -delete flags. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it can indicate unauthorized system manipulation or malicious intent, often associated with threat actors like Dragonfly and incidents such as the SUNBURST attack. If confirmed malicious, this activity could allow attackers to execute code, escalate privileges, or persist within the environment, posing a significant security risk.
Azure AD Tenant Wide Admin Consent Granted: identityAzure Tenantrisk_score:452024-09-30version:4
The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to sensitive data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.
Detect Prohibited Applications Spawning cmd exe: endpointEndpointrisk_score:802024-10-17version:9
The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.
Azure AD Service Principal New Client Credentials: threatAzure Active Directoryrisk_score:352024-09-30version:5
The following analytic detects the addition of new credentials to Service Principals and Applications in Azure AD. It leverages Azure AD AuditLogs, specifically monitoring the "Update application*Certificates and secrets management" operation. This activity is significant as it may indicate an adversary attempting to maintain persistent access or escalate privileges within the Azure environment. If confirmed malicious, attackers could use these new credentials to log in as the service principal, potentially compromising sensitive accounts and resources, leading to unauthorized access and control over the Azure environment.
Azure AD High Number Of Failed Authentications From Ip: identityAzure Tenantrisk_score:352024-09-30version:6
The following analytic detects an IP address with 20 or more failed authentication attempts to an Azure AD tenant within 10 minutes. It leverages Azure AD SignInLogs to identify repeated failed logins from the same IP. This behavior is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges. If confirmed malicious, the attacker could potentially compromise user accounts, leading to unauthorized access to sensitive information and resources within the Azure environment.
O365 OAuth App Mailbox Access via EWS: threatO365 Tenantrisk_score:422024-09-30version:4
The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS) using OAuth-authenticated applications. It leverages the ClientInfoString field to identify EWS interactions and aggregates metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. Monitoring OAuth applications accessing emails through EWS is crucial for identifying potential abuse or unauthorized data access. If confirmed malicious, this activity could lead to unauthorized email access, data exfiltration, or further compromise of sensitive information.
O365 Multi-Source Failed Authentications Spike: identityO365 Tenantrisk_score:422024-10-17version:4
The following analytic identifies a spike in failed authentication attempts within an Office 365 environment, indicative of a potential distributed password spraying attack. It leverages UserLoginFailed events from O365 Management Activity logs, focusing on ErrorNumber 50126. This detection is significant as it highlights attempts to bypass security controls using multiple IP addresses and user agents. If confirmed malicious, this activity could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization. Early detection is crucial to prevent account takeovers and mitigate subsequent threats.
TOR Traffic: networkEndpointrisk_score:802024-09-30version:5
The following analytic identifies allowed network traffic to The Onion Router (TOR), an anonymity network often exploited for malicious activities. It leverages data from Next Generation Firewalls, using the Network_Traffic data model to detect traffic where the application is TOR and the action is allowed. This activity is significant as TOR can be used to bypass conventional monitoring, facilitating hacking, data breaches, and illicit content dissemination. If confirmed malicious, this could lead to unauthorized access, data exfiltration, and severe compliance violations, compromising the integrity and security of the network.
O365 Multiple Service Principals Created by SP: identityO365 Tenantrisk_score:422024-09-30version:3
The following analytic identifies instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in the Office 365 Azure Active Directory environment. This activity is significant as it may indicate a compromised or malicious service principal attempting to expand control or access within the network. If confirmed malicious, this could lead to unauthorized access and potential lateral movement within the environment, posing a significant security risk.
Sc exe Manipulating Windows Services: endpointEndpointrisk_score:562024-09-30version:6
The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment.
Azure AD Service Principal Created: threatAzure Active Directoryrisk_score:452024-09-30version:3
The following analytic detects the creation of a Service Principal in an Azure AD environment. It leverages Azure Active Directory events ingested through EventHub, specifically monitoring the "Add service principal" operation. This activity is significant because Service Principals can be used by adversaries to establish persistence and bypass multi-factor authentication and conditional access policies. If confirmed malicious, this could allow attackers to maintain single-factor access to the Azure AD environment, potentially leading to unauthorized access to resources and prolonged undetected activity.
