New Azure AD Detections #2799

Closed
wants to merge 91 commits into from
91 commits
4e10322
adding new detection
mvelazc0 Aug 3, 2023
66b96a2
Branch was auto-updated.
srv-rr-gh-researchbt Aug 7, 2023
10610a9
Branch was auto-updated.
srv-rr-gh-researchbt Aug 7, 2023
e25a5bb
Branch was auto-updated.
srv-rr-gh-researchbt Aug 7, 2023
730671f
Branch was auto-updated.
srv-rr-gh-researchbt Aug 7, 2023
eabcdde
Branch was auto-updated.
srv-rr-gh-researchbt Aug 8, 2023
62d4818
update detections/cloud/azure_ad_device_code_authentication.yml
gowthamarajr Aug 8, 2023
b72645a
Branch was auto-updated.
srv-rr-gh-researchbt Aug 9, 2023
a19575a
Edit SPL
gowthamarajr Aug 9, 2023
d3c33ff
Merge branch 'TR_3232_azure_ad' of https://github.com/splunk/security…
gowthamarajr Aug 9, 2023
92b7f39
Update SPL
gowthamarajr Aug 9, 2023
881722c
Update required fields
gowthamarajr Aug 9, 2023
b0b9f93
Update SPL
gowthamarajr Aug 9, 2023
00e0bef
Add info
gowthamarajr Aug 10, 2023
4baee1c
Branch was auto-updated.
srv-rr-gh-researchbt Aug 17, 2023
67d0a05
Branch was auto-updated.
srv-rr-gh-researchbt Aug 17, 2023
5def886
Branch was auto-updated.
srv-rr-gh-researchbt Aug 17, 2023
185c123
Branch was auto-updated.
srv-rr-gh-researchbt Aug 17, 2023
930e559
Branch was auto-updated.
srv-rr-gh-researchbt Aug 17, 2023
6ce8631
Branch was auto-updated.
srv-rr-gh-researchbt Aug 17, 2023
8fa5bb6
Branch was auto-updated.
srv-rr-gh-researchbt Aug 17, 2023
78802d8
Branch was auto-updated.
srv-rr-gh-researchbt Aug 17, 2023
66a28c6
Branch was auto-updated.
srv-rr-gh-researchbt Aug 18, 2023
c2bd3a5
Branch was auto-updated.
srv-rr-gh-researchbt Aug 18, 2023
4b845c2
Branch was auto-updated.
srv-rr-gh-researchbt Aug 18, 2023
7f31e22
Branch was auto-updated.
srv-rr-gh-researchbt Aug 18, 2023
49c90e2
Branch was auto-updated.
srv-rr-gh-researchbt Aug 18, 2023
050cc96
Branch was auto-updated.
srv-rr-gh-researchbt Aug 18, 2023
098abff
Branch was auto-updated.
srv-rr-gh-researchbt Aug 18, 2023
1852d8b
Branch was auto-updated.
srv-rr-gh-researchbt Aug 18, 2023
7505c95
Branch was auto-updated.
srv-rr-gh-researchbt Aug 18, 2023
678eeec
Branch was auto-updated.
srv-rr-gh-researchbt Aug 18, 2023
d46df79
Branch was auto-updated.
srv-rr-gh-researchbt Aug 28, 2023
5f6fd0d
Branch was auto-updated.
srv-rr-gh-researchbt Aug 28, 2023
e3305cd
Branch was auto-updated.
srv-rr-gh-researchbt Aug 28, 2023
9e06eec
Branch was auto-updated.
srv-rr-gh-researchbt Aug 29, 2023
91709f4
Branch was auto-updated.
srv-rr-gh-researchbt Aug 29, 2023
a0127be
Branch was auto-updated.
srv-rr-gh-researchbt Aug 29, 2023
4c583c6
Branch was auto-updated.
srv-rr-gh-researchbt Aug 29, 2023
ec0bb82
Branch was auto-updated.
srv-rr-gh-researchbt Aug 29, 2023
480dfdb
Branch was auto-updated.
srv-rr-gh-researchbt Aug 29, 2023
7e3bea8
Branch was auto-updated.
srv-rr-gh-researchbt Aug 30, 2023
80389b2
Branch was auto-updated.
srv-rr-gh-researchbt Aug 30, 2023
b3cc397
Branch was auto-updated.
srv-rr-gh-researchbt Aug 30, 2023
dce66c8
Branch was auto-updated.
srv-rr-gh-researchbt Sep 1, 2023
cbbe67b
Branch was auto-updated.
srv-rr-gh-researchbt Sep 5, 2023
ff47f5e
Branch was auto-updated.
srv-rr-gh-researchbt Sep 6, 2023
5497c4b
new detection
mvelazc0 Sep 14, 2023
9538d20
Branch was auto-updated.
srv-rr-gh-researchbt Sep 20, 2023
b13135b
Branch was auto-updated.
srv-rr-gh-researchbt Sep 20, 2023
1cc51a8
Branch was auto-updated.
srv-rr-gh-researchbt Oct 4, 2023
ddd9780
Branch was auto-updated.
srv-rr-gh-researchbt Oct 4, 2023
dd2b96f
Branch was auto-updated.
srv-rr-gh-researchbt Oct 4, 2023
de995b1
Branch was auto-updated.
srv-rr-gh-researchbt Oct 4, 2023
2b140c0
Branch was auto-updated.
srv-rr-gh-researchbt Oct 5, 2023
053e651
Branch was auto-updated.
srv-rr-gh-researchbt Oct 13, 2023
166eb75
Branch was auto-updated.
srv-rr-gh-researchbt Oct 18, 2023
cb95a59
Branch was auto-updated.
srv-rr-gh-researchbt Oct 18, 2023
5d86414
Branch was auto-updated.
srv-rr-gh-researchbt Oct 18, 2023
321c040
Branch was auto-updated.
srv-rr-gh-researchbt Oct 25, 2023
d68a917
adding new detection
mvelazc0 Oct 25, 2023
706f713
update macro
mvelazc0 Oct 25, 2023
92cf159
updating detections
mvelazc0 Oct 26, 2023
dcc7081
adding new detection
mvelazc0 Oct 26, 2023
792e695
Branch was auto-updated.
srv-rr-gh-researchbt Oct 26, 2023
095838e
Branch was auto-updated.
srv-rr-gh-researchbt Oct 27, 2023
b5acee8
adding detection
mvelazc0 Oct 27, 2023
b4356da
updating macro. adding new detection.
mvelazc0 Oct 27, 2023
15453d5
update sourcetype
mvelazc0 Oct 27, 2023
cff4168
new detection
mvelazc0 Oct 30, 2023
a62bde4
updates
mvelazc0 Oct 30, 2023
d2e1de3
adding detection
mvelazc0 Oct 31, 2023
31d2d20
adding detection
mvelazc0 Oct 31, 2023
77b591f
update detection
mvelazc0 Oct 31, 2023
1ff4ed0
Update azure_ad_multiple_denied_mfa_requests_for_user.yml
mvelazc0 Oct 31, 2023
8a0f56b
Branch was auto-updated.
srv-rr-gh-researchbt Nov 1, 2023
1741f91
updating detections
mvelazc0 Nov 1, 2023
43f748d
Merge branch 'TR_3232_azure_ad' of github.com:splunk/security_content…
mvelazc0 Nov 1, 2023
5f61268
Branch was auto-updated.
srv-rr-gh-researchbt Nov 1, 2023
7b501ac
Update azure_ad_multiple_failed_mfa_requests_for_user.yml
mvelazc0 Nov 1, 2023
e7b504d
Merge branch 'TR_3232_azure_ad' of github.com:splunk/security_content…
mvelazc0 Nov 1, 2023
a08846e
add some testing
pyth0n1c Nov 8, 2023
304ae9a
can't run poetry shell in github
pyth0n1c Nov 8, 2023
7c76a97
forgot to add checkout
pyth0n1c Nov 8, 2023
96d7006
fix spacing
pyth0n1c Nov 8, 2023
51a3b86
Fix observable issues, unicode characters,
pyth0n1c Nov 8, 2023
6d6a603
More minor testing fixes
pyth0n1c Nov 8, 2023
f77422a
fix pathing
pyth0n1c Nov 8, 2023
7776ce8
adding new detection
mvelazc0 Nov 9, 2023
5070105
update detection
mvelazc0 Nov 9, 2023
8c0c057
updating hunting query
mvelazc0 Nov 9, 2023
31 changes: 31 additions & 0 deletions .github/workflows/contentctl_test.yml
@@ -0,0 +1,31 @@
name: Initial contentctl test workflow

# Trigger the workflow on pull request
on:
push:
pull_request:
types: [opened, reopened]

jobs:
contentctl_test:
name: run contentctl test
runs-on: ubuntu-latest
steps:
- uses: actions/setup-python@v4
with:
python-version: '3.9' #Available versions here - https://github.com/actions/python-versions/releases easy to change/make a matrix/use pypy
architecture: 'x64' # optional x64 or x86. Defaults to x64 if not specified

- name: Check out the repository code
uses: actions/checkout@v3

- name: Everything
run: |
git clone https://github.com/splunk/contentctl
cd contentctl
git checkout diff_test_cli_support
git pull
python -m pip install poetry
poetry install
poetry run contentctl -p ../ validate
poetry run contentctl -p ../ test --mode changes --target_branch develop --test_branch TR_3232_azure_ad
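Review bot: the `on:` block fires on every `push` as well as on pull requests, although the comment above it says pull request only, and the last step hardcodes `--test_branch TR_3232_azure_ad`, so the workflow only ever tests this one branch and stops making sense the moment it is merged; take the branch from `${{ github.head_ref }}` (or `github.ref_name`) and either drop the bare `push:` trigger or scope it to specific branches. The "Everything" step also clones `splunk/contentctl`, checks out the unpinned feature branch `diff_test_cli_support` and runs `git pull`, so whatever is on that branch at run time executes inside CI with the repository checked out; pin it to a commit SHA or a tagged release. Minor: `actions/setup-python` runs before `actions/checkout`, which works but reads backwards, and nothing in the step caches or pins the `poetry` version.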
6 changes: 3 additions & 3 deletions contentctl.yml
Expand Up @@ -20,6 +20,6 @@ build_ssa:
build_api:
path_root: 'dist/api'
enrichments:
attack_enrichment: true
cve_enrichment: true
splunk_app_enrichment: false
attack_enrichment: false
cve_enrichment: false
splunk_app_enrichment: false
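Review bot: this flips `attack_enrichment` and `cve_enrichment` from `true` to `false` in the repository-wide `contentctl.yml`, which changes what the production build emits for every detection, not just the ones added in this PR. If the intent was to make the CI run in this PR faster or to avoid the ATT&CK and CVE lookups, revert the change here and override the setting in the CI invocation instead, or call the change out explicitly in the PR description.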
25 changes: 24 additions & 1 deletion contentctl_test.yml
@@ -1,4 +1,7 @@
version_control_config: {}
version_control_config:
repo_path: ../
repo_url: https://github.com/splunk/security_content

infrastructure_config:
infrastructure_type: container
full_image_path: registry.hub.docker.com/splunk/splunk:latest
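Review bot: `repo_path: ../` is relative to wherever contentctl is invoked from, so it only resolves when the tool is run from inside the cloned `contentctl` directory as the new workflow does; a path relative to this repository's root (or an absolute one) would be less fragile. The `repo_url` is needed for `--mode changes`, but the surrounding context still pulls `registry.hub.docker.com/splunk/splunk:latest`, so results of the test run are not reproducible from one day to the next; pin the image tag.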
Expand All @@ -18,6 +21,26 @@ apps:
splunkbase_path: null
environment_path: ENVIRONMENT_PATH_NOT_SET
force_local: false
- uid: 3110
appid: Splunk_TA_linux_sysmon
title: Add-on for Linux Sysmon
description: null
release: 1.0.4
local_path: null
http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-cloud-services_510.tgz
splunkbase_path: null
environment_path: ENVIRONMENT_PATH_NOT_SET
force_local: false
- uid: 4055
appid: Splunk_TA_linux_sysmon
title: Add-on for Linux Sysmon
description: null
release: 1.0.4
local_path: null
http_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-office-365_430.tgz
splunkbase_path: null
environment_path: ENVIRONMENT_PATH_NOT_SET
force_local: false
- uid: 742
appid: Splunk_TA_windows
title: Splunk Add-on for Microsoft Windows
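Review bot: both new `apps` entries look like copy-paste errors: the `uid: 3110` entry has `appid: Splunk_TA_linux_sysmon`, `title: Add-on for Linux Sysmon` and `release: 1.0.4`, but its `http_path` is `splunk-add-on-for-microsoft-cloud-services_510.tgz`, and the `uid: 4055` entry repeats the same Linux Sysmon appid/title/release while its `http_path` is `splunk-add-on-for-microsoft-office-365_430.tgz`. Set `appid`, `title` and `release` to the Microsoft Cloud Services and Microsoft Office 365 add-ons respectively (the filenames suggest 5.1.0 and 4.3.0), since `how_to_implement` in the new detections relies on the Cloud Services add-on (Splunkbase 3110) being the one installed; two entries sharing the same `appid` may also collide when contentctl installs them into the test container.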
@@ -0,0 +1,62 @@
name: Azure AD Block User Consent For Risky Apps Disabled
id: 875de3d7-09bc-4916-8c0a-0929f4ced3d8
version: 1
date: '2023-10-26'
author: Mauricio Velazco, Splunk
status: production
type: TTP
data_source: []
description: This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization
search: >-
`azure_monitor_aad` operationName="Update authorization policy"
| rename properties.* as *
| eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "AllowUserConsentForRiskyApps") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "AllowUserConsentForRiskyApps"), -1)
| search index_number >= 0
| eval AllowUserConsentForRiskyApps = mvindex('targetResources{}.modifiedProperties{}.newValue',index_number)
| search AllowUserConsentForRiskyApps = "[true]"
| stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, operationName, AllowUserConsentForRiskyApps
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_block_user_consent_for_risky_apps_disabled_filter`
how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
known_false_positives: Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization
references:
- https://attack.mitre.org/techniques/T1562/
- https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/
- https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth
tags:
analytic_story:
- Azure Active Directory Account Takeover
asset_type: Azure AD
confidence: 50
impact: 60
message: User $user$ disabled the BlockUserConsentForRiskyApps Azure AD setting.
mitre_attack_id:
- T1562
observable:
- name: user
type: User
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 30
required_fields:
- _time
- operationName
- properties.targetResources{}.modifiedProperties{}.displayName
- properties.targetResources{}.modifiedProperties{}.newValue
- user
- src_ip
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.log
source: Azure Ad
sourcetype: azure:monitor:aad
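Review bot: the `mvfind`/`mvindex` pairing assumes `targetResources{}.modifiedProperties{}.displayName` and `...newValue` are index-aligned multivalue fields, which only holds if every `modifiedProperties` element carries both keys and extraction preserves their order; if an element lacks `newValue`, `index_number` points at a neighbouring value and the `"[true]"` comparison silently misses. Safer to pull the `modifiedProperties{}` objects out with `spath`, `mvexpand` them and compare `displayName` and `newValue` on the same element. Also: `data_source: []` is empty, `source: Azure Ad` in `tests` differs from the `Azure AD` used by the other detections in this PR, and the description has "threats.The detection" missing a space and no final period.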
74 changes: 74 additions & 0 deletions detections/cloud/azure_ad_device_code_authentication.yml
@@ -0,0 +1,74 @@
name: Azure AD Device Code Authentication
id: d68d8732-6f7e-4ee5-a6eb-737f2b990b91
version: 1
date: '2023-08-03'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
data_source: []
description: The following analytic identifies the execution of the Azure Device Code Phishing attack,
which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically
focusing on authentication requests to identify the attack. This technique involves creating malicious
infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs).
The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and trick
the victims into performing OAuth 2.0 device authentication. A successful execution of this attack can result
in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA).
This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others.
It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches.
search: '`azure_monitor_aad` category=SignInLogs "properties.authenticationProtocol"=deviceCode
| rename properties.* as *
| stats count min(_time) as firstTime max(_time) as lastTime by user src_ip, appDisplayName, userAgent
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_device_code_authentication_filter`'
how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
known_false_positives: In most organizations, device code authentication will be used to access common Microsoft service but it may be legitimate for others. Filter as needed.
references:
- https://attack.mitre.org/techniques/T1528
- https://github.com/rvrsh3ll/TokenTactics
- https://embracethered.com/blog/posts/2022/device-code-phishing/
- https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
- https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code
tags:
analytic_story:
- Azure Active Directory Account Takeover
asset_type: Azure AD
confidence: 50
impact: 70
message: Device code requested for $user$ from $src_ip$
mitre_attack_id:
- T1528
- T1566
- T1566.002
observable:
- name: user
type: User
role:
- Victim
- name: src_ip
type: IP Address
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 35
required_fields:
- _time
- category
- user
- properties.authenticationProtocol
- properties.ipAddress
- properties.status.additionalDetails
- properties.appDisplayName
- properties.userAgent
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/device_code_authentication/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
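Review bot: the search matches every `deviceCode` sign-in regardless of outcome, so a completed phish and a user logging into a CLI tool look identical; `required_fields` lists `properties.status.additionalDetails` and `properties.ipAddress`, yet neither is referenced in the search, so either fold the status fields into the `stats ... by` clause to let analysts separate successes from failures, or drop them from the list. The `src_ip` observable is labelled `Attacker`, but per the description the sign-in this catches is the victim completing the device login in their own browser, so that address is more likely the victim's and the role will push risk onto the wrong entity; `Victim`, or no role, fits better. Minor: `by user src_ip, appDisplayName, userAgent` is missing the comma after `user` (valid SPL, but inconsistent with the rest of the clause), and `data_source: []` is empty.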
@@ -0,0 +1,60 @@
name: Azure AD Multi-Source Failed Authentications Spike
id: 116e11a9-63ea-41eb-a66a-6a13bdc7d2c7
version: 1
date: '2023-11-08'
author: Mauricio Velazco, Splunk
status: production
type: Hunting
data_source: []
description: This analytic detects potential distributed password spraying attacks within an Azure AD environment. It identifies a notable increase in failed authentication attempts across a variety of unique user-and-IP address combinations, originating from multiple source IP addresses and countries, and employing different user agents. Such patterns suggest an adversary's attempt to bypass security controls by using a range of IP addresses to test commonly used passwords against numerous user accounts. The detection scrutinizes SignInLogs from Azure AD logs, particularly focusing on events with error code 50126, which signals a failed authentication due to incorrect credentials. By collating data over a five-minute interval, the analytic computes the distinct counts of user-and-IP combinations, unique users, source IPs, and countries. It then applies a set of thresholds to these metrics to pinpoint unusual activities that could indicate a coordinated attack effort. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Recognizing this behavior is vital for security operations centers (SOCs) as distributed password spraying represents a more complex form of traditional password spraying. Attackers distribute the source of their attempts to evade detection mechanisms that typically monitor for single-source IP anomalies. Prompt detection of such distributed activities is essential to thwart unauthorized access attempts, prevent account compromises, and mitigate the risk of further malicious activities within the organization's network. A true positive alert from this analytic suggests an active distributed password spraying attack against the organization's Azure AD tenant. 
A successful attack could result in unauthorized access, particularly to accounts with elevated privileges, leading to data breaches, privilege escalation, persistent threats, and lateral movement within the organization's infrastructure.
search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
| rename properties.* as *
| bucket span=5m _time
| eval uniqueIPUserCombo = src_ip . "-" . user
| stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(location.countryOrRegion) as uniqueCountries values(user) as users, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries by _time
| where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20
| `azure_ad_multi_source_failed_authentications_spike_filter`'
how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
known_false_positives: This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.
references:
- https://attack.mitre.org/techniques/T1110/003/
- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
- https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
tags:
analytic_story:
- Azure Active Directory Account Takeover
asset_type: Azure AD
atomic_guid: []
confidence: 60
impact: 70
message: An anomalous multi source authentication spike ocurred at $_time$
mitre_attack_id:
- T1586
- T1586.003
- T1110
- T1110.003
- T1110.004
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 42
required_fields:
- _time
- category
- properties.authenticationDetails{}.succeeded
- properties.location.countryOrRegion
- user_agent
- src_ip
- user
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log
source: Azure AD
sourcetype: azure:monitor:aad
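Review bot: the description says thresholds are applied to "user-and-IP combinations, unique users, source IPs, and countries", but the `where` clause only checks `uniqueIpUserCombinations`, `uniqueUsers` and `uniqueIPs`; `uniqueCountries` is computed and never used, so either add it to the condition or drop the country claim from the description. `values(user)`, `values(src_ip)` and `values(user_agent)` over a 5-minute bucket that has already exceeded 20 users and 20 IPs will produce very wide rows; for a hunting query consider reporting the distinct counts and leaving the value lists to a drill-down. Also: the field is `user_agent` here but `userAgent` in the device code detection in this same PR, `message` has "ocurred", and the thresholds paragraph appears verbatim in both `description` and `how_to_implement`.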