Sigma rules for CVE-2025-20286
47 rules · scoped to cve · back to CVE-2025-20286
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Azure AD Account Credential Leaked
id: 19128e5e-4743-48dc-bd97-52e5775af817
status: test
description: Indicates that the user's valid credentials have been leaked.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1589
- attack.reconnaissance
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'leakedCredentials'
condition: selection
falsepositives:
- A rare hash collision.
level: high
title: Azure AD Threat Intelligence
id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
status: test
description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'investigationsThreatIntelligence'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Azure Subscription Permission Elevation Via AuditLogs
id: ca9bf243-465e-494a-9e54-bf9fc239057d
status: test
description: |
Detects when a user has been elevated to manage all Azure Subscriptions.
This change should be investigated immediately if it isn't planned.
This setting could allow an attacker access to Azure subscriptions in your environment.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
Category: 'Administrative'
OperationName: 'Assigns the caller to user access admin'
condition: selection
falsepositives:
- If this was approved by System Administrator.
level: high
title: Azure Subscription Permission Elevation Via ActivityLogs
id: 09438caa-07b1-4870-8405-1dbafe3dad95
status: test
description: |
Detects when a user has been elevated to manage all Azure Subscriptions.
This change should be investigated immediately if it isn't planned.
This setting could allow an attacker access to Azure subscriptions in your environment.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-08-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
condition: selection
falsepositives:
- If this was approved by System Administrator.
level: high
title: Azure Login Bypassing Conditional Access Policies
id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
status: experimental
description: |
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
author: Josh Nickels, Marius Rothenbücher
references:
- https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
- https://github.com/JumpsecLabs/TokenSmith
date: 2025-01-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
service: audit
product: m365
detection:
selection:
Operation: 'UserLoggedIn'
ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
ResultStatus: 'Success'
RequestType: 'Cmsi:Cmsi'
filter_main_bjectid:
ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: User Access Blocked by Azure Conditional Access
id: 9a60e676-26ac-44c3-814b-0c2a8b977adf
status: test
description: |
Detect access has been blocked by Conditional Access policies.
The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.credential-access
- attack.initial-access
- attack.stealth
- attack.t1110
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
ResultType: 53003
condition: selection
falsepositives:
- Unknown
level: medium
title: Azure Unusual Authentication Interruption
id: 8366030e-7216-476b-9927-271d79f13cf3
status: test
description: Detects when there is a interruption in the authentication process.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-12-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
selection_50097:
ResultType: 50097
ResultDescription: 'Device authentication is required'
selection_50155:
ResultType: 50155
ResultDescription: 'DeviceAuthenticationFailed'
selection_50158:
ResultType: 50158
ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
title: Users Authenticating To Other Azure AD Tenants
id: 5f521e4b-0105-4b72-845b-2198a54487b9
status: test
description: Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
author: MikeDuddington, '@dudders1'
date: 2022-06-30
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: 'Success'
HomeTenantId: 'HomeTenantID'
filter:
ResourceTenantId|contains: 'HomeTenantID'
condition: selection and not filter
falsepositives:
- If this was approved by System Administrator.
level: medium
title: App Assigned To Azure RBAC/Microsoft Entra Role
id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
status: test
description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-19
modified: 2024-11-04
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1098.003
logsource:
product: azure
service: auditlogs
detection:
selection:
targetResources.type: 'Service Principal'
properties.message:
- Add member to role
- Add eligible member to role
- Add scoped member to role
condition: selection
falsepositives:
- When the permission is legitimately needed for the app
level: medium
title: Azure Domain Federation Settings Modified
id: 352a54e1-74ba-4929-9d47-8193d67aba1e
status: test
description: Identifies when an user or application modified the federation settings on the domain.
references:
- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
author: Austin Songer
date: 2021-09-06
modified: 2022-06-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
ActivityDisplayName: Set federation settings on domain
condition: selection
falsepositives:
- Federation Settings being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Virtual Network Device Modified or Deleted
id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3
status: test
description: |
Identifies when a virtual network device is being modified or deleted.
This can be a network interface, network virtual appliance, virtual hub, or virtual router.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE
- MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE
- MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE
- MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION
- MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE
- MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE
- MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE
- MICROSOFT.NETWORK/VIRTUALHUBS/DELETE
- MICROSOFT.NETWORK/VIRTUALHUBS/WRITE
- MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE
- MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE
condition: selection
falsepositives:
- Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Keyvault Secrets Modified or Deleted
id: b831353c-1971-477b-abb6-2828edc3bca1
status: test
description: Identifies when secrets are modified or deleted in Azure.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-16
modified: 2022-08-23
tags:
- attack.impact
- attack.credential-access
- attack.t1552
- attack.t1552.001
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION
condition: selection
falsepositives:
- Secrets being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Firewall Rule Collection Modified or Deleted
id: 025c9fe7-db72-49f9-af0d-31341dd7dd57
status: test
description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
- attack.impact
- attack.defense-impairment
- attack.t1686.001
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE
condition: selection
falsepositives:
- Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Sensitive Role Access
id: 818fee0c-e0ec-4e45-824e-83e4817b0887
status: test
description: Identifies when ClusterRoles/Roles are being modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION
condition: selection
falsepositives:
- ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Firewall Rule Configuration Modified or Deleted
id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067
status: test
description: Identifies when a Firewall Rule Configuration is Modified or Deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE
condition: selection
falsepositives:
- Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Network Policy Change
id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43
status: test
description: Identifies when a Azure Kubernetes network policy is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.credential-access
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
condition: selection
falsepositives:
- Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Firewall Modified or Deleted
id: 512cf937-ea9b-4332-939c-4c2c94baadcd
status: test
description: Identifies when a firewall is created, modified, or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
- attack.impact
- attack.defense-impairment
- attack.t1686.001
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE
condition: selection
falsepositives:
- Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
status: test
description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
condition: selection
falsepositives:
- Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Point-to-site VPN Modified or Deleted
id: d9557b75-267b-4b43-922f-a775e2d1f792
status: test
description: Identifies when a Point-to-site VPN is Modified or Deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE
condition: selection
falsepositives:
- Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Pods Deleted
id: b02f9591-12c3-4965-986a-88028629b2e1
status: test
description: Identifies the deletion of Azure Kubernetes Pods.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
condition: selection
falsepositives:
- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Virtual Network Modified or Deleted
id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f
status: test
description: Identifies when a Virtual Network is modified or deleted in Azure.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName|startswith:
- MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/
- MICROSOFT.NETWORK/VIRTUALNETWORKS/
operationName|endswith:
- /WRITE
- /DELETE
condition: selection
falsepositives:
- Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Application Gateway Modified or Deleted
id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6
status: test
description: Identifies when a application gateway is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021-08-16
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE
- MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE
condition: selection
falsepositives:
- Application gateway being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes CronJob
id: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a
status: test
description: |
Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.
Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.
An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- https://kubernetes.io/docs/concepts/workloads/controllers/job/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
author: Austin Songer @austinsonger
date: 2021-11-22
modified: 2022-12-18
tags:
- attack.persistence
- attack.t1053.003
- attack.privilege-escalation
- attack.execution
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName|startswith:
- 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH'
- 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH'
operationName|endswith:
- '/CRONJOBS/WRITE'
- '/JOBS/WRITE'
condition: selection
falsepositives:
- Azure Kubernetes CronJob/Job may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Active Directory Hybrid Health AD FS New Server
id: 288a39fc-4914-4831-9ada-270e9dc12cb4
status: test
description: |
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
This can be done programmatically via HTTP requests to Azure.
references:
- https://o365blog.com/post/hybridhealthagent/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2023-10-11
tags:
- attack.defense-impairment
- attack.t1578
logsource:
product: azure
service: activitylogs
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
condition: selection
falsepositives:
- Legitimate AD FS servers added to an AAD Health AD FS service instance
level: medium
title: Rare Subscription-level Operations In Azure
id: c1182e02-49a3-481c-b3de-0fadc4091488
status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
- https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
- attack.t1003
- attack.credential-access
logsource:
product: azure
service: activitylogs
detection:
keywords:
- Microsoft.DocumentDB/databaseAccounts/listKeys/action
- Microsoft.Maps/accounts/listKeys/action
- Microsoft.Media/mediaservices/listKeys/action
- Microsoft.CognitiveServices/accounts/listKeys/action
- Microsoft.Storage/storageAccounts/listKeys/action
- Microsoft.Compute/snapshots/write
- Microsoft.Network/networkSecurityGroups/write
condition: keywords
falsepositives:
- Valid change
level: medium
title: Azure Device or Configuration Modified or Deleted
id: 46530378-f9db-4af9-a9e5-889c177d3881
status: test
description: Identifies when a device or device configuration in azure is modified or deleted.
references:
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
author: Austin Songer @austinsonger
date: 2021-09-03
modified: 2022-10-09
tags:
- attack.impact
- attack.t1485
- attack.t1565.001
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- Delete device
- Delete device configuration
- Update device
- Update device configuration
condition: selection
falsepositives:
- Device or device configuration being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure VPN Connection Modified or Deleted
id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3
status: test
description: Identifies when a VPN connection is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE
- MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE
condition: selection
falsepositives:
- VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Suppression Rule Created
id: 92cc3e5d-eb57-419d-8c16-5c63f325a401
status: test
description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021-08-16
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE
condition: selection
falsepositives:
- Suppression Rule being created may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
status: test
description: Identifies when a service account is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1531
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
condition: selection
falsepositives:
- Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Network Security Configuration Modified or Deleted
id: d22b4df4-5a67-4859-a578-8c9a0b5af9df
status: test
description: Identifies when a network security configuration is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE
condition: selection
falsepositives:
- Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Service Principal Created
id: 0ddcff6d-d262-40b0-804b-80eb592de8e3
status: test
description: Identifies when a service principal is created in Azure.
references:
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
author: Austin Songer @austinsonger
date: 2021-09-02
modified: 2022-10-09
tags:
- attack.stealth
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message: 'Add service principal'
condition: selection
falsepositives:
- Service principal being created may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Owner Removed From Application or Service Principal
id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6
status: test
description: Identifies when a owner is was removed from a application or service principal in Azure.
references:
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
author: Austin Songer @austinsonger
date: 2021-09-03
modified: 2022-10-09
tags:
- attack.stealth
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- Remove owner from service principal
- Remove owner from application
condition: selection
falsepositives:
- Owner being removed may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Events Deleted
id: 225d8b09-e714-479c-a0e4-55e6f29adf35
status: test
description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-08-23
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
condition: selection
falsepositives:
- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure DNS Zone Modified or Deleted
id: af6925b0-8826-47f1-9324-337507a0babd
status: test
description: Identifies when DNS zone is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
- attack.impact
- attack.t1565.001
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName|startswith: 'MICROSOFT.NETWORK/DNSZONES'
operationName|endswith:
- '/WRITE'
- '/DELETE'
condition: selection
falsepositives:
- DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Network Firewall Policy Modified or Deleted
id: 83c17918-746e-4bd9-920b-8e098bf88c23
status: test
description: Identifies when a Firewall Policy is Modified or Deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-09-02
modified: 2022-08-23
tags:
- attack.impact
- attack.defense-impairment
- attack.t1686.001
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION
- MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION
- MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE
condition: selection
falsepositives:
- Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743
status: test
description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.credential-access
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
condition: selection
falsepositives:
- RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Keyvault Key Modified or Deleted
id: 80eeab92-0979-4152-942d-96749e11df40
status: test
description: Identifies when a Keyvault Key is modified or deleted in Azure.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-16
modified: 2022-08-23
tags:
- attack.impact
- attack.credential-access
- attack.t1552
- attack.t1552.001
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE
- MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION
condition: selection
falsepositives:
- Key being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Active Directory Hybrid Health AD FS Service Delete
id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
status: test
description: |
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
references:
- https://o365blog.com/post/hybridhealthagent/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2023-10-11
tags:
- attack.defense-impairment
- attack.t1578.003
logsource:
product: azure
service: activitylogs
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
condition: selection
falsepositives:
- Legitimate AAD Health AD FS service instances being deleted in a tenant
level: medium
title: Azure New CloudShell Created
id: 72af37e2-ec32-47dc-992b-bc288a2708cb
status: test
description: Identifies when a new cloudshell is created inside of Azure portal.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021-09-21
modified: 2022-08-23
tags:
- attack.execution
- attack.t1059
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName: MICROSOFT.PORTAL/CONSOLES/WRITE
condition: selection
falsepositives:
- A new cloudshell may be created by a system administrator.
level: medium
title: User Added to an Administrator's Azure AD Role
id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
status: test
description: User Added to an Administrator's Azure AD Role
references:
- https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
author: Raphaël CALVET, @MetallicHack
date: 2021-10-04
modified: 2022-10-09
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1098.003
- attack.t1078
logsource:
product: azure
service: activitylogs
detection:
selection:
Operation: 'Add member to role.'
Workload: 'AzureActiveDirectory'
ModifiedProperties{}.NewValue|endswith:
- 'Admins'
- 'Administrator'
condition: selection
falsepositives:
- PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
level: medium
title: Azure Kubernetes Admission Controller
id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58
status: test
description: |
Identifies when an admission controller is executed in Azure Kubernetes.
A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.
An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.credential-access
- attack.t1552
- attack.t1552.007
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName|startswith:
- 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
- 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
operationName|endswith:
- '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE'
- '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE'
condition: selection
falsepositives:
- Azure Kubernetes Admissions Controller may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Device No Longer Managed or Compliant
id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
status: test
description: Identifies when a device in azure is no longer managed or compliant
references:
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
author: Austin Songer @austinsonger
date: 2021-09-03
modified: 2022-10-09
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- Device no longer compliant
- Device no longer managed
condition: selection
falsepositives:
- Administrator may have forgotten to review the device.
level: medium
title: Azure Key Vault Modified or Deleted
id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d
status: test
description: Identifies when a key vault is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-16
modified: 2022-08-23
tags:
- attack.impact
- attack.credential-access
- attack.t1552
- attack.t1552.001
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KEYVAULT/VAULTS/WRITE
- MICROSOFT.KEYVAULT/VAULTS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION
- MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE
condition: selection
falsepositives:
- Key Vault being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Application Security Group Modified or Deleted
id: 835747f1-9329-40b5-9cc3-97d465754ce6
status: test
description: Identifies when a application security group is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021-08-16
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE
- MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE
condition: selection
falsepositives:
- Application security group being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Application Deleted
id: 410d2a41-1e6d-452f-85e5-abdd8257a823
status: test
description: Identifies when a application is deleted in Azure.
references:
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
author: Austin Songer @austinsonger
date: 2021-09-03
modified: 2022-10-09
tags:
- attack.impact
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- Delete application
- Hard Delete application
condition: selection
falsepositives:
- Application being deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Service Principal Removed
id: 448fd1ea-2116-4c62-9cde-a92d120e0f08
status: test
description: Identifies when a service principal was removed in Azure.
references:
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
author: Austin Songer @austinsonger
date: 2021-09-03
modified: 2022-10-09
tags:
- attack.stealth
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message: Remove service principal
condition: selection
falsepositives:
- Service principal being removed may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure AD Health Service Agents Registry Keys Access
id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
status: test
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
Make sure you set the SACL to propagate to its sub-keys.
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1012
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
ObjectType: 'Key'
ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent'
filter:
ProcessName|contains:
- 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
- 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
- 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
- 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
- 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium