From 5fdaefc77d9755b8ce3effa79beaad4d04275726 Mon Sep 17 00:00:00 2001 From: Tran Trung Hieu Date: Sun, 10 Oct 2021 16:06:28 +0400 Subject: [PATCH 1/3] Azure Security Operations for Priveleged Accounts --- .DS_Store | Bin 0 -> 8196 bytes rules/cloud/azure/azure_account_lockout.yml | 18 ++++++++++++++ .../azure_change_to_authentication_method.yml | 19 +++++++++++++++ .../azure/azure_login_to_disabled_account.yml | 19 +++++++++++++++ rules/cloud/azure/azure_mfa_interrupted.yml | 22 ++++++++++++++++++ ...er_login_blocked_by_conditional_access.yml | 18 ++++++++++++++ 6 files changed, 96 insertions(+) create mode 100644 .DS_Store create mode 100644 rules/cloud/azure/azure_account_lockout.yml create mode 100644 rules/cloud/azure/azure_change_to_authentication_method.yml create mode 100644 rules/cloud/azure/azure_login_to_disabled_account.yml create mode 100644 rules/cloud/azure/azure_mfa_interrupted.yml create mode 100644 rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..30ea1bff625721dfd93203ca5da6e267b24ba887 GIT binary patch literal 8196 zcmeHMzl#$=6n=B&mnhuXNXivNZS=g-ZtsY#%^`@5n#++BlG~7MY_!qz4($??I%x2&04>=nVb|%ccW!`)9ee+GS%i9o<+L#a4h`L17L1(*i z3`0p{KleggvNNY)74m5`T-)4=#*;#%pYRHJ1-t@Y0k42p;D1p7&ung;is!!Z`q3-k z6{w{Ge18bg*@o68#_C%K23-QcHZZLlu2=X1Hn29dHZc|+G-Xm@O{%gbhBE1x4{Tg$ zZDOoRCuNHdWs#MwP?Sc;`hgB76&mYDuYgyer~udQ4Z1)>x=pdH-__Mu-=uFG^?LnL z)W=-s&5g$g-M!E2u7B`H|70h7H=wTTR|M@8mv(4QeTfcI%UC@ZAvv6Su=M5UuTRXO z5S1~hj*@)rJ*!Py6wxllG=&;DKEpE_$%&AB?mvxFO>*muql`~=l*{J{z^DZlW4eX2 z*`}GJ&g$N?ykBy8ai^VXRK++vR(~*$CRB-WM%y%XShV){U9aTuVfkpvLF7vY z%ibo@%H(BV7D+hncfVVF>y`NHZy!ngMMU;nE01vS_3<(V-@F2~Q{af%ahL0V z{L-u5|JP0zzhSRHofJ@w-ezwDJ609D=2|;IzlqL`;}Tof2}{S^2OW??@L literal 0 HcmV?d00001 diff --git a/rules/cloud/azure/azure_account_lockout.yml b/rules/cloud/azure/azure_account_lockout.yml new file mode 100644 index 000000000..12ac71626 --- /dev/null 
+++ b/rules/cloud/azure/azure_account_lockout.yml
@@ -0,0 +1,18 @@
+title: Account Lockout
+id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
+status: experimental
+author: AlertIQ
+date: 2021/10/10
+description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+ service: SigninLogs
+detection:
+ selection:
+ ResultType: 50053
+ condition: selection
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1110
diff --git a/rules/cloud/azure/azure_change_to_authentication_method.yml b/rules/cloud/azure/azure_change_to_authentication_method.yml
new file mode 100644
index 000000000..171932f3a
--- /dev/null
+++ b/rules/cloud/azure/azure_change_to_authentication_method.yml
@@ -0,0 +1,19 @@
+title: Change to Authentication Method
+id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
+status: experimental
+author: AlertIQ
+date: 2021/10/10
+description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+ service: AuditLogs
+detection:
+ selection:
+ LoggedByService: 'Authentication Methods'
+ Category: 'UserManagement'
+ OperationName: 'User registered security info'
+ condition: selection
+level: medium
+tags:
+ - attack.credential_access
diff --git a/rules/cloud/azure/azure_login_to_disabled_account.yml b/rules/cloud/azure/azure_login_to_disabled_account.yml
new file mode 100644
index 000000000..a89c07d55
--- /dev/null
+++ b/rules/cloud/azure/azure_login_to_disabled_account.yml
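Review bot: The selection in azure_account_lockout.yml keys on the bare code `ResultType: 50053`, but Microsoft's sign-in error reference documents 50053 for more than one cause (account locked after repeated bad passwords, and a sign-in blocked because it came from an IP address flagged for malicious activity), so the description overstates what a hit means; confirm against the referenced page and, if so, either widen the description or add `ResultDescription|contains: 'locked'` to the selection. The rule also fires for any tenant user, while the referenced guidance frames lockouts as a privileged-account signal, so a note in the description that it should be scoped or correlated to privileged identities would help the analyst. Unquoted `50053` is a YAML integer; if the target backend stores ResultType as a string (Sentinel's SigninLogs column does, as far as I know), a converted integer comparison may never match, and `ResultType: '50053'` is the safer form.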
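Review bot: In azure_change_to_authentication_method.yml the only operation selected is `OperationName: 'User registered security info'`, which is exactly what every legitimate first-time MFA enrolment and device replacement produces, so the rule as written is a volume alert rather than a persistence alert; the description should say this is expected during onboarding, and the selection would benefit from also covering the deletion/default-change operations the same audit service logs (names such as `User deleted security info` and `User changed default security info` exist in the Azure AD audit log as far as I know, but confirm them against tenant data before adding). The tags carry only the tactic `attack.credential_access`; adding a registered auth method is account manipulation for persistence, so `attack.persistence` and `attack.t1098` fit better. The description also has a typo: `could be an indication of an attacker adding an auth method`.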
@@ -0,0 +1,19 @@
+title: Login to Disabled Account
+id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
+status: experimental
+author: AlertIQ
+date: 2021/10/10
+description: Detect failed attempts to sign in to disabled accounts.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+ service: SigninLogs
+detection:
+ selection:
+ ResultType: 50057
+ ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
+ condition: selection
+level: medium
+tags:
+ - attack.initial_access
+ - attack.t1078
diff --git a/rules/cloud/azure/azure_mfa_interrupted.yml b/rules/cloud/azure/azure_mfa_interrupted.yml
new file mode 100644
index 000000000..2f3812522
--- /dev/null
+++ b/rules/cloud/azure/azure_mfa_interrupted.yml
@@ -0,0 +1,22 @@
+title: Multifactor Authentication Interupted
+id: 5496ff55-42ec-4369-81cb-00f417029e25
+status: experimental
+author: AlertIQ
+date: 2021/10/10
+description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+ service: SigninLogs
+detection:
+ selection:
+ ResultType: 50074
+ ResultDescription|contains: 'Strong Auth required'
+ selection1:
+ ResultType: 500121
+ ResultDescription|contains: 'Authentication failed during strong authentication request'
+ condition: selection or selection1
+level: medium
+tags:
+ - attack.initial_access
+ - attack.t1078.004
diff --git a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
new file mode 100644
index 000000000..3ac01e8cb
--- /dev/null
+++ b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
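Review bot: The exact-match `ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'` in azure_login_to_disabled_account.yml is AND-ed with `ResultType: 50057`, so it adds no precision but makes the rule silently dead the moment Microsoft rewords or re-punctuates that text; either drop the line and rely on the code, or loosen it to `ResultDescription|contains: 'disabled'`. The description could also name the expected benign source so a triager does not chase it: offboarded accounts still configured in mail clients, scheduled jobs or service integrations retry for days and produce exactly this event, which is worth a sentence in the description or a falsepositives entry.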
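Review bot: In azure_mfa_interrupted.yml the first selection requires both `ResultType: 50074` and `ResultDescription|contains: 'Strong Auth required'`; the description Microsoft emits for 50074 reads, as far as I know, "Strong authentication is required", which does not contain that fragment, so this branch may never fire — confirm against real SigninLogs data and either drop the description filter or use a fragment that is actually present. Separately, 50074 is recorded for every sign-in that merely prompts for MFA, not only failed challenges, so if the branch does match it will alert on routine logins; the failed-challenge code 500121 in `selection1` is the part that supports the description's "can't pass the MFA challenge" claim, and the description should say which of the two it is really after. The title has a typo: `Multifactor Authentication Interrupted`.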
@@ -0,0 +1,18 @@
+title: User Access Blocked by Azure Conditional Access
+id: 9a60e676-26ac-44c3-814b-0c2a8b977adf
+status: experimental
+author: AlertIQ
+date: 2021/10/10
+description: Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+ service: SigninLogs
+detection:
+ selection:
+ ResultType: 53003
+ condition: selection
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1110
From 7c01710d9d29e14789cda6945bf7314270f5a473 Mon Sep 17 00:00:00 2001
From: Tran Trung Hieu
Date: Wed, 13 Oct 2021 15:12:36 +0400
Subject: [PATCH 2/3] Change the service to the form service: azure._a_name_ and add falsepositives field
---
 rules/cloud/azure/azure_account_lockout.yml | 4 +++-
 rules/cloud/azure/azure_change_to_authentication_method.yml | 4 +++-
 rules/cloud/azure/azure_login_to_disabled_account.yml | 4 +++-
 rules/cloud/azure/azure_mfa_interrupted.yml | 4 +++-
 .../azure/azure_user_login_blocked_by_conditional_access.yml | 4 +++-
 5 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/rules/cloud/azure/azure_account_lockout.yml b/rules/cloud/azure/azure_account_lockout.yml
index 12ac71626..c2abe63cd 100644
--- a/rules/cloud/azure/azure_account_lockout.yml
+++ b/rules/cloud/azure/azure_account_lockout.yml
@@ -7,12 +7,14 @@ description: Identifies user account which has been locked because the user trie
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
- service: SigninLogs
+ service: azure.signinlogs
 detection:
 selection:
 ResultType: 50053
 condition: selection
 level: medium
+falsepositives:
+ - Unknown
 tags:
 - attack.credential_access
 - attack.t1110
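Review bot: The description line of azure_user_login_blocked_by_conditional_access.yml is garbled ("sights≈", "unauthorizeed") and the tags map a Conditional Access block to `attack.t1110` (brute force), which the event does not indicate — a 53003 block means a credential was accepted and token issuance was then refused by policy, which is closer to `attack.t1078` (valid accounts) under `attack.initial_access`. Suggested description: `Detects sign-ins that were blocked by a Conditional Access policy (token issuance refused). A valid credential reaching a policy block may indicate unauthorized use of the account, but the same event is produced by legitimate users on unmanaged devices or from disallowed locations.` Because every policy-driven block in the tenant produces this code, the rule should also state that it needs scoping (privileged accounts, or correlation with other risk signals) before it is useful as an alert rather than a report.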
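Review bot: The `falsepositives:` / `- Unknown` block added to azure_account_lockout.yml is a placeholder where the benign cause is well understood — a user mistyping a password enough times — and the same placeholder is added in the hunks for azure_change_to_authentication_method.yml (first-time MFA enrolment), azure_login_to_disabled_account.yml (clients and jobs retrying an offboarded account), azure_mfa_interrupted.yml (routine MFA prompts) and azure_user_login_blocked_by_conditional_access.yml (users on unmanaged devices or blocked locations); each file should carry its real entry, e.g. here `- User forgot or mistyped their password`. The new `service: azure.signinlogs` (and `azure.auditlogs` in the authentication-method rule) is declared without a `product:` key; if the repository's other Azure rules pair the service with `product: azure`, that line should be added so backend logsource mapping works, which I cannot confirm from this diff alone.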
diff --git a/rules/cloud/azure/azure_change_to_authentication_method.yml b/rules/cloud/azure/azure_change_to_authentication_method.yml
index 171932f3a..a6d43f7dc 100644
--- a/rules/cloud/azure/azure_change_to_authentication_method.yml
+++ b/rules/cloud/azure/azure_change_to_authentication_method.yml
@@ -7,7 +7,7 @@ description: Change to authentication method could be an indicated of an attacke
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
- service: AuditLogs
+ service: azure.auditlogs
 detection:
 selection:
 LoggedByService: 'Authentication Methods'
@@ -15,5 +15,7 @@ detection:
 OperationName: 'User registered security info'
 condition: selection
 level: medium
+falsepositives:
+ - Unknown
 tags:
 - attack.credential_access
diff --git a/rules/cloud/azure/azure_login_to_disabled_account.yml b/rules/cloud/azure/azure_login_to_disabled_account.yml
index a89c07d55..48a1b501b 100644
--- a/rules/cloud/azure/azure_login_to_disabled_account.yml
+++ b/rules/cloud/azure/azure_login_to_disabled_account.yml
@@ -7,13 +7,15 @@ description: Detect failed attempts to sign in to disabled accounts.
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
- service: SigninLogs
+ service: azure.signinlogs
 detection:
 selection:
 ResultType: 50057
 ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
 condition: selection
 level: medium
+falsepositives:
+ - Unknown
 tags:
 - attack.initial_access
 - attack.t1078
diff --git a/rules/cloud/azure/azure_mfa_interrupted.yml b/rules/cloud/azure/azure_mfa_interrupted.yml
index 2f3812522..22d5e37cb 100644
--- a/rules/cloud/azure/azure_mfa_interrupted.yml
+++ b/rules/cloud/azure/azure_mfa_interrupted.yml
@@ -7,7 +7,7 @@ description: Identifies user login with multifactor authentication failures, whi
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
- service: SigninLogs
+ service: azure.signinlogs
 detection:
 selection:
 ResultType: 50074
@@ -17,6 +17,8 @@ detection:
 ResultDescription|contains: 'Authentication failed during strong authentication request'
 condition: selection or selection1
 level: medium
+falsepositives:
+ - Unknown
 tags:
 - attack.initial_access
 - attack.t1078.004
diff --git a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
index 3ac01e8cb..9dff5f2da 100644
--- a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
+++ b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
@@ -7,12 +7,14 @@ description: Detect access has been blocked by Conditional Access policies. The
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
- service: SigninLogs
+ service: azure.signinlogs
 detection:
 selection:
 ResultType: 53003
 condition: selection
 level: medium
+falsepositives:
+ - Unknown
 tags:
 - attack.credential_access
 - attack.t1110
From a7e6eb576c1b1e4142e6bfa212ed721a67d2158b Mon Sep 17 00:00:00 2001
From: Tran Trung Hieu
Date: Thu, 14 Oct 2021 15:55:05 +0400
Subject: [PATCH 3/3] Delete .DS_Store file
---
 .DS_Store | Bin 8196 -> 0 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 .DS_Store
diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 30ea1bff625721dfd93203ca5da6e267b24ba887..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8196 zcmeHMzl#$=6n=B&mnhuXNXivNZS=g-ZtsY#%^`@5n#++BlG~7MY_!qz4($??I%x2&04>=nVb|%ccW!`)9ee+GS%i9o<+L#a4h`L17L1(*i z3`0p{KleggvNNY)74m5`T-)4=#*;#%pYRHJ1-t@Y0k42p;D1p7&ung;is!!Z`q3-k z6{w{Ge18bg*@o68#_C%K23-QcHZZLlu2=X1Hn29dHZc|+G-Xm@O{%gbhBE1x4{Tg$ zZDOoRCuNHdWs#MwP?Sc;`hgB76&mYDuYgyer~udQ4Z1)>x=pdH-__Mu-=uFG^?LnL z)W=-s&5g$g-M!E2u7B`H|70h7H=wTTR|M@8mv(4QeTfcI%UC@ZAvv6Su=M5UuTRXO z5S1~hj*@)rJ*!Py6wxllG=&;DKEpE_$%&AB?mvxFO>*muql`~=l*{J{z^DZlW4eX2 z*`}GJ&g$N?ykBy8ai^VXRK++vR(~*$CRB-WM%y%XShV){U9aTuVfkpvLF7vY z%ibo@%H(BV7D+hncfVVF>y`NHZy!ngMMU;nE01vS_3<(V-@F2~Q{af%ahL0V z{L-u5|JP0zzhSRHofJ@w-ezwDJ609D=2|;IzlqL`;}Tof2}{S^2OW??@L