From 34d06708e5e8984728ec2f3a875283530f3c80ca Mon Sep 17 00:00:00 2001
From: Mark Morowczynski
Date: Wed, 25 May 2022 19:13:26 -0700
Subject: [PATCH 1/7] Create azure_app_credential_added.yml App Credential Add rule
---
 .../azure/azure_app_credential_added.yml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 rules/cloud/azure/azure_app_credential_added.yml
diff --git a/rules/cloud/azure/azure_app_credential_added.yml b/rules/cloud/azure/azure_app_credential_added.yml
new file mode 100644
index 000000000..f5a0e30d1
--- /dev/null
+++ b/rules/cloud/azure/azure_app_credential_added.yml
@@ -0,0 +1,20 @@
+title: Added credentials to existing application
+id: cbb67ecc-fb70-4467-9350-c910bdf7c628
+description: Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
+author: Mark Morowczynski, @markmorow
+date: 2022/04/21
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message:
+ - Update Application-Certificates and secrets management
+ - Update Service principal/Update Application
+ condition: 1 of selection
+falsepositives:
+ - When credentials are added/removed as part of the normal working hours/workflows
+level: High
+status: expiramental
\ No newline at end of file
From 46808867b1d5ad944666b895ed0ee83e8ffb4e3f Mon Sep 17 00:00:00 2001
From: Mark Morowczynski
Date: Wed, 25 May 2022 19:20:17 -0700
Subject: [PATCH 2/7] Update .gitignore
---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.gitignore b/.gitignore
index 00a055620..e585f4439 100644
--- a/.gitignore
+++ b/.gitignore
@@ -98,3 +98,5 @@ settings.json
 # sigma2attack
 heatmap.json
+rules/cloud/.DS_Store
+.DS_Store
From 443e6e2d8e828e54a06dd0261eebbc80e6b2ef04 Mon Sep 17 00:00:00 2001
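Review bot: The second `properties.message` value, `Update Service principal/Update Application`, reads like two separate operation names from the referenced Microsoft table collapsed into one literal; if it was copied verbatim from that table it would match neither operation, so it should be confirmed against real AuditLogs output and, if so, split into `- Update Service principal` and `- Update Application` entries. The first value, `Update Application-Certificates and secrets management`, is an operation name that is logged for credential removal as well as addition, which the falsepositives entry itself acknowledges ("added/removed"), so the rule as written cannot honour its own title; either say in the description that removals also fire, or narrow the selection on the `targetResources.modifiedProperties` details the audit event carries. The hunk is the whole new file, so both points apply to the final state of the series as well.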
From: Mark Morowczynski
Date: Wed, 25 May 2022 19:38:48 -0700
Subject: [PATCH 3/7] Revert "Update .gitignore" This reverts commit 46808867b1d5ad944666b895ed0ee83e8ffb4e3f.
---
 .gitignore | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index e585f4439..00a055620 100644
--- a/.gitignore
+++ b/.gitignore
@@ -98,5 +98,3 @@ settings.json
 # sigma2attack
 heatmap.json
-rules/cloud/.DS_Store
-.DS_Store
From 68836f3050627cb4066730debd16985fe0b3ad4c Mon Sep 17 00:00:00 2001
From: Mark Morowczynski
Date: Wed, 25 May 2022 19:59:00 -0700
Subject: [PATCH 4/7] Update .gitignore
---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.gitignore b/.gitignore
index 00a055620..d324b0006 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,6 +57,9 @@ local_settings.py
 instance/
 .webassets-cache
+# MacOS Finder
+.DS_Store
+
 # Scrapy stuff:
 .scrapy
From 97efeada5f0e895085787bd6e4cbf2d013eb4300 Mon Sep 17 00:00:00 2001
From: Mark Morowczynski
Date: Thu, 26 May 2022 09:39:00 -0700
Subject: [PATCH 5/7] Update .gitignore
---
 rules/cloud/azure/azure_app_credential_added.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_app_credential_added.yml b/rules/cloud/azure/azure_app_credential_added.yml
index f5a0e30d1..a4af21c20 100644
--- a/rules/cloud/azure/azure_app_credential_added.yml
+++ b/rules/cloud/azure/azure_app_credential_added.yml
@@ -13,7 +13,7 @@ detection:
 properties.message:
 - Update Application-Certificates and secrets management
 - Update Service principal/Update Application
- condition: 1 of selection
+ condition: selection
 falsepositives:
 - When credentials are added/removed as part of the normal working hours/workflows
 level: High
From 5229c05cab0de3980d4c21e70613eb93e1c845fc Mon Sep 17 00:00:00 2001
From: Mark Morowczynski
Date: Thu, 26 May 2022 12:36:38 -0700
Subject: [PATCH 6/7] Update azure_app_credential_added.yml Changes based on Sigma template rules
---
 rules/cloud/azure/azure_app_credential_added.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/rules/cloud/azure/azure_app_credential_added.yml b/rules/cloud/azure/azure_app_credential_added.yml
index a4af21c20..8c6668f3b 100644
--- a/rules/cloud/azure/azure_app_credential_added.yml
+++ b/rules/cloud/azure/azure_app_credential_added.yml
@@ -1,8 +1,8 @@
-title: Added credentials to existing application
+title: Added Credentials to Existing Application
 id: cbb67ecc-fb70-4467-9350-c910bdf7c628
-description: Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
-author: Mark Morowczynski, @markmorow
-date: 2022/04/21
+description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
+author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
+date: 2022/05/26
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials
 logsource:
@@ -16,5 +16,8 @@ detection:
 condition: selection
 falsepositives:
 - When credentials are added/removed as part of the normal working hours/workflows
-level: High
-status: expiramental
\ No newline at end of file
+level: high
+status: experimental
+tags:
+-attack.t1098
+-attack.persistence
\ No newline at end of file
From 32e6a82cf2e1f7a659472dea72cb8ba46c888af7 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 27 May 2022 06:56:07 +0200
Subject: [PATCH 7/7] Update azure_app_credential_added.yml
---
 rules/cloud/azure/azure_app_credential_added.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
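Review bot: The new description line in the first hunk carries a typo, `applcation`, that the following patch in this series does not touch; it should read `description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.` The same hunk also moves `date` from 2022/04/21 to 2022/05/26, but Sigma keeps `date` as the rule's creation date and records later revisions in a separate `modified` field, so the original date should stay and `modified: 2022/05/26` be added instead. The add-versus-remove ambiguity of the selected operation names is raised on the first patch and still applies to this wording.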
diff --git a/rules/cloud/azure/azure_app_credential_added.yml b/rules/cloud/azure/azure_app_credential_added.yml
index 8c6668f3b..0942ad419 100644
--- a/rules/cloud/azure/azure_app_credential_added.yml
+++ b/rules/cloud/azure/azure_app_credential_added.yml
@@ -19,5 +19,5 @@ falsepositives:
 level: high
 status: experimental
 tags:
--attack.t1098
--attack.persistence
\ No newline at end of file
+ - attack.t1098
+ - attack.persistence
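Review bot: The tags are now well-formed YAML list items, but `attack.t1098` is the parent technique; adding a credential to an existing application is the sub-technique T1098.001 (Additional Cloud Credentials), so `- attack.t1098.001` would be the more precise tag. Most rules in the repository also list the tactic before the technique, i.e. `- attack.persistence` followed by `- attack.t1098.001`. Since the new side drops the `\ No newline at end of file` marker, this hunk also resolves the missing trailing newline from the earlier patches.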