Incident Response in Azure AD

Red James

I’m using this post as a notepad for the SANS Cyber Defense Summit talk based on Monitoring and Incident Response in Azure AD. Check it out!

Common Attacks on Azure

  • Password Sprays
  • Privileged Accounts and Actions
  • Malicious App Consent
  • Infrastructure Pieces
  • Summary and Go-Dos
Password Sprays

1 common password was tested again with multiple user names

  • Define normal – Define thresholds for alerts
  • What is normal for users, groups, src location, out-of-hours, etc?
  • Failed authentication requests (from the same IP)
  • Failed attacks –  password is correct by MFA failed
  • Review smart lockout counters – ADFS
  • Failed auths using legacy authentication
Privileged Accounts and Actions
  • Monitor all activity on all privileged accounts
  • Sign ins
  • MFA +failed
  • Password changes
  • Actors enable MFA for an account to lock out CIRTs
  • Tenant-level changes (eg. addition or a new trusted tenant)
  • Elevation not occurring on PAW/SAW device
  • Break Glass Accounts – Create at least 2 emergency accounts
  • Secure BGA using PAMs
  • Monitor ALL usage – threshold = 0. NEVER to be used
  • Standard + Strict processes held for break glass accounts (tickets/RFC)
  • Non-standard naming conventions for new accounts
Malicious App Consent
  • Attackers use current events for their attack subjects
  • The app takes over the mailbox, downloads all mail, encrypts the content, and requests ransom to regain data
  • The attacker has gained persistence in your tenant even if the app is deleted

How to find illicit consent?

  • POWERSHELL! Duh!
  • Detect all applications and their granted permissions
  • Filter on high-risk apps
  • Microsoft Cloud App Security
  • OOTB anomaly detection policies
    • Misleading OAuth App Name – Typos in App names
    • Misleading publisher name for an OAuth app – spoofing publisher
    • Malicious OAuth app consent
    • OAuth app file download activities (Anomaly Detection)

What to do?

  • Remove and minimize permissions for apps
  • Hunt for typos in app names
  • Hunt for Out-of-hours activity
  • Hunt for new applications

Infrastructure

  • All on-prem AuthN components need to be treated as Control Plane roles
  • Make sure to leverage Defender for Id for DCs and ADFS
  • Ensure that synced objects hold no privileges beyond a user in Microsoft 365
  • MFA! ALL DAY!
  • Hardening on-prem
  • Monitoring and leverage automation tools
  • Keep all agents up to date with the current release
  • Monitor for changes in conditional access policies
  • Hunt / monitor for new connected domains
  • Changes to global settings such as MFA, B2b, subscription access for GA, consent policies

Review IR Playbooks