Branch was auto-updated.

Author: patel-bhavin

data_sources/azure_monitor_activity.yml

@@ -0,0 +1,96 @@
+name: Azure Monitor Activity
+id: 1997a515-a61a-4f78-ada9-54af34c764f2
+version: 1
+date: '2025-01-13'
+author: Bhavin Patel, Splunk
+description: Data source object for Azure Monitor Activity.  The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub.  To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub. 
+source: Azure AD
+sourcetype: azure:monitor:activity
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+  url: https://splunkbase.splunk.com/app/3110
+  version: 5.4.1
+fields:
+- column
+- action
+- category
+- change_type
+- command
+- correlationId
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- eventtype
+- host
+- identity
+- image_id
+- index
+- instance_type
+- linecount
+- object
+- object_attrs
+- object_category
+- object_id
+- object_path
+- operationName
+- properties.ActivityDate
+- properties.ActivityResultStatus
+- properties.ActivityType
+- properties.Actor.ActorType
+- properties.Actor.Application
+- properties.Actor.ApplicationName
+- properties.Actor.IsDelegatedAdmin
+- properties.Actor.Name
+- properties.Actor.ObjectId
+- properties.Actor.PartnerTenantId
+- properties.Actor.UPN
+- properties.Actor.UserPermissions{}
+- properties.AdditionalDetails
+- properties.AuditEventId
+- properties.Category
+- properties.RelationId
+- properties.TargetDisplayNames{}
+- properties.TargetObjectIds{}
+- properties.Targets{}.ModifiedProperties{}.Name
+- properties.Targets{}.ModifiedProperties{}.New
+- properties.Targets{}.ModifiedProperties{}.Old
+- properties.Targets{}.Name
+- punct
+- resourceId
+- resource_provider
+- response_body
+- result
+- resultDescription
+- resultType
+- result_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- status
+- tag
+- tag::action
+- tag::eventtype
+- tag::object_category
+- tenantId
+- time
+- timeendpos
+- timestartpos
+- user
+- user_name
+- user_type
+- vendor_account
+- vendor_product
+- vendor_region
+- _time
+example_log: '{"time": "2024-04-29T13:30:28.8622000Z", "tenantId": "26db52ee-c1b5-4c96-a0d4-129e25dc0388", "category": "AuditLogs", "operationName": "createDeviceHealthScript DeviceHealthScript", "properties": {"ActivityDate": "4/29/2024 1:30:28 PM", "ActivityResultStatus": 1, "ActivityType": 0, "Actor": {"ActorType": 1, "Application": "5926fc8e-304e-4f59-8bed-58ca97cc39a4", "ApplicationName": "Microsoft Intune portal extension", "IsDelegatedAdmin": false, "Name": null, "ObjectId": "cf2ef473-7d3b-4f14-961c-2e470e9a70f2", "PartnerTenantId": "00000000-0000-0000-0000-000000000000", "UserPermissions": ["*"], "UPN": "[email protected]"}, "AdditionalDetails": "", "AuditEventId": "3e7e790e-f15a-4c2c-a91a-516483bb4e37", "Category": 3, "RelationId": null, "TargetDisplayNames": ["<null>"], "TargetObjectIds": ["b16fcad4-b9f5-46fe-9bf0-841cd9be7bc9"], "Targets": [{"ModifiedProperties": [{"Name": "DeviceManagementAPIVersion", "Old": null, "New": "5024-02-13"}], "Name": null}]}, "resultType": "Success", "resultDescription": "None", "correlationId": "949ac544-b4e5-4576-a117-915c47c0ee00", "identity": "[email protected]"}'

detections/cloud/azure_ad_azurehound_useragent_detected.yml

@@ -0,0 +1,74 @@
+name: Azure AD AzureHound UserAgent Detected
+id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3
+version: 1
+date: '2025-01-06'
+author: Dean Luxton 
+data_sources:
+- Azure Active Directory NonInteractiveUserSignInLogs
+- Azure Active Directory MicrosoftGraphActivityLogs
+type: TTP
+status: production
+description: This detection identifies the presence of the default AzureHound user-agent string within Microsoft Graph Activity logs and NonInteractive SignIn Logs. AzureHound is a tool used for gathering information about Azure Active Directory environments, often employed by security professionals for legitimate auditing purposes. However, it can also be leveraged by malicious actors to perform reconnaissance activities, mapping out the Azure AD infrastructure to identify potential vulnerabilities and targets for further exploitation. Detecting its usage can help in identifying unauthorized access attempts and preemptively mitigating potential security threats to your Azure environment.
+search: >-
+ `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs, NonInteractiveUserSignInLogs) properties.userAgent=azurehound* 
+  | stats  count min(_time) as firstTime max(_time) as lastTime values(properties.userAgent) as user_agent values(properties.userId) as user values(src_category) as src_category by src tenantId 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | iplocation src
+  | `azure_ad_azurehound_useragent_detected_filter`
+how_to_implement: The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest NonInteractiveUserSignInLogs and MicrosoftGraphActivityLogs via an Azure EventHub. See reference for links for further details. 
+known_false_positives: None
+references:
+- https://github.com/SpecterOps/AzureHound
+- https://splunkbase.splunk.com/app/3110
+- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Azure Active Directory Privilege Escalation
+  - Compromised User Account
+  asset_type: Azure Tenant
+  confidence: 100
+  impact: 80
+  message: AzureHound UserAgent String $user_agent$ Detected on Tenant $tenantId$
+  mitre_attack_id:
+  - T1087.004
+  - T1526
+  observable:
+  - name: tenantId
+    type: User
+    role:
+    - Victim
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  - name: user_agent
+    type: Other
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - src
+  - category
+  - properties.userAgent
+  - tenantId
+  risk_score: 80
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/azurehound/azurehound.log
+    sourcetype: azure:monitor:aad
+    source: Azure AD

detections/cloud/azure_ad_service_principal_enumeration.yml

@@ -0,0 +1,78 @@
+name: Azure AD Service Principal Enumeration
+id: 3f0647ce-add5-4436-8039-cbd1abe74563
+version: 1
+date: '2025-01-06'
+author: Dean Luxton
+data_source:
+- Azure Active Directory MicrosoftGraphActivityLogs
+type: TTP
+status: production
+description: >-
+  This detection leverages azure graph activity logs to identify when graph APIs have been used to identify 10 or more service principals. 
+  This type of behaviour is associated with tools such as Azure enumberation tools such as AzureHound or ROADtools.
+search: >-
+  `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals)
+  | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/beta\/servicePrincipals\/(?P<servicePrincipalb>.*?)\/"
+  | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/(?P<servicePrincipalv1>.*?)\/"
+  | eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats min(_time) as _time dc(spn) as spn_count values(user) as user values(user_category) as user_category values(src_category) as src_category count by src tenantId properties.userAgent
+  | rename properties.userAgent as user_agent
+  | where spn_count>9 | `azure_ad_service_principal_enumeration_filter`
+how_to_implement: >-
+  Run this detection over historical data to identify then tune out any known services which may be performing this action. Thresholds can be lowered or raised to meet requirements. 
+  The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest MicrosoftGraphActivityLogs via Azure EventHub. See reference for links for further details on how to onboard this log source. 
+known_false_positives: Unknown
+references:
+- https://github.com/SpecterOps/AzureHound
+- https://github.com/dirkjanm/ROADtools
+- https://splunkbase.splunk.com/app/3110
+- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Azure Active Directory Privilege Escalation
+  - Compromised User Account
+  asset_type: Azure Tenant
+  confidence: 100
+  impact: 80
+  message: $spn_count$ Service Principals have been enumerated by $user$ from IP $src$
+  mitre_attack_id:
+  - T1087.004
+  - T1526
+  observable:
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  - name: tenantId
+    type: User
+    role:
+    - Victim
+  - name: user_agent
+    type: Other
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - category
+  - properties.requestUri
+  - src
+  - user
+  risk_score: 80
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/azurehound/azurehound.log
+    sourcetype: azure:monitor:aad
+    source: Azure AD

detections/cloud/azure_ad_service_principal_privilege_escalation.yml

@@ -0,0 +1,80 @@
+name: Azure AD Service Principal Privilege Escalation
+id: 29eb39d3-2bc8-49cc-99b3-35593191a588
+version: 1
+date: '2025-01-06'
+author: Dean Luxton
+data_sources:
+- Azure Active Directory Add app role assignment to service principal
+type: TTP
+status: production
+description: This detection identifies when an Azure Service Principal elevates privileges by adding themself to a new app role assignment.
+search: >-
+  `azure_monitor_aad` category=AuditLogs operationName="Add app role assignment to service principal" properties.initiatedBy.app.displayName=* properties.result=Success 
+  | spath path=properties{}.targetResources{}.modifiedProperties{} output=targetResources
+  | stats min(_time) as _time values(eval(mvfilter(match(targetResources, "AppRole.Value")))) as appRole, values(eval(mvfilter(match(targetResources, "ServicePrincipal.DisplayName")))) as targetServicePrincipal values(eval(mvindex('properties.targetResources{}.displayName',0))) as targetAppContext values(user_agent) as user_agent values(identity) as servicePrincipal values(properties.initiatedBy.app.servicePrincipalId) as servicePrincipalId by operationName tenantId correlationId
+  | spath input=appRole path=newValue output=appRole
+  | spath input=targetServicePrincipal path=newValue output=targetServicePrincipal
+  | eval appRole=trim(replace(appRole, "\"", "")), targetServicePrincipal=trim(replace(targetServicePrincipal, "\"", ""))
+  | where servicePrincipal=targetServicePrincipal
+  | table _time operationName servicePrincipal servicePrincipalId appRole targetAppContext user_agent tenantId correlationId
+  | `azure_ad_service_principal_privilege_escalation_filter`
+how_to_implement: The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest EntraID audit logs via Azure EventHub. See reference for links for further details on how to onboard this log source. 
+known_false_positives: Unknown
+references:
+- https://splunkbase.splunk.com/app/3110
+- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
+- https://github.com/mvelazc0/BadZure
+- https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html
+- https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
+drilldown_searches:
+- name: View the detection results for - "$servicePrincipal$"
+  search: '%original_detection_search% | search  servicePrincipal = "$servicePrincipal$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$servicePrincipal$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$servicePrincipal$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Azure Active Directory Privilege Escalation
+  asset_type: Azure Tenant
+  confidence: 100
+  impact: 100
+  message: Service Principal $servicePrincipal$ has elevated privileges by adding themself to app role $appRole$
+  mitre_attack_id:
+  - T1098.003
+  - T1098
+  observable:
+  - name: servicePrincipal
+    type: User
+    role:
+    - Victim
+  - name: user_agent
+    type: Other
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - user_agent
+  - identity
+  - properties.initiatedBy.app.servicePrincipalId
+  - operationName
+  - tenantId 
+  - correlationId
+  - category
+  - properties.initiatedBy.app.displayName
+  - properties.result
+  - properties{}.targetResources{}.modifiedProperties{}
+  - properties.targetResources{}.displayName
+  risk_score: 100
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log
+    sourcetype: azure:monitor:aad
+    source: Azure AD

detections/cloud/microsoft_intune_device_health_scripts.yml

@@ -0,0 +1,64 @@
+name: Microsoft Intune Device Health Scripts
+id: 6fe42e07-15b1-4caa-b547-7885666cb1bd
+version: 1
+date: '2025-01-06'
+author: Dean Luxton
+data_sources:
+- Azure Monitor Activity
+type: Hunting
+status: production
+description: >-
+  Microsoft Intune device remediation scripts are a tool administrators can use to remotely manage devices, this functionality can also be abused for SYSTEM level code execution and lateral movement to intune managed devices. 
+  This detection identifies when a new device health script has been added, updated or deleted. 
+search: >-
+  `azure_monitor_activity` operationName="*DeviceHealthScript*" 
+  | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin
+  | rex field="operationName" "^(?P<action>\w+?)DeviceHealthScript" | replace "patch" with "updated", "create" with "created", "delete", with "deleted", "assign", with "assigned" IN action
+  | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId
+  | `microsoft_intune_device_health_scripts_filter`
+how_to_implement: >-
+  The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. 
+  To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub. 
+  Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly. 
+known_false_positives: Legitimate adminstrative usage of this functionality will trigger this detection. 
+references:
+- https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
+- https://securityintelligence.com/x-force/detecting-intune-lateral-movement/
+- https://posts.specterops.io/maestro-9ed71d38d546
+tags:
+  analytic_story:
+  - Azure Active Directory Account Takeover
+  asset_type: Azure Tenant
+  confidence: 40
+  impact: 100
+  message: Intune device health script $TargetObjectId$ was $action$ by user $user$
+  mitre_attack_id:
+  - T1072
+  - T1021.007
+  - T1202
+  - T1105
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: TargetObjectId
+    type: Other
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - operationName
+  - identity
+  - properties.TargetObjectIds{}
+  risk_score: 40
+  security_domain: audit
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
+    sourcetype: azure:monitor:activity
+    source: Azure AD