From 0454541c41e2b5fce1bcc0cf6fbebe4019a4edbc Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Mon, 6 Jan 2025 16:19:32 +1000 Subject: [PATCH 01/11] Uploading new detections --- ...azure_ad_azurehound_useragent_detected.yml | 64 +++++++++++++++++ ...azure_ad_service_principal_enumeration.yml | 68 +++++++++++++++++++ ...service_principal_privilege_escalation.yml | 58 ++++++++++++++++ ...ntune_new_device_health_script_created.yml | 49 +++++++++++++ ...service_principal_privilege_escalation.yml | 61 +++++++++++++++++ macros/azure_monitor_activity.yml | 4 ++ 6 files changed, 304 insertions(+) create mode 100644 detections/cloud/azure_ad_azurehound_useragent_detected.yml create mode 100644 detections/cloud/azure_ad_service_principal_enumeration.yml create mode 100644 detections/cloud/azure_ad_service_principal_privilege_escalation.yml create mode 100644 detections/cloud/azure_intune_new_device_health_script_created.yml create mode 100644 detections/cloud/o365_service_principal_privilege_escalation.yml create mode 100644 macros/azure_monitor_activity.yml diff --git a/detections/cloud/azure_ad_azurehound_useragent_detected.yml b/detections/cloud/azure_ad_azurehound_useragent_detected.yml new file mode 100644 index 0000000000..62d1f62095 --- /dev/null +++ b/detections/cloud/azure_ad_azurehound_useragent_detected.yml 
@@ -0,0 +1,64 @@ +name: Azure AD AzureHound UserAgent Detected +id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3 +version: 1 +date: '2025-01-06' +author: Dean Luxton +data_sources: +- Azure Active Directory NonInteractiveUserSignInLogs +- Azure Active Directory MicrosoftGraphActivityLogs +type: TTP +status: production +description: This detection looks for the default AzureHound useragent string within Graph Activity logs and NonInteractive SignIn Logs. +search: >- + `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs, NonInteractiveUserSignInLogs) properties.userAgent=azurehound* + | eval createdDateTime=strptime('properties.createdDateTime',"%Y-%m-%dT%H:%M:%S.%7Q%z") + | stats min(createdDateTime) as _time values(user_agent) as user_agent values(user) as user count values(src_category) as src_category by src tenantId + | iplocation src + | `azure_ad_azurehound_useragent_detected_filter` +how_to_implement: The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest NonInteractiveUserSignInLogs and MicrosoftGraphActivityLogs via an Azure EventHub. See reference for links for further details. 
+known_false_positives: None +references: +- https://github.com/SpecterOps/AzureHound +- https://splunkbase.splunk.com/app/3110 +- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install +tags: + analytic_story: + - Azure Active Directory Privilege Escalation + - Compromised User Account + asset_type: Azure Tenant + confidence: 100 + impact: 80 + message: AzureHound UserAgent String $user_agent$ Detected on Tenant $tenantId$ + mitre_attack_id: + - T1087.004 + - T1526 + observable: + - name: src + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Attacker + - name: user_agent + type: User Agent + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - src + - category + - properties.userAgent + - tenantId + risk_score: 80 + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://github.com/splunk/contentctl/wiki + sourcetype: UPDATE SOURCETYPE + source: UPDATE SOURCE diff --git a/detections/cloud/azure_ad_service_principal_enumeration.yml b/detections/cloud/azure_ad_service_principal_enumeration.yml new file mode 100644 index 0000000000..15ac90e51e --- /dev/null +++ b/detections/cloud/azure_ad_service_principal_enumeration.yml 
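Review bot: The only selector in this search is the client-supplied header prefix `properties.userAgent=azurehound*`, so `known_false_positives: None` and `confidence: 100` claim more than a User-Agent match can support in either direction — a rebuilt binary or a proxy that rewrites the header evades it, and anything else that sends that string trips it. Suggest `known_false_positives: The User-Agent header is client-controlled; it can be changed or stripped, and other tooling could reuse the string. Pair with the Azure AD Service Principal Enumeration detection for behaviour-based coverage.` The `stats ... by src tenantId` also folds every identity seen from one egress IP into a single notable, so a shared VPN or proxy address hides which principal ran the tool; `by src user tenantId` keeps the attribution per user that the observables already expect. `required_fields` omits `user`, `user_agent` and `properties.createdDateTime`, all of which the search reads.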
@@ -0,0 +1,68 @@ +name: Azure AD Service Principal Enumeration +id: 3f0647ce-add5-4436-8039-cbd1abe74563 +version: 1 +date: '2025-01-06' +author: Dean Luxton +data_source: +- Azure Active Directory MicrosoftGraphActivityLogs +type: TTP +status: production +description: >- + This detection leverages azure graph activity logs to identify when graph APIs have been used to identify 10 or more service principals. + This type of behaviour is associated with tools such as Azure enumberation tools such as AzureHound or ROADtools. +search: >- + `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals) + | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/beta\/servicePrincipals\/(?P.*?)\/" + | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/(?P.*?)\/" + | eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats min(_time) as _time dc(spn) as spn_count values(user) as user values(user_category) as user_category values(src_category) as src_category count by src tenantId properties.userAgent + | rename properties.userAgent as user_agent + | where spn_count>9 | `azure_ad_service_principal_enumeration_filter` +how_to_implement: Run this detection over historical data to identify then tune out any known services which may be performing this action. Thresholds can be lowered or raised to meet requirements. +The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest MicrosoftGraphActivityLogs via Azure EventHub. See reference for links for further details on how to onboard this log source. 
+known_false_positives: Unknown +references: +- https://github.com/SpecterOps/AzureHound +- https://github.com/dirkjanm/ROADtools +- https://splunkbase.splunk.com/app/3110 +- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install +tags: + analytic_story: + - Azure Active Directory Privilege Escalation + - Compromised User Account + asset_type: Azure Tenant + confidence: 100 + impact: 80 + message: $spn_count$ Service Principals have been enumerated by $user$ from IP $src$ + mitre_attack_id: + - T1087.004 + - T1526 + observable: + - name: src + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Attacker + - name: user_agent + type: User Agent + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - category + - properties.requestUri + - src + - user + risk_score: 80 + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://github.com/splunk/contentctl/wiki + sourcetype: UPDATE SOURCETYPE + source: UPDATE SOURCE diff --git a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml new file mode 100644 index 0000000000..8c376df49f --- /dev/null +++ b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml 
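Review bot: `dc(spn)` only sees ids captured from per-object URIs of the form `.../servicePrincipals/{id}/...`, so an actor that enumerates the collection itself (`GET /v1.0/servicePrincipals` with `$top`, paged a handful of times) produces no `spn` values and never reaches `spn_count>9`, even though `TERM(servicePrincipals)` matched those events. Consider also counting collection hits, e.g. add `count(eval(if(isnull(spn),1,null()))) as collection_requests` to the stats and widen the threshold to `| where spn_count>9 OR collection_requests>N` with N set from baselining. As rendered here the two `rex` patterns read `(?P.*?)` with no group names, yet `coalesce(servicePrincipalb,servicePrincipalv1)` expects them; if that is the committed text rather than a display artefact, neither extraction populates `spn`. The trailing `\/` in both patterns also drops ids followed by a query string rather than a path segment; `[^\/\?]+` as the capture body would catch both forms.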
@@ -0,0 +1,58 @@ +name: Azure AD Service Principal Privilege Escalation +id: 29eb39d3-2bc8-49cc-99b3-35593191a588 +version: 1 +date: '2025-01-06' +author: Dean Luxton +data_sources: [] +type: TTP +status: production +description: UPDATE_DESCRIPTION +search: "`azure_monitor_aad` category=AuditLogs operationName=\"Add app role assignment\ + \ to service principal\" properties.initiatedBy.app.displayName=* properties.result=Success\ + \ \n| spath path=properties{}.targetResources{}.modifiedProperties{} output=targetResources\n\ + | stats min(_time) as _time values(eval(mvfilter(match(targetResources, \"AppRole.Value\"\ + )))) as appRole, values(eval(mvfilter(match(targetResources, \"ServicePrincipal.DisplayName\"\ + )))) as targetServicePrincipal values(eval(mvindex('properties.targetResources{}.displayName',0)))\ + \ as targetAppContext values(user_agent) as user_agent values(identity) as servicePrincipal\ + \ values(properties.initiatedBy.app.servicePrincipalId) as servicePrincipalId by\ + \ operationName tenantId correlationId\n| spath input=appRole path=newValue output=appRole\n\ + | spath input=targetServicePrincipal path=newValue output=targetServicePrincipal\n\ + | eval appRole=trim(replace(appRole, \"\\\"\", \"\")), targetServicePrincipal=trim(replace(targetServicePrincipal,\ + \ \"\\\"\", \"\"))\n| where servicePrincipal=targetServicePrincipal\n| table _time\ + \ operationName servicePrincipal servicePrincipalId targetServicePrincipal appRole\ + \ targetAppContext user_agent tenantId correlationId\n | `azure_ad_service_principal_privilege_escalation_filter`" +how_to_implement: UPDATE_HOW_TO_IMPLEMENT +known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES +references: +- REFERENCE +tags: + analytic_story: + - UPDATE_STORY_NAME + asset_type: UPDATE asset_type + confidence: UPDATE value between 1-100 + impact: UPDATE value between 1-100 + message: UPDATE message + mitre_attack_id: + - T1098.001 + - T1098 + observable: + - name: UPDATE + type: UPDATE + role: + - 
UPDATE + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - UPDATE + risk_score: UPDATE (impact * confidence)/100 + security_domain: identity + cve: + - UPDATE WITH CVE(S) IF APPLICABLE +tests: +- name: True Positive Test + attack_data: + - data: https://github.com/splunk/contentctl/wiki + sourcetype: UPDATE SOURCETYPE + source: UPDATE SOURCE diff --git a/detections/cloud/azure_intune_new_device_health_script_created.yml b/detections/cloud/azure_intune_new_device_health_script_created.yml new file mode 100644 index 0000000000..53314fdeb2 --- /dev/null +++ b/detections/cloud/azure_intune_new_device_health_script_created.yml 
@@ -0,0 +1,49 @@ +name: Azure Intune New Device Health Script Created +id: 6fe42e07-15b1-4caa-b547-7885666cb1bd +version: 1 +date: '2025-01-06' +author: Dean Luxton +data_sources: [] +type: Hunting +status: production +description: Intune Remediation Scripts can be used to move laterally to intune managed devices. This detection identifies when a new device health script has been created. +search: >- + `azure_monitor_activity` operationName="createDeviceHealthScript DeviceHealthScript" + | rename identity as user, properties.TargetObjectIds{} as TargetObjectId + | table _time correlationId resultType user TargetObjectId + | `azure_intune_new_device_health_script_created_filter` +how_to_implement: The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic setting & send events to the activity audit event hub. +known_false_positives: False positives are expected from this detection. +references: +- https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d +tags: + analytic_story: + - Azure Active Directory Account Takeover + asset_type: Azure Tenant + confidence: 20 + impact: 100 + message: Intune device health script $TargetObjectId$ was created by user $user$ + mitre_attack_id: + - T1072 + - T1021.007 + observable: + - name: user + type: User + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - operationName + - identity + - properties.TargetObjectIds{} + risk_score: 20 + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://github.com/splunk/contentctl/wiki + sourcetype: UPDATE SOURCETYPE + source: UPDATE SOURCE 
diff --git a/detections/cloud/o365_service_principal_privilege_escalation.yml b/detections/cloud/o365_service_principal_privilege_escalation.yml new file mode 100644 index 0000000000..219b18d33b --- /dev/null +++ b/detections/cloud/o365_service_principal_privilege_escalation.yml 
@@ -0,0 +1,61 @@ +name: O365 Service Principal Privilege Escalation +id: b686d0bd-cca7-44ca-ae07-87f6465131d9 +version: 1 +date: '2025-01-06' +author: Dean Luxton +data_sources: [] +type: TTP +status: production +description: This detection identifies when an Azure Service Principal elevates privileges by adding themself to a new app role assignment. +search: >- + `o365_management_activity` Operation="Add app role assignment to service principal." "Actor{}.ID"=ServicePrincipal ResultStatus=Success + | spath path=ModifiedProperties{} output=targetResources + | stats min(_time) as _time values(eval(mvfilter(match(targetResources, "AppRole.Value")))) as appRole, values(eval(mvfilter(match(targetResources, "ServicePrincipal.DisplayName")))) as targetServicePrincipal values(object) as targetAppContext values(user_agent) as user_agent values(user) as servicePrincipal values(UserId) as servicePrincipalId by Operation InterSystemsId tenant_id + | spath input=appRole path=NewValue output=appRole + | spath input=targetServicePrincipal path=NewValue output=targetServicePrincipal + | where servicePrincipal=targetServicePrincipal + | table _time Operation servicePrincipal servicePrincipalId appRole targetAppContext user_agent tenant_id InterSystemsId +how_to_implement: The Splunk Add-on for Microsoft Office 365 add-on is required to ingest EntraID audit logs via the 365 API. See references for links for further details on how to onboard this log source. 
+known_false_positives: Unknown +references: +- https://splunkbase.splunk.com/app/4055 +tags: + analytic_story: + - Azure Active Directory Privilege Escalation + asset_type: Azure Tenant + confidence: 100 + impact: 100 + message: Service Principal $servicePrincipal$ has elevated privileges by adding themself to app role $appRole$ + mitre_attack_id: + - T1098.001 + - T1098 + observable: + - name: servicePrincipal + type: User + role: + - Attacker + - name: user_agent + type: User Agent + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - user_agent + - Actor{}.ID + - ResultStatus + - Operation + - ModifiedProperties{} + - user + - InterSystemsId + - tenant_id + risk_score: 100 + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://github.com/splunk/contentctl/wiki + sourcetype: UPDATE SOURCETYPE + source: UPDATE SOURCE diff --git a/macros/azure_monitor_activity.yml b/macros/azure_monitor_activity.yml new file mode 100644 index 0000000000..66b90df794 --- /dev/null +++ b/macros/azure_monitor_activity.yml @@ -0,0 +1,4 @@ +definition: sourcetype=azure:monitor:activity +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: azure_monitor_activity \ No newline at end of file From cba33c32df9fbeefb49c60b4eb419dae2c6e2fbf Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Mon, 6 Jan 2025 16:35:41 +1000 Subject: [PATCH 02/11] Uploading new detections --- ...service_principal_privilege_escalation.yml | 72 +++++++++++-------- 1 file changed, 41 insertions(+), 31 deletions(-) diff --git a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml index 8c376df49f..b2a0b698f8 100644 
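Review bot: The search ends at `| table ...` and never invokes `` `o365_service_principal_privilege_escalation_filter` ``, unlike its Azure sibling in this same patch, so there is no tuning hook and the filter-macro convention contentctl checks for is not met; append `| \`o365_service_principal_privilege_escalation_filter\`` as the last line. `data_sources: []` is also left empty here while the Azure version names one. The self-assignment test `where servicePrincipal=targetServicePrincipal` compares the actor display name taken from `user` against the `ServicePrincipal.DisplayName` modified property; Entra display names are neither unique nor immutable, so two SPs sharing a name raise a false positive and a renamed SP passes silently — matching the `ServicePrincipal.ObjectID` modified property against the actor's object id (if that is what `UserId` carries for app actors in this feed; confirm against the dataset) would be more robust.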
--- a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
+++ b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
@@ -3,53 +3,63 @@ id: 29eb39d3-2bc8-49cc-99b3-35593191a588 version: 1 date: '2025-01-06' author: Dean Luxton -data_sources: [] +data_sources: +- Azure Active Directory Add app role assignment to service principal type: TTP status: production -description: UPDATE_DESCRIPTION -search: "`azure_monitor_aad` category=AuditLogs operationName=\"Add app role assignment\ - \ to service principal\" properties.initiatedBy.app.displayName=* properties.result=Success\ - \ \n| spath path=properties{}.targetResources{}.modifiedProperties{} output=targetResources\n\ - | stats min(_time) as _time values(eval(mvfilter(match(targetResources, \"AppRole.Value\"\ - )))) as appRole, values(eval(mvfilter(match(targetResources, \"ServicePrincipal.DisplayName\"\ - )))) as targetServicePrincipal values(eval(mvindex('properties.targetResources{}.displayName',0)))\ - \ as targetAppContext values(user_agent) as user_agent values(identity) as servicePrincipal\ - \ values(properties.initiatedBy.app.servicePrincipalId) as servicePrincipalId by\ - \ operationName tenantId correlationId\n| spath input=appRole path=newValue output=appRole\n\ - | spath input=targetServicePrincipal path=newValue output=targetServicePrincipal\n\ - | eval appRole=trim(replace(appRole, \"\\\"\", \"\")), targetServicePrincipal=trim(replace(targetServicePrincipal,\ - \ \"\\\"\", \"\"))\n| where servicePrincipal=targetServicePrincipal\n| table _time\ - \ operationName servicePrincipal servicePrincipalId targetServicePrincipal appRole\ - \ targetAppContext user_agent tenantId correlationId\n | `azure_ad_service_principal_privilege_escalation_filter`" -how_to_implement: UPDATE_HOW_TO_IMPLEMENT -known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES +description: This detection identifies when an Azure Service Principal elevates privileges by adding themself to a new app role assignment. 
+search: >- + `azure_monitor_aad` category=AuditLogs operationName="Add app role assignment to service principal" properties.initiatedBy.app.displayName=* properties.result=Success + | spath path=properties{}.targetResources{}.modifiedProperties{} output=targetResources + | stats min(_time) as _time values(eval(mvfilter(match(targetResources, "AppRole.Value")))) as appRole, values(eval(mvfilter(match(targetResources, "ServicePrincipal.DisplayName")))) as targetServicePrincipal values(eval(mvindex('properties.targetResources{}.displayName',0))) as targetAppContext values(user_agent) as user_agent values(identity) as servicePrincipal values(properties.initiatedBy.app.servicePrincipalId) as servicePrincipalId by operationName tenantId correlationId + | spath input=appRole path=newValue output=appRole + | spath input=targetServicePrincipal path=newValue output=targetServicePrincipal + | eval appRole=trim(replace(appRole, "\"", "")), targetServicePrincipal=trim(replace(targetServicePrincipal, "\"", "")) + | where servicePrincipal=targetServicePrincipal + | table _time operationName servicePrincipal servicePrincipalId appRole targetAppContext user_agent tenantId correlationId + | `azure_ad_service_principal_privilege_escalation_filter` +how_to_implement: The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest EntraID audit logs via Azure EventHub. See reference for links for further details on how to onboard this log source. 
+known_false_positives: Unknown references: -- REFERENCE +- https://splunkbase.splunk.com/app/3110 +- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install tags: analytic_story: - - UPDATE_STORY_NAME - asset_type: UPDATE asset_type - confidence: UPDATE value between 1-100 - impact: UPDATE value between 1-100 - message: UPDATE message + - Azure Active Directory Privilege Escalation + asset_type: Azure Tenant + confidence: 100 + impact: 100 + message: Service Principal $servicePrincipal$ has elevated privileges by adding themself to app role $appRole$ mitre_attack_id: - T1098.001 - T1098 observable: - - name: UPDATE - type: UPDATE + - name: servicePrincipal + type: User role: - - UPDATE + - Attacker + - name: user_agent + type: User Agent + role: + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud required_fields: - - UPDATE - risk_score: UPDATE (impact * confidence)/100 + - user_agent + - identity + - properties.initiatedBy.app.servicePrincipalId + - operationName + - tenantId + - correlationId + - category + - properties.initiatedBy.app.displayName + - properties.result + - properties{}.targetResources{}.modifiedProperties{} + - properties.targetResources{}.displayName + risk_score: 100 security_domain: identity - cve: - - UPDATE WITH CVE(S) IF APPLICABLE tests: - name: True Positive Test attack_data: From b33f7b034cd3c4e99e2089bb7657aaa565bcceb3 Mon Sep 17 00:00:00 2001 
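Review bot: `where servicePrincipal=targetServicePrincipal` decides "added themself" by comparing the initiator's `identity` with the `ServicePrincipal.DisplayName` modified property, and display names in Entra are neither unique nor immutable, so two service principals sharing a name alert as a false positive while a renamed one slips past. The audit record already gives you the initiator's object id in `properties.initiatedBy.app.servicePrincipalId`; extracting the `ServicePrincipal.ObjectID` modified property the same way `AppRole.Value` is extracted and comparing ids is the stable test (worth confirming the property name against `azure_ad_spn_privesc.log`). Note also that the same search addresses the target resources both as `properties{}.targetResources{}.modifiedProperties{}` and as `properties.targetResources{}.displayName`; only one of those shapes can match the raw event, so one of the two is presumably wrong. `confidence: 100` alongside `known_false_positives: Unknown` is contradictory — pick one.

```yaml
    # … unchanged: base search and spath of modifiedProperties …
    | stats min(_time) as _time values(eval(mvfilter(match(targetResources, "AppRole.Value")))) as appRole, values(eval(mvfilter(match(targetResources, "ServicePrincipal.DisplayName")))) as targetServicePrincipal values(eval(mvfilter(match(targetResources, "ServicePrincipal.ObjectID")))) as targetServicePrincipalId values(eval(mvindex('properties.targetResources{}.displayName',0))) as targetAppContext values(user_agent) as user_agent values(identity) as servicePrincipal values(properties.initiatedBy.app.servicePrincipalId) as servicePrincipalId by operationName tenantId correlationId
    | spath input=appRole path=newValue output=appRole
    | spath input=targetServicePrincipal path=newValue output=targetServicePrincipal
    | spath input=targetServicePrincipalId path=newValue output=targetServicePrincipalId
    | eval appRole=trim(replace(appRole, "\"", "")), targetServicePrincipal=trim(replace(targetServicePrincipal, "\"", "")), targetServicePrincipalId=trim(replace(targetServicePrincipalId, "\"", ""))
    | where servicePrincipalId=targetServicePrincipalId
    # … unchanged: table (add targetServicePrincipalId) and filter macro …
```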
From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Tue, 7 Jan 2025 15:47:35 +1000 Subject: [PATCH 03/11] Adding intune detections & updating dataset links --- ...azure_ad_azurehound_useragent_detected.yml | 5 +- ...azure_ad_service_principal_enumeration.yml | 5 +- ...service_principal_privilege_escalation.yml | 10 +-- ...ntune_new_device_health_script_created.yml | 49 -------------- ...microsoft_intune_device_health_scripts.yml | 62 ++++++++++++++++++ ..._devicemanagementconfigurationpolicies.yml | 65 +++++++++++++++++++ ...rosoft_intune_manual_device_management.yml | 63 ++++++++++++++++++ .../cloud/microsoft_intune_mobile_apps.yml | 62 ++++++++++++++++++ ...service_principal_privilege_escalation.yml | 12 ++-- 9 files changed, 270 insertions(+), 63 deletions(-) delete mode 100644 detections/cloud/azure_intune_new_device_health_script_created.yml create mode 100644 detections/cloud/microsoft_intune_device_health_scripts.yml create mode 100644 detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml create mode 100644 detections/cloud/microsoft_intune_manual_device_management.yml create mode 100644 detections/cloud/microsoft_intune_mobile_apps.yml diff --git a/detections/cloud/azure_ad_azurehound_useragent_detected.yml b/detections/cloud/azure_ad_azurehound_useragent_detected.yml index 62d1f62095..7f8e4abc5b 100644 --- a/detections/cloud/azure_ad_azurehound_useragent_detected.yml +++ b/detections/cloud/azure_ad_azurehound_useragent_detected.yml @@ -59,6 +59,5 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://github.com/splunk/contentctl/wiki - sourcetype: UPDATE SOURCETYPE - source: UPDATE SOURCE + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/azurehound/azurehound.log + sourcetype: azure:monitor:aad 
diff --git a/detections/cloud/azure_ad_service_principal_enumeration.yml b/detections/cloud/azure_ad_service_principal_enumeration.yml
index 15ac90e51e..98b4101d28 100644
--- a/detections/cloud/azure_ad_service_principal_enumeration.yml
+++ b/detections/cloud/azure_ad_service_principal_enumeration.yml
@@ -63,6 +63,5 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://github.com/splunk/contentctl/wiki
- sourcetype: UPDATE SOURCETYPE
- source: UPDATE SOURCE
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/azurehound/azurehound.log
+ sourcetype: azure:monitor:aad
diff --git a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
index b2a0b698f8..0b8b5fbd36 100644
--- a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
+++ b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
@@ -23,6 +23,9 @@ known_false_positives: Unknown
 references:
 - https://splunkbase.splunk.com/app/3110
 - https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
+- https://github.com/mvelazc0/BadZure
+- https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html
+- https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
 tags:
 analytic_story:
 - Azure Active Directory Privilege Escalation
@@ -31,7 +34,7 @@ tags:
 impact: 100
 message: Service Principal $servicePrincipal$ has elevated privileges by adding themself to app role $appRole$
 mitre_attack_id:
- - T1098.001
+ - T1098.003
 - T1098
 observable:
 - name: servicePrincipal
@@ -63,6 +63,5 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://github.com/splunk/contentctl/wiki
- sourcetype: UPDATE SOURCETYPE
- source: UPDATE SOURCE
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log
+ sourcetype: azure:monitor:aad
diff --git a/detections/cloud/azure_intune_new_device_health_script_created.yml b/detections/cloud/azure_intune_new_device_health_script_created.yml deleted file mode 100644
index 53314fdeb2..0000000000
--- a/detections/cloud/azure_intune_new_device_health_script_created.yml
+++ /dev/null
@@ -1,49 +0,0 @@ -name: Azure Intune New Device Health Script Created -id: 6fe42e07-15b1-4caa-b547-7885666cb1bd -version: 1 -date: '2025-01-06' -author: Dean Luxton -data_sources: [] -type: Hunting -status: production -description: Intune Remediation Scripts can be used to move laterally to intune managed devices. This detection identifies when a new device health script has been created. -search: >- - `azure_monitor_activity` operationName="createDeviceHealthScript DeviceHealthScript" - | rename identity as user, properties.TargetObjectIds{} as TargetObjectId - | table _time correlationId resultType user TargetObjectId - | `azure_intune_new_device_health_script_created_filter` -how_to_implement: The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic setting & send events to the activity audit event hub. -known_false_positives: False positives are expected from this detection. -references: -- https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d -tags: - analytic_story: - - Azure Active Directory Account Takeover - asset_type: Azure Tenant - confidence: 20 - impact: 100 - message: Intune device health script $TargetObjectId$ was created by user $user$ - mitre_attack_id: - - T1072 - - T1021.007 - observable: - - name: user - type: User - role: - - Attacker - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - required_fields: - - operationName - - identity - - properties.TargetObjectIds{} - risk_score: 20 - security_domain: audit -tests: -- name: True Positive Test - attack_data: - - data: https://github.com/splunk/contentctl/wiki - sourcetype: UPDATE SOURCETYPE - source: UPDATE SOURCE 
diff --git a/detections/cloud/microsoft_intune_device_health_scripts.yml b/detections/cloud/microsoft_intune_device_health_scripts.yml new file mode 100644 index 0000000000..f0856e8e7b --- /dev/null +++ b/detections/cloud/microsoft_intune_device_health_scripts.yml 
@@ -0,0 +1,62 @@ +name: Microsoft Intune Device Health Scripts +id: 6fe42e07-15b1-4caa-b547-7885666cb1bd +version: 1 +date: '2025-01-06' +author: Dean Luxton +data_sources: [] +type: Hunting +status: production +description: >- + Microsoft Intune device remediation scripts are a tool administrators can use to remotely manage devices, this functionality can also be abused for SYSTEM level code execution and lateral movement to intune managed devices. + This detection identifies when a new device health script has been added, updated or deleted. +search: >- + `azure_monitor_activity` operationName="*DeviceHealthScript*" + | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin + | rex field="operationName" "^(?P\w+?)DeviceHealthScript" | replace "patch" with "updated", "create" with "created", "delete", with "deleted", "assign", with "assigned" IN action + | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId + | `microsoft_intune_device_health_scripts_filter` +how_to_implement: >- + The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. + To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub. + Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly. +known_false_positives: Legitimate adminstrative usage of this functionality will trigger this detection. 
+references: +- https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d +- https://securityintelligence.com/x-force/detecting-intune-lateral-movement/ +- https://posts.specterops.io/maestro-9ed71d38d546 +tags: + analytic_story: + - Azure Active Directory Account Takeover + asset_type: Azure Tenant + confidence: 40 + impact: 100 + message: Intune device health script $TargetObjectId$ was $action$ by user $user$ + mitre_attack_id: + - T1072 + - T1021.007 + - T1202 + - T1105 + observable: + - name: user + type: User + role: + - Attacker + - name: TargetObjectId + type: TargetObjectId + role: + - Object + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - operationName + - identity + - properties.TargetObjectIds{} + risk_score: 40 + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log + sourcetype: azure:monitor:activity \ No newline at end of file diff --git a/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml b/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml new file mode 100644 index 0000000000..847aab8897 --- /dev/null +++ b/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml 
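Review bot: The `replace` on the rex line carries stray commas — `"delete", with "deleted", "assign", with "assigned"` — which is not valid `replace X with Y, A with B IN field` syntax, so the whole search errors rather than merely leaving `action` unmapped; it should read `| replace "patch" with "updated", "create" with "created", "delete" with "deleted", "assign" with "assigned" IN action`. `how_to_implement` recommends deploying this as a risk-based alerting rule, but as far as I know `type: Hunting` detections do not emit risk events in ESCU; if RBA is the intent, `type: Anomaly` is the type that does. `required_fields` omits `properties.TargetDisplayNames{}`, `properties.Actor.IsDelegatedAdmin`, `status` and `user_type`, all of which the search reads, and `type: TargetObjectId` is not a standard observable type — `Other` is the usual choice for an object id. The group name also appears stripped from `(?P\w+?)` as rendered; confirm the committed file names it `action`.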
@@ -0,0 +1,65 @@ +name: Microsoft Intune DeviceManagementConfigurationPolicies +id: 3c49e5ed-625c-408c-a2c7-8e2b524efb2c +version: 1 +date: '2025-01-07' +author: Dean Luxton +data_sources: [] +type: Hunting +status: production +description: >- + Microsoft Intune device management configuration policies are a tool administrators can use to remotely manage policies and settings on intune managed devices. + This functionality can also be abused to disable defences & evade detection. + This detection identifies when a new device management configuration policy has been created. +search: >- + `azure_monitor_activity` operationName="* DeviceManagementConfigurationPolicy*" + | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin + | eval details=mvzip('properties.Targets{}.ModifiedProperties{}.Name','properties.Targets{}.ModifiedProperties{}.New',": ") + | rex field="operationName" "^(?P\w+)\s" | replace "Patch" with "updated", "Create" with "created", "Delete", with "deleted", "assign", with "assigned" IN action + | eval action=if(match(operationName ,"Assignment$"),"assigned",'action') + | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId details status tenantId correlationId | `microsoft_intune_devicemanagementconfigurationpolicies_filter` +how_to_implement: >- + The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. + To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub. + Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly. +known_false_positives: Legitimate adminstrative usage of this functionality will trigger this detection. 
+references: +- https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d +- https://securityintelligence.com/x-force/detecting-intune-lateral-movement/ +- https://posts.specterops.io/maestro-9ed71d38d546 +tags: + analytic_story: + - Azure Active Directory Account Takeover + asset_type: Azure Tenant + confidence: 40 + impact: 100 + message: Intune device management policy $TargetObjectId$ has been $action$ by user $user$ + mitre_attack_id: + - T1072 + - T1484 + - T1021.007 + - T1562.001 + - T1562.004 + observable: + - name: user + type: User + role: + - Attacker + - name: TargetObjectId + type: TargetObjectId + role: + - Object + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - operationName + - identity + - properties.TargetObjectIds{} + risk_score: 40 + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log + sourcetype: azure:monitor:activity diff --git a/detections/cloud/microsoft_intune_manual_device_management.yml b/detections/cloud/microsoft_intune_manual_device_management.yml new file mode 100644 index 0000000000..401345194e --- /dev/null +++ b/detections/cloud/microsoft_intune_manual_device_management.yml 
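Review bot: Same stray-comma `replace` syntax as the device-health-script search (`"Delete", with "deleted", "assign", with "assigned"`), which errors the whole search; use `| replace "Patch" with "updated", "Create" with "created", "Delete" with "deleted", "assign" with "assigned" IN action`. The description says the detection identifies when a policy has been *created*, but `operationName="* DeviceManagementConfigurationPolicy*"` plus the action mapping covers create, update, delete and assignment, and deleting a hardening policy is arguably the stronger defence-evasion signal given T1562 is tagged — suggest `This detection identifies when a device management configuration policy is created, updated, deleted or assigned.` `mvzip` on `properties.Targets{}.ModifiedProperties{}.Name` and `.New` pairs only up to the shorter list, so `details` will be silently incomplete if those arrays are ever of different length; worth confirming against `intune.log` that they line up for patch events. `required_fields` is missing the `properties.Targets{}.ModifiedProperties{}` fields and the other renamed fields this search depends on.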
@@ -0,0 +1,63 @@
+name: Microsoft Intune Manual Device Management
+id: 5ca7ebee-4ee7-4cf2-b3be-0ea26a00d822
+version: 1
+date: '2025-01-07'
+author: Dean Luxton
+data_sources: []
+type: Hunting
+status: production
+description: >-
+ Microsoft Intune device management configuration policies, scripts & apps are a all tools administrators can use to remotely manage intune managed devices.
+ Instead of waiting for the devices to poll for changes to polciies, the policies can be manually pushed to expidite delivery.
+ This may be useful in a pinch, it may also be a sign of an impatient attacker trying to speed up the delivery of their payload.
+ This detection identifies when a device management configuration policy sync events, on-demand remediation scripts are triggered or when devices are remotely restarted.
+search: >-
+ `azure_monitor_activity` operationName="*ManagedDevice*"
+ | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin
+ | rex field="operationName" "^(?P\w+)\s"
+ | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId
+ | `microsoft_intune_manual_device_management_filter`
+how_to_implement: >-
+ The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub.
+ To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub.
+ Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly.
+known_false_positives: Legitimate adminstrative usage of this functionality will trigger this detection.
+references:
+- https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
+- https://securityintelligence.com/x-force/detecting-intune-lateral-movement/
+- https://posts.specterops.io/maestro-9ed71d38d546
+tags:
+ analytic_story:
+ - Azure Active Directory Account Takeover
+ asset_type: Azure Tenant
+ confidence: 70
+ impact: 20
+ message: Microsoft Intune device management configuration policy action $action$ was performed on $TargetObjectId$ by user $user$
+ mitre_attack_id:
+ - T1021.007
+ - T1072
+ - T1529
+ observable:
+ - name: user
+ type: User
+ role:
+ - Attacker
+ - name: TargetObjectId
+ type: TargetObjectId
+ role:
+ - Object
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - operationName
+ - identity
+ - properties.TargetObjectIds{}
+ risk_score: 14
+ security_domain: audit
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
+ sourcetype: azure:monitor:activity
diff --git a/detections/cloud/microsoft_intune_mobile_apps.yml b/detections/cloud/microsoft_intune_mobile_apps.yml
new file mode 100644
index 0000000000..6df133b455
--- /dev/null
+++ b/detections/cloud/microsoft_intune_mobile_apps.yml
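Review bot: The search matches any `operationName` containing `ManagedDevice`, whereas the description limits the detection to policy sync events, on-demand remediation scripts and remote restarts; either narrow the filter to those operations or widen the description, e.g. `This detection identifies manual device management actions (policy sync, on-demand remediation scripts, remote restart and other ManagedDevice operations) performed against Intune managed devices.` The description also has typos worth fixing before this ships: `are a all tools` → `are all tools`, `polciies` → `policies`, `expidite` → `expedite`.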
@@ -0,0 +1,62 @@
+name: Microsoft Intune Mobile Apps
+id: 98e6b389-2806-4426-a580-8a92cb0d9710
+version: 1
+date: '2025-01-07'
+author: Dean Luxton
+data_sources: []
+type: Hunting
+status: experimental
+description: >-
+ Microsoft Intune supports deploying packaged applications to support software deployment, this functionality can also be abused for deploying malicious payloads to intune managed devices.
+ This detection identifies when a new packaged application has been added, updated or deleted.
+search: >-
+ `azure_monitor_activity` operationName="*MobileApp*"
+ | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin
+ | rex field="operationName" "^(?P\w+)\s" | replace "Patch" with "updated", "Create" with "created", "Delete", with "deleted", "assign", with "assigned" IN action
+ | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId
+ | `microsoft_intune_mobile_apps_filter`
+how_to_implement: >-
+ The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub.
+ To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub.
+ Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly.
+known_false_positives: Legitimate adminstrative usage of this functionality will trigger this detection.
+references:
+- https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
+- https://securityintelligence.com/x-force/detecting-intune-lateral-movement/
+- https://posts.specterops.io/maestro-9ed71d38d546
+tags:
+ analytic_story:
+ - Azure Active Directory Account Takeover
+ asset_type: Azure Tenant
+ confidence: 40
+ impact: 100
+ message: Intune packed application $TargetDisplayName$ $TargetObjectId$ was $action$ by user $user$
+ mitre_attack_id:
+ - T1072
+ - T1021.007
+ - T1202
+ - T1105
+ observable:
+ - name: user
+ type: User
+ role:
+ - Attacker
+ - name: TargetObjectId
+ type: TargetObjectId
+ role:
+ - Object
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - operationName
+ - identity
+ - properties.TargetObjectIds{}
+ risk_score: 40
+ security_domain: audit
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
+ sourcetype: azure:monitor:activity
diff --git a/detections/cloud/o365_service_principal_privilege_escalation.yml b/detections/cloud/o365_service_principal_privilege_escalation.yml
index 219b18d33b..0bcb538d01 100644
--- a/detections/cloud/o365_service_principal_privilege_escalation.yml
+++ b/detections/cloud/o365_service_principal_privilege_escalation.yml
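Review bot: The risk message reads `Intune packed application ...`; `packaged` is meant, matching the description. The description says the detection fires when an application "has been added, updated or deleted", but the `replace` mapping in the search also produces `assigned`; suggest `This detection identifies when a packaged application has been added, updated, deleted or assigned.` so the message and description agree with the `$action$` values the search can emit.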
@@ -15,19 +15,24 @@ search: >-
 | spath input=targetServicePrincipal path=NewValue output=targetServicePrincipal
 | where servicePrincipal=targetServicePrincipal
 | table _time Operation servicePrincipal servicePrincipalId appRole targetAppContext user_agent tenant_id InterSystemsId
+ | `o365_service_principal_privilege_escalation_filter
 how_to_implement: The Splunk Add-on for Microsoft Office 365 add-on is required to ingest EntraID audit logs via the 365 API. See references for links for further details on how to onboard this log source.
 known_false_positives: Unknown
 references:
 - https://splunkbase.splunk.com/app/4055
+- https://github.com/mvelazc0/BadZure
+- https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html
+- https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
 tags:
 analytic_story:
 - Azure Active Directory Privilege Escalation
+ - Office 365 Account Takeover
 asset_type: Azure Tenant
 confidence: 100
 impact: 100
 message: Service Principal $servicePrincipal$ has elevated privileges by adding themself to app role $appRole$
 mitre_attack_id:
- - T1098.001
+ - T1098.003
 - T1098
 observable:
 - name: servicePrincipal
@@ -56,6 +61,5 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://github.com/splunk/contentctl/wiki
- sourcetype: UPDATE SOURCETYPE
- source: UPDATE SOURCE
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log
+ sourcetype: o365:management:activity
From 0a1c14df72b2f37e191d3644899515359317e03f Mon Sep 17 00:00:00 2001
From: dluxtron <106139814+dluxtron@users.noreply.github.com>
Date: Tue, 7 Jan 2025 16:51:06 +1000
Subject: [PATCH 04/11] fixing syntax & updating macro
---
 detections/cloud/azure_ad_service_principal_enumeration.yml | 5 +++--
 macros/ms_defender.yml | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/detections/cloud/azure_ad_service_principal_enumeration.yml b/detections/cloud/azure_ad_service_principal_enumeration.yml
index 98b4101d28..12c36d8654 100644
--- a/detections/cloud/azure_ad_service_principal_enumeration.yml
+++ b/detections/cloud/azure_ad_service_principal_enumeration.yml
@@ -17,8 +17,9 @@ search: >-
 | eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats min(_time) as _time dc(spn) as spn_count values(user) as user values(user_category) as user_category values(src_category) as src_category count by src tenantId properties.userAgent | rename properties.userAgent as user_agent | where spn_count>9 | `azure_ad_service_principal_enumeration_filter`
-how_to_implement: Run this detection over historical data to identify then tune out any known services which may be performing this action. Thresholds can be lowered or raised to meet requirements.
-The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest MicrosoftGraphActivityLogs via Azure EventHub. See reference for links for further details on how to onboard this log source.
+how_to_implement: >-
+ Run this detection over historical data to identify then tune out any known services which may be performing this action. Thresholds can be lowered or raised to meet requirements.
+ The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest MicrosoftGraphActivityLogs via Azure EventHub. See reference for links for further details on how to onboard this log source.
 known_false_positives: Unknown
 references:
 - https://github.com/SpecterOps/AzureHound
diff --git a/macros/ms_defender.yml b/macros/ms_defender.yml
index ad8e782902..bed2e5be4f 100644
--- a/macros/ms_defender.yml
+++ b/macros/ms_defender.yml
@@ -1,4 +1,4 @@
-definition: source="WinEventLog:Microsoft-Windows-Windows Defender/Operational"
+definition: ( source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" OR source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational"
 description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
 name: ms_defender
From fa6f09b059eeec8d5ff6015d201046aed7e80444 Mon Sep 17 00:00:00 2001
From: research-bot
Date: Tue, 7 Jan 2025 11:58:59 -0800
Subject: [PATCH 05/11] fixing up yamls for testing
---
 ...azure_ad_azurehound_useragent_detected.yml | 20 ++++++++++++++-----
 ...azure_ad_service_principal_enumeration.yml | 14 +++++++++++--
 ...service_principal_privilege_escalation.yml | 14 +++++++++++--
 ...microsoft_intune_device_health_scripts.yml | 9 +++++----
 ..._devicemanagementconfigurationpolicies.yml | 7 ++++---
 ...rosoft_intune_manual_device_management.yml | 7 ++++---
 .../cloud/microsoft_intune_mobile_apps.yml | 5 +++--
 ...service_principal_privilege_escalation.yml | 16 ++++++++++++---
 8 files changed, 68 insertions(+), 24 deletions(-)
diff --git a/detections/cloud/azure_ad_azurehound_useragent_detected.yml b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
index 7f8e4abc5b..4134d171e3 100644
--- a/detections/cloud/azure_ad_azurehound_useragent_detected.yml
+++ b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
@@ -21,6 +21,15 @@ references:
 - https://github.com/SpecterOps/AzureHound
 - https://splunkbase.splunk.com/app/3110
 - https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
 tags:
 analytic_story:
 - Azure Active Directory Privilege Escalation
@@ -33,16 +42,16 @@ tags:
 - T1087.004
 - T1526
 observable:
- - name: src
- type: IP Address
- role:
- - Attacker
 - name: user
 type: User
 role:
+ - Victim
+ - name: src
+ type: IP Address
+ role:
 - Attacker
 - name: user_agent
- type: User Agent
+ type: Other
 role:
 - Attacker
 product:
@@ -61,3 +70,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/azurehound/azurehound.log
 sourcetype: azure:monitor:aad
+ source: Azure AD
diff --git a/detections/cloud/azure_ad_service_principal_enumeration.yml b/detections/cloud/azure_ad_service_principal_enumeration.yml
index 12c36d8654..68d649de94 100644
--- a/detections/cloud/azure_ad_service_principal_enumeration.yml
+++ b/detections/cloud/azure_ad_service_principal_enumeration.yml
@@ -26,6 +26,15 @@ references:
 - https://github.com/dirkjanm/ROADtools
 - https://splunkbase.splunk.com/app/3110
 - https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
 tags:
 analytic_story:
 - Azure Active Directory Privilege Escalation
@@ -45,9 +54,9 @@ tags:
 - name: user
 type: User
 role:
- - Attacker
+ - Victim
 - name: user_agent
- type: User Agent
+ type: Other
 role:
 - Attacker
 product:
@@ -66,3 +75,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/azurehound/azurehound.log
 sourcetype: azure:monitor:aad
+ source: Azure AD
diff --git a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
index 0b8b5fbd36..76e2a13097 100644
--- a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
+++ b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
@@ -26,6 +26,15 @@ references:
 - https://github.com/mvelazc0/BadZure
 - https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html
 - https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
+drilldown_searches:
+- name: View the detection results for - "$servicePrincipal$"
+ search: '%original_detection_search% | search servicePrincipal = "$servicePrincipal$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$servicePrincipal$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$servicePrincipal$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
 tags:
 analytic_story:
 - Azure Active Directory Privilege Escalation
@@ -40,9 +49,9 @@ tags:
 - name: servicePrincipal
 type: User
 role:
- - Attacker
+ - Victim
 - name: user_agent
- type: User Agent
+ type: Other
 role:
 - Attacker
 product:
@@ -68,3 +77,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log
 sourcetype: azure:monitor:aad
+ source: Azure AD
diff --git a/detections/cloud/microsoft_intune_device_health_scripts.yml b/detections/cloud/microsoft_intune_device_health_scripts.yml
index f0856e8e7b..936a80669b 100644
--- a/detections/cloud/microsoft_intune_device_health_scripts.yml
+++ b/detections/cloud/microsoft_intune_device_health_scripts.yml
@@ -40,11 +40,11 @@ tags:
 - name: user
 type: User
 role:
- - Attacker
+ - Victim
 - name: TargetObjectId
- type: TargetObjectId
+ type: Other
 role:
- - Object
+ - Attacker
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
@@ -59,4 +59,5 @@ tests:
 - name: True Positive Test
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
- sourcetype: azure:monitor:activity
\ No newline at end of file
+ sourcetype: azure:monitor:activity
+ source: Azure AD
\ No newline at end of file
diff --git a/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml b/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml
index 847aab8897..5080a09fdd 100644
--- a/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml
+++ b/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml
@@ -43,11 +43,11 @@ tags:
 - name: user
 type: User
 role:
- - Attacker
+ - Victim
 - name: TargetObjectId
- type: TargetObjectId
+ type: Other
 role:
- - Object
+ - Attacker
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
@@ -63,3 +63,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
 sourcetype: azure:monitor:activity
+ source: Azure AD
diff --git a/detections/cloud/microsoft_intune_manual_device_management.yml b/detections/cloud/microsoft_intune_manual_device_management.yml
index 401345194e..20a28e3c95 100644
--- a/detections/cloud/microsoft_intune_manual_device_management.yml
+++ b/detections/cloud/microsoft_intune_manual_device_management.yml
@@ -41,11 +41,11 @@ tags:
 - name: user
 type: User
 role:
- - Attacker
+ - Victim
 - name: TargetObjectId
- type: TargetObjectId
+ type: Other
 role:
- - Object
+ - Attacker
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
@@ -61,3 +61,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
 sourcetype: azure:monitor:activity
+ source: Azure AD
diff --git a/detections/cloud/microsoft_intune_mobile_apps.yml b/detections/cloud/microsoft_intune_mobile_apps.yml
index 6df133b455..6d62c4b459 100644
--- a/detections/cloud/microsoft_intune_mobile_apps.yml
+++ b/detections/cloud/microsoft_intune_mobile_apps.yml
@@ -42,9 +42,9 @@ tags:
 role:
 - Attacker
 - name: TargetObjectId
- type: TargetObjectId
+ type: Other
 role:
- - Object
+ - Attacker
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
@@ -60,3 +60,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
 sourcetype: azure:monitor:activity
+ source: Azure AD
diff --git a/detections/cloud/o365_service_principal_privilege_escalation.yml b/detections/cloud/o365_service_principal_privilege_escalation.yml
index 0bcb538d01..68279a49cd 100644
--- a/detections/cloud/o365_service_principal_privilege_escalation.yml
+++ b/detections/cloud/o365_service_principal_privilege_escalation.yml
@@ -15,7 +15,7 @@ search: >-
 | spath input=targetServicePrincipal path=NewValue output=targetServicePrincipal
 | where servicePrincipal=targetServicePrincipal
 | table _time Operation servicePrincipal servicePrincipalId appRole targetAppContext user_agent tenant_id InterSystemsId
- | `o365_service_principal_privilege_escalation_filter
+ | `o365_service_principal_privilege_escalation_filter`
 how_to_implement: The Splunk Add-on for Microsoft Office 365 add-on is required to ingest EntraID audit logs via the 365 API. See references for links for further details on how to onboard this log source.
 known_false_positives: Unknown
 references:
@@ -23,6 +23,15 @@ references:
 - https://github.com/mvelazc0/BadZure
 - https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html
 - https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
+drilldown_searches:
+- name: View the detection results for - "$servicePrincipal$"
+ search: '%original_detection_search% | search servicePrincipal = "$servicePrincipal$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$servicePrincipal$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$servicePrincipal$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
 tags:
 analytic_story:
 - Azure Active Directory Privilege Escalation
@@ -38,9 +47,9 @@ tags:
 - name: servicePrincipal
 type: User
 role:
- - Attacker
+ - Victim
 - name: user_agent
- type: User Agent
+ type: Other
 role:
 - Attacker
 product:
@@ -63,3 +72,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log
 sourcetype: o365:management:activity
+ source: Office 365
\ No newline at end of file
From c4d5915f22c0f0730265d231f5e9aa900a501a13 Mon Sep 17 00:00:00 2001
From: research-bot
Date: Tue, 7 Jan 2025 12:14:10 -0800
Subject: [PATCH 06/11] updating risk
---
 detections/cloud/azure_ad_azurehound_useragent_detected.yml | 2 +-
 detections/cloud/azure_ad_service_principal_enumeration.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/cloud/azure_ad_azurehound_useragent_detected.yml b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
index 4134d171e3..2ba392d517 100644
--- a/detections/cloud/azure_ad_azurehound_useragent_detected.yml
+++ b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
@@ -42,7 +42,7 @@ tags:
 - T1087.004
 - T1526
 observable:
- - name: user
+ - name: tenantId
 type: User
 role:
 - Victim
diff --git a/detections/cloud/azure_ad_service_principal_enumeration.yml b/detections/cloud/azure_ad_service_principal_enumeration.yml
index 68d649de94..ec27ce7b0c 100644
--- a/detections/cloud/azure_ad_service_principal_enumeration.yml
+++ b/detections/cloud/azure_ad_service_principal_enumeration.yml
@@ -51,7 +51,7 @@ tags:
 type: IP Address
 role:
 - Attacker
- - name: user
+ - name: tenantId
 type: User
 role:
 - Victim
From e66bb09cf4e2c067a6b6d2bf47446220cdd04b07 Mon Sep 17 00:00:00 2001
From: research-bot
Date: Tue, 7 Jan 2025 12:15:23 -0800
Subject: [PATCH 07/11] updating macro
---
 macros/ms_defender.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/macros/ms_defender.yml b/macros/ms_defender.yml
index bed2e5be4f..62b3d7beaa 100644
--- a/macros/ms_defender.yml
+++ b/macros/ms_defender.yml
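Review bot: Renaming the observable from `user` to `tenantId` while keeping `type: User` and `role: Victim` types a tenant identifier as a user account, and the drilldown searches added in the previous patch still key on `$user$` (`normalized_risk_object IN ("$user$")`), so the "View risk events" drilldown presumably no longer matches the risk object this change produces. The same applies to the azure_ad_service_principal_enumeration.yml hunk in this patch. If the tenant is intended as the risk object, suggest `type: Other` for the tenantId observable and `normalized_risk_object IN ("$tenantId$")` in the drilldown; otherwise keep the `user` observable and make tenantId an additional one.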
@@ -1,4 +1,4 @@
-definition: ( source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" OR source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational"
+definition: source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" OR source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational"
 description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
 name: ms_defender
From b97cf5714e60021681d6f0b5fdabed31f624371f Mon Sep 17 00:00:00 2001
From: research-bot
Date: Tue, 7 Jan 2025 13:14:24 -0800
Subject: [PATCH 08/11] udpating SPL
---
 .../cloud/azure_ad_azurehound_useragent_detected.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/detections/cloud/azure_ad_azurehound_useragent_detected.yml b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
index 2ba392d517..68fe9f4144 100644
--- a/detections/cloud/azure_ad_azurehound_useragent_detected.yml
+++ b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
@@ -2,17 +2,18 @@ name: Azure AD AzureHound UserAgent Detected
 id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3
 version: 1
 date: '2025-01-06'
-author: Dean Luxton
+author: Dean Luxton
 data_sources:
 - Azure Active Directory NonInteractiveUserSignInLogs
 - Azure Active Directory MicrosoftGraphActivityLogs
 type: TTP
 status: production
-description: This detection looks for the default AzureHound useragent string within Graph Activity logs and NonInteractive SignIn Logs.
+description: This detection identifies the presence of the default AzureHound user-agent string within Microsoft Graph Activity logs and NonInteractive SignIn Logs. AzureHound is a tool used for gathering information about Azure Active Directory environments, often employed by security professionals for legitimate auditing purposes. However, it can also be leveraged by malicious actors to perform reconnaissance activities, mapping out the Azure AD infrastructure to identify potential vulnerabilities and targets for further exploitation. Detecting its usage can help in identifying unauthorized access attempts and preemptively mitigating potential security threats to your Azure environment.
 search: >-
- `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs, NonInteractiveUserSignInLogs) properties.userAgent=azurehound*
- | eval createdDateTime=strptime('properties.createdDateTime',"%Y-%m-%dT%H:%M:%S.%7Q%z")
- | stats min(createdDateTime) as _time values(user_agent) as user_agent values(user) as user count values(src_category) as src_category by src tenantId
+ `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs, NonInteractiveUserSignInLogs) properties.userAgent=azurehound*
+ | stats count min(_time) as firstTime max(_time) as lastTime values(properties.userAgent) as user_agent values(properties.userId) as user values(src_category) as src_category by src tenantId
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
 | iplocation src
 | `azure_ad_azurehound_useragent_detected_filter`
 how_to_implement: The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest NonInteractiveUserSignInLogs and MicrosoftGraphActivityLogs via an Azure EventHub. See reference for links for further details.
From 3d8919f1c678a1b8c71497379eb587472fc616d8 Mon Sep 17 00:00:00 2001
From: dluxtron <106139814+dluxtron@users.noreply.github.com>
Date: Wed, 8 Jan 2025 15:11:19 +1000
Subject: [PATCH 09/11] reverting macro change
---
 macros/ms_defender.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/macros/ms_defender.yml b/macros/ms_defender.yml
index 62b3d7beaa..ad8e782902 100644
--- a/macros/ms_defender.yml
+++ b/macros/ms_defender.yml
@@ -1,4 +1,4 @@
-definition: source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" OR source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational"
+definition: source="WinEventLog:Microsoft-Windows-Windows Defender/Operational"
 description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
 name: ms_defender
From d64e5c9063bf5e5994a37207ab66aa597effe6e6 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Mon, 13 Jan 2025 10:36:45 -0800
Subject: [PATCH 10/11] Update o365_service_principal_privilege_escalation.yml
---
 .../cloud/o365_service_principal_privilege_escalation.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/detections/cloud/o365_service_principal_privilege_escalation.yml b/detections/cloud/o365_service_principal_privilege_escalation.yml
index 68279a49cd..85576e00a7 100644
--- a/detections/cloud/o365_service_principal_privilege_escalation.yml
+++ b/detections/cloud/o365_service_principal_privilege_escalation.yml
@@ -3,7 +3,8 @@ id: b686d0bd-cca7-44ca-ae07-87f6465131d9
 version: 1
 date: '2025-01-06'
 author: Dean Luxton
-data_sources: []
+data_sources:
+- O365 Add app role assignment grant to user
 type: TTP
 status: production
 description: This detection identifies when an Azure Service Principal elevates privileges by adding themself to a new app role assignment.
@@ -72,4 +73,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log
 sourcetype: o365:management:activity
- source: Office 365
\ No newline at end of file
+ source: Office 365
From ff5a16bd970996665890be8f58e88dbb2167b1c3 Mon Sep 17 00:00:00 2001
From: research-bot
Date: Mon, 13 Jan 2025 12:18:01 -0800
Subject: [PATCH 11/11] updating data sources
---
 data_sources/azure_monitor_activity.yml | 96 +++++++++++++++++++
 ...microsoft_intune_device_health_scripts.yml | 3 +-
 ..._devicemanagementconfigurationpolicies.yml | 3 +-
 ...rosoft_intune_manual_device_management.yml | 3 +-
 .../cloud/microsoft_intune_mobile_apps.yml | 3 +-
 5 files changed, 104 insertions(+), 4 deletions(-)
 create mode 100644 data_sources/azure_monitor_activity.yml
diff --git a/data_sources/azure_monitor_activity.yml b/data_sources/azure_monitor_activity.yml
new file mode 100644
index 0000000000..4a4eb3f0b0
--- /dev/null
+++ b/data_sources/azure_monitor_activity.yml
@@ -0,0 +1,96 @@
+name: Azure Monitor Activity
+id: 1997a515-a61a-4f78-ada9-54af34c764f2
+version: 1
+date: '2025-01-13'
+author: Bhavin Patel, Splunk
+description: Data source object for Azure Monitor Activity. The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub.
+source: Azure AD
+sourcetype: azure:monitor:activity
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.4.1
+fields:
+- column
+- action
+- category
+- change_type
+- command
+- correlationId
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- eventtype
+- host
+- identity
+- image_id
+- index
+- instance_type
+- linecount
+- object
+- object_attrs
+- object_category
+- object_id
+- object_path
+- operationName
+- properties.ActivityDate
+- properties.ActivityResultStatus
+- properties.ActivityType
+- properties.Actor.ActorType
+- properties.Actor.Application
+- properties.Actor.ApplicationName
+- properties.Actor.IsDelegatedAdmin
+- properties.Actor.Name
+- properties.Actor.ObjectId
+- properties.Actor.PartnerTenantId
+- properties.Actor.UPN
+- properties.Actor.UserPermissions{}
+- properties.AdditionalDetails
+- properties.AuditEventId
+- properties.Category
+- properties.RelationId
+- properties.TargetDisplayNames{}
+- properties.TargetObjectIds{}
+- properties.Targets{}.ModifiedProperties{}.Name
+- properties.Targets{}.ModifiedProperties{}.New
+- properties.Targets{}.ModifiedProperties{}.Old
+- properties.Targets{}.Name
+- punct
+- resourceId
+- resource_provider
+- response_body
+- result
+- resultDescription
+- resultType
+- result_id
+- source
+- sourcetype
+- splunk_server
+- 
splunk_server_group
+- src
+- status
+- tag
+- tag::action
+- tag::eventtype
+- tag::object_category
+- tenantId
+- time
+- timeendpos
+- timestartpos
+- user
+- user_name
+- user_type
+- vendor_account
+- vendor_product
+- vendor_region
+- _time
+example_log: '{"time": "2024-04-29T13:30:28.8622000Z", "tenantId": "26db52ee-c1b5-4c96-a0d4-129e25dc0388", "category": "AuditLogs", "operationName": "createDeviceHealthScript DeviceHealthScript", "properties": {"ActivityDate": "4/29/2024 1:30:28 PM", "ActivityResultStatus": 1, "ActivityType": 0, "Actor": {"ActorType": 1, "Application": "5926fc8e-304e-4f59-8bed-58ca97cc39a4", "ApplicationName": "Microsoft Intune portal extension", "IsDelegatedAdmin": false, "Name": null, "ObjectId": "cf2ef473-7d3b-4f14-961c-2e470e9a70f2", "PartnerTenantId": "00000000-0000-0000-0000-000000000000", "UserPermissions": ["*"], "UPN": "brian.cove@frothlydev.onmicrosoft.com"}, "AdditionalDetails": "", "AuditEventId": "3e7e790e-f15a-4c2c-a91a-516483bb4e37", "Category": 3, "RelationId": null, "TargetDisplayNames": [""], "TargetObjectIds": ["b16fcad4-b9f5-46fe-9bf0-841cd9be7bc9"], "Targets": [{"ModifiedProperties": [{"Name": "DeviceManagementAPIVersion", "Old": null, "New": "5024-02-13"}], "Name": null}]}, "resultType": "Success", "resultDescription": "None", "correlationId": "949ac544-b4e5-4576-a117-915c47c0ee00", "identity": "brian.cove@frothlydev.onmicrosoft.com"}'
diff --git a/detections/cloud/microsoft_intune_device_health_scripts.yml b/detections/cloud/microsoft_intune_device_health_scripts.yml
index 936a80669b..0ded33699f 100644
--- a/detections/cloud/microsoft_intune_device_health_scripts.yml
+++ b/detections/cloud/microsoft_intune_device_health_scripts.yml
@@ -3,7 +3,8 @@ id: 6fe42e07-15b1-4caa-b547-7885666cb1bd
 version: 1
 date: '2025-01-06'
 author: Dean Luxton
-data_sources: []
+data_sources:
+- Azure Monitor Activity
 type: Hunting
 status: production
 description: >-
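Review bot: `source: Azure AD` in the new data source object looks inconsistent with its own description, which scopes it to Intune audit logs delivered through an Azure Monitor event hub under `sourcetype: azure:monitor:activity`; if the `source` field on the ingested events is different, the four Intune detections that now reference `Azure Monitor Activity` will be mapped to a data source whose metadata does not match what is actually indexed, so this value should be confirmed against a real event. The description also mixes `In-Tune` and `Intune` and repeats `add-on`; I would reword its opening to `Data source object for Azure Monitor Activity (Intune audit logs). The Splunk Add-on for Microsoft Cloud Services is required to ingest Intune audit logs via an Azure Event Hub.` The `example_log` also carries `"DeviceManagementAPIVersion" ... "New": "5024-02-13"`, which reads like a corrupted date in the sample; worth checking, since this record is what future contributors will copy as a reference event.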
diff --git a/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml b/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml
index 5080a09fdd..5d4fff9411 100644
--- a/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml
+++ b/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml
@@ -3,7 +3,8 @@ id: 3c49e5ed-625c-408c-a2c7-8e2b524efb2c
 version: 1
 date: '2025-01-07'
 author: Dean Luxton
-data_sources: []
+data_sources:
+- Azure Monitor Activity
 type: Hunting
 status: production
 description: >-
diff --git a/detections/cloud/microsoft_intune_manual_device_management.yml b/detections/cloud/microsoft_intune_manual_device_management.yml
index 20a28e3c95..567d368706 100644
--- a/detections/cloud/microsoft_intune_manual_device_management.yml
+++ b/detections/cloud/microsoft_intune_manual_device_management.yml
@@ -3,7 +3,8 @@ id: 5ca7ebee-4ee7-4cf2-b3be-0ea26a00d822
 version: 1
 date: '2025-01-07'
 author: Dean Luxton
-data_sources: []
+data_sources:
+- Azure Monitor Activity
 type: Hunting
 status: production
 description: >-
diff --git a/detections/cloud/microsoft_intune_mobile_apps.yml b/detections/cloud/microsoft_intune_mobile_apps.yml
index 6d62c4b459..f1da77ec86 100644
--- a/detections/cloud/microsoft_intune_mobile_apps.yml
+++ b/detections/cloud/microsoft_intune_mobile_apps.yml
@@ -3,7 +3,8 @@ id: 98e6b389-2806-4426-a580-8a92cb0d9710
 version: 1
 date: '2025-01-07'
 author: Dean Luxton
-data_sources: []
+data_sources:
+- Azure Monitor Activity
 type: Hunting
 status: experimental
 description: >-