Azure Cloud Account Takeover
Query
//Azure cloud account takeover
//https://www.linkedin.com/feed/update/urn:li:activity:7163049034528481281/
SigninLogs
| where TimeGenerated > ago(90d)
| where UserAgent == "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
| where AppDisplayName == "OfficeHome"
// MITRE ATT&CK Mapping
// Based on the KQL query, the following MITRE ATT&CK techniques are relevant:
// T1078 - Valid Accounts: The query is filtering sign-in logs, which can be used to detect the use of valid accounts, especially if the user agent is unusual or unexpected for the environment1.
// T1071.001 - Application Layer Protocol: Web Protocols: The specific user agent string indicates web-based access, which falls under the use of web protocols2.
// T1204.002 - User Execution: Malicious File: If the user agent is associated with a known malicious browser or script, it could indicate an attempt to execute malicious files3.Explanation
This query is designed to identify potential unauthorized access to Azure cloud accounts by analyzing sign-in logs. Here's a simple breakdown:
- Data Source: The query examines sign-in logs from the past 90 days.
- User Agent Filtering: It specifically looks for sign-ins using a particular web browser (Mozilla/5.0 on Linux with a specific Chrome version).
- Application Filtering: The query is focused on sign-ins to the "OfficeHome" application.
The query is linked to certain MITRE ATT&CK techniques, which are frameworks for understanding cyber threats:
- T1078 - Valid Accounts: This technique involves the use of legitimate credentials to access systems. The query helps detect this by identifying unusual user agents, which might indicate unauthorized access.
- T1071.001 - Application Layer Protocol: Web Protocols: The query highlights the use of web protocols, as indicated by the specific user agent string, suggesting web-based access.
- T1204.002 - User Execution: Malicious File: If the user agent is linked to known malicious activity, it could suggest attempts to execute harmful files.
Overall, the query is a tool for detecting suspicious sign-in activities that could indicate account takeovers in Azure environments.
