Azure AD Unusual Scripting Engine Usage

Detection overview

Triggers

  • An account has executed O365 operations using tools, scripting engines or command line interfaces that attackers could use maliciously.

Possible Root Causes

  • An attacker is "living off the land" by misusing authorized tools (curl, AutoHotKey32, etc.) to extend their attack.
  • An attacker has used a scripting engine (PowerShell, Python, and others) to build and execute attack tools.
  • When an attacker is not careful, these tools submit their default User Agent strings, indicating that the operation was not performed interactively by a legitimate human user.
  • Automation tools and scripts are sometimes used by power users and IT personnel to access O365.

Business Impact

  • Automated tools increase attack speed and volume while reducing human error, and attackers that successfully leverage them have an opportunity to move faster and in some cases with a lower chance of detection.
  • Use of automation tools is a "force multiplier" that increases the chances of successful breaches and data exfiltration, significantly increasing risk to the enterprise.

Steps to Verify

  • Investigate the O365 operation in the context of the user and verify whether this user would reasonably conduct these types of operations.
  • Investigate the tool or scripting engine to validate whether it is an appropriate and approved tool for a user of this type.
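As an added example (not code from the original detection page), a small Python triage helper that applies the user-agent logic described above to constructed O365 audit records: it flags operations whose user agent is a default scripting-engine or CLI string and drops accounts on an assumed automation allow-list. The record field names, the pattern list and the allow-list are assumptions for this example.

```python
import re

# Default user-agent fragments emitted by common scripting engines and CLI
# tools when the operator does not override them. Constructed list for this
# example; extend it from your own environment's baseline.
SCRIPTING_UA_PATTERNS = [
    r"^curl/",
    r"^python-requests/",
    r"^Python-urllib/",
    r"PowerShell/\d",  # matches both WindowsPowerShell/5.1 and PowerShell/7.x
    r"^AutoHotkey",
    r"^Wget/",
]

# Constructed sample of O365 unified audit log records (field names UserId,
# Operation and UserAgent are assumed; they mirror the audit schema but are
# not copied from any real tenant).
SAMPLE_RECORDS = [
    {"UserId": "alice@example.com", "Operation": "MailItemsAccessed",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"},
    {"UserId": "bob@example.com", "Operation": "MailItemsAccessed",
     "UserAgent": "python-requests/2.31.0"},
    {"UserId": "bob@example.com", "Operation": "Set-Mailbox",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/7.4.0"},
    {"UserId": "svc-backup@example.com", "Operation": "FileDownloaded",
     "UserAgent": "curl/8.4.0"},
]

# Accounts approved to run automation against O365 (assumed allow-list).
APPROVED_AUTOMATION_ACCOUNTS = {"svc-backup@example.com"}


def is_scripting_user_agent(ua):
    """True if the user agent looks like a default tool/scripting-engine string."""
    return any(re.search(p, ua or "", re.IGNORECASE) for p in SCRIPTING_UA_PATTERNS)


def triage(records, approved=APPROVED_AUTOMATION_ACCOUNTS):
    """Return records worth investigating: scripting-engine UA from non-approved accounts."""
    hits = []
    for rec in records:
        if not is_scripting_user_agent(rec.get("UserAgent")):
            continue
        if rec.get("UserId", "").lower() in approved:
            continue  # power user / IT automation, benign per the baseline
        hits.append(rec)
    return hits
```

Running `triage(SAMPLE_RECORDS)` on the constructed data returns only bob's two operations; the interactive browser session and the allow-listed service account are dropped.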