Azure AD Unusual Scripting Engine Usage

Triggers

  • An account has executed O365 operations using a tool, scripting engine or command-line interface that attackers could misuse.
  • The threat score is driven by the number of operations executed by the account.
  • The certainty score is driven by how unique the User Agent reported for the account is.

Possible Root Causes

  • An attacker is "living off the land", misusing authorized tools (curl, AutoHotKey32, etc.) to extend their attack.
  • An attacker has used a scripting engine (PowerShell, Python, and others) to build and execute attack tools.
  • When the attacker is not careful, these tools submit their default User Agent strings, indicating that the operation was not performed interactively by a legitimate human user.
  • Automation tools and scripts are sometimes used by power users and IT personnel to access O365.

Business Impact

  • Automated tools increase attack speed and volume while reducing human error; attackers that successfully leverage them can move faster and, in some cases, with a lower chance of detection.
  • Use of automation tools is a "force multiplier" that increases the chance of a successful breach and data exfiltration, significantly increasing risk to the enterprise.

Steps to Verify

  • Investigate the O365 operations in the context of the user and verify whether this user would reasonably conduct these types of operations.
  • Investigate the tool or scripting engine to validate whether it is an appropriate and approved tool for a user of this type.
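The following is an added example, not Vectra's detection logic or code from this page, that runs the Triggers above over a small constructed set of Office 365 Unified Audit Log records: it pulls the User Agent from each record, flags agents that look like scripting engines or command-line tools, and scores each account with a threat value that grows with the number of scripted operations and a certainty value that grows with how unique the agent is among the tenant's accounts. The User-Agent patterns, the field placement used for the sample records, and the two scoring formulas are assumptions chosen to mirror the page's description; the audit records are constructed, not real log data.

```python
"""Added example: scoring O365 audit records for scripting-engine user agents.

Illustrative code written for this page, not Vectra's detection logic. The
threat and certainty mappings are assumptions that mirror the page: threat
grows with operation count, certainty with how unique the User Agent is.
"""
import re
from collections import defaultdict

# Tools and scripting engines whose default User-Agent strings a careless
# attacker leaves in place. Illustrative patterns, not an exhaustive list.
SCRIPTING_UA_PATTERNS = {
    "python-requests": re.compile(r"python-requests/"),
    "curl": re.compile(r"^curl/"),
    "PowerShell": re.compile(r"WindowsPowerShell|PowerShell/"),
    "AutoHotkey": re.compile(r"AutoHotkey"),
    "Go-http-client": re.compile(r"^Go-http-client/"),
}


def classify_user_agent(ua):
    """Return the tool name if the UA looks like a scripting engine, else None."""
    if not ua:
        return None
    for name, pattern in SCRIPTING_UA_PATTERNS.items():
        if pattern.search(ua):
            return name
    return None


def user_agent_of(record):
    """Extract the client UA from a Unified Audit Log record.

    Assumption: Azure AD records carry it as an ExtendedProperties entry named
    "UserAgent" and Exchange records as ClientInfoString; workloads vary.
    """
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value")
    return record.get("ClientInfoString")


def score_accounts(records):
    """Return {user: {"threat", "certainty", "ops", "tools"}} for flagged accounts."""
    all_users = {r["UserId"] for r in records}
    ops_by_user = defaultdict(int)
    uas_by_user = defaultdict(set)
    users_by_ua = defaultdict(set)
    for r in records:
        ua = user_agent_of(r)
        if classify_user_agent(ua) is None:
            continue  # interactive browser or unknown client: not scripted
        ops_by_user[r["UserId"]] += 1
        uas_by_user[r["UserId"]].add(ua)
        users_by_ua[ua].add(r["UserId"])

    results = {}
    for user, ops in ops_by_user.items():
        # Assumed mapping: 10 points per scripted operation, capped at 100.
        threat = min(100, 10 * ops)
        # Assumed mapping: a UA seen only from this account scores 100; one
        # shared by every account in the tenant scores 0. Take the account's best.
        others = max(len(all_users) - 1, 1)
        certainty = max(
            round(100 * (1 - (len(users_by_ua[ua]) - 1) / others))
            for ua in uas_by_user[user]
        )
        results[user] = {
            "threat": threat,
            "certainty": certainty,
            "ops": ops,
            "tools": sorted({classify_user_agent(ua) for ua in uas_by_user[user]}),
        }
    return results


def _record(user, operation, ua, workload="AzureActiveDirectory"):
    """Build a minimal constructed audit record (assumed field placement)."""
    rec = {"UserId": user, "Operation": operation, "Workload": workload}
    if workload == "Exchange":
        rec["ClientInfoString"] = ua
    else:
        rec["ExtendedProperties"] = [{"Name": "UserAgent", "Value": ua}]
    return rec


# Constructed sample log: four accounts in one tenant.
PY_UA = "python-requests/2.31.0"
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
SAMPLE_RECORDS = (
    [_record("alice@example.com", "MailItemsAccessed", PY_UA, "Exchange")] * 12
    + [_record("bob@example.com", "UserLoggedIn", PS_UA)] * 2
    + [_record("carol@example.com", "Add user.", PS_UA)] * 3
    + [_record("dave@example.com", "UserLoggedIn", BROWSER_UA)] * 5
)

if __name__ == "__main__":
    for user, s in sorted(score_accounts(SAMPLE_RECORDS).items()):
        print(f"{user}: threat={s['threat']} certainty={s['certainty']} "
              f"ops={s['ops']} tools={s['tools']}")
```

In the sample, alice's twelve python-requests operations with an agent nobody else in the tenant uses produce the highest threat and certainty, while bob and carol share a PowerShell agent and so score lower certainty; dave's browser traffic is not flagged at all. That matches the Possible Root Causes above: a shared scripting agent is often IT automation, whereas a unique default agent behind a burst of operations is the pattern worth verifying against the user's role.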