Stop an attack in Microsoft Azure AD
attack in Azure AD
Let's see how an analyst using Vectra can detect and respond to attackers targeting Azure AD federated applications and the Azure AD backend.
If you can't use your laptop at the moment, here is the transcript below!
Stop an attack in Azure AD!
Let's see how an analyst using Vectra can detect and respond to attackers targeting Azure AD federated applications and the Azure AD backend.
You can see thatjohn@corp.ai is prioritized as an active compromise with several different Vectra detections correlated to the account.
Let's investigatejohn@corp.ai to understand what might be happening.
You can see the account performed several actions that triggered alerts, including
- A suspicious authentication
- An unusual use of Powershell
- The creation of a new admin accounts
- Changes to account permissions
- Creation of exfiltration channels with M365 Power Automate
Azure AD Suspicious Sign-on
Let's take a deeper look at these alerts by clicking Expand All.
You can see details of a sign-on that could be the start of an account compromise.
This alert was generated by an AI algorithm that considers 20+ different attributes of the sign-in to determine if this is an attacker sign-in.
To understand more about this type of Vectra detection, click ? to review the in-app explanation page.
Review the explainer page and find the details that will help us respond to alerts like the MITRE ATT&CK techniques, actions that trigger the detection, and the impact of the attacker's behavior.
When you are done reviewing, click x to continue investigating the sign-in event.
Account Compromise investigation in Azure AD
Now that we understand how this detection works, let's investigate and understand:
- Was MFA bypassed?
- How did the attacker sign-in?
- Was the login location different than the baseline?
- Was the device different from the baseline?
MFA bypass in Azure AD
The investigation reveals that this was a compromised access event.
The attacker bypassed MFA, and anomalously signed-in from Russia with a Windows device.
Let's investigate deeper to understand more about what the attacker accessed.
Let's investigate the raw logs to see what other actions the attacker has done.
Click Instant Investigation for query-less access to the account's historical activity in Azure AD and M365.
We can complete our investigation by looking at john@corp.ai's historical Azure AD and M365 activity.
Let's focus on the Azure AD Sign-in activity to understand if this compromised account accessed other SaaS services.
This look like the malicious access from before.
Click the row to see all the services accessed.
We can see that the attacker accessed Salesforce and Box in addition to the Powershell module.
We have enough information to stop the attacker by disabling the account and blocking the attacker's access.
Attack Stopped!
Want to start seeing and stopping Azure AD compromises in your environment?
Detect and prevent cyberattack in Azure AD
Vectra not only detects attackers but can also help prevent them.
Let's look at this dashboard to see the normal user access activity related to security controls and validate whether controls put in place are being bypassed.
One security control we can review is who has access to Powershell.
Click AzureAD PowerShell Logins to see who else has access to Powershell and review if we should limit their access.
Prevent a cyberattack in Azure AD
You can see the compromised access from john@corp.ai and a few other users.
We can now block john@corp.ai and the other users' access to Powershell to prevent its use in future attacks.
Attacks Prevented!
Vectra’s detections are more accurate than SIEM’s
“Our alert volume has been reduced by 90% since Vectra’s ML assesses more features and context in the models, which leads to more accurate detections.” - Kevin Kennedy, Senior Vice President, Cybersecurity Blackstone
