Query Details

Azure Cloud Account Takeover

Query

//Azure cloud account takeover
//https://www.linkedin.com/feed/update/urn:li:activity:7163049034528481281/

SigninLogs
| where TimeGenerated > ago(90d)
| where UserAgent == "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
| where AppDisplayName == "OfficeHome"

// MITRE ATT&CK Mapping

// Based on the KQL query, the following MITRE ATT&CK techniques are relevant:

// T1078 - Valid Accounts: The query is filtering sign-in logs, which can be used to detect the use of valid accounts, especially if the user agent is unusual or unexpected for the environment1.
// T1071.001 - Application Layer Protocol: Web Protocols: The specific user agent string indicates web-based access, which falls under the use of web protocols2.
// T1204.002 - User Execution: Malicious File: If the user agent is associated with a known malicious browser or script, it could indicate an attempt to execute malicious files3.

Explanation

This query is designed to identify potential unauthorized access to Azure cloud accounts by analyzing sign-in logs. Here's a simple breakdown:

  1. Data Source: The query examines sign-in logs from the past 90 days.
  2. User Agent Filtering: It specifically looks for sign-ins using a particular web browser (Mozilla/5.0 on Linux with a specific Chrome version).
  3. Application Filtering: The query is focused on sign-ins to the "OfficeHome" application.

The query is linked to certain MITRE ATT&CK techniques, which are frameworks for understanding cyber threats:

  • T1078 - Valid Accounts: This technique involves the use of legitimate credentials to access systems. The query helps detect this by identifying unusual user agents, which might indicate unauthorized access.
  • T1071.001 - Application Layer Protocol: Web Protocols: The query highlights the use of web protocols, as indicated by the specific user agent string, suggesting web-based access.
  • T1204.002 - User Execution: Malicious File: If the user agent is linked to known malicious activity, it could suggest attempts to execute harmful files.

Overall, the query is a tool for detecting suspicious sign-in activities that could indicate account takeovers in Azure environments.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

SigninLogs

Keywords

SigninLogsUserAgentAppDisplayNameOfficeHome

Operators

SigninLogs|where>ago()==

MITRE Techniques

Actions

GitHub