Query Details

Token Replay From Workload Identity With Privileges In Microsoft Azure Workload Identity Info

Query

let azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)
  ["https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json"] with(format='multijson')
  | mv-expand values
  | mv-expand values.properties.addressPrefixes
  | mv-expand values_properties_addressPrefixes
  | summarize by tostring(values_properties_addressPrefixes)
  | extend isipv4 = parse_ipv4(values_properties_addressPrefixes)
  | extend isipv6 = parse_ipv6(values_properties_addressPrefixes)
  | extend ip_type = case(isnotnull(isipv4), "v4", "v6")
  | summarize make_list(values_properties_addressPrefixes) by ip_type;
AzureActivity
| where parse_json(tostring(Authorization_d.evidence)).principalType == "ServicePrincipal"
| extend ClaimsObjectIdentifier = parse_json(Claims).["http://schemas.microsoft.com/identity/claims/objectidentifier"] 
| extend parsedClaims = parse_json(Claims_d)
| where ActivityStatusValue == "Success" and ActivitySubstatusValue == "OK"
| project
    TimeGenerated,
    CorrelationId,
    OperationName,
    ResourceProviderValue,
    _ResourceId,
    ActivityIpAddress = CallerIpAddress,
    ApplicationId = tostring(Claims_d.appid),
    Uti = tostring(Claims_d.uti),
    ActivityStatus
| join kind=inner (union AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs
    | project
        ConditionalAccessPolicies,
        ConditionalAccessStatus,
        ServicePrincipalCredentialKeyId,
        SignInIpAddress = IPAddress,
        UniqueTokenIdentifier
    )
    on $left.Uti == $right.UniqueTokenIdentifier
| where ActivityIpAddress != SignInIpAddress and SignInIpAddress != ""
| extend isipv4 = parse_ipv4(ActivityIpAddress)
| extend ip_type = case(isnotnull(isipv4), "v4", "v6")
| join kind=fullouter (azure_ranges) on ip_type
| extend ipv6_match = ipv6_is_in_any_range(ActivityIpAddress, list_values_properties_addressPrefixes)
| extend ipv4_match = ipv4_is_in_any_range(ActivityIpAddress, list_values_properties_addressPrefixes)
| extend IpAddressType = iff(ipv4_match or ipv6_match, "Azure Public IP", "None Azure IP")
| where isnotempty(ApplicationId)
| join kind=leftouter(
    PrivilegedWorkloadIdentityInfo
    | project
        WorkloadIdentityName,
        WorkloadIdentityType,
        ApplicationObjectId,
        ServicePrincipalObjectId,
        ApplicationId,
        IsFirstPartyApp,
        EntraIdRoles,
        AppRolePermissions,
        WorkloadIdClassification = EnterpriseAccessModelTiering
    )
    on ApplicationId
| extend Severity = iff(IpAddressType != "Azure Public IP", "High", "Medium")

Explanation

This query is designed to detect potential token replay attacks in Microsoft Azure. Here's a simplified breakdown of what it does:

  1. Purpose: It identifies instances where a token, used for accessing Azure resources, is utilized from a different IP address than the one used during the initial sign-in. This could indicate a security threat, such as a token replay attack.

  2. Severity Levels:

    • The alert severity is set to "High" if the activity IP address is not within the known Azure service tag IP address ranges, suggesting it might be from an unauthorized or suspicious source.
    • Otherwise, the severity is "Medium".
  3. Data Sources:

    • It pulls data from Azure activity logs and sign-in logs related to service principals and managed identities.
    • It also references a list of Azure IP ranges to determine if the IP address is part of Azure's public IPs.
  4. Logic:

    • The query checks for successful activities performed by service principals.
    • It compares the IP address used for the activity with the IP address used during the sign-in.
    • If these IPs differ and the sign-in IP is not empty, it flags the activity as suspicious.
  5. Alert Configuration:

    • If a suspicious activity is detected, an alert is created.
    • The alert includes details like the workload identity name, the activity IP address, and whether the IP is within Azure's public range.
    • Alerts are grouped by cloud application and are set to create incidents for further investigation.
  6. Additional Details:

    • The query includes mappings to enrich the alert with details about the workload identity, such as its name, type, and associated roles or permissions.
    • It also specifies how long to suppress similar alerts to avoid alert fatigue.

Overall, this query helps in monitoring and identifying unauthorized or suspicious use of tokens in Azure, which is crucial for maintaining security and preventing potential breaches.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: November 23, 2023

Tables

AzureActivityAADServicePrincipalSignInLogsAADManagedIdentitySignInLogsPrivilegedWorkloadIdentityInfo

Keywords

AzureActivityServicePrincipalApplicationIdIpAddressWorkloadIdentityNameWorkloadIdentityTypeServicePrincipalObjectIdConditionalAccessStatusEntraIdRolesAppRolePermissions

Operators

letexternaldatawithformatmv-expandsummarizebytostringextendparse_ipv4parse_ipv6caseisnotnullmake_listwhereparse_jsonprojectjoinkinduniononandisnotemptyipv6_is_in_any_rangeipv4_is_in_any_rangeiff

Severity

Medium

Tactics

PersistencePrivilegeEscalation

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub