
Compute resource abuse

Multiple VM creation activities following suspicious Azure Active Directory sign-in

MITRE ATT&CK tactics: Initial Access, Impact

MITRE ATT&CK techniques: Valid Account (T1078), Resource Hijacking (T1496)

Data connector sources: Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that an anomalous number of VMs were created in a single session following a suspicious sign-in to an Azure AD account. This type of alert indicates, with a high degree of confidence, that the account noted in the Fusion incident description has been compromised and used to create new VMs for unauthorized purposes, such as running crypto mining operations. The permutations of suspicious Azure AD sign-in alerts with the multiple VM creation activities alert are:

- Impossible travel to an atypical location leading to multiple VM creation activities
- Sign-in event from an unfamiliar location leading to multiple VM creation activities
- Sign-in event from an infected device leading to multiple VM creation activities
- Sign-in event from an anonymous IP address leading to multiple VM creation activities
- Sign-in event from user with leaked credentials leading to multiple VM creation activities

Credential access (New threat classification)

Multiple passwords reset by user following suspicious sign-in

This scenario makes use of alerts produced by scheduled analytics rules, so the corresponding scheduled rule must be enabled and producing alerts for Fusion to correlate them.

MITRE ATT&CK tactics: Initial Access, Credential Access

MITRE ATT&CK techniques: Valid Account (T1078), Brute Force (T1110)

Data connector sources: Microsoft Sentinel (scheduled analytics rule), Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that a user reset multiple passwords following a suspicious sign-in to an Azure AD account. This evidence suggests that the account noted in the Fusion incident description has been compromised and was used to perform multiple password resets in order to gain access to multiple systems and resources. Account manipulation (including password reset) may aid adversaries in maintaining access to credentials and certain permission levels within an environment. The permutations of suspicious Azure AD sign-in alerts with multiple passwords reset alerts are:

- Impossible travel to an atypical location leading to multiple passwords reset
- Sign-in event from an unfamiliar location leading to multiple passwords reset
- Sign-in event from an infected device leading to multiple passwords reset
- Sign-in event from an anonymous IP leading to multiple passwords reset
- Sign-in event from user with leaked credentials leading to multiple passwords reset

Suspicious sign-in coinciding with successful sign-in to Palo Alto VPN by IP with multiple failed Azure AD sign-ins

This scenario makes use of alerts produced by scheduled analytics rules, so the corresponding scheduled rule must be enabled and producing alerts for Fusion to correlate them.

MITRE ATT&CK tactics: Initial Access, Credential Access

MITRE ATT&CK techniques: Valid Account (T1078), Brute Force (T1110)

Data connector sources: Microsoft Sentinel (scheduled analytics rule), Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that a suspicious sign-in to an Azure AD account coincided with a successful sign-in through a Palo Alto VPN from an IP address from which multiple failed Azure AD sign-ins occurred in a similar time frame. Though not evidence of a multistage attack, the correlation of these two lower-fidelity alerts results in a high-fidelity incident suggesting malicious initial access to the organization's network. Alternatively, this could be an indication of an attacker trying to use brute force techniques to gain access to an Azure AD account. The permutations of suspicious Azure AD sign-in alerts with "IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN" alerts are:

- Impossible travel to an atypical location coinciding with IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN
- Sign-in event from an unfamiliar location coinciding with IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN
- Sign-in event from an infected device coinciding with IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN
- Sign-in event from an anonymous IP coinciding with IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN
- Sign-in event from user with leaked credentials coinciding with IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN

Credential harvesting (New threat classification)

Malicious credential theft tool execution following suspicious sign-in
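The following is an added worked example for the three scenarios documented above (multiple VM creation, multiple password resets, and the Palo Alto VPN sign-in from an IP with failed Azure AD sign-ins); it is not part of the Sentinel documentation, not Microsoft's Fusion engine, and not the code of any shipped analytics rule. It models the pattern the descriptions share: a scheduled-rule alert and an Identity Protection "suspicious sign-in" alert are each too weak to raise an incident alone, but joined on the same user (or, for the VPN case, the same IP) within a similar time frame they become one incident tagged with the scenario's MITRE tactics and techniques. The record layouts are simplified stand-ins for SigninLogs, AuditLogs, AzureActivity and Palo Alto CommonSecurityLog rows, every event is constructed, and the thresholds and time windows are assumptions, since the page does not state Fusion's real values.

```python
"""Fusion-style correlation: two lower-fidelity alerts joined into one incident.

Added illustration, not Microsoft's Fusion engine or Sentinel rule code. Records are
simplified stand-ins for SigninLogs, AuditLogs, AzureActivity and Palo Alto
CommonSecurityLog rows; all events are constructed, thresholds and windows assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T = datetime.fromisoformat  # "2024-05-01T08:00" -> datetime
H = timedelta(hours=1)

# --- constructed sample data (Identity Protection alerts = the "suspicious sign-in" half)
SUSPICIOUS_SIGNINS = [
    {"time": T("2024-05-01T08:00"), "user": "alice@contoso.com", "ip": "203.0.113.7",
     "alert": "Sign-in event from an anonymous IP"},
    {"time": T("2024-05-01T09:30"), "user": "bob@contoso.com", "ip": "198.51.100.4",
     "alert": "Impossible travel to an atypical location"},
    {"time": T("2024-05-03T11:00"), "user": "carol@contoso.com", "ip": "192.0.2.9",
     "alert": "Sign-in event from an unfamiliar location"},
    {"time": T("2024-05-04T10:00"), "user": "frank@contoso.com", "ip": "192.0.2.50",
     "alert": "Sign-in event from user with leaked credentials"},  # nothing follows it
]
# 12 failed Azure AD sign-ins (result != 0) from one IP, then a VPN success from that IP
SIGNIN_LOGS = [{"time": T("2024-05-01T07:%02d" % m), "user": "svc%d@contoso.com" % m,
                "ip": "203.0.113.7", "result": 50126} for m in range(40, 52)]
VPN_LOGS = [{"time": T("2024-05-01T07:58"), "user": "alice", "ip": "203.0.113.7", "status": "success"}]
# one actor resets four users' passwords in four minutes (AuditLogs stand-in)
AUDIT_LOGS = [{"time": T("2024-05-01T09:%02d" % (35 + i)), "actor": "bob@contoso.com",
               "operation": "Reset user password", "target": "user%d@contoso.com" % i} for i in range(4)]
# eight VM creations by one user in one session (AzureActivity stand-in)
ACTIVITY_LOGS = [{"time": T("2024-05-03T11:%02d" % (10 + i)), "user": "carol@contoso.com",
                  "operation": "Microsoft.Compute/virtualMachines/write", "session": "s-77"} for i in range(8)]

VPN_RULE = "IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN"
RESET_RULE = "multiple passwords reset"
VM_RULE = "multiple VM creation activities"

# --- stand-ins for the scheduled analytics rules (the lower-fidelity half) ----------
def rule_failed_ip_then_vpn(signins, vpn, threshold=10, window=H):
    """IP with >= threshold failed Azure AD sign-ins that then signs in to the VPN."""
    failed = defaultdict(list)
    for e in signins:
        if e["result"] != 0:
            failed[e["ip"]].append(e["time"])
    alerts = []
    for v in vpn:
        recent = [t for t in failed.get(v["ip"], []) if timedelta(0) <= v["time"] - t <= window]
        if v["status"] == "success" and len(recent) >= threshold:
            alerts.append({"rule": VPN_RULE, "time": v["time"], "ip": v["ip"], "user": v["user"],
                           "failed_count": len(recent)})
    return alerts

def rule_multiple_password_resets(audit, threshold=3, window=H):
    """Actor performing >= threshold consecutive password resets inside one window."""
    by_actor = defaultdict(list)
    for e in sorted(audit, key=lambda e: e["time"]):
        if e["operation"] == "Reset user password":
            by_actor[e["actor"]].append(e["time"])
    alerts = []
    for actor, ts in by_actor.items():
        if any(ts[i + threshold - 1] - ts[i] <= window for i in range(len(ts) - threshold + 1)):
            alerts.append({"rule": RESET_RULE, "time": ts[0], "user": actor, "reset_count": len(ts)})
    return alerts

def rule_multiple_vm_creation(activity, threshold=5):
    """Anomalous number of VM creations by one user inside a single session."""
    per_session = defaultdict(list)
    for e in activity:
        if e["operation"].endswith("virtualMachines/write"):
            per_session[(e["user"], e["session"])].append(e["time"])
    return [{"rule": VM_RULE, "time": min(ts), "user": user, "vm_count": len(ts)}
            for (user, _), ts in per_session.items() if len(ts) >= threshold]

# --- Fusion-style join: rule -> (incident title, tactics, techniques, join key, relation)
SCENARIOS = {
    VPN_RULE: ("Suspicious sign-in coinciding with successful sign-in to Palo Alto VPN by IP "
               "with multiple failed Azure AD sign-ins", ("Initial Access", "Credential Access"),
               ("T1078", "T1110"), "ip", "coinciding with"),
    RESET_RULE: ("Multiple passwords reset by user following suspicious sign-in",
                 ("Initial Access", "Credential Access"), ("T1078", "T1110"), "user", "leading to"),
    VM_RULE: ("Multiple VM creation activities following suspicious Azure Active Directory sign-in",
              ("Initial Access", "Impact"), ("T1078", "T1496"), "user", "leading to"),
}

def fuse(suspicious, rule_alerts, window=24 * H):
    """Pair each suspicious sign-in with a rule alert on the same entity in a similar time frame.
    'leading to': rule alert after the sign-in, within window; 'coinciding with': either order,
    joined on IP rather than on user. Neither alert becomes an incident on its own."""
    incidents = []
    for s in suspicious:
        for r in rule_alerts:
            title, tactics, techniques, key, relation = SCENARIOS[r["rule"]]
            delta = r["time"] - s["time"]
            in_frame = timedelta(0) <= delta <= window if relation == "leading to" else abs(delta) <= window
            if s[key] == r[key] and in_frame:
                incidents.append({"title": title, "tactics": tactics, "techniques": techniques,
                                  "permutation": f"{s['alert']} {relation} {r['rule']}",
                                  "user": s["user"], "ip": s["ip"], "evidence": (s, r)})
    return incidents

def run_fusion():
    rule_alerts = (rule_failed_ip_then_vpn(SIGNIN_LOGS, VPN_LOGS)
                   + rule_multiple_password_resets(AUDIT_LOGS)
                   + rule_multiple_vm_creation(ACTIVITY_LOGS))
    return fuse(SUSPICIOUS_SIGNINS, rule_alerts)
```

Running `run_fusion()` yields three incidents, one per scenario, each carrying the permutation string in the form the lists above use ("Sign-in event from an anonymous IP coinciding with IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN", and so on). The fourth suspicious sign-in, the leaked-credentials alert for frank@contoso.com, produces nothing because no scheduled-rule alert shares its user or IP within the window, which is the point the VPN description makes: the lower-fidelity alert on its own is not an incident. When tuning real rules, the window, the failure threshold and the join key (IP for the VPN case, user for the others) are the knobs that decide how many benign coincidences survive the join.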
