Entra Account Storm Campaign

Entra Account Storm Campaign is a targeted cyberattack campaign focused on Microsoft Entra ID accounts. Threat actors use automated tools to perform password spraying, gain unauthorized access, and exfiltrate data. The attacks occur in waves, often from cloud services like AWS, and combine stealth with bursts of intense activity. This campaign highlights the risks of weak credentials and insufficient cloud security monitoring.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1068 - Exploitation for Privilege Escalation


ID: DS0027 | Data Source: Driver | Data Component: Driver Load

Detects: Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.[52] Higher privileges are often necessary to perform additional actions such as some methods of OS Credential Dumping. Look for additional activity that may indicate an adversary has gained higher privileges.

ID: DS0009 | Data Source: Process | Data Component: Process Creation

Detects: Monitor for newly executed processes that may exploit software vulnerabilities in an attempt to elevate privileges. After gaining initial access to a system, threat actors attempt to escalate privileges, since they may be operating within a lower-privileged process that does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting the spoolsv.exe or conhost.exe executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us to any potentially malicious activity.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for an invocation of either spoolsv.exe or conhost.exe by a user, thus alerting us of any potentially malicious activity. A common way of escalating privileges in a system is by externally invoking and exploiting these executables, both of which are legitimate Windows applications.

Analytic 1 - Unusual Child Process for spoolsv.exe or conhost.exe

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND (Image="C:\Windows\System32\spoolsv.exe" OR Image="C:\Windows\System32\conhost.exe") AND ParentImage="C:\Windows\System32\cmd.exe"


T1134 - Access Token Manipulation

ID: DS0026 | Data Source: Active Directory | Data Component: Active Directory Object Modification

Detects: Monitor for changes made to AD settings that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.

ID: DS0017 | Data Source: Command | Data Component: Command Execution

Detects: Monitor executed commands and arguments for token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[31]

ID: DS0009 | Data Source: Process | Data Component: OS API Execution

Detects: Monitor for API calls, loaded by a payload, for token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. There are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser [32], DuplicateTokenEx [33], and ImpersonateLoggedOnUser [34]). Please see the referenced Windows API pages for more information.



ID: DS0009 | Data Source: Process | Data Component: Process Creation

Detects: Monitor for executed processes that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.



ID: DS0009 | Data Source: Process | Data Component: Process Metadata

Detects: Query systems for process and thread token information and look for inconsistencies, such as a user-owned process impersonating the local SYSTEM account.[35] Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW-provided EventHeader ProcessId identifies the actual parent process.
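Added example, not from the campaign page or ATT&CK: a Python check that joins the three PPID fields named above for each process start and flags records where the log-derived parents disagree with the ETW EventHeader ProcessId, which the guidance treats as the actual parent. The record layout, field names, PIDs and image names are this example's own constructed normalisation, not raw collector property names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcStart:
    """One process start joined from three collectors. Field names are this example's
    own normalisation (assumption), not the raw ETW / Security-log property names."""
    pid: int
    image: str
    etw_header_pid: int       # EventHeader ProcessId of the ETW start event: the real creator
    creator_pid_4688: int     # "Creator Process ID" from Security event 4688
    parent_pid_snapshot: int  # ParentProcessId as shown by Task Manager / Process Explorer


# Constructed process table and start records (PIDs and images are made up)
PROCESS_TABLE = {912: "explorer.exe", 3000: "explorer.exe", 4880: "WINWORD.EXE",
                 5020: "cmd.exe", 4120: "notepad.exe", 6100: "powershell.exe", 700: "svchost.exe"}

SAMPLE_STARTS = [
    ProcStart(4120, "notepad.exe", 3000, 3000, 3000),   # all three sources agree
    ProcStart(5020, "cmd.exe", 4880, 912, 912),         # logs claim explorer; ETW says WINWORD created it
    ProcStart(6100, "powershell.exe", 700, 700, 912),   # snapshot tool reports a parent neither log shows
]


def find_ppid_inconsistencies(records, process_table):
    """Return one finding per record whose Security-log and snapshot parent PIDs do not
    all equal the ETW header PID; the ETW value is reported as the actual parent."""
    findings = []
    for r in records:
        claimed = {r.creator_pid_4688, r.parent_pid_snapshot}
        if claimed == {r.etw_header_pid}:
            continue  # consistent across all sources
        findings.append({
            "pid": r.pid,
            "image": r.image,
            "actual_parent": (r.etw_header_pid, process_table.get(r.etw_header_pid, "?")),
            "claimed_parents": sorted((p, process_table.get(p, "?"))
                                      for p in claimed - {r.etw_header_pid}),
        })
    return findings


if __name__ == "__main__":
    for finding in find_ppid_inconsistencies(SAMPLE_STARTS, PROCESS_TABLE):
        print(finding)
```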

ID: DS0002 | Data Source: User Account | Data Component: User Account Metadata

Detects: Monitor for contextual data about an account, which may include a username, user ID, environmental data, etc., that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.


T1110 - Brute Force


ID: DS0015 | Data Source: Application Log | Data Component: Application Log Content

Detects: Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.

ID: DS0017 | Data Source: Command | Data Component: Command Execution

Detects: Monitor executed commands and arguments that may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Analytic 1 - Command-line tools used for brute force attacks.

(index=security sourcetype="Powershell" EventCode=4104)
OR (index=os sourcetype="linux_secure" (cmdline IN ("hydra", "medusa", "ncrack", "patator", "john", "hashcat", "rcrack", "w3af", "aircrack-ng")))
OR (index=os sourcetype="macos_secure" (cmdline IN ("hydra", "medusa", "ncrack", "patator", "john", "hashcat", "rcrack", "w3af", "aircrack-ng")))
| where match(CommandLine, "(?i)(hydra|medusa|ncrack|patator|john|hashcat|rcrack|w3af|aircrack-ng)")

ID: DS0002 | Data Source: User Account | Data Component: User Account Authentication

Detects: Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.

Analytic 1 - Multiple failed logon attempts across different accounts.

(index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 5379))
OR (index=security sourcetype="linux_secure" message="Failed password")
OR (index=security sourcetype="macos_secure" message="Failed to authenticate user")
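Added example, not part of the original page: a Python detector for the password-spraying pattern described above (many accounts, few failures each, from one source), run over constructed Entra ID sign-in records shaped like the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, status.errorCode; 50126 is Entra's "invalid username or password" code). It also reports accounts that later signed in successfully from a flagged source, the follow-on this campaign relies on. Addresses, accounts and timestamps are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_PASSWORD = 50126  # Entra ID sign-in errorCode: invalid username or password

def _ev(ts, upn, ip, code):  # minimal Graph-style signIn record with only the fields read below
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample (RFC 5737 test addresses, fictional tenant): one source fails once against
# five accounts and later succeeds against one; another is a single user mistyping a password.
SAMPLE_SIGNINS = [
    _ev("2024-05-01T10:00:00Z", "alice@example.com", "203.0.113.7", FAILED_PASSWORD),
    _ev("2024-05-01T10:00:40Z", "bob@example.com", "203.0.113.7", FAILED_PASSWORD),
    _ev("2024-05-01T10:01:20Z", "carol@example.com", "203.0.113.7", FAILED_PASSWORD),
    _ev("2024-05-01T10:02:00Z", "dave@example.com", "203.0.113.7", FAILED_PASSWORD),
    _ev("2024-05-01T10:02:40Z", "erin@example.com", "203.0.113.7", FAILED_PASSWORD),
    _ev("2024-05-01T10:09:00Z", "erin@example.com", "203.0.113.7", 0),
    _ev("2024-05-01T10:00:10Z", "grace@example.com", "198.51.100.9", FAILED_PASSWORD),
    _ev("2024-05-01T10:00:30Z", "grace@example.com", "198.51.100.9", FAILED_PASSWORD),
    _ev("2024-05-01T10:00:55Z", "grace@example.com", "198.51.100.9", FAILED_PASSWORD),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Flag source IPs that, inside any sliding `window`, fail against >= min_accounts distinct
    accounts with <= max_per_account failures each (many users, few guesses per user).
    A finding lists the accounts tried and any that later signed in successfully from that IP."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        ts, upn = _ts(e["createdDateTime"]), e["userPrincipalName"].lower()
        code = e.get("status", {}).get("errorCode")
        if code == FAILED_PASSWORD:
            fails[e["ipAddress"]].append((ts, upn))
        elif code == 0:
            successes[e["ipAddress"]].append((ts, upn))
    findings = {}
    for ip, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            per_user = Counter(u for _, u in attempts[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                later = sorted({u for t, u in successes[ip] if t > attempts[0][0]})
                findings[ip] = {"accounts": sorted({u for _, u in attempts}), "later_success": later}
                break
    return findings
```

A single account failing repeatedly from one address (the grace records) is deliberately not flagged; that is the classic brute-force shape covered by the lockout-oriented analytic above, not a spray.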

Observed Countries (8)

AU (244)
CA (534)
DE (621)
GB (424)
IE (556)
IN (222)
NL (833)
US (516)