
Entra Account Storm Campaign
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1068 - Exploitation for Privilege Escalation
ID | Data Source | Data Component | Detects |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.[52] Higher privileges are often necessary to perform additional actions such as some methods of OS Credential Dumping. Look for additional activity that may indicate an adversary has gained higher privileges. | |||
Monitor for newly executed processes that may exploit software vulnerabilities in an attempt to elevate privileges. After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for an invocation of either spoolsv.exe or conhost.exe by a user, thus alerting us of any potentially malicious activity. A common way of escalating privileges in a system is by externally invoking and exploiting these executables, both of which are legitimate Windows applications. Analytic 1 - Unusual Child Process for spoolsv.exe or connhost.exe (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\System32\spoolsv.exe" OR Image="C:\Windows\System32\conhost.exe") AND ParentImage= "C:\Windows\System32\cmd.exe") |
T1134 - Access Token Manipulation
ID | Data Source | Data Component | Detects |
Monitor for changes made to AD settings that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. | |||
Monitor executed commands and arguments for token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[31] | |||
Monitor for API calls, loaded by a payload, for token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. There are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser [32], DuplicateTokenEx[33], and ImpersonateLoggedOnUser[34]). Please see the referenced Windows API pages for more information. | |||
Monitor for executed processes that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. | |||
Query systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.[35] Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process. | |||
Monitor for contextual data about an account, which may include a username, user ID, environmental data, etc. that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. |
T1110 - Brute Force
ID | Data Source | Data Component | Detects |
Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. | |||
Monitor executed commands and arguments that may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Analytic 1 - Command-line tools used for brute force attacks. (index=security sourcetype="Powershell" EventCode=4104) OR(index=os sourcetype="linux_secure" (cmdline IN ("hydra", "medusa", "ncrack", "patator", "john", "hashcat", "rcrack", "w3af", "aircrack-ng"))) OR (index=os sourcetype="macos_secure" (cmdline IN ("hydra", "medusa", "ncrack", "patator", "john", "hashcat", "rcrack", "w3af", "aircrack-ng"))) | where match(CommandLine, "(?i)(hydra|medusa|ncrack|patator|john|hashcat|rcrack|w3af|aircrack-ng)") | |||
Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Analytic 1 - Multiple failed logon attempts across different accounts. (index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 5379))OR (index=security sourcetype="linux_secure" message="Failed password")OR (index=security sourcetype="macos_secure" message="Failed to authenticate user") |