Catégorie : Microsoft Defender for Cloud

Azure Defender – Génération Alertes

Hello,

Dans cet article, je vais vous présenter comment générer des alertes de sécurité pour Azure Defender et ce directement depuis le portail Azure.

La génération d’alertes peut-être intéressantes si vous souhaitez réaliser des « Firedrills » par exemple.

Pour cela je vous donne rendez-vous au sein du service Azure Security Center, puis je vous invite à cliquer sur « Security Alerts » et enfin sur « Create sample alerts ».

Les alertes suivantes peuvent être générées:

  • App Service / Suspicious WordPress theme invocation detected
  • App Service / Phishing content hosted on Azure Webapps
  • App Service / Attempt to run high privilege command detected
  • AKS / Exposed Kubernetes dashboard detected
  • AKS / Container with a sensitive volume detected
  • AKV / Access from a TOR exit node to a Key Vault
  • AKV / High volume of operations in a Key Vault
  • AKV / Suspicious secret listing and query in a Key Vault
  • SQL / Unusual export location
  • SQL / Attempted logon by a potentially harmful application
  • SQL / Logon from an unusual location
  • SQL / Potential SQL injection
  • Storage / Unusual amount of data extracted from a storage account
  • Storage / Unusual change of access permissions in a storage account
  • Windows / Detected Petya ransomware indicators
  • Windows / Executable found running from a suspicious location

Maxime.

Azure Defender Resource Manager

Hello,

Azure supporte désormais le service Resource Manager dans son offre Azure Defender. Cette fonctionnalité est désormais disponible en pré-version.

Vous pouvez retrouver ci-dessous l’ensembles des alertes disponibles:

AlertDescriptionMITRE tactics
(Learn more)
Severity
PREVIEW – Activity from a risky IP address
(ARM.MCAS_ActivityFromAnonymousIPAddresses)
Users activity from an IP address that has been identified as an anonymous proxy IP address has been detected.
These proxies are used by people who want to hide their device’s IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization.
Medium
PREVIEW – Activity from infrequent country
(ARM.MCAS_ActivityFromInfrequentCountry)
Activity from a location that wasn’t recently or ever visited by any user in the organization has occurred.
This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization.
Medium
PREVIEW – Impossible travel activity
(ARM.MCAS_ImpossibleTravelActivity)
Two user activities (in a single or multiple sessions) have occurred, originating from geographically distant locations. This occurs within a time period shorter than the time it would have taken the user to travel from the first location to the second. This indicates that a different user is using the same credentials.
This detection uses a machine learning algorithm that ignores obvious false positives contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days, during which it learns a new user’s activity pattern.
Medium
PREVIEW – Azurite toolkit run detected
(ARM_Azurite)
A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool Azurite can be used by an attacker (or penetration tester) to map your subscriptions’ resources and identify insecure configurations.High
PREVIEW – Suspicious management session using PowerShell detected
(ARM_UnusedAppPowershellPersistence)
Subscription activity logs analysis has detected suspicious behavior. A principal that doesn’t regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker.PersistenceMedium
PREVIEW – Suspicious management session using an inactive account detected
(ARM_UnusedAccountPersistence)
Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker.PersistenceMedium
PREVIEW – MicroBurst toolkit « Get-AzureDomainInfo » function run detected
(ARM_MicroBurstDomainInfo)
A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool « MicroBurst » (see https://github.com/NetSPI/MicroBurst) can be used by an attacker (or penetration tester) to map your subscription(s) resources, identify insecure configurations, and leak confidential information.High
PREVIEW – MicroBurst toolkit « Get-AzurePasswords » function run detected
(ARM_MicroBurstRunbook)
A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool « MicroBurst » (see https://github.com/NetSPI/MicroBurst) can be used by an attacker (or penetration tester) to map your subscription(s) resources, identify insecure configurations, and leak confidential information.High
PREVIEW – Suspicious management session using Azure portal detected
(ARM_UnusedAppIbizaPersistence)
Analysis of your subscription activity logs has detected a suspicious behavior. A principal that doesn’t regularly use the Azure portal (Ibiza) to manage the subscription environment (hasn’t used Azure portal to manage for the last 45 days, or a subscription that it is actively managing), is now using the Azure portal and performing actions that can secure persistence for an attacker.Medium
Antimalware broad files exclusion in your virtual machine (Preview)
(ARM_AmBroadFilesExclusion)
Files exclusion from antimalware extension with broad exclusion rule was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such exclusion practically disabling the Antimalware protection.
Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
Medium
Antimalware disabled and code execution in your virtual machine (Preview)
(ARM_AmDisablementAndCodeExecution)
Antimalware disabled at the same time as code execution on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
Attackers disable antimalware scanners to prevent detection while running unauthorized tools or infecting the machine with malware.
High
Antimalware disabled in your virtual machine (Preview)
(ARM_AmDisablement)
Antimalware disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
Attackers might disable the antimalware on your virtual machine to prevent detection.
Medium
Antimalware file exclusion and code execution in your virtual machine (Preview)
(ARM_AmFileExclusionAndCodeExecution)
File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.
High
Antimalware file exclusion and code execution in your virtual machine (Preview)
(ARM_AmTempFileExclusionAndCodeExecution)
Temporary file exclusion from antimalware extension in parallel to execution of code via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
High
Antimalware file exclusion in your virtual machine (Preview)
(ARM_AmTempFileExclusion)
File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware.
Medium
Antimalware real-time protection was disabled in your virtual machine (Preview)
(ARM_AmRealtimeProtectionDisabled)
Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
Medium
Antimalware real-time protection was disabled temporarily in your virtual machine (Preview)
(ARM_AmTempRealtimeProtectionDisablement)
Real-time protection temporary disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
Medium
Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine (Preview)
(ARM_AmRealtimeProtectionDisablementAndCodeExec)
Real-time protection temporary disablement of the antimalware extension in parallel to code execution via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
High
Antimalware temporarily disabled in your virtual machine (Preview)
(ARM_AmTemporarilyDisablement)
Antimalware temporarily disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.
Attackers might disable the antimalware on your virtual machine to prevent detection.
Medium
Antimalware unusual file exclusion in your virtual machine (Preview)
(ARM_UnusualAmFileExclusion)
Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
Medium
Custom script extension with suspicious command in your virtual machine (Preview)
(ARM_CustomScriptExtensionSuspiciousCmd)
Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
Attackers may use custom script extension to execute a malicious code on your virtual machine via the Azure Resource Manager.
ExecutionMedium
Custom script extension with suspicious entry-point in your virtual machine (Preview)
(ARM_CustomScriptExtensionSuspiciousEntryPoint)
Custom script extension with a suspicious entry-point was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. The entry-point refers to a suspicious GitHub repository.
Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
ExecutionMedium
Custom script extension with suspicious payload in your virtual machine (Preview)
(ARM_CustomScriptExtensionSuspiciousPayload)
Custom script extension with a payload from a suspicious GitHub repository was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
ExecutionMedium
MicroBurst exploitation toolkit used to enumerate resources in your subscriptions (Preview)
(ARM_MicroBurst.AzDomainInfo)
MicroBurst’s Information Gathering module was run on your subscription. This tool can be used to discover resources, permissions and network structures. This was detected by analyzing the Azure Activity logs and resource management operations in your subscriptionHigh
MicroBurst exploitation toolkit used to enumerate resources in your subscriptions (Preview)
(ARM_MicroBurst.AzureDomainInfo)
MicroBurst’s Information Gathering module was run on your subscription. This tool can be used to discover resources, permissions and network structures. This was detected by analyzing the Azure Activity logs and resource management operations in your subscriptionHigh
MicroBurst exploitation toolkit used to execute code on your virtual machine (Preview)
(ARM_MicroBurst.AzVMBulkCMD)
MicroBurst’s exploitation toolkit was used to execute code on your virtual machines. This was detected by analyzing Azure Resource Manager operations in your subscription.High
MicroBurst exploitation toolkit used to execute code on your virtual machine (Preview)
(RM_MicroBurst.AzureRmVMBulkCMD)
MicroBurst’s exploitation toolkit was used to execute code on your virtual machines. This was detected by analyzing Azure Resource Manager operations in your subscription.High
MicroBurst exploitation toolkit used to extract keys from your Azure key vaults (Preview)
(ARM_MicroBurst.AzKeyVaultKeysREST)
MicroBurst’s exploitation toolkit was used to extract keys from your Azure key vaults. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.High
MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)
(ARM_MicroBurst.AZStorageKeysREST)
MicroBurst’s exploitation toolkit was used to extract keys to your storage accounts. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.High
MicroBurst exploitation toolkit used to extract secrets from your Azure key vaults (Preview)
(ARM_MicroBurst.AzKeyVaultSecretsREST)
MicroBurst’s exploitation toolkit was used to extract secrets from your Azure key vaults. This was detected by analyzing Azure Activity logs and resource management operations in your subscription.High
PowerZure exploitation toolkit used to elevate access from Azure AD to Azure (Preview)
(ARM_PowerZure.AzureElevatedPrivileges)
PowerZure exploitation toolkit was used to elevate access from AzureAD to Azure. This was detected by analyzing Azure Resource Manager operations in your tenant.High
PowerZure exploitation toolkit used to enumerate resources (Preview)
(ARM_PowerZure.GetAzureTargets)
PowerZure exploitation toolkit was used to enumerate resources on behalf of a legitimate user account in your organization. This was detected by analyzing Azure Resource Manager operations in your subscription.High
PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables (Preview)
(ARM_PowerZure.ShowStorageContent)
PowerZure exploitation toolkit was used to enumerate storage shares, tables, and containers. This was detected by analyzing Azure Resource Manager operations in your subscription.High
PowerZure exploitation toolkit used to execute a Runbook in your subscription (Preview)
(ARM_PowerZure.StartRunbook)
PowerZure exploitation toolkit was used to execute a Runbook. This was detected by analyzing Azure Resource Manager operations in your subscription.High
PowerZure exploitation toolkit used to extract Runbooks content (Preview)
(ARM_PowerZure.AzureRunbookContent)
PowerZure exploitation toolkit was used to extract Runbook content. This was detected by analyzing Azure Resource Manager operations in your subscription.High
Suspicious failed execution of custom script extension in your virtual machine (Preview)
(ARM_CustomScriptExtensionSuspiciousFailure)
Suspicious failure of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
Such failures may be associated with malicious scripts run by this extension.
ExecutionMedium
Unusual config reset in your virtual machine (Preview)
(ARM_VMAccessUnusualConfigReset)
An unusual config reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
While this action may be legitimate, attackers can try utilizing VM Access extension to reset the configuration in your virtual machine and compromise it.
CredentialAccessMedium
Unusual deletion of custom script extension in your virtual machine (Preview)
(ARM_CustomScriptExtensionUnusualDeletion)
Unusual deletion of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
ExecutionMedium
Unusual execution of custom script extension in your virtual machine (Preview)
(ARM_CustomScriptExtensionUnusualExecution)
Unusual execution of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
ExecutionMedium
Unusual user password reset in your virtual machine (Preview)
(ARM_VMAccessUnusualPasswordReset)
An unusual user password reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
While this action may be legitimate, attackers can try utilizing the VM Access extension to reset the credentials of a local user in your virtual machine and compromise it.
CredentialAccessMedium
Unusual user SSH key reset in your virtual machine (Preview)
(ARM_VMAccessUnusualSSHReset)
An unusual user SSH key reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.
While this action may be legitimate, attackers can try utilizing VM Access extension to reset SSH key of a user account in your virtual machine and compromise it.
CredentialAccessMedium
Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials (Preview)
(ARM_MicroBurst.RunCodeOnBehalf)
Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials. This was detected by analyzing Azure Resource Manager operations in your subscription.High
Usage of NetSPI techniques to maintain persistence in your Azure environment (Preview)
(ARM_NetSPI.MaintainPersistence)
Usage of NetSPI persistence technique to create a webhook backdoor and maintain persistence in your Azure environment. This was detected by analyzing Azure Resource Manager operations in your subscription.High
Usage of PowerZure exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials (Preview)
(ARM_PowerZure.RunCodeOnBehalf)
PowerZure exploitation toolkit detected attempting to run code or exfiltrate Azure Automation account credentials. This was detected by analyzing Azure Resource Manager operations in your subscription.High
Usage of PowerZure function to maintain persistence in your Azure environment (Preview)
(ARM_PowerZure.MaintainPersistence)
PowerZure exploitation toolkit detected creating a webhook backdoor to maintain persistence in your Azure environment. This was detected by analyzing Azure Resource Manager operations in your subscription.High

Maxime.