Azure AD Alert Details
Alert ID: AAD-CLOUD-DASHBOARD-1538-7842
Alert Time: 2024-02-24 09:30:15 EST
Severity: HIGH (85/100)
Source: Azure AD Identity Protection + Cloud App Security
Rule: “Unusual Azure Portal Access – Privileged Account Reconnaissance”
MITRE ATT&CK: T1538 – Cloud Service Dashboard Discovery
Alert Details:
Detection: Privileged account accessing multiple Azure management areas from unusual location
User: jwilson@company.com (Global Administrator)
Source IP: 185.143.221[.]89 (Bulgaria)
Time: 09:15-09:30 EST
Azure Portal Activity:
09:15:22 – Login to Azure Portal (successful)
09:15:45 – Navigated to “Subscriptions” blade (viewed all subscriptions)
09:16:12 – Navigated to “Resource Groups” (listed all resource groups)
09:16:38 – Navigated to “Virtual Machines” (viewed all VMs)
09:17:05 – Navigated to “SQL Databases” (viewed all databases)
09:17:33 – Navigated to “Storage Accounts” (listed all storage)
09:18:01 – Navigated to “Key Vaults” (viewed vault list)
09:18:28 – Navigated to “Azure AD Users” (exported user list)
09:19:15 – Navigated to “Azure AD Roles and Administrators”
09:19:45 – Navigated to “Enterprise Applications”
09:20:12 – Navigated to “Conditional Access Policies”
09:20:38 – Navigated to “Activity Log” (viewed recent changes)
09:21:00 – Signed out
Detection Logic:
User jwilson is Global Admin (highly privileged)
Normal access location: New York, USA
Current location: Bulgaria (impossible travel)
Access pattern: Systematic review of all Azure areas (reconnaissance)
No configuration changes made (view-only)
Pattern matches adversary discovery phase
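The detection logic above, as an added example (not the alert vendor's rule or anything from the original report): constructed, simplified Azure activity records are scanned for a user whose view-only operations span many distinct management areas inside a short window, and the finding is scored on privilege, location mismatch and breadth. The user/baseline tables, the 10-minute window, the area threshold and the weights (chosen so the sample reproduces the alert's 85/100) are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed context (not from the original alert): who is privileged, each
# user's baseline sign-in country, the window and the breadth threshold.
PRIVILEGED = {"jwilson@company.com"}
BASELINE_COUNTRY = {"jwilson@company.com": "US", "asmith@company.com": "US"}
WINDOW = timedelta(minutes=10)
MIN_AREAS = 6  # distinct management areas viewed before we call it recon
WEIGHTS = {"privileged": 40, "location": 30, "breadth": 15}  # assumed

# Constructed records (ts, user, country, operation) mirroring the alert
# timeline; operation names are simplified, and "/read" marks a view-only op.
RECORDS = [
    ("2024-02-24T09:15:45", "jwilson@company.com", "BG", "Microsoft.Resources/subscriptions/read"),
    ("2024-02-24T09:16:38", "jwilson@company.com", "BG", "Microsoft.Compute/virtualMachines/read"),
    ("2024-02-24T09:17:05", "jwilson@company.com", "BG", "Microsoft.Sql/databases/read"),
    ("2024-02-24T09:17:33", "jwilson@company.com", "BG", "Microsoft.Storage/storageAccounts/read"),
    ("2024-02-24T09:18:01", "jwilson@company.com", "BG", "Microsoft.KeyVault/vaults/read"),
    ("2024-02-24T09:18:28", "jwilson@company.com", "BG", "Microsoft.AAD/users/read"),
    ("2024-02-24T09:19:15", "jwilson@company.com", "BG", "Microsoft.AAD/roleAssignments/read"),
    ("2024-02-24T09:20:12", "jwilson@company.com", "BG", "Microsoft.AAD/conditionalAccessPolicies/read"),
    # Benign: a non-admin reviewing two blades from the expected country.
    ("2024-02-24T09:40:00", "asmith@company.com", "US", "Microsoft.Compute/virtualMachines/read"),
    ("2024-02-24T09:41:00", "asmith@company.com", "US", "Microsoft.Storage/storageAccounts/read"),
]


def detect_dashboard_recon(records):
    """One finding per user whose operations span >= MIN_AREAS areas in WINDOW."""
    by_user = {}
    for ts, user, country, op in records:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), country, op))
    findings = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            areas = {op.rsplit("/", 1)[0] for _, _, op in window}  # blade-like grouping
            if len(areas) < MIN_AREAS:
                continue
            checks = [("privileged", user in PRIVILEGED),
                      ("location", any(c != BASELINE_COUNTRY.get(user) for _, c, _ in window)),
                      ("breadth", True)]
            reasons = [name for name, hit in checks if hit]
            findings.append({"user": user, "start": start, "end": window[-1][0],
                             "areas": len(areas), "reasons": reasons,
                             "writes": sum(not op.endswith("/read") for _, _, op in window),
                             "score": sum(WEIGHTS[r] for r in reasons)})
            break  # later windows for this user overlap; report once
    return findings
```

The `writes` count is reported rather than used as a gate, so a session that mixes reads with a few changes still surfaces as recon and the analyst sees both numbers.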
Additional Context:
jwilson is a cloud architect
Account MFA: Enabled (but approved from Bulgaria?)
User reported MFA request at 09:15 (did NOT approve)
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Azure AD alert | Azure AD Identity Protection | Confirmed suspicious Azure portal access
2. MFA Investigation | Check MFA approval | Azure AD Sign-in Logs | MFA approved from Bulgaria (token theft?)
3. Immediate Action | Disable account | Azure AD, Active Directory | jwilson account disabled
4. Session Termination | Revoke all sessions | Azure AD PowerShell | All sessions terminated
5. Token Revocation | Revoke refresh tokens | Azure AD | All tokens invalidated
6. Password Reset | Reset user password | Azure AD | Password reset; MFA re-enrolled
Jira Incident Report
Ticket: SOC-2024-121
Summary: T1538 – Azure Portal Reconnaissance by Compromised Global Admin
Status: RESOLVED
Resolution: MALICIOUS – Account Secured
Priority: P1 – CRITICAL
Labels: T1538, cloud-discovery, azure-portal, azure-ad, compromised-admin
Components: Cloud-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Azure AD Identity Protection + Cloud App Security.
Alert: “Unusual Azure Portal Access – Privileged Account Reconnaissance”.
User: jwilson@company.com (Global Administrator).
Source IP: 185.143.221[.]89 (Bulgaria).
Time: 2024-02-24 09:30 EST.
Technique: MITRE ATT&CK T1538 – Cloud Service Dashboard Discovery.
2. Technical Analysis:
Attack Chain:
09:00 – Attacker obtains jwilson’s credentials (phishing)
09:15 – Attacker logs into Azure Portal from Bulgaria
09:15 – MFA push sent to user’s phone
09:15 – User did NOT approve (investigation ongoing: token theft possible)
09:15-09:21 – Attacker accesses Azure Portal (MFA somehow bypassed)
09:21 – Attacker signs out
09:30 – Azure AD detects anomaly
MFA Bypass Theory:
Session token theft from earlier legitimate session
Attacker used stolen token to access portal without MFA
User reported MFA request but did not approve
Token theft most likely vector
Resources Discovered:
Subscriptions: 3 production subscriptions identified
Resource Groups: 47 groups across subscriptions
Virtual Machines: 86 VMs (including 12 domain controllers)
SQL Databases: 23 databases (including customer data)
Storage Accounts: 34 accounts (including backups)
Key Vaults: 8 vaults (secrets/certificates)
Azure AD Users: 3,247 users exported
Admin Roles: 12 Global Admins identified
Conditional Access: Full policy visibility
Attacker Intent:
Complete Azure infrastructure mapping
Identifying high-value targets (Key Vaults, SQL, Domain Controllers)
Reconnaissance for ransomware or data theft
3. Investigation Findings:
Timeline:
09:00 – Credentials compromised
09:15-09:21 – Attacker reconnaissance
09:21 – Attacker exits
09:30 – Alert triggers
09:32 – SOC investigates
09:35 – Account disabled
09:36 – Sessions terminated
09:37 – Tokens revoked
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
Azure:
– User: jwilson@company.com
– Sign-in log ID: 7842-1234-5678-9012 (anomalous)
MFA:
– Push request at 09:15 (user declined)
4. Containment Actions:
Immediate Actions:
Disabled jwilson account.
Revoked all active sessions.
Revoked all refresh tokens.
Reset user password.
Re-enrolled MFA.
Azure-Wide Actions:
Reviewed all admin activity (no changes made).
Rotated any exposed secrets (precautionary).
Audited Conditional Access policies.
User Remediation:
jwilson briefed on token theft risks.
New laptop provisioned (potential compromise).
5. Root Cause Analysis:
Primary Cause: Credential compromise (phishing) combined with token theft.
Contributing Factors:
Session tokens not bound to device/location.
Admin account had excessive privileges.
No anomaly detection for token replay.
6. Business Impact:
Operational Impact: Global Admin offline for 2 hours.
Security Impact: Full Azure infrastructure inventory exposed.
Data Exposure: User list exported; no data accessed.
7. Remediation & Prevention:
Completed Actions:
Account secured.
Tokens revoked.
Sessions terminated.
Technical Controls Enhanced:
Enforced token protection (conditional access token binding).
Reduced Global Admin count (JIT access only).
Implemented Privileged Identity Management (PIM) for admins.
Enhanced Azure AD Identity Protection alerts.
8. Conclusion:
An attacker compromised a Global Admin account and performed comprehensive reconnaissance of our Azure infrastructure via the portal. Azure AD detected the anomalous access pattern and triggered an alert. The account was secured before any changes could be made.
Closure Rationale: Account secured; tokens revoked; Azure inventory exposed but unchanged.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-24 10:30 EST