T1651 – Cloud Administration Command (Azure AD Detection)

Azure AD Alert Details
Alert ID: AAD-CLOUD-ADMIN-1651-7842
Alert Time: 2024-03-14 11:30:22 EST
Severity: HIGH (88/100)
Source: Azure AD Identity Protection + Audit Logs
Rule: “Suspicious Cloud Administration Commands from Unusual Location”
MITRE ATT&CK: T1651 – Cloud Administration Command

Alert Details:

Detection: Global administrator running high-impact commands from unusual location

User: jwilson@company.com (Global Administrator)
Source IP: 185.143.221[.]89 (Bulgaria)
Time: 11:15-11:30 EST

Azure AD Audit Events:

11:15:22 – Add member to group “Global Administrators” (added user attacker@evil.com) – SUCCESS

11:17:45 – Create new conditional access policy “Allow All” (disables MFA) – SUCCESS

11:19:12 – Update domain federation settings (change authentication to attacker-controlled IDP) – SUCCESS

11:21:33 – Add application registration “Internal Tools” with high privileges – SUCCESS

11:23:50 – Grant admin consent to application (allows app to read all mailboxes) – SUCCESS

11:25:15 – Reset password for 5 privileged users (including CEO) – SUCCESS

Detection Logic:

jwilson holds the Global Administrator role, but this sequence of actions is highly unusual for the account
Source IP geolocates to Bulgaria (normal sign-in location: US)
Commands are high-impact (adding admins, changing federation, resetting passwords)
Pattern matches an attacker taking over an Azure AD tenant
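The detection logic above, as an added illustration that is not part of the original alert or of any Microsoft product: a small Python correlator that flags a privileged account chaining several successful high-impact audit operations within fifteen minutes from an unexpected country. The privileged-user baseline, the IP-to-country table and the audit records are constructed here, and the activity names are modelled on the events listed above rather than taken from a real tenant export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: privileged accounts and their usual sign-in countries.
PRIVILEGED = {"jwilson@company.com": "Global Administrator"}
USUAL_COUNTRY = {"jwilson@company.com": {"US"}}
GEO = {"185.143.221.89": "BG", "10.20.30.40": "US"}  # constructed GeoIP table
# High-impact audit activities (names modelled on the page's events), weighted;
# the takeover pattern chains several of them within minutes.
HIGH_IMPACT = {
    "Add member to role": 25, "Add conditional access policy": 20,
    "Set federation settings on domain": 25, "Add application": 10,
    "Consent to application": 15, "Reset user password": 15,
}
WINDOW, THRESHOLD = timedelta(minutes=15), 60  # burst window, alert score

def evaluate(events):
    """One alert per (user, ip) where a privileged user ran two or more
    successful high-impact operations within WINDOW from an unusual country."""
    by_actor = defaultdict(list)
    for e in events:
        if (e["user"] in PRIVILEGED and e["result"] == "success"
                and e["activity"] in HIGH_IMPACT):
            by_actor[(e["user"], e["ip"])].append(e)
    alerts = []
    for (user, ip), evs in by_actor.items():
        country = GEO.get(ip, "??")
        if country in USUAL_COUNTRY.get(user, set()):
            continue  # expected location: admin work from here is normal
        evs.sort(key=lambda e: e["time"])
        burst = [e for e in evs if e["time"] - evs[0]["time"] <= WINDOW]
        if len(burst) < 2:
            continue  # a lone operation is not a takeover chain
        score = min(100, 20 + sum(HIGH_IMPACT[e["activity"]] for e in burst))
        if score >= THRESHOLD:
            alerts.append({"user": user, "role": PRIVILEGED[user], "ip": ip,
                           "country": country, "score": score,
                           "activities": [e["activity"] for e in burst]})
    return alerts

def _ev(t, user, ip, activity, result="success"):
    return {"time": datetime.fromisoformat("2024-03-14T" + t), "user": user,
            "ip": ip, "activity": activity, "result": result}

# Constructed audit records: one benign US event, then the page's 11:15-11:25 burst.
SAMPLE = [_ev("09:02:10", "jwilson@company.com", "10.20.30.40", "Add application")] + [
    _ev(t, "jwilson@company.com", "185.143.221.89", act) for t, act in zip(
        ["11:15:22", "11:17:45", "11:19:12", "11:21:33", "11:23:50", "11:25:15"],
        HIGH_IMPACT)]
```

`evaluate(SAMPLE)` returns a single alert for jwilson from 185.143.221.89 (BG) with the capped score of 100, while the lone 09:02 event from the usual US location produces nothing.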
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Azure AD audit logs | Azure AD Portal | Confirmed malicious admin commands |
| 2. User Verification | Contact jwilson | Phone, Teams | jwilson did NOT perform these actions (account compromised) |
| 3. Immediate Action | Disable jwilson account | Azure AD | Account disabled |
| 4. Revert Changes | Reverse all malicious actions | Azure AD PowerShell | Removed attacker from Global Admins, deleted conditional access policy, reverted federation settings, deleted malicious app, reset passwords for affected users |
| 5. Account Remediation | Reset jwilson password | Azure AD | Password reset; MFA enforced |
| 6. Incident Response | Activate emergency response | Management, Legal | Tenant takeover attempt declared |

Jira Incident Report
Ticket: SOC-2024-218
Summary: T1651 – Cloud Administration Command: Attacker Takes Control of Azure AD Tenant
Status: RESOLVED
Resolution: MALICIOUS – Changes Reverted, Account Secured
Priority: P1 – CRITICAL
Labels: T1651, cloud-admin-command, azure-ad, compromised-admin
Components: Cloud-Security, Identity-Management

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Azure AD Identity Protection + Audit Logs.
Alert: “Suspicious Cloud Administration Commands from Unusual Location”.
User: jwilson@company.com (Global Administrator).
Source IP: 185.143.221[.]89 (Bulgaria).
Actions: Added global admin, changed federation, reset passwords, etc.
Time: 2024-03-14 11:30 EST.
Technique: MITRE ATT&CK T1651 – Cloud Administration Command.

2. Technical Analysis:

Attack Chain:

10:30 – jwilson account compromised via phishing
10:45 – Attacker logs into Azure AD portal from Bulgaria
11:00 – Attacker enumerates admin roles
11:15-11:30 – Malicious admin commands
11:30 – Azure AD Identity Protection raises the alert

Malicious Actions:

Added attacker as Global Admin: attacker@evil.com (now has full control)
Created Conditional Access policy “Allow All”: disables MFA for all users
Changed federation settings: redirects authentication to attacker-controlled IDP
Added malicious app “Internal Tools”: with permissions to read all mailboxes
Granted admin consent: allows app to access all mailboxes
Reset passwords: for CEO, CFO, CTO, and two IT admins

Attacker Intent:

Full takeover of Azure AD tenant
Access all mailboxes and data
Lock out legitimate admins

Compromised Admin:

jwilson (Global Admin) – no MFA (now enforced)

3. Investigation Findings:

Timeline:

10:30 – Account compromised
10:45 – Attacker logs in
11:15-11:30 – Malicious actions
11:30 – Alert
11:32 – SOC investigates
11:33 – jwilson account disabled
11:35 – Reversion of changes begins
11:50 – All changes reverted

Indicators of Compromise (IoCs):

Network:

– Attacker IP: 185.143.221[.]89

Account:

– jwilson (compromised)

– attacker@evil.com (added as Global Admin, now removed)

App:

– “Internal Tools” (malicious app, removed)

4. Containment Actions:

Immediate Actions:

Disabled jwilson account.
Removed attacker@evil.com from Global Admins.
Deleted “Allow All” conditional access policy.
Reverted federation settings to original.
Deleted malicious app “Internal Tools”.
Reset passwords for all affected users (CEO, CFO, CTO, IT admins).
Blocked attacker IP.

Post-Incident:

Enforced MFA for all admins.
Implemented Privileged Identity Management (JIT access).
Audited all recent admin actions.

5. Root Cause Analysis:

Primary Cause: Global admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
No alerts for critical admin changes.

6. Business Impact:

Operational Impact: Temporary disruption during recovery.
Data Exposure: Potential mailbox access; none confirmed.
Reputational Impact: High (tenant takeover).

7. Remediation & Prevention:

Completed Actions:

Changes reverted.
Account secured.
Attacker blocked.

Technical Controls Enhanced:

Enforced MFA for all admins.
Implemented Conditional Access policies requiring trusted locations.
Enabled Azure AD Identity Protection alerts for admin changes.
Deployed Privileged Identity Management.

8. Conclusion:

An attacker compromised a global admin account and performed critical cloud administration commands, attempting to take over the Azure AD tenant. Azure AD detected the anomalous activity, enabling rapid reversion of all changes and securing the account.

Closure Rationale: Malicious changes reverted; admin account secured; tenant protected.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-14 12:30 EST
