Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cloud Attack Emulation: Analyzing Entra ID Logs...

Kennedy Torkura
March 15, 2025
0
12

Cloud Attack Emulation: Analyzing Entra ID Logs with GenAI

đź’Ą Fire in the Hole: Attacking Entra ID & Analyzing the Logs with GenAI đź’Ą

Hey Azure Cloudy defenders, how do you ensure a tight grip over Microsoft Azure Entra ID ?

FACT -> Every breach starts with initial access & identity-based attacks are prevalently successful.

Why ? 🤔

According to the recent CrowdStrike Global Threat Report, access broker activity surged in 2024 by approx 50%. Furthermore, valid account abuse was responsible for 35% of cloud incidents.

👉 But identity-based attacks aren't new. In fact, there is an abundance of tooling and products for these in the market. So the elephant in the room is how efficient these tools and products are. And truthfully, you have to figure that out because it's a responsibility!

đź’Ą One way to take responsibility -> VALIDATE !

How ? 🤔

⚡ Quick example: The attached document describes a demo of identity-based attacks aimed at persisting access. Attackers often create additional credentials for Azure apps, aka Service Principals. This attack is part of an adversary emulation exercise conducted using Mitigant ⚡

⚡ Here, the attackers are working to safeguard their initial access. The created credential acts as a backdoor that will be activated once the initial access credentials are discovered/revoked. How crafty!

⚡ The attack is documented at MITRE ATT&CK as "Account Manipulation: Additional Cloud Credentials 🔗 https://attack.mitre.org/techniques/T1098/001/

⚡Think about it this way - attacker is in & you failed to detect. The attacker creates a backdoor & you get notified. Lucky you. 👏

⚡ But ideally, you ought to detect even the first access. You have to do the hard work of ensuring efficient detections! Talking about detections, I used GenAI to analyze the logs created during the attack. It's a fast way to extract some value from the logs and understand their meaning.

Kennedy Torkura

March 15, 2025
Tweet

More Decks by Kennedy Torkura

See All by Kennedy Torkura
Ultimate Combo - Azure Sentinel and Cloud Attack Emulation
ktorkura
0
3
Agentic AI Threat Modeling - Part I
ktorkura
0
30
🤺 Cloud Attack Emulation: Azure Monitor Logs Analysis with GenAI⚡
ktorkura
0
28
GenAI Red Teaming Unique Challenges – Part I
ktorkura
0
33
Emerging GenAI Security Solutions
ktorkura
0
30
The Cyber Resilience Chasm
ktorkura
0
33
Outcome vs Output Security Approaches
ktorkura
0
290
Cloud Attack Emulation for Mere Mortals
ktorkura
0
110
Fast-tracking DevSecOps Maturity With Security Chaos Engineering
ktorkura
0
370

Featured

See All Featured
Building Applications with DynamoDB
mza
94
6.3k
Adopting Sorbet at Scale
ufuk
76
9.3k
YesSQL, Process and Tooling at Scale
rocio
172
14k
Testing 201, or: Great Expectations
jmmastey
42
7.5k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
40
7.2k
Into the Great Unknown - MozCon
thekraken
37
1.7k
Raft: Consensus for Rubyists
vanstee
137
6.9k
A better future with KSS
kneath
239
17k
A designer walks into a library…
pauljervisheath
205
24k
Visualization
eitanlees
146
16k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
For a Future-Friendly Web
brad_frost
176
9.7k

Transcript

  1. Cloud Attack Emulation Analyzing Entra ID Logs with GenAI 1

    @run2obtain Adversary Emulation. Simplified.

  2. Attack Emulation Summary (1) 2 @run2obtain • The attack emulation

    targets an important Entra ID component – Service Principal. • The credential created becomes a backdoor for the attacker i.e. to be used in the event the initial access credential is discovered and revoked. • The aim is to create additional credentials in an existing service principal. The following MITRE ATT&CK techniques is implemented: Account Manipulation: Additional Cloud Credentials. Here is the relevant description: In Entra ID environments with the app password feature enabled, adversaries may be able to add an app password to a user account. As app passwords are intended to be used with legacy devices that do not support multi-factor authentication (MFA), adding an app password can allow an adversary to bypass MFA requirements. Additionally, app passwords may remain valid even if the user’s primary password is reset. Ref - https://attack.mitre.org/techniques/T1098/001/

  3. Attack Emulation Summary (2) 3 @run2obtain • The logs generated

    due to the activities of the attack are collected from Azure and analyzed using Perplexity AI. • Key lessons: • Emulating this attack allows defenders to understand the events to look out for when implementing counter-measures against attacks. • Defenders can also leverage this approach to validate if detection mechanisms are functioning accurately.

  4. Downloaded Azure Activity Logs Created Via Mitigant Attack Emulation 4

    @run2obtain

  5. …. and analyzed with AI by chatting with Perplexity 5

    @run2obtain File with Azure activity logs

  6. … first answer provides an interesting summary! 6 @run2obtain

  7. More details: successful actions and involved Entra ID resources 7

    @run2obtain

  8. Additional insights: Impact & Related MITRE ATT&CK TTPs 8 @run2obtain

  9. How about the other side of the coin: the attacker’s

    view 9 @run2obtain

  10. Let’s see the attacks using a sequence diagram 10 @run2obtain

  11. Emulate Attacks using Mitigant 11 Read more about Azure Attacks:

    https://www.mitigant.io/en/blog/feature-release-cloud-attack-emulation-for-azure

  12. Mitigant Cloud Attack Emulation https://www.mitigant.io/en/platform/cloud-attack-emulation Adversary Emulation. Simplified. Sign Up

    for your FREE TRIAL today ! 12 @run2obtain