
Kennedy Torkura
March 15, 2025

Cloud Attack Emulation: Analyzing Entra ID Logs with GenAI

💥 Fire in the Hole: Attacking Entra ID & Analyzing the Logs with GenAI 💥

Hey Azure Cloudy defenders, how do you keep a tight grip on Microsoft Entra ID?

FACT -> Every breach starts with initial access, and identity-based attacks are among the most reliably successful ways to get it.

Why ? 🤔

According to the recent CrowdStrike Global Threat Report, access broker activity surged by approximately 50% in 2024. Furthermore, valid account abuse was responsible for 35% of cloud incidents.

👉 But identity-based attacks aren't new. In fact, there is an abundance of tooling and products for detecting and preventing them on the market. So the elephant in the room is how effective these tools and products actually are. And truthfully, figuring that out is your responsibility!

💥 One way to take responsibility -> VALIDATE !

How ? 🤔

⚡ Quick example: The attached deck describes a demo of an identity-based attack aimed at persisting access. Attackers often add extra credentials (client secrets or certificates) to existing Entra ID app registrations and their Service Principals. This attack is part of an adversary emulation exercise conducted using Mitigant ⚡

⚡ Here, the attackers are working to safeguard their initial access. The created credential acts as a backdoor that is activated once the initial-access credential is discovered and revoked. How crafty!

⚡ The attack is documented in MITRE ATT&CK as "Account Manipulation: Additional Cloud Credentials" (T1098.001) 🔗 https://attack.mitre.org/techniques/T1098/001/

⚡ Think about it this way: the attacker is in, and you failed to detect it. The attacker creates a backdoor, and you get notified. Lucky you. 👏

⚡ But ideally, you ought to detect the initial access itself, and that means doing the hard work of building and validating effective detections! Talking about detections, I used GenAI to analyze the logs created during the attack. It's a fast way to extract some value from the logs and understand what they mean.
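The persistence step above leaves a specific trail in the Entra ID audit log, and that trail can be turned into a detection. The following is an added example, not code from this post or from Mitigant's tooling: it walks a handful of constructed audit records laid out like Microsoft Graph `directoryAudit` objects and reports every secret or certificate that was added to an application or service principal. The activity names are the real ones Entra ID writes; the tenant, users, IP addresses, timestamps and key identifiers are made up for the example.

```python
"""Flag Entra ID audit events that add a secret or certificate to an application
or service principal (MITRE ATT&CK T1098.001). Added example with constructed
records; field layout follows Microsoft Graph `directoryAudit` objects, and all
names, IPs and key identifiers are invented."""
import json
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# Audit activities that can put a new credential on an app or service principal.
# Names are normalised before matching: in exported logs
# "Update application – Certificates and secrets management " carries an en dash
# and a trailing space, so naive string equality silently misses it.
CREDENTIAL_CHANGE_ACTIVITIES = {
    "add service principal credentials",
    "update application - certificates and secrets management",
}


def _normalise(activity: str) -> str:
    return activity.strip().replace("\u2013", "-").lower()


def _key_list(value: Any) -> List[Dict[str, Any]]:
    """KeyDescription old/new values arrive as a JSON array serialised into a string."""
    if not value:
        return []
    return json.loads(value) if isinstance(value, str) else list(value)


@dataclass
class Finding:
    when: str
    actor: str
    actor_ip: str
    target: str
    target_type: str
    key_id: str
    key_type: str
    key_name: str


def find_added_credentials(records: Iterable[Dict[str, Any]]) -> List[Finding]:
    """One Finding per credential present in the new KeyDescription value but not
    in the old one. Diffing old vs new matters because the 'Update application'
    activity also fires when a credential is removed."""
    findings: List[Finding] = []
    for rec in records:
        if rec.get("category") != "ApplicationManagement" or rec.get("result") != "success":
            continue
        if _normalise(rec.get("activityDisplayName", "")) not in CREDENTIAL_CHANGE_ACTIVITIES:
            continue
        who = rec.get("initiatedBy", {})
        if who.get("user"):
            actor = who["user"].get("userPrincipalName", "?")
            ip = who["user"].get("ipAddress", "?")
        else:  # change made by automation acting as another service principal
            actor, ip = who.get("app", {}).get("displayName", "unknown app"), "n/a"
        for target in rec.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "KeyDescription":
                    continue
                before = {k["KeyIdentifier"] for k in _key_list(prop.get("oldValue"))}
                for key in _key_list(prop.get("newValue")):
                    if key["KeyIdentifier"] in before:
                        continue
                    findings.append(Finding(
                        when=rec.get("activityDateTime", "?"), actor=actor, actor_ip=ip,
                        target=target.get("displayName", "?"),
                        target_type=target.get("type", "?"),
                        key_id=key["KeyIdentifier"], key_type=key.get("KeyType", "?"),
                        key_name=key.get("DisplayName", "")))
    return findings


def _keys(*specs):
    """Encode a KeyDescription value the way the log does (array serialised as a string)."""
    return json.dumps([{"KeyIdentifier": kid, "KeyType": ktype, "KeyUsage": "Verify",
                        "DisplayName": name} for kid, ktype, name in specs])


def _event(activity, result, upn, ip, target, target_type, old, new, when):
    return {"activityDateTime": when, "activityDisplayName": activity,
            "category": "ApplicationManagement", "result": result,
            "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
            "targetResources": [{"displayName": target, "type": target_type,
                                 "modifiedProperties": [{"displayName": "KeyDescription",
                                                         "oldValue": old, "newValue": new}]}]}


# Constructed sample: a backdoor secret on a service principal, a removal via the
# 'Update application' activity (must not alert), a second secret added to an app
# registration (note the trailing space), and a failed attempt (must not alert).
SAMPLE_AUDIT_LOG = [
    _event("Add service principal credentials", "success", "alice@contoso.example",
           "203.0.113.7", "billing-sync", "ServicePrincipal",
           _keys(), _keys(("1111-aaaa", "Password", "sync-fallback")), "2025-03-10T09:14:02Z"),
    _event("Update application \u2013 Certificates and secrets management ", "success",
           "bob@contoso.example", "198.51.100.2", "billing-sync-app", "Application",
           _keys(("2222-bbbb", "AsymmetricX509Cert", "prod-cert"), ("9999-dddd", "Password", "old")),
           _keys(("2222-bbbb", "AsymmetricX509Cert", "prod-cert")), "2025-03-10T10:01:55Z"),
    _event("Update application \u2013 Certificates and secrets management ", "success",
           "alice@contoso.example", "203.0.113.7", "billing-sync-app", "Application",
           _keys(("2222-bbbb", "AsymmetricX509Cert", "prod-cert")),
           _keys(("2222-bbbb", "AsymmetricX509Cert", "prod-cert"), ("3333-cccc", "Password", "")),
           "2025-03-10T11:30:41Z"),
    _event("Add service principal credentials", "failure", "mallory@contoso.example",
           "192.0.2.9", "billing-sync", "ServicePrincipal", _keys(), _keys(), "2025-03-10T11:45:00Z"),
]

if __name__ == "__main__":
    for f in find_added_credentials(SAMPLE_AUDIT_LOG):
        print(f"{f.when} {f.actor} ({f.actor_ip}) added {f.key_type} "
              f"'{f.key_name or '<unnamed>'}' to {f.target_type} {f.target}")
```

Run against the sample it reports exactly two additions: the unnamed password on the service principal and the second secret on the app registration; the removal and the failed attempt are ignored. If you pull the same events from the Log Analytics AuditLogs table instead of the Graph API, the activity name lives in the OperationName column and InitiatedBy/TargetResources are JSON columns, but the KeyDescription diff and the name normalisation apply unchanged.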


Transcript

  1. Cloud Attack Emulation: Analyzing Entra ID Logs with GenAI
     @run2obtain Adversary Emulation. Simplified.
  2. Attack Emulation Summary (1)
     • The attack emulation targets an important Entra ID component: the Service Principal.
     • The credential created becomes a backdoor for the attacker, i.e. it is used in the event the initial access credential is discovered and revoked.
     • The aim is to create additional credentials in an existing service principal. The following MITRE ATT&CK technique is implemented: Account Manipulation: Additional Cloud Credentials. Here is the relevant description: "In Entra ID environments with the app password feature enabled, adversaries may be able to add an app password to a user account. As app passwords are intended to be used with legacy devices that do not support multi-factor authentication (MFA), adding an app password can allow an adversary to bypass MFA requirements. Additionally, app passwords may remain valid even if the user's primary password is reset." Ref - https://attack.mitre.org/techniques/T1098/001/ (Note that this paragraph covers the app-password variant for user accounts; the same technique also covers adding secrets or certificates to applications and service principals, which is what this emulation does.)
  3. Attack Emulation Summary (2)
     • The logs generated by the attack activities are collected from Azure and analyzed using Perplexity AI.
     • Key lessons:
       • Emulating this attack lets defenders understand the events to look for when implementing countermeasures against attacks.
       • Defenders can also use this approach to validate whether detection mechanisms are functioning accurately.
  4. … and analyzed with AI by chatting with Perplexity
     File with Azure activity logs
  5. Emulate Attacks using Mitigant. Read more about Azure Attacks:
     https://www.mitigant.io/en/blog/feature-release-cloud-attack-emulation-for-azure