💥 Fire in the Hole: Attacking Entra ID & Analyzing the Logs with GenAI 💥
Hey Azure cloudy defenders, how do you keep a tight grip on Microsoft Azure Entra ID?
FACT -> Every breach starts with initial access, and identity-based attacks are consistently successful.
Why ? 🤔
According to the recent CrowdStrike Global Threat Report, access broker activity surged by approximately 50% in 2024. Furthermore, valid account abuse was responsible for 35% of cloud incidents.
👉 But identity-based attacks aren't new. In fact, there is an abundance of tooling and products for these in the market. So the elephant in the room is how efficient these tools and products are. And truthfully, you have to figure that out because it's a responsibility!
💥 One way to take responsibility -> VALIDATE !
How ? 🤔
⚡ Quick example: The attached document describes a demo of identity-based attacks aimed at persisting access. Attackers often create additional credentials for Azure apps, aka Service Principals. This attack is part of an adversary emulation exercise conducted using Mitigant ⚡
⚡ Here, the attackers are working to safeguard their initial access. The created credential acts as a backdoor that will be activated once the initial access credentials are discovered/revoked. How crafty!
⚡ The attack is documented in MITRE ATT&CK as "Account Manipulation: Additional Cloud Credentials" 🔗 https://attack.mitre.org/techniques/T1098/001/
⚡ Think about it this way: the attacker is in and you failed to detect it. The attacker creates a backdoor and you get notified. Lucky you. 👏
⚡ But ideally, you ought to detect even the first access. You have to do the hard work of ensuring efficient detections! Talking about detections, I used GenAI to analyze the logs created during the attack. It's a fast way to extract some value from the logs and understand their meaning.
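To make the detection side of this concrete, here is an added example (my own illustration, not code from the post, from Mitigant, or from Microsoft) that triages Entra ID audit log records for the T1098.001 pattern described above: a credential being added to a service principal. The log records are constructed and simplified from the shape of the Microsoft Graph directoryAudit resource, and the "approved credential managers" list, the business-hours window and the event display names to match are assumptions to be replaced with what your own tenant actually logs.

```python
import json
import re
from datetime import datetime

# Constructed sample Entra ID audit records, one JSON object per line.
# Shape is modelled on the Graph directoryAudit resource; all values are made up.
SAMPLE_AUDIT_LOG = r'''
{"activityDateTime":"2024-06-03T09:12:44Z","activityDisplayName":"Update user","category":"UserManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"it-admin@example.com"}},"targetResources":[{"displayName":"Jane Doe","type":"User","modifiedProperties":[]}]}
{"activityDateTime":"2024-06-03T22:41:07Z","activityDisplayName":"Add service principal credentials","category":"ApplicationManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"contractor@example.com"}},"targetResources":[{"displayName":"billing-sync-app","type":"ServicePrincipal","modifiedProperties":[{"displayName":"KeyDescription","newValue":"[[KeyIdentifier=aaaa-1111,KeyType=Password,KeyUsage=Verify,DisplayName=backup]]"}]}]}
{"activityDateTime":"2024-06-04T10:05:30Z","activityDisplayName":"Add service principal credentials","category":"ApplicationManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"app-owner@example.com"}},"targetResources":[{"displayName":"billing-sync-app","type":"ServicePrincipal","modifiedProperties":[{"displayName":"KeyDescription","newValue":"[[KeyIdentifier=bbbb-2222,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=rotation-2024Q2]]"}]}]}
'''

# Assumptions for this example: who is allowed to manage app credentials,
# and which UTC hours count as a normal change window.
APPROVED_CREDENTIAL_MANAGERS = {"app-owner@example.com"}
BUSINESS_HOURS_UTC = range(7, 19)

# Event name(s) to match; extend with the names your tenant actually emits.
CREDENTIAL_EVENTS = {"Add service principal credentials"}


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def actor_of(record):
    """Return the user or app that initiated the change."""
    initiated = record.get("initiatedBy", {})
    if initiated.get("user"):
        return initiated["user"].get("userPrincipalName", "unknown-user")
    if initiated.get("app"):
        return initiated["app"].get("displayName", "unknown-app")
    return "unknown"


def credential_types(record):
    """Extract KeyType values (Password, AsymmetricX509Cert, ...) from modified properties."""
    types = []
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            for match in re.finditer(r"KeyType=(\w+)", prop.get("newValue") or ""):
                types.append(match.group(1))
    return types


def find_credential_additions(records):
    """Keep only successful credential additions on service principals / applications."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_EVENTS or rec.get("result") != "success":
            continue
        targets = [t.get("displayName") for t in rec.get("targetResources", [])
                   if t.get("type") in ("ServicePrincipal", "Application")]
        findings.append({
            "time": rec["activityDateTime"],
            "actor": actor_of(rec),
            "targets": targets,
            "key_types": credential_types(rec),
        })
    return findings


def assess(finding, approved=APPROVED_CREDENTIAL_MANAGERS, hours=BUSINESS_HOURS_UTC):
    """Score a finding: who did it, when, and what kind of credential was added."""
    reasons = []
    if finding["actor"] not in approved:
        reasons.append("actor is not an approved credential manager")
    hour = datetime.fromisoformat(finding["time"].replace("Z", "+00:00")).hour
    if hour not in hours:
        reasons.append("change made outside the business-hours window (UTC)")
    if "Password" in finding["key_types"]:
        reasons.append("client secret added rather than a certificate")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return severity, reasons


if __name__ == "__main__":
    for f in find_credential_additions(parse_audit_log(SAMPLE_AUDIT_LOG)):
        severity, reasons = assess(f)
        print(f"{f['time']} {f['actor']} -> {f['targets']} {f['key_types']} [{severity}] {reasons}")
```

The point of the scoring is that the event alone is not the alert: legitimate rotation by the app owner during the day scores low, while a new secret added by an unexpected account late at night is exactly the backdoor pattern the post describes and scores high. Whatever GenAI summarises from the logs, a rule like this is what should page someone.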