ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT063
  • Created: 19th July 2024
  • Updated: 19th July 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

Microsoft Entra ID Sign-in Logs

From the Microsoft Entra Admin Center (https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), or through the Azure Portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), it is possible to view detailed sign-in logs for user accounts.

This information includes (but is not limited to) the Date, User, Application, Status, IP Address, and Location.

Sections

ID Name Description
PR015.002Remote Email Collection

A subject retrieves email files from a remote email server. The subject might use their own or other obtained credentials to access an email mailbox and subsequently copy emails and/or data contained within emails. Remote email collection can be conducted against on-premises email servers, webmail, and cloud-based email services.

PR004.002Collaboration Platform Exploration

A subject may search for or otherwise explore files on a Collaboration Platform (such as SharePoint, OneDrive, Confluence, etc) to identify sensitive or valuable information.

IF011.003Providing Unauthorized Access to a Collaboration Platform

The subject provides unauthorized party access to a collaboration platform, such as Slack, Teams, or Confluence that exposes them to information they are not permitted to access. This can be achieved by adding an existing organizational account, or a guest account.

AF018.002Environment Tripwires

The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.

 

This tripwire API is embedded within various parts of the environment:

  • Cloud Services: It hooks into serverless functions, containers, or virtual machines to monitor access and activity.
  • Applications: It integrates into custom-built web applications to observe access to certain URLs, paths, or endpoints.
  • Infrastructure Services: It monitors cloud management APIs (e.g., AWS, Azure, Google Cloud) for unusual activities indicative of an investigation.

 

Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation. It looks for:

  • Known Security Tools: Scanning for network traffic signatures from common security tools (like Nessus or nmap) or patterns associated with incident response teams.
  • Unusual Access: Detecting attempts from IP ranges linked to internal security teams or cloud provider security operations centers.
  • System Changes: Watching for actions typical of an investigation, such as new logging mechanisms, alterations to IAM roles, or the activation of cloud monitoring services.

 

The API can use whitelists for expected IP addresses or user accounts, triggering alerts if unexpected access occurs.

 

Upon detecting activity, the API tripwire can take immediate evasive actions:

  • Alert the Subject: It sends covert alerts to an external server controlled by the subject, through an HTTP request, encrypted email, or messaging platform.
  • Suspend Malicious Activity: If integrated into a malicious workflow, the API can halt ongoing data exfiltration or malware processes.
  • Clean Up Evidence: It triggers scripts to delete logs, clear files, or reset system configurations to hinder forensic analysis.
  • Feign Normalcy: It restores access controls and system settings to their default state, masking any signs of unusual activity.