- ID: DT063
- Created: 19th July 2024
- Updated: 19th July 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
Microsoft Entra ID Sign-in Logs
From the Microsoft Entra Admin Center (https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), or through the Azure Portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), it is possible to view detailed sign-in logs for user accounts.
This information includes (but is not limited to) the Date, User, Application, Status, IP Address, and Location.
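As an added example (not part of the ITM entry or of Microsoft's tooling), the following Python triages sign-in records that carry the fields listed above; the CSV-style export layout, the sample rows and the per-user baseline of expected locations and applications are constructed assumptions. It surfaces sign-ins from a location or to an application outside a user's baseline, and a success that follows repeated failures from the same IP address.

```python
# Added example, not ITM's code: triage Entra ID sign-in records by the fields DT063 lists
# (Date, User, Application, Status, IP Address, Location). Rows and baseline are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CSV-style export: Date,User,Application,Status,IP Address,Location
SIGNIN_LOG = """\
2024-07-18T08:02:11Z,alice@example.com,Office 365 Exchange Online,Success,203.0.113.10,London GB
2024-07-18T08:05:40Z,alice@example.com,Office 365 SharePoint Online,Success,203.0.113.10,London GB
2024-07-18T22:41:03Z,alice@example.com,Graph Explorer,Failure,198.51.100.7,Bucharest RO
2024-07-18T22:41:29Z,alice@example.com,Graph Explorer,Failure,198.51.100.7,Bucharest RO
2024-07-18T22:42:15Z,alice@example.com,Graph Explorer,Success,198.51.100.7,Bucharest RO
2024-07-19T09:15:00Z,bob@example.com,Office 365 Exchange Online,Success,203.0.113.22,London GB
"""

# Assumed per-user baseline: (expected sign-in locations, expected applications).
BASELINE = {
    "alice@example.com": ({"London GB"}, {"Office 365 Exchange Online", "Office 365 SharePoint Online"}),
    "bob@example.com": ({"London GB"}, {"Office 365 Exchange Online"}),
}

def parse_signins(text):
    """Parse the constructed export into dicts keyed by the field names used on the page."""
    rows = []
    for line in text.strip().splitlines():
        date, user, app, status, ip, loc = line.split(",")
        rows.append({"Date": datetime.strptime(date, "%Y-%m-%dT%H:%M:%SZ"), "User": user,
                     "Application": app, "Status": status, "IP Address": ip, "Location": loc})
    return rows

def find_anomalies(rows, baseline, window=timedelta(minutes=10), min_failures=2):
    """Return distinct (user, kind, detail) findings: location/application outside the user's
    baseline, and a success preceded by >= min_failures failures from the same IP in `window`."""
    findings = set()
    failures = defaultdict(list)  # (user, ip) -> timestamps of failed sign-ins since last success
    for r in sorted(rows, key=lambda r: r["Date"]):
        user, key = r["User"], (r["User"], r["IP Address"])
        known_locs, known_apps = baseline.get(user, (set(), set()))
        if r["Location"] not in known_locs:
            findings.add((user, "new_location", r["Location"]))
        if r["Application"] not in known_apps:
            findings.add((user, "unexpected_app", r["Application"]))
        if r["Status"] == "Failure":
            failures[key].append(r["Date"])
            continue
        recent = [t for t in failures[key] if r["Date"] - t <= window]
        if len(recent) >= min_failures:
            findings.add((user, "failures_then_success", r["IP Address"]))
        failures[key] = []  # a success closes the failure streak for that user/IP pair
    return sorted(findings)
```

Each finding is a lead for correlating the sign-in with the subject's role and expected access boundaries, not a verdict on its own.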
Sections
ID | Name | Description |
---|---|---|
PR030 | Authorization Token Staging | The subject pre-authorizes access to internal or third-party services using OAuth or other token-based mechanisms, creating persistent or stealth access pathways for future use. This staging behavior allows access to be decoupled from standard authentication workflows, enabling the subject to retrieve, manipulate, or exfiltrate data without using core credentials or triggering routine identity-based alerts.<br>Token staging is particularly relevant in cloud and hybrid environments where delegated access via OAuth, SAML, or API keys is commonly used. When authorization tokens grant broad scopes (e.g., full mailbox or document access), they can effectively serve as alternate credentials — often surviving role changes, session terminations, or identity deactivations.<br>From an investigative standpoint, this behavior constitutes an intentional act of access persistence setup. It may indicate foresight, circumvention of governance controls, or preparation for covert activity. Detection typically requires correlating authorization logs with subject role, timing, and expected access boundaries, especially where third-party application use diverges from organizational norms. |
PR015.002 | Remote Email Collection | A subject retrieves email files from a remote email server. The subject might use their own or other obtained credentials to access an email mailbox and subsequently copy emails and/or data contained within emails. Remote email collection can be conducted against on-premises email servers, webmail, and cloud-based email services. |
PR004.002 | Collaboration Platform Exploration | A subject may search for or otherwise explore files on a collaboration platform (such as SharePoint, OneDrive, Confluence, etc.) to identify sensitive or valuable information. |
IF011.003 | Providing Unauthorized Access to a Collaboration Platform | The subject grants an unauthorized party access to organizational collaboration platforms, such as Slack, Microsoft Teams, Confluence, or equivalent tools, thereby exposing that party to internal information, workflows, or discussions outside their clearance or role-based access. This behavior may occur by inviting a guest account, elevating access permissions for an existing contact, or bypassing formal onboarding channels to enable out-of-policy access.<br>Such unauthorized collaboration introduces a high-risk vector for information leakage, intellectual property exposure, and unmonitored data sharing. In many cases, these platforms contain embedded files, chat histories, integration logs, and operational metadata that extend beyond what the subject may intend to share. Even when performed under the guise of productivity or convenience, this behavior constitutes a clear infringement of acceptable use policies and undermines formal access governance structures.<br>The action is often difficult to detect retrospectively if audit logging for guest access is not enabled or if collaboration platforms lack integration with centralized identity providers. Investigators should consider whether the access was temporary or persistent, and whether the subject demonstrated awareness of the policy violation (e.g., through attempts to obscure or justify the behavior). |
AF018.002 | Environment Tripwires | The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.<br>This tripwire API is embedded within various parts of the environment.<br>Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation.<br>The API can use whitelists for expected IP addresses or user accounts, triggering alerts if unexpected access occurs.<br>Upon detecting activity, the API tripwire can take immediate evasive actions. |
AF027.001 | Email Deletion | The subject deliberately deletes emails (sent, received, or both) with the intent to obstruct investigative visibility, remove evidence of policy violations, or eliminate traces of communication relevant to an insider event. While routine inbox maintenance is common, patterns of targeted deletion may indicate purposeful concealment. |