Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, we also release a monthly overview of everything that changed in the product. In these weekly updates, however, we focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
Introduction and Overview
This week we spent time digging into Azure/Microsoft 365/Entra attacks and additional tactics around Kerberoasting.
New Detections
This update introduces:
Azure: Service Principal Creation By Service Principal
Fires when a Service Principal in Entra has been observed creating another Service Principal. Some Azure services and products do this legitimately as part of a managed service, so expect a small amount of known-good noise. Threat actors have been observed using this technique to gain persistence and grow their foothold in Azure environments.
- Status: Enabled
- Log type requirement: Azure Directory Audit
- Learn More: Midnight Blizzard: Guidance for responders on nation-state attack
Microsoft 365: Impossible Travel AAD Login - 500 to 999 miles
Impossible travel refers to logins or access attempts by the same account that originate from different geographic locations within an unrealistically short timeframe, indicating potential malicious activity. In this detection, two successful logins by the same user from locations 500 to 999 miles apart within a 2 hour window are deemed suspicious.
- Status: Default Disabled
- Log type requirement: MS365
Microsoft 365: Impossible Travel AAD Login - 1,000 to 2,000 miles
Impossible travel refers to logins or access attempts by the same account that originate from different geographic locations within an unrealistically short timeframe, indicating potential malicious activity. In this detection, two successful logins by the same user from locations 1,000 to 2,000 miles apart within a 4 hour window are deemed suspicious.
- Status: Default Disabled
- Log type requirement: MS365
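To make the two impossible-travel rules above concrete, here is a small added example (written for this post, not Blumira's detection logic) that runs the same distance-band and time-window test over constructed sign-in records. It assumes each successful sign-in has already been geolocated to a latitude/longitude, compares only consecutive successful logins per user, and ignores failed attempts because a failure proves nothing about where the account holder is. The city coordinates, user names and timestamps are all made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    lat: float
    lon: float
    success: bool


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    miles: float
    minutes: float


# Inclusive distance band and time window for each rule, mirroring the two
# detections above. Pairs under 500 miles or over 2,000 are out of scope here.
RULES = [
    ("500 to 999 miles", 500.0, 999.0, timedelta(hours=2)),
    ("1,000 to 2,000 miles", 1000.0, 2000.0, timedelta(hours=4)),
]


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def impossible_travel(events, rules=RULES):
    """Compare each user's consecutive successful sign-ins and flag pairs whose
    distance and time gap fall inside one of the rule bands."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.success:  # failed attempts do not place the user anywhere
            by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            miles = haversine_miles(prev.lat, prev.lon, cur.lat, cur.lon)
            gap = cur.ts - prev.ts
            for name, lo, hi, window in rules:
                if lo <= miles <= hi and gap <= window:
                    alerts.append(Alert(user, name, round(miles, 1), gap.total_seconds() / 60))
                    break  # one alert per pair of logins
    return alerts


# Constructed sample sign-ins (not real log data); coordinates are city centres.
DETROIT = (42.3314, -83.0458)
ATLANTA = (33.7490, -84.3880)
DENVER = (39.7392, -104.9903)
CHICAGO = (41.8781, -87.6298)
T0 = datetime(2024, 5, 6, 9, 0)

SAMPLE = [
    SignIn("alice", T0, *DETROIT, True),
    SignIn("alice", T0 + timedelta(minutes=10), *DENVER, False),  # failed: ignored
    SignIn("alice", T0 + timedelta(minutes=90), *ATLANTA, True),  # ~597 mi in 1.5 h
    SignIn("bob", T0, *DETROIT, True),
    SignIn("bob", T0 + timedelta(hours=3), *DENVER, True),        # ~1,154 mi in 3 h
    SignIn("carol", T0, *DETROIT, True),
    SignIn("carol", T0 + timedelta(minutes=40), *CHICAGO, True),  # ~237 mi: below 500
    SignIn("dave", T0, *DETROIT, True),
    SignIn("dave", T0 + timedelta(hours=7), *ATLANTA, True),      # outside the 2 h window
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE):
        print(f"{a.user}: {a.rule} ({a.miles} mi in {a.minutes:.0f} min)")
```

Running it flags alice (500 to 999 miles band) and bob (1,000 to 2,000 miles band) and stays quiet for carol and dave. Before enabling rules like these in production, exclude known corporate VPN and cloud egress addresses and be aware that carrier-grade NAT and coarse IP geolocation can place one device hundreds of miles from itself between two logins; that tuning is the usual reason such rules ship disabled by default.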
Suspicious SPN Enumeration
SPNs (Service Principal Names) are used by Kerberos authentication to identify the account running a particular service. Administrators may legitimately enumerate SPNs to audit and manage them in their environment. Threat actors have been observed using SPN enumeration to gather information about services and the user accounts they run under in an Active Directory environment, typically as the first step of a Kerberoasting attack.
- Status: Enabled
- Log type requirement: Windows, Blumira Agent for Windows
- Learn More: How to use Kerberoasting – T1208 for Privilege Escalation
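The enumeration step itself is usually an LDAP search (for example a query for servicePrincipalName=*) and leaves no Kerberos ticket events behind; what follows it is a burst of service-ticket requests from one account for many distinct service accounts, which domain controllers record as Security Event ID 4769 when "Audit Kerberos Service Ticket Operations" is enabled. The following added example (written for this post, not Blumira's detection logic) runs that burst check over constructed 4769 records. The field names TargetUserName, ServiceName, TicketEncryptionType and IpAddress are the real 4769 fields; the ts field, the threshold of five distinct service accounts, the five-minute window and all sample values are assumptions for the example. 0x17 is the 4769 encryption type value for RC4-HMAC, the type Kerberoasting tooling prefers because the resulting hashes crack fastest; the example counts RC4 requests separately rather than requiring them, since AES-only targets still get roasted.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # TicketEncryptionType for RC4-HMAC in Event ID 4769
DEFAULT_THRESHOLD = 5             # distinct service accounts from one requester (assumed tuning)
DEFAULT_WINDOW = timedelta(minutes=5)  # burst window (assumed tuning)


def is_excluded_service(service_name):
    """Skip requests that are never Kerberoasting targets: the KDC account
    itself and computer accounts (names ending in '$')."""
    name = service_name.split("@")[0]
    return name.lower() == "krbtgt" or name.endswith("$")


def kerberoast_bursts(events, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Flag accounts that request service tickets for many distinct service
    accounts inside a short window. Returns at most one finding per account."""
    by_user = defaultdict(list)
    for e in events:
        if is_excluded_service(e["ServiceName"]):
            continue
        by_user[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["ts"]), e["ServiceName"],
             e["TicketEncryptionType"], e["IpAddress"])
        )
    findings = []
    for user, reqs in by_user.items():
        reqs.sort()  # chronological; tuples sort on the timestamp first
        for i, (start, *_rest) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - start <= window]
            services = {r[1] for r in in_window}
            if len(services) >= threshold:
                findings.append({
                    "user": user,
                    "source_ip": in_window[0][3],
                    "window_start": start.isoformat(),
                    "distinct_services": len(services),
                    "rc4_requests": sum(1 for r in in_window if r[2] == RC4_HMAC),
                    "services": sorted(services),
                })
                break
    return findings


def _ev(ts, user, service, etype, ip):
    """Build one constructed 4769-like record (sample data, not a real log)."""
    return {"ts": ts, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}


SAMPLE_4769 = [
    # jdoe: six distinct service accounts in 39 seconds, all RC4 -> burst
    _ev("2024-05-06T13:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.25"),
    _ev("2024-05-06T13:00:03", "jdoe@CORP.LOCAL", "krbtgt", "0x12", "10.0.0.25"),   # excluded
    _ev("2024-05-06T13:00:05", "jdoe@CORP.LOCAL", "FS01$", "0x12", "10.0.0.25"),    # excluded
    _ev("2024-05-06T13:00:08", "jdoe@CORP.LOCAL", "svc_http", "0x17", "10.0.0.25"),
    _ev("2024-05-06T13:00:12", "jdoe@CORP.LOCAL", "svc_sharepoint", "0x17", "10.0.0.25"),
    _ev("2024-05-06T13:00:15", "jdoe@CORP.LOCAL", "svc_backup", "0x17", "10.0.0.25"),
    _ev("2024-05-06T13:00:21", "jdoe@CORP.LOCAL", "svc_exchange", "0x17", "10.0.0.25"),
    _ev("2024-05-06T13:00:40", "jdoe@CORP.LOCAL", "svc_reporting", "0x17", "10.0.0.25"),
    # msmith: normal day, two AES tickets -> no burst
    _ev("2024-05-06T13:05:00", "msmith@CORP.LOCAL", "svc_sql", "0x12", "10.0.0.31"),
    _ev("2024-05-06T13:06:30", "msmith@CORP.LOCAL", "svc_http", "0x12", "10.0.0.31"),
    # rrich: six distinct services but spread 15 minutes apart -> no burst
    _ev("2024-05-06T13:10:00", "rrich@CORP.LOCAL", "svc_sql", "0x12", "10.0.0.52"),
    _ev("2024-05-06T13:25:00", "rrich@CORP.LOCAL", "svc_http", "0x12", "10.0.0.52"),
    _ev("2024-05-06T13:40:00", "rrich@CORP.LOCAL", "svc_sharepoint", "0x12", "10.0.0.52"),
    _ev("2024-05-06T13:55:00", "rrich@CORP.LOCAL", "svc_backup", "0x12", "10.0.0.52"),
    _ev("2024-05-06T14:10:00", "rrich@CORP.LOCAL", "svc_exchange", "0x12", "10.0.0.52"),
    _ev("2024-05-06T14:25:00", "rrich@CORP.LOCAL", "svc_reporting", "0x12", "10.0.0.52"),
]

if __name__ == "__main__":
    for f in kerberoast_bursts(SAMPLE_4769):
        print(f"{f['user']} from {f['source_ip']}: {f['distinct_services']} service accounts "
              f"({f['rc4_requests']} RC4) starting {f['window_start']}")
```

Only jdoe is reported. In a real environment, tune the threshold against what your own admins and service-discovery tools generate, and expect scanners and monitoring agents to produce legitimate bursts that need an allowlist on source IP or requesting account.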
Amanda Berlin
Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...