Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, we also release a monthly overview of everything that changed in the product. However, in these weekly updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
This week we have spent time digging into Azure/365/Entra attacks and additional tactics around Kerberoasting.
This update introduces:
A Service Principal in Entra has been observed creating another Service Principal. Some Azure services and products do this legitimately as part of a managed service. Threat actors have been observed using this technique to gain persistence and grow their foothold in Azure environments.
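One way to express this detection over Entra audit log records, as an added example that is not the IDE team's detection logic: the sample records below are constructed, their field names assume the Microsoft Graph `directoryAudits` schema (`activityDisplayName`, `initiatedBy.app`, `targetResources`), and the `KNOWN_PROVISIONERS` allowlist is a hypothetical placeholder for the managed-service principals you have baselined in your own tenant.

```python
import json

# Constructed sample Entra audit records (assumption: field names follow the
# Microsoft Graph directoryAudits schema; all values are made up).
SAMPLE_AUDIT_JSON = json.dumps([
    {   # a service principal creates another service principal -> finding
        "activityDisplayName": "Add service principal",
        "category": "ApplicationManagement",
        "result": "success",
        "activityDateTime": "2024-05-01T10:15:00Z",
        "initiatedBy": {"user": None,
                        "app": {"displayName": "ci-deploy-app",
                                "servicePrincipalId": "sp-0001"}},
        "targetResources": [{"type": "ServicePrincipal",
                             "displayName": "new-automation-sp",
                             "id": "sp-0042"}],
    },
    {   # an interactive admin creates one -> out of scope for this detection
        "activityDisplayName": "Add service principal",
        "category": "ApplicationManagement",
        "result": "success",
        "activityDateTime": "2024-05-01T10:20:00Z",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"},
                        "app": None},
        "targetResources": [{"type": "ServicePrincipal",
                             "displayName": "helpdesk-sp", "id": "sp-0043"}],
    },
    {   # an allowlisted platform principal doing managed provisioning -> skip
        "activityDisplayName": "Add service principal",
        "category": "ApplicationManagement",
        "result": "success",
        "activityDateTime": "2024-05-01T10:25:00Z",
        "initiatedBy": {"user": None,
                        "app": {"displayName": "managed-platform-service",
                                "servicePrincipalId": "sp-platform-01"}},
        "targetResources": [{"type": "ServicePrincipal",
                             "displayName": "platform-child-sp",
                             "id": "sp-0044"}],
    },
    {   # a failed attempt by a service principal -> skip (result != success)
        "activityDisplayName": "Add service principal",
        "category": "ApplicationManagement",
        "result": "failure",
        "activityDateTime": "2024-05-01T10:30:00Z",
        "initiatedBy": {"user": None,
                        "app": {"displayName": "ci-deploy-app",
                                "servicePrincipalId": "sp-0001"}},
        "targetResources": [{"type": "ServicePrincipal",
                             "displayName": "denied-sp", "id": "sp-0045"}],
    },
])

# Hypothetical allowlist of service principals that legitimately create
# others in this tenant; build yours from a baseline of observed activity.
KNOWN_PROVISIONERS = frozenset({"sp-platform-01"})


def find_sp_created_by_sp(audit_json, allowlist=KNOWN_PROVISIONERS):
    """Return one finding per service principal created by a non-allowlisted
    service principal (i.e. initiated by an app, not a user)."""
    findings = []
    for rec in json.loads(audit_json):
        if rec.get("activityDisplayName") != "Add service principal":
            continue
        if rec.get("result") != "success":
            continue
        actor = (rec.get("initiatedBy") or {}).get("app")
        if not actor:  # initiated by a user, not a service principal
            continue
        if actor.get("servicePrincipalId") in allowlist:
            continue
        for target in rec.get("targetResources", []):
            if target.get("type") != "ServicePrincipal":
                continue
            findings.append({
                "time": rec.get("activityDateTime"),
                "actor_sp": actor.get("displayName"),
                "actor_sp_id": actor.get("servicePrincipalId"),
                "created_sp": target.get("displayName"),
                "created_sp_id": target.get("id"),
            })
    return findings


if __name__ == "__main__":
    for f in find_sp_created_by_sp(SAMPLE_AUDIT_JSON):
        print(f"{f['time']} {f['actor_sp']} ({f['actor_sp_id']}) created "
              f"{f['created_sp']} ({f['created_sp_id']})")
```

The allowlist is keyed on the actor's service principal id rather than its display name, since display names are user-controlled and easy to mimic; keep the allowlist short and review it when a new managed service is onboarded.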
Impossible travel refers to logins or access attempts that originate from different geographic locations within an unrealistically short timeframe, indicating potential malicious activity. In this detection, successful logins that are 500 to 999 miles apart within a 2-hour window are deemed suspicious.
Impossible travel refers to logins or access attempts that originate from different geographic locations within an unrealistically short timeframe, indicating potential malicious activity. In this detection, successful logins that are 1,000 to 2,000 miles apart within a 4-hour window are deemed suspicious.
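Both impossible-travel tiers above reduce to the same computation: great-circle distance between a user's consecutive successful logins, compared against a distance band and a time window. The following is an added example of that logic, not the IDE team's detection; the sign-in records are constructed (user, UTC time, geolocated latitude/longitude, result), and the haversine formula with a 3,958.8-mile Earth radius is an assumption of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8  # mean radius used by the haversine formula

# Constructed sign-in records: (user, UTC timestamp, latitude, longitude, result).
SAMPLE_SIGNINS = [
    ("alice", "2024-05-01T09:00:00+00:00", 40.7128, -74.0060, "success"),   # New York
    ("alice", "2024-05-01T10:30:00+00:00", 41.8781, -87.6298, "success"),   # Chicago: ~711 mi in 1.5 h
    ("bob",   "2024-05-01T09:00:00+00:00", 51.5074, -0.1278, "success"),    # London
    ("bob",   "2024-05-01T12:00:00+00:00", 41.9028, 12.4964, "success"),    # Rome: ~891 mi in 3 h
    ("carol", "2024-05-01T09:00:00+00:00", 34.0522, -118.2437, "success"),  # Los Angeles
    ("carol", "2024-05-01T12:30:00+00:00", 32.7767, -96.7970, "success"),   # Dallas: ~1238 mi in 3.5 h
    ("dave",  "2024-05-01T09:00:00+00:00", 40.7128, -74.0060, "failure"),   # failed login is ignored
    ("dave",  "2024-05-01T09:45:00+00:00", 41.8781, -87.6298, "success"),
]


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def classify(miles, elapsed):
    """Map a distance/time pair onto the two tiers described above, or None."""
    if 500 <= miles < 1000 and elapsed <= timedelta(hours=2):
        return "500-999 mi within 2 h"
    if 1000 <= miles <= 2000 and elapsed <= timedelta(hours=4):
        return "1000-2000 mi within 4 h"
    return None


def detect_impossible_travel(signins):
    """Compare each user's consecutive successful logins and return alerts."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, result in signins:
        if result != "success":  # only successful logins count
            continue
        by_user[user].append((datetime.fromisoformat(ts), lat, lon))

    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            miles = haversine_miles(la1, lo1, la2, lo2)
            tier = classify(miles, t2 - t1)
            if tier:
                alerts.append({
                    "user": user,
                    "tier": tier,
                    "miles": round(miles),
                    "hours": round((t2 - t1).total_seconds() / 3600, 2),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_SIGNINS):
        print(alert)
```

Note the "bob" case: London to Rome is about 891 miles in 3 hours, which falls in the 500-999 mile band but outside its 2-hour window, and is too short for the 1,000-2,000 mile band, so neither tier fires. That gap is exactly what the two-tier thresholds encode, and the distance and window values are the knobs to tune if your user base travels differently.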
Service Principal Names (SPNs) are used by Kerberos authentication to identify the account running a particular service. Administrators may legitimately perform SPN enumeration to audit and manage SPNs in their environment. Threat actors have been observed using SPN enumeration to gather information about services and user accounts in an Active Directory environment.
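From the defender's side, one place SPN-driven reconnaissance becomes visible is in Windows Security event 4769 ("A Kerberos service ticket was requested"), where one account requesting tickets for many distinct service accounts in a short burst stands out against normal usage. The detection below is an added example, not the IDE team's detection: the 4769 records are constructed, the threshold of five distinct service accounts in five minutes is an assumed starting point to tune, and the exclusion of `krbtgt` and computer accounts (names ending in `$`) is a tuning choice of this example. `TicketEncryptionType` `0x17` is RC4-HMAC and `0x12` is AES256, which the example surfaces as context for triage.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, user, service, etype, ip):
    """Build a constructed 4769 record with the fields this example uses.
    ServiceName is the account the ticket was requested for; TicketEncryptionType
    0x17 is RC4-HMAC, 0x12 is AES256."""
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed sample events (all names and addresses are made up).
SAMPLE_4769 = [
    # jdoe requests tickets for six distinct service accounts within 20 seconds, all RC4
    _ev("2024-05-01T09:00:01+00:00", "jdoe@CORP.EXAMPLE", "krbtgt", "0x12", "10.0.5.23"),
    _ev("2024-05-01T09:00:03+00:00", "jdoe@CORP.EXAMPLE", "WS01$", "0x12", "10.0.5.23"),
    _ev("2024-05-01T09:00:05+00:00", "jdoe@CORP.EXAMPLE", "sqlsvc", "0x17", "10.0.5.23"),
    _ev("2024-05-01T09:00:09+00:00", "jdoe@CORP.EXAMPLE", "iissvc", "0x17", "10.0.5.23"),
    _ev("2024-05-01T09:00:13+00:00", "jdoe@CORP.EXAMPLE", "backupsvc", "0x17", "10.0.5.23"),
    _ev("2024-05-01T09:00:17+00:00", "jdoe@CORP.EXAMPLE", "exchsvc", "0x17", "10.0.5.23"),
    _ev("2024-05-01T09:00:21+00:00", "jdoe@CORP.EXAMPLE", "reportsvc", "0x17", "10.0.5.23"),
    _ev("2024-05-01T09:00:25+00:00", "jdoe@CORP.EXAMPLE", "spsvc", "0x17", "10.0.5.23"),
    # mwong uses three services over two hours with AES tickets: normal activity
    _ev("2024-05-01T09:10:00+00:00", "mwong@CORP.EXAMPLE", "sqlsvc", "0x12", "10.0.7.41"),
    _ev("2024-05-01T10:05:00+00:00", "mwong@CORP.EXAMPLE", "iissvc", "0x12", "10.0.7.41"),
    _ev("2024-05-01T11:00:00+00:00", "mwong@CORP.EXAMPLE", "backupsvc", "0x12", "10.0.7.41"),
]


def detect_spn_sweep(events, min_distinct=5, window=timedelta(minutes=5)):
    """Alert when one account requests service tickets for at least
    `min_distinct` distinct service accounts inside any `window`-long span.
    Reports the densest window found per account."""
    per_user = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        # TGT renewals and computer-account services are not what this looks for
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        per_user[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["TimeCreated"]), svc,
             e["TicketEncryptionType"].lower()))

    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        best = None
        start = 0
        for end in range(len(reqs)):
            # slide the window start forward until it spans at most `window`
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            in_window = reqs[start:end + 1]
            distinct = {svc for _, svc, _ in in_window}
            if len(distinct) >= min_distinct and (
                    best is None or len(distinct) > best["distinct_services"]):
                best = {
                    "user": user,
                    "window_start": reqs[start][0].isoformat(),
                    "distinct_services": len(distinct),
                    "rc4_requests": sum(1 for _, _, et in in_window if et == "0x17"),
                    "services": sorted(distinct),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spn_sweep(SAMPLE_4769):
        print(alert)
```

Because administrators legitimately enumerate SPNs, pair this with an allowlist of audit and management accounts and treat the RC4 count as a triage signal rather than a condition: in the sample, the burst from `jdoe` is six distinct service accounts in under a minute, all RC4, while `mwong` never exceeds one service per window.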