Techniques
Sample rules
Azure AD Successful PowerShell Authentication
- source: splunk
- techniques:
- T1586
- T1586.003
- T1078
- T1078.004
Description
The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell cmdlets. This detection leverages Azure AD SignInLogs to identify successful logins where the appDisplayName is “Microsoft Azure PowerShell.” This activity is significant because it is uncommon for regular, non-administrative users to authenticate using PowerShell, and it may indicate enumeration and discovery techniques by an attacker. If confirmed malicious, this activity could allow attackers to perform extensive reconnaissance, potentially leading to privilege escalation or further exploitation within the Azure environment.
Detection logic
`azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName="Microsoft Azure PowerShell"
| rename properties.* as *
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, user_agent
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_successful_powershell_authentication_filter`
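To make the search above concrete, the following is an added example (not part of the Splunk rule or the Azure Monitor add-on) that re-implements the same filter and `stats` clause in plain Python and runs it over a handful of constructed SignInLogs records in the shape Azure Monitor exports them. It assumes that the Splunk field aliases `src_ip`, `user` and `user_agent` map to `properties.ipAddress`, `properties.userPrincipalName` and `properties.userAgent`, that the `azure_monitor_aad` macro only selects the Azure AD log source, and that the `_filter` macro is an empty allow-list; none of those mappings are stated on the page.

```python
# Added example, not the rule's own code: plain-Python emulation of the SPL
# detection over constructed Azure AD SignInLogs records.
# Assumed (not on the page): src_ip = properties.ipAddress,
# user = properties.userPrincipalName, user_agent = properties.userAgent.
from collections import defaultdict
from datetime import datetime

TARGET_APP = "Microsoft Azure PowerShell"

# Constructed sample events: two successful PowerShell sign-ins from one
# source/user agent (two different users), one failed PowerShell sign-in,
# one successful portal sign-in, and one record that is not a SignInLogs event.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "category": "SignInLogs",
     "properties": {"appDisplayName": TARGET_APP, "ipAddress": "203.0.113.10",
                    "userAgent": "AzurePowershell/v1.0",
                    "userPrincipalName": "alice@example.test",
                    "authenticationDetails": [{"succeeded": True}]}},
    {"time": "2024-05-01T08:05:00Z", "category": "SignInLogs",
     "properties": {"appDisplayName": TARGET_APP, "ipAddress": "203.0.113.10",
                    "userAgent": "AzurePowershell/v1.0",
                    "userPrincipalName": "bob@example.test",
                    "authenticationDetails": [{"succeeded": True}]}},
    {"time": "2024-05-01T08:07:00Z", "category": "SignInLogs",
     "properties": {"appDisplayName": TARGET_APP, "ipAddress": "198.51.100.7",
                    "userAgent": "AzurePowershell/v1.0",
                    "userPrincipalName": "carol@example.test",
                    "authenticationDetails": [{"succeeded": False}]}},
    {"time": "2024-05-01T08:09:00Z", "category": "SignInLogs",
     "properties": {"appDisplayName": "Azure Portal", "ipAddress": "203.0.113.10",
                    "userAgent": "Mozilla/5.0",
                    "userPrincipalName": "alice@example.test",
                    "authenticationDetails": [{"succeeded": True}]}},
    {"time": "2024-05-01T08:10:00Z", "category": "AuditLogs",
     "properties": {"appDisplayName": TARGET_APP, "ipAddress": "203.0.113.10",
                    "userAgent": "AzurePowershell/v1.0",
                    "userPrincipalName": "alice@example.test",
                    "authenticationDetails": [{"succeeded": True}]}},
]


def parse_time(ts):
    """Parse the ISO-8601 'time' field (Z suffix) into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def auth_succeeded(props):
    """Equivalent of properties.authenticationDetails{}.succeeded=true.

    In SPL the {} notation expands the JSON array into a multivalue field,
    and a multivalue field matches when ANY of its values equals the literal.
    """
    return any(step.get("succeeded") is True
               for step in props.get("authenticationDetails", []))


def matches(event):
    """The search filter: SignInLogs category, PowerShell app, successful auth."""
    if event.get("category") != "SignInLogs":
        return False
    props = event.get("properties", {})
    return props.get("appDisplayName") == TARGET_APP and auth_succeeded(props)


def detect(events):
    """The stats clause: count, first/last time and distinct users, grouped by
    (src_ip, appDisplayName, user_agent). Returns a dict keyed by that triple."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None,
                                  "lastTime": None, "user": set()})
    for ev in events:
        if not matches(ev):
            continue
        p = ev["properties"]
        key = (p.get("ipAddress"), p.get("appDisplayName"), p.get("userAgent"))
        t = parse_time(ev["time"])
        g = groups[key]
        g["count"] += 1
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["user"].add(p.get("userPrincipalName"))
    # Render like the SPL output: ISO timestamps and a sorted multivalue user list.
    return {key: {"count": g["count"],
                  "firstTime": g["firstTime"].isoformat(),
                  "lastTime": g["lastTime"].isoformat(),
                  "user": sorted(g["user"])}
            for key, g in groups.items()}


if __name__ == "__main__":
    for key, row in detect(SAMPLE_EVENTS).items():
        print(key, row)
```

Run as-is, the script produces a single result row for the 203.0.113.10 / PowerShell / AzurePowershell user agent triple with a count of 2 and both users listed; the failed sign-in, the portal sign-in and the non-SignInLogs record are all dropped by the filter, which is the same set of rows the SPL would emit before the allow-list macro is applied. The `auth_succeeded` helper is the part worth checking against your own data, since a single sign-in can carry several `authenticationDetails` steps and the `=true` test passes as soon as one of them succeeded.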