administrative users will likely use powershell commandlets to troubleshoot and maintain the environment. filter as needed.

t1078
t1078.004
t1586
t1586.003
azure active directory
splunk

Techniques

T1078
T1078.004
T1586
T1586.003

Sample rules

Azure AD Successful PowerShell Authentication

source: splunk
technicques:
- T1586
- T1586.003
- T1078
- T1078.004

Description

The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules.

Detection logic

 `azure_monitor_aad`  category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName="Microsoft Azure PowerShell" 
| rename properties.*  as * 
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, user_agent 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_successful_powershell_authentication_filter`