Azure AD sign in from AzureHound default user agent

azure

Classification:

attack

Set up the azure integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when the AzureHound default user agent is seen in Azure AD sign-in logs.

Strategy

This rule monitors Azure AD sign-in logs for the default user agent AzureHound (this default user agent can be altered). AzureHound is a data collector for Bloodhound. Bloodhound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment. It is listed in MITRE ATT&CK with id S0521 and has been associated with a number of threat groups.

Triage and response

  1. Determine if your organization has authorized the use of Bloodhound.
  2. If the results of triage indicate that this tool is not used by your organization, begin your company’s incident response process and an investigation.
    • If appropriate, disable the affected identity and revoke any sign-in sessions.
    • Investigate any actions taken by the identity {{@usr.id}} during the identified time frame.