Unusual Authentication by Microsoft 365 Azure AD Service Principal

Goal

Detect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.

Strategy

Using the New Value detection method, find when a Microsoft 365 Azure AD service principal uses a new @AuthenticationMethod.
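
The following is an added example, not Datadog's rule implementation: a minimal sketch of new-value detection keyed on the service principal, run over constructed sample events. The 7-day learning window, the flat event layout, and the method and request-type strings are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; attribute names follow this page, values are
# illustrative and not taken from the Microsoft 365 audit schema.
def _ev(ts, sp, method, req="OAuth2:Token"):
    return {"ts": ts, "usr.id": sp, "AuthenticationMethod": method,
            "ExtendedProperties.RequestType": req}

EVENTS = [
    _ev("2024-01-01T08:00:00", "sp-backup", "ClientSecret"),
    _ev("2024-01-03T08:00:00", "sp-backup", "ClientSecret"),
    _ev("2024-01-05T08:00:00", "sp-backup", "Certificate"),  # learned, no signal
    _ev("2024-01-10T08:00:00", "sp-backup", "ClientSecret"),
    _ev("2024-01-11T09:00:00", "sp-ci", "Certificate"),      # new principal
    _ev("2024-01-12T02:13:00", "sp-backup", "Password"),     # new value -> signal
    _ev("2024-01-12T09:00:00", "sp-ci", "ClientSecret"),     # still learning
    _ev("2024-01-13T02:15:00", "sp-backup", "Password"),     # already seen
]

LEARNING = timedelta(days=7)  # assumed learning window per service principal


def detect_new_values(events, learning=LEARNING):
    """Return events whose AuthenticationMethod is new for that service
    principal, ignoring values first seen inside the learning window."""
    first_seen = {}  # usr.id -> time of the principal's first event
    baseline = {}    # usr.id -> set of methods observed so far
    signals = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        sp, method = ev["usr.id"], ev["AuthenticationMethod"]
        start = first_seen.setdefault(sp, ts)
        seen = baseline.setdefault(sp, set())
        if method not in seen:
            if ts - start >= learning:
                signals.append(ev)
            seen.add(method)  # learn it either way so it fires only once
    return signals


if __name__ == "__main__":
    for s in detect_new_values(EVENTS):
        print(s["ts"], s["usr.id"], s["AuthenticationMethod"],
              s["ExtendedProperties.RequestType"])
```

Keeping the baseline per service principal rather than tenant-wide is what lets a method that is routine for one principal still raise a signal when another principal uses it for the first time.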

Triage and response

  1. Determine if the service principal {{@usr.id}} should be authenticating using the {{@AuthenticationMethod}} authentication method and {{@ExtendedProperties.RequestType}} request type.
  2. If {{@usr.email}} should not be authenticating using {{@AuthenticationMethod}}:
    • Investigate other activities performed by the user {{@usr.id}} using the Cloud SIEM - User Investigation dashboard.
    • If necessary, initiate your company’s incident response (IR) process.