-
Notifications
You must be signed in to change notification settings - Fork 522
/
Copy pathdefense_evasion_azure_blob_permissions_modified.toml
96 lines (78 loc) · 6.03 KB
/
defense_evasion_azure_blob_permissions_modified.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
[metadata]
creation_date = "2021/09/22"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"
[rule]
author = ["Austin Songer"]
description = """
Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An
adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may
inadvertently modify the permissions, which could lead to data exposure or loss.
"""
false_positives = [
"""
Blob permissions may be modified by system administrators. Verify that the configuration change was expected.
Exceptions can be added to this rule to filter expected behavior.
""",
]
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Blob Permissions Modification"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Azure Blob Permissions Modification
Azure Blob Storage is a service for storing large amounts of unstructured data. It uses Azure RBAC to manage access, ensuring only authorized users can modify or access data. Adversaries may exploit this by altering permissions to gain unauthorized access or disrupt operations. The detection rule monitors specific Azure activity logs for successful permission changes, alerting analysts to potential security breaches or misconfigurations.
### Possible investigation steps
- Review the Azure activity logs to identify the user or service principal associated with the permission modification event by examining the relevant fields such as `event.dataset` and `azure.activitylogs.operation_name`.
- Check the `event.outcome` field to confirm the success of the permission modification and gather details on the specific permissions that were altered.
- Investigate the context of the modification by reviewing recent activities of the identified user or service principal to determine if the change aligns with their typical behavior or role.
- Assess the potential impact of the permission change on the affected Azure Blob by evaluating the sensitivity of the data and the new access levels granted.
- Cross-reference the modification event with any recent security alerts or incidents to identify if this change is part of a broader attack pattern or misconfiguration issue.
- Consult with the relevant data owners or administrators to verify if the permission change was authorized and necessary, and if not, take corrective actions to revert the changes.
### False positive analysis
- Routine administrative changes to Azure Blob permissions by authorized personnel can trigger alerts. To manage this, create exceptions for specific user accounts or roles that frequently perform legitimate permission modifications.
- Automated scripts or tools used for regular maintenance or deployment might modify permissions as part of their operation. Identify these scripts and exclude their activity from triggering alerts by using specific identifiers or tags associated with the scripts.
- Scheduled updates or policy changes that involve permission modifications can result in false positives. Document these schedules and adjust the monitoring rules to account for these timeframes, reducing unnecessary alerts.
- Integration with third-party services that require permission changes might cause alerts. Review and whitelist these services if they are verified and necessary for operations, ensuring they do not trigger false positives.
### Response and remediation
- Immediately revoke any unauthorized permissions identified in the Azure Blob Storage to prevent further unauthorized access or data exposure.
- Conduct a thorough review of the Azure Activity Logs to identify any other suspicious activities or permission changes that may have occurred around the same time.
- Notify the security team and relevant stakeholders about the incident, providing details of the unauthorized changes and any potential data exposure.
- Implement additional monitoring on the affected Azure Blob Storage accounts to detect any further unauthorized access attempts or permission modifications.
- Escalate the incident to the incident response team if there is evidence of a broader security breach or if sensitive data has been compromised.
- Review and update Azure RBAC policies to ensure that only necessary permissions are granted, and consider implementing more granular access controls to minimize the risk of future unauthorized modifications.
- Conduct a post-incident analysis to identify the root cause of the permission change and implement measures to prevent similar incidents in the future, such as enhancing logging and alerting capabilities.
## Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"]
risk_score = 47
rule_id = "d79c4b2a-6134-4edd-86e6-564a92a933f9"
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: Azure",
"Use Case: Identity and Access Audit",
"Tactic: Defense Evasion",
"Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(
"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION" or
"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION") and
event.outcome:(Success or success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"