| ID | Title and description | Threat definitions release |
|---|---|---|
| 11452 | New! CTD-000040: Azure AD guest account with an unredeemed invitation. This threat definition detects guest accounts whose invitation has not been redeemed. Whoever obtains the invitation link (for example from a compromised external mailbox) can redeem it and sign in to your tenant as that guest, so stale invitations are an entry point worth revoking. | 2023.01.0.7 |
| 11463 | New! CTD-000041: Azure AD tenant with unsecured token persistence. This threat definition detects if token persistence is not disabled for users holding admin roles. If a device used by an administrator is left unattended or compromised, a threat actor can extract the Primary Refresh Token (PRT) and replay it to access your tenant; because the PRT already carries the MFA claim, this bypasses MFA. | 2023.01.0.7 |
| 11730 | Updated! CTD-000010: Azure AD app with risky write permissions. Now, this threat definition also checks additional permissions, including: | 2023.01.0.7 |
| 11731 | New! CTD-000042: AAD: Azure AD tenant with Certificate-Based Authentication enabled. This threat definition detects if Certificate-Based Authentication is enabled and a root Certificate Authority is configured in the tenant. A threat actor who obtains a certificate chained to that CA (by stealing a user certificate or by compromising the CA itself) can sign in to the tenant without passing an MFA challenge. | 2023.01.0.7 |
| 11616 | Updated! CTD-000035: Privileged Azure AD account synced from on-premise. Now, this threat definition also finds synced users with an eligible (PIM) assignment to Azure AD roles, not only an active one. | 2022.12.0.1 |
| 10724 | New! CTD-000037: Objects with privileged SIDs in SID History. This threat definition finds AD objects whose sIDHistory attribute contains privileged SIDs (such as Domain Admins or Enterprise Admins). Threat actors may use SID History Injection (MITRE ATT&CK T1134.005) to escalate privileges and bypass access controls, since an injected SID is honoured in access tokens like a genuine group membership. | 2022.12.0.1 |
| 10759 | New! CTD-000012: Modified federation settings in Azure AD domain. This threat definition detects changes in the federation settings of Azure AD domains. A threat actor who can edit those settings (for example by adding a trusted token-signing certificate, the Golden SAML technique) can mint tokens for any user and access your tenant. This technique was used in the Solorigate (SolarWinds) attack. | 2022.12.0.1 |
| 11171 | New! CTD-000008: Azure AD app with client secrets. This threat definition finds applications that have client secrets. A threat actor who obtains a secret can request tokens as the application and act with all of its granted permissions, with no user interaction or MFA involved. | 2022.12.0.1 |
| 11226 | Updated! CTD-000018: Azure AD tenant with auditing disabled. Now, this threat definition detects changes in the audit logging configuration of your Azure AD tenants in real time, in addition to the scheduled check. | 2022.12.0.1 |
| 11462 | New! CTD-000034: Privileged AD user synced to Azure AD. This threat definition finds privileged AD users that are synced to Azure AD. Threat actors might compromise the regular user account in the tenant to get access to its privileged counterpart in Active Directory. | 2022.12.0.1 |
| 11481 | New! CTD-000038: Azure AD tenant with unsecured access to Azure management. This threat definition detects if Microsoft Azure Management (the Azure portal, Azure Resource Manager, and the CLI and PowerShell tools that call it) is not protected by multi-factor authentication, typically enforced through a Conditional Access policy targeting that app. Without MFA enforced, a threat actor who compromises an account's password gets immediate access to every subscription and resource that account can manage. | 2022.12.0.1 |
| 11507 | New! CTD-000039: Azure AD Application Registration with dangling URI. This threat definition finds Application Registrations with redirect URIs whose host name no longer has a corresponding Azure resource (for example a deleted App Service whose DNS name is still referenced). A threat actor who re-registers that name receives the authorization codes or tokens the identity provider redirects there and can use them to act on behalf of the application's users. | 2022.12.0.1 |
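The logic behind the SID History check (CTD-000037 above), as an added example that is not code from this page or from the product. It runs over constructed directory objects; in a real tenant the objects would come from an LDAP query returning distinguishedName and sIDHistory, and the set of known domain SIDs from the forest's trust configuration. The RID and BUILTIN tables cover the standard privileged principals and are an assumption about which groups you consider privileged.

```python
"""Flag AD objects whose sIDHistory attribute carries a privileged SID.

Added example (not code from the page or from the product): the logic
behind a check like CTD-000037, run over constructed directory objects.
"""
import re

# Domain-relative RIDs of the most privileged built-in principals.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
    526: "Key Admins",
    527: "Enterprise Key Admins",
}

# Privileged groups in the BUILTIN domain (same SID in every domain).
PRIVILEGED_BUILTIN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def classify_sid(sid):
    """Return (domain_sid, label) if `sid` is privileged, else None."""
    if sid in PRIVILEGED_BUILTIN:
        return "BUILTIN", PRIVILEGED_BUILTIN[sid]
    m = DOMAIN_SID_RE.match(sid)
    if m and int(m.group(2)) in PRIVILEGED_RIDS:
        return m.group(1), PRIVILEGED_RIDS[int(m.group(2))]
    return None


def find_privileged_sid_history(objects, known_domain_sids):
    """Return one finding per privileged SID found in any object's sIDHistory.

    `known_domain_sids` holds the domain SIDs of the forest and its trusted
    domains; a privileged SID from an unknown domain is still reported,
    since an injected SID need not belong to a domain you recognise.
    """
    findings = []
    for obj in objects:
        for sid in obj.get("sIDHistory", []):
            hit = classify_sid(sid)
            if hit is None:
                continue  # ordinary migrated SID, expected after a domain migration
            domain_sid, label = hit
            findings.append({
                "distinguishedName": obj["distinguishedName"],
                "sid": sid,
                "privilege": label,
                "foreign_domain": domain_sid != "BUILTIN" and domain_sid not in known_domain_sids,
            })
    return findings


# Constructed sample: a migrated user, an injected account, a group and a computer.
CURRENT_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
OLD_DOMAIN = "S-1-5-21-3623811015-3361044348-30300820"
SAMPLE_OBJECTS = [
    {"distinguishedName": "CN=alice,OU=Users,DC=corp,DC=example",
     "sIDHistory": [OLD_DOMAIN + "-1105"]},                       # benign migration artefact
    {"distinguishedName": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "sIDHistory": [CURRENT_DOMAIN + "-512", "S-1-5-32-544"]},  # Domain Admins + Administrators injected
    {"distinguishedName": "CN=helpdesk,OU=Groups,DC=corp,DC=example",
     "sIDHistory": ["S-1-5-21-99-99-99-519"]},                   # Enterprise Admins RID, unknown domain
    {"distinguishedName": "CN=WS01,OU=Workstations,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for finding in find_privileged_sid_history(SAMPLE_OBJECTS, {CURRENT_DOMAIN, OLD_DOMAIN}):
        print(finding)
```

Only the RID is matched, so the check catches privileged SIDs copied from the current domain as well as from an old or unknown one; the `foreign_domain` flag separates a migration that simply went wrong from a SID that could not have come from any legitimate migration.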
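The dangling redirect URI check (CTD-000039 above) comes down to resolving each redirect URI's host and asking whether an unresolvable name sits on a hosting suffix that anyone can claim. The following is an added example, not code from this page or from the product: DNS is injected through a `resolve` callable so the constructed sample runs offline (in production you would pass a function that performs real lookups), and the suffix list is an assumption, not a complete catalogue of claimable Azure services.

```python
"""Find app-registration redirect URIs whose host no longer backs a resource.

Added example (not the page's or the product's code) of the logic behind a
check like CTD-000039. `resolve(name)` returns a list of (rtype, target)
records, or None when the name does not exist (NXDOMAIN).
"""
from urllib.parse import urlsplit

# Hosting suffixes where a deleted resource's name can be re-registered by
# anyone (resource takeover). Constructed list; extend it for your tenant.
TAKEOVER_SUFFIXES = (
    "azurewebsites.net",
    "cloudapp.azure.com",
    "trafficmanager.net",
    "blob.core.windows.net",
    "azurefd.net",
)


def is_takeover_host(name):
    return any(name == s or name.endswith("." + s) for s in TAKEOVER_SUFFIXES)


def chase_cnames(host, resolve, max_hops=5):
    """Follow the CNAME chain from `host`; return (last_name, exists)."""
    name = host.lower().rstrip(".")
    for _ in range(max_hops):
        records = resolve(name)
        if records is None:
            return name, False
        cnames = [t.lower().rstrip(".") for rt, t in records if rt == "CNAME"]
        if not cnames:
            return name, True
        name = cnames[0]
    return name, True  # chain too long: stay silent rather than guess


def find_dangling_redirect_uris(app_registrations, resolve):
    """Return a finding for every redirect URI that leads (directly or via
    CNAME) to a non-existent name on a claimable hosting suffix."""
    findings = []
    for app in app_registrations:
        for uri in app.get("redirectUris", []):
            parts = urlsplit(uri)
            host = parts.hostname
            # Only web redirect URIs can be hijacked this way: skip custom
            # schemes (msal..., ms-appx-web) and loopback addresses.
            if parts.scheme not in ("http", "https") or not host:
                continue
            if host in ("localhost", "127.0.0.1", "::1"):
                continue
            last_name, exists = chase_cnames(host, resolve)
            if not exists and is_takeover_host(last_name):
                findings.append({
                    "appId": app["appId"],
                    "redirectUri": uri,
                    "unresolvedName": last_name,
                })
    return findings


# Constructed DNS view: None means NXDOMAIN.
SAMPLE_DNS = {
    "portal.contoso.com": [("A", "203.0.113.10")],
    "legacy.contoso.com": [("CNAME", "contoso-legacy.azurewebsites.net.")],
    "contoso-legacy.azurewebsites.net": None,  # App Service was deleted
    "contoso-old.azurewebsites.net": None,     # likewise
    "gone.contoso.com": None,                  # NXDOMAIN, but under a domain you control
}


def sample_resolver(name):
    return SAMPLE_DNS.get(name)


# Constructed application registrations.
SAMPLE_APPS = [
    {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "Portal",
     "redirectUris": ["https://portal.contoso.com/signin-oidc",
                      "https://legacy.contoso.com/signin-oidc",
                      "http://localhost:5000/callback"]},
    {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "Old site",
     "redirectUris": ["https://contoso-old.azurewebsites.net/.auth/login/aad/callback",
                      "https://gone.contoso.com/cb",
                      "ms-appx-web://microsoft.aad.brokerplugin/old-site"]},
]

if __name__ == "__main__":
    for finding in find_dangling_redirect_uris(SAMPLE_APPS, sample_resolver):
        print(finding)
```

A custom host name that CNAMEs to a deleted App Service is the common case, which is why the chain is followed to its end before the suffix is tested; an NXDOMAIN under your own zone (`gone.contoso.com` above) is still worth cleaning up but is not claimable by an outsider, so it is not reported.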
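Detecting modified federation settings (CTD-000012 above) is a snapshot comparison: record each domain's authentication type and federation configuration, re-read them on a schedule, and report every field that moved, with the fields an attacker must touch for a Golden SAML-style backdoor rated highest. The block below is an added example, not this page's or the product's code. The field names follow the Microsoft Graph domain and internalDomainFederation resources as assumed here, and both snapshots are constructed.

```python
"""Diff two snapshots of Azure AD domain federation settings.

Added example (not code from the page or the product) of the comparison
behind a check like CTD-000012. Snapshots are dicts keyed by domain name;
each entry has an authenticationType and an optional federation dict.
"""

# Changing any of these lets forged tokens be accepted for the domain, or
# moves the domain to a different identity provider altogether.
HIGH_RISK_FIELDS = {
    "authenticationType",   # Managed <-> Federated
    "issuerUri",
    "passiveSignInUri",
    "signingCertificate",
    "nextSigningCertificate",
}


def flatten_domain(entry):
    """Merge a domain record and its federation configuration into one flat dict."""
    flat = {"authenticationType": entry.get("authenticationType")}
    flat.update(entry.get("federation") or {})
    return flat


def diff_federation_settings(baseline, current):
    """Return {domain, field, before, after, severity} for every field that
    differs between the two snapshots, including newly federated domains."""
    findings = []
    for domain in sorted(set(baseline) | set(current)):
        before = flatten_domain(baseline.get(domain, {}))
        after = flatten_domain(current.get(domain, {}))
        for field in sorted(set(before) | set(after)):
            if before.get(field) != after.get(field):
                findings.append({
                    "domain": domain,
                    "field": field,
                    "before": before.get(field),
                    "after": after.get(field),
                    "severity": "high" if field in HIGH_RISK_FIELDS else "medium",
                })
    return findings


# Constructed baseline: one managed domain, one federated to on-premises AD FS.
# Certificate values are placeholders for base64 DER blobs.
BASELINE = {
    "contoso.com": {"authenticationType": "Managed", "federation": None},
    "corp.contoso.com": {
        "authenticationType": "Federated",
        "federation": {
            "issuerUri": "http://sts.corp.contoso.com/adfs/services/trust",
            "passiveSignInUri": "https://sts.corp.contoso.com/adfs/ls/",
            "signingCertificate": "<cert-corp-1>",
            "nextSigningCertificate": None,
            "preferredAuthenticationProtocol": "wsFed",
        },
    },
}

# Constructed current state: contoso.com was converted to federation with an
# unknown STS, and corp.contoso.com gained a second signing certificate.
CURRENT = {
    "contoso.com": {
        "authenticationType": "Federated",
        "federation": {
            "issuerUri": "http://sts.example.net/adfs/services/trust",
            "passiveSignInUri": "https://sts.example.net/adfs/ls/",
            "signingCertificate": "<cert-rogue>",
            "preferredAuthenticationProtocol": "wsFed",
        },
    },
    "corp.contoso.com": {
        "authenticationType": "Federated",
        "federation": {
            "issuerUri": "http://sts.corp.contoso.com/adfs/services/trust",
            "passiveSignInUri": "https://sts.corp.contoso.com/adfs/ls/",
            "signingCertificate": "<cert-corp-1>",
            "nextSigningCertificate": "<cert-corp-2>",
            "preferredAuthenticationProtocol": "saml",
        },
    },
}

if __name__ == "__main__":
    for finding in diff_federation_settings(BASELINE, CURRENT):
        if finding["severity"] == "high":
            print(finding)
```

Reporting every changed field, not only the high-severity ones, matters because a legitimate certificate rollover and a backdoor look identical at the field level; the severity only orders the triage, and the `before`/`after` values are what an analyst compares against the change ticket.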