In the case of Azure AD abuse, detection should focus on collection and analysis of sign-in and audit logs. These tools are not as likely to be used for malicious purposes on compromised endpoints but are used remotely to conduct attacks on cloud and identity infrastructure. Increasingly, adversaries utilize popular PowerShell modules like AzureAD, Azure, Microsoft.Graph, and AADInternals to perform attacks against cloud and SaaS environments upon compromising an Azure AD identity.

.NET methods, among other PowerShell features

Adversaries also occasionally leverage PowerShell to disable Windows security tools and to decrypt encrypted or obfuscated payloads.
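
The sign-in log analysis described above, as an added example that is not part of the original page: it flags successful sign-ins made through PowerShell module client apps by accounts that are not expected to use them. The app display names, the `expected_users` allowlist and the sample records are assumptions constructed for illustration; confirm the names against your own tenant's logs.

```python
import json
from collections import defaultdict

# Assumed display names under which the PowerShell modules show up in
# sign-in logs; verify them in your tenant before relying on this list.
WATCHED_APPS = {
    "Azure Active Directory PowerShell",
    "Microsoft Azure PowerShell",
    "Microsoft Graph PowerShell",
    "Microsoft Graph Command Line Tools",
}

# Constructed sample export, one JSON sign-in record per line.
SAMPLE_LOG = """
{"createdDateTime":"2024-01-10T09:00:00Z","userPrincipalName":"admin@contoso.example","appDisplayName":"Microsoft Graph PowerShell","ipAddress":"198.51.100.10","status":{"errorCode":0}}
{"createdDateTime":"2024-01-10T09:05:00Z","userPrincipalName":"jdoe@contoso.example","appDisplayName":"Azure Active Directory PowerShell","ipAddress":"203.0.113.7","status":{"errorCode":0}}
{"createdDateTime":"2024-01-10T09:06:00Z","userPrincipalName":"jdoe@contoso.example","appDisplayName":"Office 365 Exchange Online","ipAddress":"203.0.113.7","status":{"errorCode":0}}
{"createdDateTime":"2024-01-10T09:07:00Z","userPrincipalName":"msmith@contoso.example","appDisplayName":"Microsoft Azure PowerShell","ipAddress":"203.0.113.9","status":{"errorCode":50126}}
{"createdDateTime": truncated line
"""


def flag_powershell_signins(lines, expected_users):
    """Return {user: [(time, app, ip), ...]} for successful sign-ins through
    a watched app by accounts outside expected_users (lowercase UPNs)."""
    hits = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or truncated export lines
        if ev.get("appDisplayName") not in WATCHED_APPS:
            continue
        if (ev.get("status") or {}).get("errorCode") != 0:
            continue  # errorCode 0 marks a successful sign-in
        user = (ev.get("userPrincipalName") or "").lower()
        if user in expected_users:
            continue
        hits[user].append(
            (ev.get("createdDateTime"), ev["appDisplayName"], ev.get("ipAddress"))
        )
    return dict(hits)


if __name__ == "__main__":
    allow = {"admin@contoso.example"}
    for user, events in flag_powershell_signins(SAMPLE_LOG.splitlines(), allow).items():
        print(user, events)
```
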