Oct 31 2022 02:20 AM - edited Oct 31 2022 02:20 AM
Hi,
I've been tracking some activity which I think is somewhat malicious. Within sign-in logs I've noticed quite a few failures from user accounts under the application "Microsoft Azure CLI". Over the last month there has been an ever-increasing amount of this traffic from users that would have no reason (or business) to be signing into this application. 99% of attempts are failures, and I am wondering if there is some other process, unbeknown to the user, that could cause this error?
I am happy to share the excerpt below as an example as we definitely don't have staff in Russia! Or any of the other strange countries appearing for location.
Microsoft Azure CLI | Failure | 91.243.188.240 | Moskva, Moskva, RU |
I am the Cyber Analyst for my organisation but relatively new to the field, with only a newly qualified Apprentice and a TL with the same level of knowledge in Cyber as myself.
Thanks,
Stephen
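As an added example (not part of the original post), a small triage script over sign-in rows in the same pipe-delimited shape as the excerpt above: it keeps only "Microsoft Azure CLI" sign-ins from countries where the organisation has no staff, flags any single IP that is hitting several different user accounts (the pattern of a credential spray), and separately lists successes, since a success from an unexpected location is where the MFA and Conditional Access controls discussed later in the thread matter most. The sample rows, user names and the expected-country set are constructed for this example.

```python
"""Triage Azure AD sign-in log rows for 'Microsoft Azure CLI' activity."""
from collections import defaultdict

# Constructed sample rows: user | app | status | IP | location.
# The app/status/IP/location columns follow the excerpt quoted in the thread.
SAMPLE_ROWS = """\
alice@example.test | Microsoft Azure CLI | Failure | 91.243.188.240 | Moskva, Moskva, RU
bob@example.test | Microsoft Azure CLI | Failure | 91.243.188.240 | Moskva, Moskva, RU
carol@example.test | Microsoft Azure CLI | Failure | 91.243.188.240 | Moskva, Moskva, RU
dave@example.test | Microsoft Azure CLI | Success | 91.243.188.240 | Moskva, Moskva, RU
erin@example.test | Microsoft Azure CLI | Success | 203.0.113.7 | London, England, GB
frank@example.test | Office 365 Exchange Online | Failure | 198.51.100.9 | Hanoi, Ha Noi, VN
"""

WATCHED_APP = "Microsoft Azure CLI"
EXPECTED_COUNTRIES = {"GB"}   # assumption: countries where staff actually sign in
SPRAY_THRESHOLD = 3           # distinct accounts from one IP before we call it a spray


def parse_rows(text):
    """Parse pipe-delimited rows into dicts; the country is the last location token."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.strip().strip("|").split("|")]
        if len(parts) != 5:
            continue  # skip blank or malformed rows rather than guessing
        user, app, status, ip, location = parts
        country = location.rsplit(",", 1)[-1].strip()
        rows.append({"user": user, "app": app, "status": status,
                     "ip": ip, "country": country})
    return rows


def triage(rows, expected_countries=EXPECTED_COUNTRIES):
    """Return IPs spraying many accounts and any successes, both restricted to
    the watched app and to countries outside the expected set."""
    users_per_ip = defaultdict(set)
    successes = []
    for r in rows:
        if r["app"] != WATCHED_APP or r["country"] in expected_countries:
            continue
        users_per_ip[r["ip"]].add(r["user"])
        if r["status"] == "Success":
            successes.append(r)
    spray_ips = {ip: sorted(users) for ip, users in users_per_ip.items()
                 if len(users) >= SPRAY_THRESHOLD}
    return {"spray_ips": spray_ips, "foreign_successes": successes}


if __name__ == "__main__":
    findings = triage(parse_rows(SAMPLE_ROWS))
    for ip, users in findings["spray_ips"].items():
        print(f"spray candidate {ip}: {len(users)} accounts -> {', '.join(users)}")
    for r in findings["foreign_successes"]:
        print(f"SUCCESS from unexpected country: {r['user']} via {r['ip']} ({r['country']})")
```

Point the parser at an export of the sign-in log filtered to the application in question and review any IP that appears in `spray_ips`, plus every entry in `foreign_successes`, as a priority.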
Nov 01 2022 12:21 PM
Nov 01 2022 03:17 PM
This would be an example of how to implement the extra check: Conditional Access - Require MFA for Azure management - Azure Active Directory - Microsoft Entra | M.... This way they'd need to prove the second factor even if they gain access to valid credentials.
You could make a variant of this to just block Azure Management for non-admins, similar to the example described here: Block access to Azure Powershell Management (microsoft.com) or Block user access to Azure AD Powershell with Conditional Access - Microsoft Community Hub. In this case, you'd want to put your admins in a group that's excluded from the rule.
Please like and mark this thread as answered if it's helpful, thanks!
Nov 02 2022 01:59 AM
Nov 02 2022 08:10 AM
Hi Kurt,
Many thanks for your reply and the useful links. Trying to get our Sys Admin team to get their skates on with the CA policies. We had some webshell attacks a few weeks back, so I've been pushing for these controls.
Thanks,
Stephen
Nov 25 2022 08:49 AM
@Steph32UK I have seen quite a lot of login failures for Microsoft Azure CLI and a few successful. How did you get on blocking it? Are you still seeing attempts?
Nov 27 2022 01:03 AM
We have enrolled accounts onto MFA and are still working on the Conditional Access Policies. Unfortunately our Sys Admin team hold the control for CAP and are a little slow to get things done!!!!