detecting-azure-lateral-movement
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-azure-lateral-movementCorrelate Azure AD logs to detect lateral movement attacks.
- Identifies privilege escalation and token theft patterns.
- Uses Microsoft Graph API and Azure Sentinel KQL.
- Analyzes sign-in anomalies for cross-tenant pivoting.
- Outputs structured alerts for SOC analysts.
SKILL.md
.github/skills/detecting-azure-lateral-movementView on GitHub ↗
--- name: detecting-azure-lateral-movement description: Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting. domain: cybersecurity subdomain: cloud-security tags: [azure, entra-id, lateral-movement, sentinel, kql, graph-api, cloud-security, threat-hunting] version: "1.0" author: mahipal license: Apache-2.0 --- # Detecting Azure Lateral Movement ## Overview Lateral movement in Azure AD/Entra ID differs from on-premises environments. Attackers pivot through OAuth application consent grants, service principal abuse, cross-tenant access policies, and stolen refresh tokens rather than SMB/RDP connections. Detection requires correlating Microsoft Graph API audit logs, Azure AD sign-in logs, and Entra ID protection risk events using KQL queries in Microsoft Sentinel. This skill covers building detection analytics for common Azure lateral movement techniques including application impersonation, mailbox delegation abuse, and conditional access policy bypasses. ## When to Use - When investigating security incidents that require detecting azure lateral movement - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Azure subscription with Microsoft Sentinel workspace configured - Azure AD P2 or Entra ID P2 license for risk-based sign-in detection - Microsoft Graph API permissions: AuditLog.Read.All, Directory.Read.All, SecurityEvents.Read.All - Log Analytics workspace ingesting AuditLogs, SigninLogs, and AADServicePrincipalSignInLogs - Familiarity with KQL (Kusto Query Language) ## Steps ### Step 1: Configure Log Ingestion Enable diagnostic settings to stream Azure AD logs to Log Analytics: - Sign-in logs (interactive and non-interactive) - Audit logs (directory changes, app consent) - Service principal sign-in logs - Provisioning logs - Risky users and risk detections ### Step 2: Build Detection Queries Create KQL analytics rules in Sentinel for: - Unusual service principal credential additions - OAuth application consent grants to unknown apps - Cross-tenant sign-ins from new tenants - Token replay from different IP/user-agent combinations - Mailbox delegation changes (FullAccess, SendAs) ### Step 3: Correlate Events Chain multiple low-confidence indicators into high-confidence lateral movement detections by correlating sign-in anomalies with directory changes within time windows. ### Step 4: Automate Response Create Sentinel playbooks (Logic Apps) to automatically revoke suspicious OAuth grants, disable compromised service principals, and enforce step-up authentication. ## Expected Output JSON report containing detected lateral movement indicators, correlated event chains, affected identities, and recommended containment actions with MITRE ATT&CK technique mappings.
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.