[Meta] Midnight Blizzard (APT29) Azure TTPs Rule Coverage

[terrancedejesus]

Parent Epic (If Applicable)

Meta Summary

This meta has been created to capture research and analysis on recent public intelligence from Microsoft on Midnight Blizzard (aka APT29). Referenced below, several TTPs have been analyzed and released that detail abusing native Azure services such as Graph, authorization and authentication workflows with OAuth, entity accounts in Entra ID and much more.

The goal of this meta should be to assess the existing intelligence shared and publicly related information enough to setup proper infrastructure, conduct emulation and identify candid SIEM detection rule capabilities.

This may rely on integrations such as Azure and O365 for log ingestion and visibility.

Estimated Time to Complete

~2 sprint cycles (4 weeks)

Potential Blockers

No initial blockers but this may be subject to change as we explore.

Tasklist

Meta Tasks

Preview Give feedback

1. Provide Week 1 Update Comment
2. Provide Week 2 Update or Closeout Comment

While incomplete, I have started a task list of activity we should attempt to understand, emulate and test monitoring capabilities on.

Rule Coverage Tasks

Preview Give feedback

1. First Occurrence of OAuth Application and Azure API Call
2. Potential Password Spraying of O365/Entra ID Accounts
3. First Occurrence of OAuth Application Calls to Exchange
4. First Occurrence of User Leveraging Proxy Services for Azure
5. App with application-only permissions accessing numerous emails (MSFT Recommended)
6. Increase in app API calls to EWS after a credential update (MSFT Recommended)
7. Increase in app API calls to EWS (MSFT Recommended)
8. App metadata associated with suspicious mal-related activity (MSFT Recommended)
9. Suspicious user created an OAuth app that accessed mailbox items (MSFT Recommended)

Resources / References

• https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/