Detection content that uncovers attempts to steal AccessKey for the current session in Azure

‘The Suspicious Command Line Contains Azure TokenCache.dat as Argument’ community rule by the SOC Prime team is available at Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/MzSiYeDJ9PvW/ The TokenCache.dat file contains the AccessKey for the current session and is stored as a plaintext JSON file. Any manipulation of this file via the command line may indicate an attempt to steal the token so that it can later be used for malicious purposes.
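To show what the rule's logic looks like when applied to telemetry, here is an added Python example (it is not the SOC Prime rule itself, which lives on TDM) that scans constructed Sysmon process-creation events for a command line naming TokenCache.dat and emits a finding tagged with the rule's severity and ATT&CK techniques; the hosts, users and file paths in the sample events are made up.

```python
import json
import re

# Constructed Sysmon Event ID 1 (process creation) records; field names
# follow the Sysmon schema, the users, images and paths are invented.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": 'cmd.exe /c type "C:\\Users\\alice\\.Azure\\TokenCache.dat"'}),
    json.dumps({"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\notepad.exe",
                "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"}),
    json.dumps({"EventID": 1, "User": "CORP\\bob",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -c Get-Content $env:USERPROFILE\\.azure\\TOKENCACHE.DAT"}),
    json.dumps({"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
                "DestinationIp": "10.0.0.5"}),  # network event, carries no command line
]

# Match the file name as a whole token anywhere in the argument string,
# regardless of letter case, surrounding quotes or path separators.
TOKENCACHE_RE = re.compile(r"(?<![\w.])tokencache\.dat(?![\w.])", re.IGNORECASE)
TECHNIQUES = ("T1527", "T1003", "T1528")  # ATT&CK coverage the rule lists

def detect_tokencache_in_cmdline(raw_events):
    """Return one finding per Sysmon process-creation event whose command
    line names TokenCache.dat; events of any other type are ignored."""
    findings = []
    for idx, raw in enumerate(raw_events):
        ev = json.loads(raw)
        if ev.get("EventID") != 1:
            continue
        cmdline = ev.get("CommandLine", "")
        if TOKENCACHE_RE.search(cmdline):
            findings.append({
                "event_index": idx,
                "user": ev.get("User"),
                "image": ev.get("Image"),
                "command_line": cmdline,
                "severity": 3,
                "techniques": TECHNIQUES,
            })
    return findings

if __name__ == "__main__":
    for f in detect_tokencache_in_cmdline(SAMPLE_EVENTS):
        print(f"[sev {f['severity']}] {f['user']} ran {f['image']}: {f['command_line']}")
```

Triage of each finding still needs the parent process and user context from the same event, which is why the rule's actionability is rated below its severity.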

Rule Metrics:

  • Severity: 3 / 3;
  • Actionability (how much triage is required to make a decision based on the data source + alert): 2 / 3;
  • Pain Index (shows where the rule is on the Pyramid of Pain): 3 / 3;
  • SIEM Impact (anticipated rule impact on the average SIEM): 2 / 3.

You can find more information about these metrics in our blog: https://socprime.com/blog/siem-impact-pain-actionability-and-severity/

PLATFORMS: Sigma, ELK stack, Elasticsearch, elasticsearch-rule, Kibana, xpack-watcher, ArcSight ESM, ArcSight-keyword, SumoLogic, Qualys, IBM Qradar, Splunk, ala, ala-rule, RSA Netwitness, powershell, CarbonBlack.

LOG SOURCES: sysmon, security.

The rule covers three techniques according to the MITRE ATT&CK® methodology: Application Access Token (T1527), Credential Dumping (T1003), Steal Application Access Token (T1528).

/Stay safe