Id: acfdee3f-b794-404a-aeba-ef6a1fa08ad1
Rulename: Azure DevOps Agent Pool Created Then Deleted
Description: As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a completely new agent pool and use it for execution.
Azure DevOps allows agent pools to be created on Azure-hosted infrastructure or on self-hosted infrastructure. Given the additional customizability of self-hosted agents, this detection focuses on the creation of new self-hosted pools.
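The correlation this rule relies on, written out as an added Python example rather than the rule's own KQL: pair each self-hosted pool creation with a deletion of the same pool inside a short window, and ignore Azure-hosted pools. The audit events are constructed, and the operation names and field names (OperationName, ActorUPN, Data.AgentPoolId, Data.AgentPoolName, Data.AgentCloudId) are assumptions modelled on the Azure DevOps audit log, so check them against your own AzureDevOpsAuditing data before reusing the logic.

```python
"""Added example (not the Sentinel rule's KQL): correlate creation of a
self-hosted Azure DevOps agent pool with its deletion inside a short window.

The audit events below are constructed. The operation and field names
(TimeGenerated, OperationName, ActorUPN, Data.AgentPoolId, Data.AgentPoolName,
Data.AgentCloudId) are assumptions modelled on the Azure DevOps audit log.
"""
from datetime import datetime, timedelta

POOL_CREATED = "Library.AgentPoolCreated"   # assumed operation names
POOL_DELETED = "Library.AgentPoolDeleted"

# Constructed sample: pool 11 is Azure-hosted, pool 12 is a short-lived
# self-hosted pool, pool 13 is a self-hosted pool that lived for weeks.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T09:00:00", "OperationName": POOL_CREATED,
     "ActorUPN": "alice@contoso.example",
     "Data": {"AgentPoolId": "11", "AgentPoolName": "build-hosted", "AgentCloudId": "1"}},
    {"TimeGenerated": "2024-05-01T10:00:00", "OperationName": POOL_DELETED,
     "ActorUPN": "alice@contoso.example",
     "Data": {"AgentPoolId": "11", "AgentPoolName": "build-hosted"}},
    {"TimeGenerated": "2024-05-01T09:05:00", "OperationName": POOL_CREATED,
     "ActorUPN": "mallory@contoso.example",
     "Data": {"AgentPoolId": "12", "AgentPoolName": "tmp-pool", "AgentCloudId": None}},
    {"TimeGenerated": "2024-05-01T11:30:00", "OperationName": POOL_DELETED,
     "ActorUPN": "mallory@contoso.example",
     "Data": {"AgentPoolId": "12", "AgentPoolName": "tmp-pool"}},
    {"TimeGenerated": "2024-05-02T08:00:00", "OperationName": POOL_CREATED,
     "ActorUPN": "bob@contoso.example",
     "Data": {"AgentPoolId": "13", "AgentPoolName": "long-lived", "AgentCloudId": None}},
    {"TimeGenerated": "2024-05-20T08:00:00", "OperationName": POOL_DELETED,
     "ActorUPN": "bob@contoso.example",
     "Data": {"AgentPoolId": "13", "AgentPoolName": "long-lived"}},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeGenerated"])


def is_self_hosted(event):
    """Pools backed by Azure-hosted VMs carry an AgentCloudId; self-hosted pools do not."""
    return not event["Data"].get("AgentCloudId")


def created_then_deleted(events, window=timedelta(days=1), self_hosted_only=True):
    """Return one alert per pool that was deleted within `window` of being created.

    Events are walked in time order, so a deletion only matches a creation that
    precedes it. With self_hosted_only=True, Azure-hosted pools are ignored,
    mirroring the rule's focus on self-hosted infrastructure.
    """
    creations = {}
    alerts = []
    for e in sorted(events, key=_ts):
        pool_id = e["Data"]["AgentPoolId"]
        if e["OperationName"] == POOL_CREATED:
            if self_hosted_only and not is_self_hosted(e):
                continue
            creations[pool_id] = e
        elif e["OperationName"] == POOL_DELETED:
            created = creations.pop(pool_id, None)
            if created is None:
                continue
            lifetime = _ts(e) - _ts(created)
            if lifetime <= window:
                alerts.append({
                    "AgentPoolId": pool_id,
                    "AgentPoolName": created["Data"]["AgentPoolName"],
                    "CreatedBy": created["ActorUPN"],
                    "DeletedBy": e["ActorUPN"],
                    "LifetimeMinutes": int(lifetime.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in created_then_deleted(SAMPLE_EVENTS):
        print(alert)
```

Only the short-lived self-hosted pool is reported; the hosted pool is dropped at the creation step and the long-lived pool falls outside the window. Widening the window trades recall against noise from legitimate test pools.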
Id: 3b9a44d7-c651-45ed-816c-eae583a6f2f1
Rulename: Azure DevOps Build Variable Modified by New User
Description: Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build.
As variables are often changed legitimately, alerting on every change would have a high false positive rate; this detection therefore only flags variable changes made by a user who has not previously been seen changing them.
Id: 155e9134-d5ad-4a6f-88f3-99c220040b66
Rulename: Azure DevOps Pipeline modified by a new user
Description: There are several pipeline steps that an attacker could modify to inject malicious code into the build cycle. A likely attacker path is modification of an existing pipeline they already have access to. This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline.
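The "new user" baseline used by both this rule and the build-variable rule above, as an added Python example (not the rules' own KQL): build the set of (actor, object) pairs seen creating or modifying each pipeline or variable group during a lookback period, then flag modifications in the current window whose pair is absent from that set. The events are constructed; the operation names, the field names (OperationName, ActorUPN, Data.PipelineName, Data.VariableGroupName) and the 14-day lookback and 1-day window are all assumptions modelled on the Azure DevOps audit log.

```python
"""Added example (not the Sentinel rules' KQL): flag pipeline or build-variable
changes by a user with no prior create/modify history for that object.

Events are constructed. Operation names, field names (OperationName, ActorUPN,
Data.PipelineName, Data.VariableGroupName) and the lookback/window lengths are
assumptions modelled on the Azure DevOps audit log.
"""
from datetime import datetime, timedelta

# Operations that count as "a change" (candidates) and those that seed the baseline.
PIPELINE_MODIFY = {"Release.ReleasePipelineModified"}
PIPELINE_BASELINE = PIPELINE_MODIFY | {"Release.ReleasePipelineCreated"}
VARIABLE_MODIFY = {"Library.VariableGroupModified"}
VARIABLE_BASELINE = VARIABLE_MODIFY | {"Library.VariableGroupCreated"}

NOW = datetime(2024, 5, 15, 12, 0, 0)   # evaluation time for the sample


def _ev(when, op, actor, **data):
    return {"TimeGenerated": when, "OperationName": op, "ActorUPN": actor, "Data": data}


SAMPLE_EVENTS = [
    # Baseline period (carol's edit is older than the lookback and must not count)
    _ev("2024-04-15T09:00:00", "Release.ReleasePipelineModified", "carol@contoso.example", PipelineName="deploy-prod"),
    _ev("2024-05-05T09:00:00", "Release.ReleasePipelineModified", "alice@contoso.example", PipelineName="deploy-prod"),
    _ev("2024-05-10T09:00:00", "Release.ReleasePipelineCreated", "bob@contoso.example", PipelineName="build-api"),
    _ev("2024-05-12T09:00:00", "Library.VariableGroupModified", "alice@contoso.example", VariableGroupName="prod-secrets"),
    # Detection window (last 24h before NOW); UPN case differs on purpose
    _ev("2024-05-15T10:00:00", "Release.ReleasePipelineModified", "alice@contoso.example", PipelineName="deploy-prod"),
    _ev("2024-05-15T10:05:00", "Release.ReleasePipelineModified", "Mallory@contoso.example", PipelineName="deploy-prod"),
    _ev("2024-05-15T10:10:00", "Release.ReleasePipelineModified", "bob@contoso.example", PipelineName="build-api"),
    _ev("2024-05-15T10:15:00", "Release.ReleasePipelineModified", "carol@contoso.example", PipelineName="deploy-prod"),
    _ev("2024-05-15T10:20:00", "Library.VariableGroupModified", "mallory@contoso.example", VariableGroupName="prod-secrets"),
    _ev("2024-05-15T10:25:00", "Library.VariableGroupModified", "alice@contoso.example", VariableGroupName="prod-secrets"),
]


def new_actor_changes(events, modify_ops, baseline_ops, object_key, now,
                      lookback=timedelta(days=14), window=timedelta(days=1)):
    """Return modify events in [now-window, now] whose (actor, object) pair
    never appeared in create/modify events during [now-lookback, now-window)."""
    history_start = now - lookback
    window_start = now - window
    baseline = set()
    candidates = []
    for e in events:
        t = datetime.fromisoformat(e["TimeGenerated"])
        if t < history_start or t > now:
            continue
        obj = e["Data"].get(object_key)
        if obj is None:
            continue
        pair = (e["ActorUPN"].lower(), obj)   # UPNs are case-insensitive
        if t < window_start:
            if e["OperationName"] in baseline_ops:
                baseline.add(pair)
        elif e["OperationName"] in modify_ops:
            candidates.append((pair, e))
    flagged, reported = [], set()
    for pair, e in candidates:
        if pair in baseline or pair in reported:
            continue
        reported.add(pair)   # one alert per (actor, object) per window
        flagged.append(e)
    return flagged


def new_pipeline_modifiers(events, now=NOW):
    return new_actor_changes(events, PIPELINE_MODIFY, PIPELINE_BASELINE, "PipelineName", now)


def new_variable_modifiers(events, now=NOW):
    return new_actor_changes(events, VARIABLE_MODIFY, VARIABLE_BASELINE, "VariableGroupName", now)


if __name__ == "__main__":
    for e in new_pipeline_modifiers(SAMPLE_EVENTS) + new_variable_modifiers(SAMPLE_EVENTS):
        print(e["ActorUPN"], e["OperationName"], e["Data"])
```

Two design points matter in practice: the baseline excludes the current window (otherwise the first edit in the window would whitelist itself), and a user whose only history predates the lookback is treated as new, which is the trade-off between lookback length and false positives that the rule descriptions allude to.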
Id: 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3
Rulename: Creation of expensive computes in Azure
Description: Identifies the creation of large or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure.
An adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining.
For Windows/Linux VM sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes. For Azure VM naming conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions.
Severity: Low
Tactics: DefenseEvasion
Techniques: T1578
Required data connectors: AzureActivity
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 1
Trigger operator: gt
Source Uri: https://github.
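How the "expensive" decision can be made from the VM size name alone, as an added Python example (not the rule's KQL and not from the Sentinel repository): parse the size string according to the naming convention linked above, treat the N-series families as GPU sizes, and apply a vCPU threshold. The AzureActivity records are constructed; the column names (OperationNameValue, ActivityStatusValue, Caller, Resource, Properties), the simplified Properties payload and the 32-vCPU cut-off are assumptions to verify against your own data.

```python
"""Added example (not the Sentinel rule's KQL): flag successful creation of
GPU-equipped or large VMs from Azure Activity records.

Records are constructed. The AzureActivity column names (OperationNameValue,
ActivityStatusValue, Caller, Resource, Properties), the simplified Properties
payload and the 32-vCPU threshold are assumptions. Size parsing follows the
Azure VM naming convention: Standard_<Family><vCPUs>[<features>]_<accel>_<ver>.
"""
import json
import re

# Family letters followed by the vCPU count; the rest of the name is ignored.
SIZE_RE = re.compile(r"^Standard_(?P<family>[A-Za-z]+)(?P<vcpus>\d+)")
GPU_FAMILY_PREFIX = "N"   # N-series (NC, ND, NV, ...) are the GPU families
VCPU_THRESHOLD = 32       # assumed cut-off for "large"
VM_WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"


def parse_vm_size(size):
    """Return {'family', 'vcpus', 'gpu'} for a Standard_* size name, else None."""
    m = SIZE_RE.match(size or "")
    if not m:
        return None
    family = m.group("family").upper()
    return {"family": family, "vcpus": int(m.group("vcpus")),
            "gpu": family.startswith(GPU_FAMILY_PREFIX)}


def is_expensive(size, vcpu_threshold=VCPU_THRESHOLD):
    info = parse_vm_size(size)
    return bool(info) and (info["gpu"] or info["vcpus"] >= vcpu_threshold)


def extract_vm_size(properties):
    """Pull hardwareProfile.vmSize out of a Properties blob whose responseBody
    may itself be a JSON string (as it is in AzureActivity)."""
    props = json.loads(properties) if isinstance(properties, str) else properties
    body = props.get("responseBody")
    if isinstance(body, str):
        try:
            body = json.loads(body)
        except json.JSONDecodeError:
            return None
    if not isinstance(body, dict):
        return None
    return body.get("properties", {}).get("hardwareProfile", {}).get("vmSize")


def _record(caller, status, size, op=VM_WRITE, resource="vm1"):
    """Build one constructed AzureActivity-like record for the sample."""
    body = json.dumps({"properties": {"hardwareProfile": {"vmSize": size}}})
    return {"Caller": caller, "OperationNameValue": op, "ActivityStatusValue": status,
            "Resource": resource, "Properties": json.dumps({"responseBody": body})}


SAMPLE_RECORDS = [
    _record("mallory@contoso.example", "Success", "Standard_NC24ads_A100_v4", resource="miner-01"),
    _record("bob@contoso.example", "Success", "Standard_D64s_v5", resource="etl-big"),
    _record("alice@contoso.example", "Success", "Standard_B2ms", resource="web-01"),
    _record("mallory@contoso.example", "Start", "Standard_ND96asr_v4", resource="miner-02"),
    _record("alice@contoso.example", "Success", "Standard_E64s_v5", op="MICROSOFT.COMPUTE/DISKS/WRITE"),
]


def expensive_vm_creations(records, vcpu_threshold=VCPU_THRESHOLD):
    """Return an alert for each successful VM write whose size is GPU or large."""
    alerts = []
    for r in records:
        if (r.get("OperationNameValue") or "").upper() != VM_WRITE:
            continue
        # Accept both status spellings seen across AzureActivity schema versions.
        if r.get("ActivityStatusValue") not in ("Success", "Succeeded"):
            continue
        size = extract_vm_size(r.get("Properties") or "{}")
        if size and is_expensive(size, vcpu_threshold):
            info = parse_vm_size(size)
            alerts.append({"Caller": r.get("Caller"), "Resource": r.get("Resource"),
                           "VmSize": size,
                           "Reason": "gpu" if info["gpu"] else f"{info['vcpus']} vCPUs"})
    return alerts


if __name__ == "__main__":
    for alert in expensive_vm_creations(SAMPLE_RECORDS):
        print(alert)
```

The in-progress ("Start") record for the ND96 machine is deliberately not reported: the rule fires on completed creations, so a failed or still-running deployment does not produce an alert. Tune VCPU_THRESHOLD to what is normal in your subscriptions.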
Id: 88f453ff-7b9e-45bb-8c12-4058ca5e44ee
Rulename: Microsoft Entra ID Hybrid Health AD FS New Server
Description: This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in a Microsoft Entra ID Hybrid Health AD FS service.
A threat actor can create a new Hybrid Health AD FS service and register a fake server instance in it to spoof AD FS sign-in logs. There is no need to compromise an on-premises AD FS server.
Id: 86a036b2-3686-42eb-b417-909fc0867771
Rulename: Microsoft Entra ID Hybrid Health AD FS Service Delete
Description: This detection uses AzureActivity logs (Administrative category) to identify the deletion of a Microsoft Entra ID Hybrid Health AD FS service instance in a tenant.
A threat actor can create a new Hybrid Health AD FS service and register a fake server in it to spoof AD FS sign-in logs.
The Hybrid Health AD FS service can then be deleted via HTTP requests to Azure once it is no longer needed, which removes the evidence of the fake server.
Id: 56fe0db0-6779-46fa-b3c5-006082a53064
Rulename: NRT Creation of expensive computes in Azure
Description: Identifies the creation of large or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure.
An adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining.
For Windows/Linux VM sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes. For Azure VM naming conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions.
Severity: Medium
Tactics: DefenseEvasion
Techniques: T1578
Required data connectors: AzureActivity
Kind: NRT
Source Uri: https://github.
Id: ec491363-5fe7-4eff-b68e-f42dcb76fcf6
Rulename: NRT Microsoft Entra ID Hybrid Health AD FS New Server
Description: This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in a Microsoft Entra ID Hybrid Health AD FS service.
A threat actor can create a new Hybrid Health AD FS service and register a fake server instance in it to spoof AD FS sign-in logs. There is no need to compromise an on-premises AD FS server.