微信扫一扫article
README
🚀 BARK
BARK 是一款用于检测 Azure Active Directory (Azure AD) 中潜在特权提升攻击的工具。它通过分析 Microsoft Sentinel 中的审核日志,能够精准识别异常或高风险活动,为系统安全保驾护航。
🚀 快速开始
以下将详细介绍 BARK 在不同场景下的检测查询方法以及控制/预防措施。
✨ 主要特性
- 可对 Azure Active Directory (Azure AD) 进行潜在特权提升攻击检测。
- 通过分析 Microsoft Sentinel 中的审核日志识别异常或高风险活动。
💻 使用示例
基础用法
检测查询(用户作为行为者,用户作为目标)
AuditLogs
| where OperationName == "Add member to group"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Actor IP Address'] = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where TargetResources[0].type == "User"
| extend Target = tostring(TargetResources[0].userPrincipalName)
| where GroupName in~ ("PrivilegedGroup1","PrivilegedGroup2")
| project TimeGenerated, OperationName, Actor, ['Actor IP Address'], Target, GroupName
检测查询(用户作为行为者,服务主体作为目标)
AuditLogs
| where OperationName == "Add member to group"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Actor IP Address'] = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where TargetResources[0].type == "ServicePrincipal"
| where GroupName in~ ("PrivilegedGroup1","PrivilegedGroup2")
| project TimeGenerated, OperationName, Actor, ['Actor IP Address'], ['Target Service Principal Name'], ['Target Service Principal ObjectId'], GroupName
检测查询(服务主体作为行为者,用户作为目标)
AuditLogs
| where OperationName == "Add member to group"
| extend ['Actor Service Principal Name'] = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend ['Actor Service Principal ObjectId'] = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)
| where isnotempty(['Actor Service Principal ObjectId'])
| where ['Actor Service Principal Name'] != "MS-PIM"
| where TargetResources[0].type == "User"
| where GroupName in~ ("PrivilegedGroup1","PrivilegedGroup2")
| extend Target = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, ['Actor Service Principal Name'], ['Actor Service Principal ObjectId'], Target, GroupName
检测查询(服务主体作为行为者,服务主体作为目标)
AuditLogs
| where OperationName == "Add member to group"
| extend ['Actor Service Principal Name'] = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
🔧 控制/预防
文档中未提及具体的控制/预防内容,但在实际使用 BARK 时,可根据检测结果及时采取相应的安全措施,如限制异常用户或服务主体的权限等。
📚 相关链接
文档中未给出具体的相关链接,若有需要可进一步补充相关资源链接,以便用户获取更多信息。