An account has executed O365 operations using tools, scripting engines or command line interfaces that attackers could use maliciously.
Possible Root Causes
An attacker is "living off the land" through the misuse of authorized tools (curl, AutoHotKey32, etc.) to further their attack.
An attacker has used a scripting engine (PowerShell, Python, and others) to build and execute attack tools.
When the attacker is not careful, these tools submit their default User-Agent strings, indicating that the operation was not performed interactively by a legitimate human user.
Automation tools and scripts are sometimes used by power users and IT personnel to access O365.
Business Impact
Automated tools increase attack speed and volume while reducing human error; attackers who successfully leverage them can move faster and, in some cases, with a lower chance of detection.
Use of automation tools is a "force multiplier" that increases the chances of a successful breach and data exfiltration, significantly increasing risk to the enterprise.
Steps to Verify
Investigate the O365 operations in the context of the user and verify whether this user would reasonably perform these types of operations.
Investigate the tooling or scripting engine to validate whether it is an appropriate and approved tool for a user of this type.
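The following is an added example, not code from the original page or from the detection vendor, showing how the User-Agent check described under Possible Root Causes and the two verification steps above can be run over O365 audit records. The audit records, the user names, the IP addresses and the APPROVED_AUTOMATION allowlist are all constructed for the example; TOOL_SIGNATURES is an assumed starting list of default User-Agent fingerprints (curl, Wget, python-requests, Windows PowerShell and PowerShell 7, AutoHotkey, Go and Java HTTP clients) and would need tuning for a real tenant. Real Unified Audit Log records place UserAgent at the top level for some workloads and inside ExtendedProperties for others; the sample flattens it to a top-level field.

```python
import re
from collections import defaultdict

# Assumed starting list of default User-Agent fingerprints for automation tools
# and scripting engines. Patterns are searched (not anchored) where the tool
# prefixes its UA with "Mozilla/5.0 (...)", as PowerShell does.
TOOL_SIGNATURES = [
    (re.compile(r"(Windows)?PowerShell/\d"), "PowerShell"),
    (re.compile(r"^python-(requests|urllib|httpx)/|^Python/"), "Python"),
    (re.compile(r"^curl/"), "curl"),
    (re.compile(r"^Wget/"), "wget"),
    (re.compile(r"^AutoHotkey"), "AutoHotkey"),
    (re.compile(r"^Go-http-client/"), "Go net/http"),
    (re.compile(r"^(Java|okhttp)/"), "Java"),
]

# Constructed sample audit records (not real data); only the fields the check uses.
SAMPLE_RECORDS = [
    {"UserId": "alice@contoso.example", "Operation": "FileAccessed", "ClientIP": "203.0.113.10",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"},
    {"UserId": "alice@contoso.example", "Operation": "FileDownloaded", "ClientIP": "203.0.113.10",
     "UserAgent": "python-requests/2.31.0"},
    {"UserId": "svc-backup@contoso.example", "Operation": "FileSyncDownloadedFull", "ClientIP": "198.51.100.5",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/7.4.0"},
    {"UserId": "bob@contoso.example", "Operation": "MailItemsAccessed", "ClientIP": "192.0.2.77",
     "UserAgent": "curl/8.4.0"},
    {"UserId": "carol@contoso.example", "Operation": "MailItemsAccessed", "ClientIP": "203.0.113.44",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"},
    {"UserId": "dave@contoso.example", "Operation": "FileDownloaded", "ClientIP": "192.0.2.9",
     "UserAgent": "AutoHotkey"},
    {"UserId": "bob@contoso.example", "Operation": "Add-MailboxPermission", "ClientIP": "192.0.2.77",
     "UserAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023"},
    {"UserId": "eve@contoso.example", "Operation": "UserLoggedIn", "ClientIP": "198.51.100.200",
     "UserAgent": ""},
]

# Constructed allowlist of (user, tool) pairs that IT has approved for automation.
# This is the "approved tool for a user of this type" check from the verification steps.
APPROVED_AUTOMATION = {("svc-backup@contoso.example", "PowerShell")}


def classify_user_agent(user_agent):
    """Return the tool family behind a User-Agent, or None for an ordinary browser."""
    if not user_agent:
        # Scripted API clients frequently send no User-Agent at all; treat as non-interactive.
        return "no-user-agent"
    for pattern, label in TOOL_SIGNATURES:
        if pattern.search(user_agent):
            return label
    return None


def find_scripted_access(records, approved_automation):
    """Flag every record whose User-Agent points at a tool or scripting engine."""
    findings = []
    for rec in records:
        tool = classify_user_agent(rec.get("UserAgent"))
        if tool is None:
            continue  # interactive browser traffic is out of scope for this detection
        findings.append({
            "user": rec["UserId"],
            "tool": tool,
            "operation": rec["Operation"],
            "client_ip": rec.get("ClientIP", ""),
            "approved": (rec["UserId"], tool) in approved_automation,
        })
    return findings


def summarize_by_user(findings):
    """Group findings per account so the analyst can judge them in the user's context."""
    grouped = defaultdict(lambda: {"tools": set(), "operations": 0, "unapproved": 0})
    for f in findings:
        entry = grouped[f["user"]]
        entry["tools"].add(f["tool"])
        entry["operations"] += 1
        if not f["approved"]:
            entry["unapproved"] += 1
    return {
        user: {"tools": sorted(e["tools"]), "operations": e["operations"], "unapproved": e["unapproved"]}
        for user, e in grouped.items()
    }


if __name__ == "__main__":
    for user, entry in summarize_by_user(find_scripted_access(SAMPLE_RECORDS, APPROVED_AUTOMATION)).items():
        status = "approved automation" if entry["unapproved"] == 0 else "REVIEW"
        print(f"{user}: tools={entry['tools']} operations={entry['operations']} [{status}]")
```

The per-user summary is the starting point for the first verification step: the service account shows only its approved PowerShell automation, while bob@contoso.example mixes curl against mailbox data with a Windows PowerShell mailbox-permission change from the same IP, which is the pattern that warrants talking to the user and checking the tool against the approved list. Note that the detection relies on the attacker leaving the default User-Agent in place; a careful attacker will spoof a browser string, so a clean classification result is not proof of interactive use.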
Azure AD Unusual Scripting Engine Usage