Files
Anthropic-Cybersecurity-Skills/skills/detecting-azure-lateral-movement/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

3.2 KiB

name, description, domain, subdomain, tags, version, author, license, nist_csf, mitre_attack
name description domain subdomain tags version author license nist_csf mitre_attack
detecting-azure-lateral-movement Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting. cybersecurity cloud-security
azure
entra-id
lateral-movement
sentinel
kql
graph-api
cloud-security
threat-hunting
1.0 mahipal Apache-2.0
PR.IR-01
ID.AM-08
GV.SC-06
DE.CM-01
T1078.004
T1550.001
T1021.007
T1098.003
T1528

Detecting Azure Lateral Movement

Overview

Lateral movement in Azure AD/Entra ID differs from on-premises environments. Attackers pivot through OAuth application consent grants, service principal abuse, cross-tenant access policies, and stolen refresh tokens rather than SMB/RDP connections. Detection requires correlating Microsoft Graph API audit logs, Azure AD sign-in logs, and Entra ID protection risk events using KQL queries in Microsoft Sentinel. This skill covers building detection analytics for common Azure lateral movement techniques including application impersonation, mailbox delegation abuse, and conditional access policy bypasses.

When to Use

  • When investigating security incidents that require detecting azure lateral movement
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Azure subscription with Microsoft Sentinel workspace configured
  • Azure AD P2 or Entra ID P2 license for risk-based sign-in detection
  • Microsoft Graph API permissions: AuditLog.Read.All, Directory.Read.All, SecurityEvents.Read.All
  • Log Analytics workspace ingesting AuditLogs, SigninLogs, and AADServicePrincipalSignInLogs
  • Familiarity with KQL (Kusto Query Language)

Steps

Step 1: Configure Log Ingestion

Enable diagnostic settings to stream Azure AD logs to Log Analytics:

  • Sign-in logs (interactive and non-interactive)
  • Audit logs (directory changes, app consent)
  • Service principal sign-in logs
  • Provisioning logs
  • Risky users and risk detections

Step 2: Build Detection Queries

Create KQL analytics rules in Sentinel for:

  • Unusual service principal credential additions
  • OAuth application consent grants to unknown apps
  • Cross-tenant sign-ins from new tenants
  • Token replay from different IP/user-agent combinations
  • Mailbox delegation changes (FullAccess, SendAs)

Step 3: Correlate Events

Chain multiple low-confidence indicators into high-confidence lateral movement detections by correlating sign-in anomalies with directory changes within time windows.

Step 4: Automate Response

Create Sentinel playbooks (Logic Apps) to automatically revoke suspicious OAuth grants, disable compromised service principals, and enforce step-up authentication.

Expected Output

JSON report containing detected lateral movement indicators, correlated event chains, affected identities, and recommended containment actions with MITRE ATT&CK technique mappings.