As we approach the fourth anniversary of the Entra ID Attack and Defense Playbook in October 2024, it’s a perfect time to reflect on its evolution and on the collective effort that, judging by the feedback we have received, has made it a valuable resource for security professionals.

The playbook began as a vision to consolidate common attack scenarios against Microsoft Entra ID (formerly Azure Active Directory) together with the corresponding mitigation and detection strategies. The vision quickly became a collaborative project that resonated with the community, leading to the first chapter on ‘Password Spray’ attacks. Over the years, the playbook has expanded to cover many more scenarios, insights based on real-world experience, and attack simulations.

The funny fact is that we’ve met each other in person only 3 times during the past 4.5 years: two times in the US at the MVP Summit and once at the Cloud Identity Summit in Cologne :)

Playbook Structure

The playbook is structured to provide a comprehensive guide to various attack scenarios. Detection and mitigation strategies for each scenario are built on the Microsoft security stack. The content is also aligned with the MITRE ATT&CK framework, so that each attack scenario and its detections and mitigations are positioned within the broader security landscape.

As we celebrate this milestone, we thank all the followers and contributors who have enriched the playbook with their expertise and feedback. The playbook is more than just a document; it’s a dynamic entity that continues to grow and adapt to the ever-changing cyber threat environment.

Here’s to many more years of safeguarding Entra ID environments together. As we look forward, we are confident that the playbook will continue to grow and evolve — Happy 4th anniversary to the Entra ID Attack and Defense Playbook.

The Entra ID Attack and Defense Playbook can be found on GitHub.

Chapters – Summary

Here is a short intro to every chapter included in the playbook. Alongside the chapter description, you can find when the chapter was initially created or updated and the authors’ names.

  • Password Spray Attack: The first chapter of the Entra ID Attack and Defense Playbook covers password spray attacks, including how they are executed, detected, and mitigated.
    • Created: November 2020 Updated: October 2022
    • Authors: Sami Lamppu, Thomas Naunheim
    • Link to the chapter: Password Spray

  • Illicit Consent Grant Attack: One of my favorite attack scenarios goes by many names: OAuth phishing attack, consent grant attack, or illicit consent grant attack. They all mean the same thing. This chapter elaborates on how attackers use applications registered in Entra ID to gain unauthorized access to data, and it emphasizes the importance of securing and monitoring the Entra ID consent framework and its activities.
    • Created: February 2021 Updated: September 2021, October 2022
    • Authors: Thomas Naunheim, Joosua Santasalo & Sami Lamppu
    • Link to the chapter: Illicit Consent Grant

  • Privileged Service Principals in Azure DevOps: The chapter discusses the risks of, and detection techniques for, privileged service principals in Azure DevOps (ADO), and highlights the challenges in auditing and securing these environments.
    • Created: July 2021 Updated: October 2022 (Added MITRE ATT&CK mapping)
    • Authors: Joosua Santasalo, Sami Lamppu, Thomas Naunheim
    • Link to the chapter: Abusing Service Principals outside of ADO

  • Abusing Microsoft Entra Connect Sync Service Account: Explores attacks targeting the Entra Connect sync service account and the corresponding detection methods. It provides insights into securing this critical component.
    • Created: March 2022 Updated: October 2022 (Added MITRE ATT&CK mapping)
    • Authors: Sami Lamppu and Thomas Naunheim
    • Link to the chapter: Abuse of Azure AD Connect Sync Service Account

  • Entra ID Security Config Analyzer (EIDSCA): In this chapter we took a different approach from the earlier ones: instead of walking through a typical Microsoft Entra ID attack path, it focuses on the proactive side and on how organizations can monitor and strengthen their Entra ID security posture. For this purpose, we created the ‘Entra ID Security Config Analyzer’, aka ‘EIDSCA’. Its primary objective is to detect and give visibility into weak Entra ID configurations and to provide mitigations for the findings.
  • It is worth mentioning that this has been the longest and, at the same time, the hardest chapter we have ever made. The architecture has remained the same, but we have already released the third version of EIDSCA, and v4 is on the drawing board.
    • Created: March 2023 Updated: February 2024
    • Authors: Thomas Naunheim, Sami Lamppu & Markus Pitkäranta
    • Link to the chapter: Entra ID Security Config Analyzer

Initial announcement figure of EIDSCA, before Azure Active Directory was renamed

  • Replay of the Primary Refresh Token: This chapter covers attacks in which a Primary Refresh Token (PRT) or another issued token is replayed from an Entra ID joined device to gain unauthorized access, including detection methods and mitigation techniques.
    • Created: August 2022 Updated: October 2022 (Added MITRE ATT&CK mapping), January 2023 (Added refresh token attack scenarios)
    • Authors: Sami Lamppu and Thomas Naunheim
    • Link to the chapter: Replay of PRT and other issued tokens from an AAD joined device

  • Adversary-in-the-Middle (AiTM): The newest chapter focuses on AiTM attacks. According to the latest Microsoft Digital Defense Report (MDDR), identity-based attacks are still growing; over 99% of identity attacks are password attacks (7,000 password attacks blocked per second), but don’t forget AiTM and token replay attacks.
  • The report states: ‘Although token theft results in far fewer identity compromises than password attacks, our detections indicate incidents have grown to an estimated 39,000 per day. Moreover, over the last year, we’ve seen a 146% rise in AiTM phishing attacks’.
  • This chapter provides deep insights into the attack, its detections, and mitigations.
    • Created: September 2024
    • Authors: Sami Lamppu and Thomas Naunheim
    • Reviewers: Fabian Bader, Joosua Santasalo
    • Link to the chapter: Adversary-in-the-Middle (AiTM) Attacks

AiTM chapter promo figure

  • Identity Security Monitoring (Appendix): This section describes guidelines and best practices for monitoring identity security, including tools and techniques for detecting and responding to identity-related threats.
    • Created: December 2020 Updated: November 2022
    • Author: Thomas Naunheim
  • Lateral Movement from AD to Entra ID (Appendix): Describes techniques attackers use to move laterally from on-premises Active Directory to Entra ID, with strategies for detection and prevention.

A typical day at the Office

Looking back over the past four years, our approach to working with the content has stayed largely the same. The model we have used can be divided into three phases. Let’s take a look at each of them.

Planning

Everything starts with planning, right? As in every project, planning is half of the work. In this phase, setting the scope is the most crucial task. For example, when we were planning the chapter ‘Replay of the Primary Refresh Token and other issued tokens from an Azure AD joined device’, we limited the scope to specific token replay scenarios. We deliberately left much of the research out, because the full topic was too broad and would have become a never-ending story.

One important factor to consider in the planning phase is our personal lives. There are quite a few moving parts in our personal lives, as well as in our hectic day jobs; Thomas is also really active in community engagements. That said, a typical timeline for each chapter has been somewhere around 3-6 months. You might wonder how on earth it can take so long 🙂 Security research is a time-consuming task, and we’re (unfortunately) not doing this playbook as our daily job, even though we would like to. We also have high demands on ourselves and our work: we want to be sure about the research outcome, the quality of the detections, and the overall quality of the playbook’s written content. To summarize:

  • Intensive security research takes time
  • The detection part is always challenging
  • Quality: QA by us and other community members is the last piece of the puzzle

Research

When the scope has been set, we divide the work between the collaborators. This makes us more efficient and allows everyone to push their own area forward. We also have weekly status calls to discuss each area’s status, pain points, and next steps. In addition, we use Teams channels for discussions and brainstorming.

In this phase, the main focus is on the research work itself: reproducing the attack, building detections, and finding the right mitigations for the attack. And, of course, testing and simulating everything dozens of times 🙂

Conclusion / Summary

Every security researcher loves documentation! In the last phase, we document our research and put everything down on paper. It might be obvious, but this part also takes a lot of time: documenting and reviewing the written content, the KQL queries, and the rest of the material is a time-consuming task. The idea is that if I’m writing content, Thomas does the QA, and vice versa. After countless Teams calls, sparring through chat, and verifying the results, we are finally ready to publish our work. It is always a fascinating moment (at least for me) to hear the community’s feedback!

A Tribute to the Contributors

From Thomas Naunheim’s initial idea to the collective group of security experts, each contribution has been pivotal. We are deeply grateful to all community members who have been part of this journey. Special thanks to Joosua Santasalo, Markus Pitkäranta, Fabian Bader, Christopher Brumm, Robbe Van den Daele and Tony Redmond. Their roles as contributors and reviewers have been crucial, enriching the playbook with insights and comments based on real-world scenarios and attack simulations.

How to become part of the project and contribute?

  • Update or new content (Pull Request): As mentioned, we would like this to be a living document driven by the security and identity community! Share your results and insights as part of this project by sending a pull request to add your content.
  • Issues/Outdated content: Protection features and tools change continually. Update the outdated content (as part of a pull request) or create an issue to point it out.
  • Reviewer: We are also looking for experts who want to review or discuss existing or new content before publishing!
  • Feedback: Feel free to suggest attack/defense scenarios that could interest the community. We will add them to the backlog and idea collection!

What’s Next?

There is more to come. We have several topics on the table, and we plan to start working on a new chapter early next year. EIDSCA v4 is also in progress. Stay tuned!

If you would like to participate in our research work, you can also become part of the project and contribute. More information is on GitHub.