The Adversary’s Path to Achieving Persistence
Once SCATTERED SPIDER gains access to a target organization, they work to ensure persistence in the environment. In one example, the adversary added unauthorized federated identity providers to Azure AD/Entra ID tenants, creating persistent backdoor access that bypasses standard security controls. This technique involves establishing trust relationships with attacker-controlled identity providers, allowing them to authenticate as legitimate users. Their federation manipulation remains effective even after password resets, making this a particularly dangerous persistence mechanism. This approach enables SCATTERED SPIDER to maintain access long after initial detection and remediation efforts.
Falcon Next-Gen SIEM provides numerous rule templates that may be leveraged to identify this attack vector, as well as similar attacks, as outlined within the list below:
- Microsoft – Entra ID – External Organization Connected to Directory
- Microsoft – Entra ID – Identity Provider Added
- Microsoft – Entra ID – Cross Tenant Partner Given Inbound Access
- Microsoft – Entra ID – Cross Tenant Partner User Syncing Enabled
- Microsoft – Entra ID – New Unverified Domain Added to Tenant
- Microsoft – Entra ID – Modification of Federated Identity Credentials for Service Principals or Applications
- Microsoft – Exchange – Persistence via IdP
- Microsoft – M365 Exchange Online – Persistence via Identity Provider
- Okta – SSO – IDP Provider Modification
- Okta – SSO – External IDP Modified
- Okta – SSO – Sign-In Events via Third-Party IdP
- Fortinet – NGFW – Identity Provider Added
- Fortinet – NGFW – Identity Provider Removed
Figure 3 shows the “Microsoft – M365 OneDrive & SharePoint – Excessive Data Download Activity” rule firing within Falcon Next-Gen SIEM.
Falcon Next-Gen SIEM extends detection capabilities into VMware environments, identifying malicious activities before full compromise occurs. Technical implementation details are available in the VMware integration documentation in Falcon Next-Gen SIEM.
Privilege Escalation in Cloud Environments
SCATTERED SPIDER operators deploy ransomware as a primary attack vector. While CrowdStrike Falcon® Insight XDR endpoint protection secures endpoints against these threats, unmonitored VMware infrastructure creates significant visibility gaps that attackers routinely exploit.
// Rule Name: Microsoft - Entra ID - Modification of Federated Identity Credentials for Service Principals or Applications
// Description: This rule detects the addition of a federated identity credential to a service principal or application registration, a tactic that adversaries may use to persist in an environment by creating and/or modifying service principals. For instance, adding a federated identity credential to a user-assigned managed identity service principal could potentially allow an adversary to authenticate and obtain an access token for the tenant from outside an Azure-owned resource. However, this attack would require the adversary to already possess high privileges within the tenant, granting them the ability to add credentials to applications.
// Severity: Low
// MITRE ATT&CK: T1556.007 - Modify Authentication Process: Hybrid Identity
//
// Detection Logic:
// - Identify targeted Microsoft products
// - Seek out instances where updates to the application or service principal are observed
// - Identify instances where modification events are present
#Vendor="microsoft" #event.dataset=/entraid.audit/ #repo!="xdr*"
| event.action="update-application" OR event.action="update-service-principal"
| case {
#event.module="azure" // Data Connector built for Microsoft Graph API; Parser: azuread-ecs
| split(Vendor.targetResources)
| split(Vendor.targetResources.modifiedProperties)
| Vendor.targetResources.modifiedProperties.displayName="FederatedIdentityCredentials";
#event.module="entraid" // Data Connector built for Microsoft Entra ID; Parser: entraid-ecs;
| split(Vendor.properties.targetResources)
| split(Vendor.properties.targetResources.modifiedProperties)
| Vendor.properties.targetResources.modifiedProperties.displayName="FederatedIdentityCredentials";
}
The following rule templates may be leveraged to identify this attack vector, as well as similar attacks:
Let’s now examine another rule in depth to see how CQL supports detection of potential malicious behavior involving persistence. The following query stems from the “Microsoft – Entra ID – Modification of Federated Identity Credentials for Service Principals or Applications” rule. This rule monitors modifications to federated identity credentials in Microsoft Entra ID, a technique frequently exploited by adversaries for persistence and privilege escalation.
SCATTERED SPIDER often pairs ransomware with data exfiltration techniques. Falcon Next-Gen SIEM implements several detection rules targeting these exfiltration methods:
- CrowdStrike – Endpoint – Exfiltration to File Sharing Services during Interactive RDP Session
- CrowdStrike – Endpoint – DNS Request For Online File Sharing Site From Unusual Image File Name
- Generic – Web – HTTP Request to Paste Site
- Microsoft – M365 OneDrive & SharePoint – Excessive Data Download Activity
Adversaries such as SCATTERED SPIDER consistently target Global Administrator privileges in Azure/Entra ID environments, demonstrating their sophisticated understanding of cloud security architecture. By escalating to Global Administrator status, these adversaries gain the ultimate access level within Microsoft’s identity management framework, enabling them to bypass security controls across the entire tenant. This privileged position allows them to modify authentication requirements, disable security features like MFA, and create persistent backdoor accounts while evading detection. Their methodical privilege escalation strategy reveals a calculated approach focused on achieving complete tenant control, highlighting why defending these elevated permissions is a critical security priority for organizations operating in Azure environments.
