Detect Acquire Access in CrowdStrike LogScale
This detection identifies indicators that adversaries have leveraged purchased or brokered access to compromise an environment — the operational signature left when Initial Access Broker (IAB)-sold footholds are activated. Because T1650 itself is a pre-compromise preparation activity, detection focuses on anomalous authentication patterns consistent with a new threat actor using previously established access: first-use logons from novel geolocations for established accounts, high-risk sign-ins immediately followed by reconnaissance activity, web shell process ancestry patterns indicative of broker-planted backdoors, and external remote service sessions from IPs with no prior organizational history. Correlating Azure AD risk signals with unusual lateral movement timing provides the strongest detection fidelity.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1650 Acquire Access
- Canonical reference
- https://attack.mitre.org/techniques/T1650/
LogScale Detection Query
#event_simpleName = "UserActivityAuditEvent"
| EventName = /(?i)(add|delete|consent|update|create)/
| UserName != /(?i)(service-|automation-|pipeline-)/
| case {
    EventName = /(?i)delete/ | RiskScore := "High" ;
    EventName = /(?i)consent/ | RiskScore := "High" ;
    EventName = /(?i)(add|create)/ | RiskScore := "Medium" ;
    * | RiskScore := "Low"
  }
| RiskScore != "Low"
| table([UserName, EventName, TargetObjectId, SourceIPAddress, RiskScore, @timestamp])
| sort(@timestamp, order=desc, limit=100)

CrowdStrike LogScale CQL detection for Acquire Access (T1650). Note that the query keys on Falcon UserActivityAuditEvent records rather than on sign-in telemetry: add/create, delete, consent and update actions by non-service identities (UserName not prefixed service-, automation- or pipeline-) are scored by the case block in order, delete and consent as High, add/create as Medium, and anything else (update included) as Low. The RiskScore != "Low" gate then drops the Low rows, so only High and Medium events reach the table, newest first, capped at 100. Because the regexes are unanchored substring matches, an EventName such as updateAddress also matches add and is scored Medium; tighten the patterns to your tenant's actual EventName values when tuning.
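The same filter-and-score logic run in Python over constructed UserActivityAuditEvent records, so the query's behaviour can be checked offline before it is deployed. This is an added example, not code from the original page or from CrowdStrike; the sample events are made up and the field names (EventName, UserName, TargetObjectId, SourceIPAddress) are taken from the query above rather than from a verified Falcon schema.

```python
import re

# Regexes mirroring the CQL filters; LogScale's inline (?i) becomes re.IGNORECASE.
EVENT_NAME_RE = re.compile(r"add|delete|consent|update|create", re.IGNORECASE)
EXCLUDED_USER_RE = re.compile(r"service-|automation-|pipeline-", re.IGNORECASE)


def risk_score(event_name: str) -> str:
    """Mirror the case{} block: the first matching branch wins, so an event
    named deleteAndCreate is High, not Medium."""
    if re.search("delete", event_name, re.IGNORECASE):
        return "High"
    if re.search("consent", event_name, re.IGNORECASE):
        return "High"
    if re.search("add|create", event_name, re.IGNORECASE):
        return "Medium"
    return "Low"


def run_detection(events, limit=100):
    """Apply the query's filters in order and return the rows table() would
    show, newest first, capped like sort(@timestamp, order=desc, limit=100)."""
    rows = []
    for ev in events:
        if ev.get("#event_simpleName") != "UserActivityAuditEvent":
            continue
        name = ev.get("EventName", "")
        if not EVENT_NAME_RE.search(name):
            continue
        # UserName != /regex/ : drop service, automation and pipeline identities.
        if EXCLUDED_USER_RE.search(ev.get("UserName", "")):
            continue
        score = risk_score(name)
        if score == "Low":
            continue  # the RiskScore != "Low" gate drops update events
        rows.append({
            "UserName": ev.get("UserName"),
            "EventName": name,
            "TargetObjectId": ev.get("TargetObjectId"),
            "SourceIPAddress": ev.get("SourceIPAddress"),
            "RiskScore": score,
            "@timestamp": ev.get("@timestamp"),
        })
    # ISO-8601 timestamps in one fixed format sort correctly as strings.
    rows.sort(key=lambda r: r["@timestamp"], reverse=True)
    return rows[:limit]


# Constructed sample events (not real Falcon data); field names follow the query.
SAMPLE_EVENTS = [
    {"#event_simpleName": "UserActivityAuditEvent", "EventName": "deleteUser",
     "UserName": "jdoe@example.com", "TargetObjectId": "u-1001",
     "SourceIPAddress": "198.51.100.23", "@timestamp": "2024-03-01T10:15:00Z"},
    {"#event_simpleName": "UserActivityAuditEvent", "EventName": "consentToApplication",
     "UserName": "jdoe@example.com", "TargetObjectId": "app-77",
     "SourceIPAddress": "198.51.100.23", "@timestamp": "2024-03-01T10:17:00Z"},
    {"#event_simpleName": "UserActivityAuditEvent", "EventName": "addRoleMember",
     "UserName": "asmith@example.com", "TargetObjectId": "role-admin",
     "SourceIPAddress": "10.20.30.40", "@timestamp": "2024-03-01T09:50:00Z"},
    # Dropped: update scores Low.
    {"#event_simpleName": "UserActivityAuditEvent", "EventName": "updateUser",
     "UserName": "asmith@example.com", "TargetObjectId": "u-1002",
     "SourceIPAddress": "10.20.30.40", "@timestamp": "2024-03-01T09:55:00Z"},
    # Dropped: excluded automation identity.
    {"#event_simpleName": "UserActivityAuditEvent", "EventName": "createApiClient",
     "UserName": "pipeline-deploy", "TargetObjectId": "client-9",
     "SourceIPAddress": "10.20.30.41", "@timestamp": "2024-03-01T10:00:00Z"},
    # Dropped: wrong event type.
    {"#event_simpleName": "DetectionSummaryEvent", "EventName": "deleteUser",
     "UserName": "jdoe@example.com", "TargetObjectId": "u-1003",
     "SourceIPAddress": "198.51.100.23", "@timestamp": "2024-03-01T10:20:00Z"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["@timestamp"], row["RiskScore"], row["UserName"], row["EventName"])
```

Running it yields three rows (the consent and delete events as High, the addRoleMember event as Medium) with the update, pipeline and non-audit events filtered out, which is exactly the set the LogScale query would return for the same input. Feeding it exported events from your own repository is a quick way to see which EventName values the substring regexes catch before the rule goes live.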
Data Sources
Required Tables
- CrowdStrike Falcon: #event_simpleName = "UserActivityAuditEvent", the only event the query above filters on. The UserName, EventName, TargetObjectId and SourceIPAddress fields the query tabulates must exist on that event in your repository; check the field names against your own UserActivityAuditEvent records before deploying the rule.
False Positives & Tuning
- Legitimate employee travel to a new country using personal or hotel WiFi triggering new geolocation detection
- Corporate VPN exit node changes or new VPN infrastructure rollout causing unfamiliar IP signals
- IT administrators using anonymizing proxies or jump hosts for infrastructure management from new regions
Testing Methodology
Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate IAB Credential Use — New Geolocation Authentication via VPN Exit Node
Expected signal: AADSignInLogs entry with ResultType=0, RiskLevelDuringSignIn='medium' or 'high', and RiskEventTypes_V2 containing 'unfamiliarFeatures' (or 'anonymizedIPAddress' if the VPN exit node is a known anonymizer). RiskDetail carries the remediation state of the risk, not the detection type. The sign-in should also appear in Identity Protection risk detections.
- Test 2: Web Shell Activation Simulation — IIS Spawning Command Shell
Expected signal: Sysmon Event ID 1 (Process Create) with ParentImage=w3wp.exe and Image=cmd.exe. DeviceProcessEvents entry showing InitiatingProcessFileName=w3wp.exe and FileName=cmd.exe. Sysmon Event ID 3 (Network Connection) from w3wp.exe to localhost.
- Test 3: Dormant Account Reactivation Simulation — RDP from New External IP
Expected signal: Windows Security Event 4624 on the target server with Logon Type 10 (RemoteInteractive), or Type 3 (Network) when Network Level Authentication pre-authenticates the session, showing the external test IP as the source. Also generates 4776 (NTLM credential validation, logged on the host that validated the credential) and 4672 (special privileges assigned to new logon) if the test account has elevated rights.
References
- https://attack.mitre.org/techniques/T1650/
- https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
- https://www.crowdstrike.com/blog/access-brokers-who-are-they-and-how-do-they-operate/
- https://krebsonsecurity.com/2021/06/arrests-tied-to-cybercrime-forums-romanticized-on-underground-boards/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a
- https://unit42.paloaltonetworks.com/medusa-ransomware-threat-group/