Detect Acquire Access in Splunk
This detection identifies indicators that adversaries have leveraged purchased or brokered access to compromise an environment — the operational signature left when Initial Access Broker (IAB)-sold footholds are activated. Because T1650 itself is a pre-compromise preparation activity, detection focuses on anomalous authentication patterns consistent with a new threat actor using previously established access: first-use logons from novel geolocations for established accounts, high-risk sign-ins immediately followed by reconnaissance activity, web shell process ancestry patterns indicative of broker-planted backdoors, and external remote service sessions from IPs with no prior organizational history. Correlating Azure AD risk signals with unusual lateral movement timing provides the strongest detection fidelity.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1650 Acquire Access
- Canonical reference: https://attack.mitre.org/techniques/T1650/
SPL Detection Query
| union
    [search index=azure sourcetype="azure:aad:signin"
    | where result="0" AND risk_level_during_signin IN ("high", "medium")
    | eval broker_indicator=case(
        like(risk_detail, "%anonymizedIPAddress%"), "TOR/VPN exit node",
        like(risk_detail, "%maliciousIPAddress%"), "Known malicious IP",
        like(risk_detail, "%impossibleTravel%"), "Impossible travel - credential handoff",
        like(risk_detail, "%newCountry%"), "New country - new actor",
        true(), "High-risk unfamiliar sign-in"
      )
    | eval event_source="Azure AD Sign-In"
    | table _time, user, src_ip, location, app, risk_level_during_signin, risk_state, broker_indicator, event_source]
    [search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
    | where Logon_Type IN ("10", "3")
    | rex field=_raw "Source Network Address:\s*(?<src_ip_raw>\S+)"
    | eval src_ip=coalesce(src_ip, src_ip_raw)
    | where NOT (src_ip="127.0.0.1" OR src_ip="::1" OR src_ip="-")
    | eval LogonTypeDesc=case(
        Logon_Type="10", "RemoteInteractive (RDP)",
        Logon_Type="3", "Network",
        true(), "Other"
      )
    | eval event_source="Windows Security 4624"
    | eval broker_indicator="External network logon - validate against known IPs"
    | table _time, user, src_ip, LogonTypeDesc, broker_indicator, event_source]
| stats
    count AS auth_events,
    values(broker_indicator) AS broker_indicators,
    values(src_ip) AS source_ips,
    values(location) AS locations,
    values(event_source) AS sources,
    min(_time) AS first_seen,
    max(_time) AS last_seen
  by user
| eval correlated_sources=mvcount(sources)
| eval risk_narrative=mvjoin(broker_indicators, " | ")
| eval ip_list=mvjoin(source_ips, ", ")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table user, correlated_sources, auth_events, risk_narrative, ip_list, locations, first_seen, last_seen
| sort 0 -correlated_sources, -auth_events

Correlates Azure AD sign-in risk signals and Windows Security Event 4624 remote logon events to identify access patterns consistent with IAB-sold credential or backdoor activation. Flags high/medium risk sign-ins with anomaly indicators (TOR, impossible travel, new country) alongside external RDP/network logons from unrecognized sources. Results are rolled up per user; accounts seen in both telemetry sources (correlated_sources=2) rank first, since that overlap is the highest-fidelity signal.
Data Sources
Required Sourcetypes
- azure:aad:signin (index=azure): Azure AD sign-in logs carrying the result, risk_level_during_signin, risk_state and risk_detail fields the query evaluates
- WinEventLog:Security (index=wineventlog): Windows Security EventCode 4624 with Logon_Type 10 (RemoteInteractive) and 3 (Network) and the Source Network Address field
False Positives & Tuning
- Executive travel to new countries triggering impossible travel and new geolocation alerts simultaneously
- Corporate proxy or NAT changes making all users appear to sign in from new IP addresses
- Third-party IT service providers with rotating IP ranges conducting legitimate remote management sessions
- Help desk personnel using jump servers or remote access tools from centralized infrastructure
- Cloud-hosted workstations (Azure Virtual Desktop, AWS WorkSpaces) with dynamic IP assignments
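As an added example (not part of this page's detection package), the following Python reimplements the query's per-user correlation over constructed Azure AD sign-in and 4624 records and shows where an allow-list for the known infrastructure listed above would be applied. Field names follow the query; the sample values and the 10.20.0.0/24 jump-server range are constructed.

```python
import ipaddress
from collections import defaultdict
# Constructed sample telemetry (not real data), keyed like the fields the SPL query uses.
AAD_SIGNINS = [
    {"user": "jdoe", "src_ip": "203.0.113.77", "result": "0",
     "risk_level_during_signin": "high", "risk_detail": "anonymizedIPAddress"},
    {"user": "asmith", "src_ip": "198.51.100.9", "result": "0",
     "risk_level_during_signin": "medium", "risk_detail": "newCountry"},
    {"user": "ops-svc", "src_ip": "192.0.2.4", "result": "50126",  # failed sign-in: dropped
     "risk_level_during_signin": "high", "risk_detail": "maliciousIPAddress"},
]
WIN_4624 = [
    {"user": "jdoe", "src_ip": "203.0.113.77", "Logon_Type": "10"},  # same IP as the risky sign-in
    {"user": "bwu", "src_ip": "10.20.0.15", "Logon_Type": "3"},      # jump-server range, tuned out
    {"user": "cli", "src_ip": "::1", "Logon_Type": "10"},            # loopback, dropped
    {"user": "svc", "src_ip": "-", "Logon_Type": "3"},               # no source address, dropped
]
# Tuning knob (hypothetical range): infrastructure that legitimately logs on remotely.
KNOWN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
RISK_LABELS = [("anonymizedIPAddress", "TOR/VPN exit node"),
               ("maliciousIPAddress", "Known malicious IP"),
               ("impossibleTravel", "Impossible travel - credential handoff"),
               ("newCountry", "New country - new actor")]
WIN_LABEL = "External network logon - validate against known IPs"

def broker_indicator(risk_detail):
    """Mirror the query's case(): the first risk_detail substring that matches wins."""
    return next((label for key, label in RISK_LABELS if key in risk_detail),
                "High-risk unfamiliar sign-in")
def is_known_source(src_ip):
    """Missing, loopback or allow-listed sources are not external logons."""
    if src_ip == "-":
        return True
    addr = ipaddress.ip_address(src_ip)
    return addr.is_loopback or any(addr in net for net in KNOWN_NETS)
def correlate(signins, logons):
    """Per-user roll-up equivalent to the query's stats ... by user, both-source users first."""
    users = defaultdict(lambda: {"indicators": set(), "ips": set(), "sources": set()})
    for e in signins:
        if e["result"] == "0" and e["risk_level_during_signin"] in ("high", "medium"):
            u = users[e["user"]]
            u["indicators"].add(broker_indicator(e["risk_detail"]))
            u["ips"].add(e["src_ip"]); u["sources"].add("Azure AD Sign-In")
    for e in logons:
        if e["Logon_Type"] in ("10", "3") and not is_known_source(e["src_ip"]):
            u = users[e["user"]]
            u["indicators"].add(WIN_LABEL)
            u["ips"].add(e["src_ip"]); u["sources"].add("Windows Security 4624")
    return sorted(users.items(), key=lambda kv: (-len(kv[1]["sources"]), kv[0]))
```

Extending KNOWN_NETS with the proxy, MSP and virtual-desktop ranges from the list above is the tuning step that removes the bulk of the 4624 noise without touching the Azure AD risk leg.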
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate IAB Credential Use — New Geolocation Authentication via VPN Exit Node
  Expected signal: AADSignInLogs entry with ResultType=0, RiskLevelDuringSignIn='medium' or 'high', RiskDetail containing 'unfamiliarFeatures' or 'anonymizedIPAddress' if using VPN. Sign-in should appear in Identity Protection risk detections.
- Test 2: Web Shell Activation Simulation — IIS Spawning Command Shell
  Expected signal: Sysmon Event ID 1 (Process Create) with ParentImage=w3wp.exe and Image=cmd.exe. DeviceProcessEvents entry showing InitiatingProcessFileName=w3wp.exe and FileName=cmd.exe. Sysmon Event ID 3 (Network Connection) from w3wp.exe to localhost.
- Test 3: Dormant Account Reactivation Simulation — RDP from New External IP
  Expected signal: Windows Security Event 4624 on target server with Logon Type 10 (RemoteInteractive) or Type 3 (Network), showing the external test IP as the source. Also generates 4776 (credential validation) and 4672 (special privileges) if test account has elevated rights.
References (6)
- https://attack.mitre.org/techniques/T1650/
- https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
- https://www.crowdstrike.com/blog/access-brokers-who-are-they-and-how-do-they-operate/
- https://krebsonsecurity.com/2021/06/arrests-tied-to-cybercrime-forums-romanticized-on-underground-boards/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a
- https://unit42.paloaltonetworks.com/medusa-ransomware-threat-group/