Entra ID Service Principal Federated Issuer Modification
Entra ID (Azure AD) service principal federated issuers can be modified by an attacker to establish persistence within a target environment.
Attackers can modify Entra ID (Azure AD) service principal federated issuers to establish persistence. This involves manipulating the trust relationships between the service principal and external identity providers. Successful modification allows unauthorized access to resources within the Azure environment. Although the referenced material does not specify attacker details, successful exploitation can lead to significant data breaches and unauthorized control over cloud resources. Defenders must monitor for unauthorized modifications to federated issuer configurations to mitigate this threat.
Attack Chain
- The attacker gains initial access to an Azure AD tenant with sufficient privileges to manage service principals and federated identity providers. This could be through compromised credentials or exploitation of a privileged account.
- The attacker identifies a target service principal within the Azure AD tenant.
- The attacker discovers the existing federated identity providers associated with the target service principal.
- The attacker modifies the configuration of an existing federated identity provider or adds a new one controlled by the attacker. This involves altering the metadata URL or issuer URI.
- The attacker configures their own identity provider to issue tokens that are trusted by the modified federated identity provider in Azure AD.
- Using the attacker-controlled identity provider, the attacker obtains a token for the target service principal.
- The attacker uses the obtained token to authenticate to Azure resources that the service principal has access to.
- The attacker maintains persistent access to the Azure environment through the modified federated identity provider, even if the original access method is revoked.
Impact
Successful modification of a federated issuer allows attackers to maintain persistent access to Azure resources, potentially leading to data exfiltration, unauthorized access to sensitive information, and disruption of cloud services. The impact depends on the permissions assigned to the compromised service principal.
Detection coverage 2
Detect Federated Identity Provider Modification in Azure AD
highDetects modifications to federated identity providers in Azure AD, which can indicate malicious attempts to establish persistence.
Detect Federated Identity Provider Creation in Azure AD
highDetects creation of federated identity providers in Azure AD, which can indicate malicious attempts to establish persistence.
Detection queries are available on the platform. Get full rules →