Azure AD Temporary Access Pass Added to Account
Detection of a temporary access pass (TAP) being added to an Azure AD account, which can indicate initial access, privilege escalation, persistence, or an attempt to sign in without tripping password-based controls.
This alert identifies when a temporary access pass (TAP) is added to an Azure Active Directory (Azure AD) account. A TAP is a time-limited passcode that an administrator issues for a user; it satisfies strong authentication on its own, so the holder can sign in without the account's password or registered MFA methods. Its intended uses are onboarding, account recovery, and registering passwordless credentials. While legitimate use cases exist, an adversary who can issue a TAP, or who obtains one, can sign in as the target account without its password or MFA, escalate privileges, establish persistence, or move laterally within the Azure environment. This activity warrants investigation, especially if the TAP is added to a privileged account. The source material does not indicate a specific campaign or threat actor, but the technique aligns with common cloud identity attack vectors.
Attack Chain
- Initial Compromise (Optional): An attacker gains access to an Azure AD account through compromised credentials, token theft, or other means.
- Privilege Escalation (Optional): The attacker escalates to, or already holds, a role permitted to create TAPs. In Azure AD this is the Authentication Administrator role (for non-privileged targets), the Privileged Authentication Administrator role (for privileged targets), or Global Administrator; the TAP authentication method must also be enabled in the tenant's authentication methods policy.
- TAP Generation: Using that role, the attacker creates a TAP for the target account. The creation is recorded in the Azure AD audit log with the issuing account as the initiator.
- TAP Use: The attacker signs in to the target account with the TAP. Because the TAP counts as strong authentication, no password or existing MFA method is needed.
- Resource Access: Once signed in, the attacker has whatever access the target account's roles, group memberships, and application assignments grant.
- Lateral Movement (Optional): The attacker uses the compromised account to reach other resources or accounts within the environment.
- Persistence (Optional): From the TAP session the attacker registers authentication methods they control (for example a phone number or a FIDO2 key), or creates new credentials if permissions allow, so access survives the TAP's expiry.
Impact
Successful exploitation can lead to unauthorized access to sensitive data, systems, and applications within the Azure environment. Compromised privileged accounts can grant attackers control over critical infrastructure, leading to data breaches, service disruptions, and reputational damage. The impact depends on the permissions associated with the compromised account and the resources accessible through the TAP.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect TAP additions in Azure AD audit logs (see rules).
- Investigate any instance where a TAP is added to a privileged account in Azure AD, as highlighted in the rule description and references; treat a TAP issued by an account that does not normally perform authentication administration as suspicious even when the target is not privileged.
- Review Azure AD audit logs for activity surrounding the TAP generation event, including the initiating user, source IP address, and user agent (see rules), and check whether the issuing account was itself recently granted an authentication administrator role.
- Monitor sign-in activity that uses a TAP (the sign-in log records the authentication method used), focusing on unusual locations or devices, and watch for new authentication methods registered shortly after a TAP sign-in.
Detection coverage (2 rules)
Azure AD TAP Added to Account
Severity: high. Detects when a temporary access pass (TAP) is added to an account in Azure AD audit logs.
Azure AD TAP Addition by Non-Admin
Severity: medium. Detects when a temporary access pass (TAP) is added to an account by a user who is not typically an administrator.
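The two detections above, run over a few constructed Azure AD audit records, as an added example that is not the vendor's rule code. It assumes the record layout of the Microsoft Graph directoryAudit object (activityDisplayName, resultReason, initiatedBy, targetResources, additionalDetails) and keys on the resultReason string that the public SigmaHQ TAP rule matches; the role sets and the role-to-user map are illustrative placeholders, and in production they would come from the tenant's role assignments.

```python
"""Added example: TAP-added detection over constructed Azure AD audit records.

Not the vendor's or Microsoft's code. Assumptions: records are shaped like
Microsoft Graph directoryAudit objects; role sets below are illustrative.
"""
import json
from typing import Dict, List, Set

# The resultReason string the public SigmaHQ TAP rule keys on. Assumption: the
# log pipeline preserves it unmodified in the audit record.
TAP_REASON = "Admin registered temporary access pass method for user"

# Illustrative role sets (not from the page); tune to the tenant.
PRIVILEGED_ROLES: Set[str] = {
    "Global Administrator",
    "Privileged Authentication Administrator",
    "Security Administrator",
}
TAP_ISSUER_ROLES: Set[str] = {
    "Authentication Administrator",
    "Privileged Authentication Administrator",
    "Global Administrator",
}

# Constructed role map (in production: Graph role assignments).
SAMPLE_ROLES: Dict[str, Set[str]] = {
    "helpdesk@contoso.example": {"Authentication Administrator"},
    "ceo@contoso.example": {"Global Administrator"},
    "contractor@contoso.example": set(),
}

# Constructed audit records; values are made up for the example.
SAMPLE_AUDIT_LOG = [
    {   # 1: routine onboarding TAP issued by a helpdesk authentication admin
        "activityDisplayName": "Admin registered security info",
        "category": "UserManagement",
        "resultReason": TAP_REASON,
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example",
                                 "ipAddress": "203.0.113.10"}},
        "targetResources": [{"type": "User", "userPrincipalName": "newhire@contoso.example"}],
        "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Windows NT 10.0) AzurePortal"}],
    },
    {   # 2: TAP issued for a Global Administrator by an account with no issuing role
        "activityDisplayName": "Admin registered security info",
        "category": "UserManagement",
        "resultReason": TAP_REASON,
        "initiatedBy": {"user": {"userPrincipalName": "contractor@contoso.example",
                                 "ipAddress": "198.51.100.7"}},
        "targetResources": [{"type": "User", "userPrincipalName": "ceo@contoso.example"}],
        "additionalDetails": [{"key": "User-Agent", "value": "python-requests/2.31"}],
    },
    {   # 3: same activity name but a different method: must not fire
        "activityDisplayName": "Admin registered security info",
        "category": "UserManagement",
        "resultReason": "Admin registered phone method for user",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example",
                                 "ipAddress": "203.0.113.10"}},
        "targetResources": [{"type": "User", "userPrincipalName": "newhire@contoso.example"}],
        "additionalDetails": [],
    },
    {   # 4: unrelated operation
        "activityDisplayName": "Update user",
        "category": "UserManagement",
        "resultReason": "",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
        "targetResources": [{"type": "User", "userPrincipalName": "newhire@contoso.example"}],
        "additionalDetails": [],
    },
]


def is_tap_added(rec: dict) -> bool:
    """Rule 1 predicate: the audit entry records a TAP being registered."""
    return rec.get("resultReason") == TAP_REASON


def actor_of(rec: dict) -> str:
    """Initiating principal: a user UPN, or an app display name for app-initiated events."""
    init = rec.get("initiatedBy") or {}
    user = init.get("user") or {}
    app = init.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def user_agent_of(rec: dict):
    """User agent, if the record carries one in additionalDetails."""
    for detail in rec.get("additionalDetails") or []:
        if str(detail.get("key", "")).lower() == "user-agent":
            return detail.get("value")
    return None


def evaluate(rec: dict, roles: Dict[str, Set[str]]) -> List[dict]:
    """Apply both rules to one record; return zero or more alert dicts."""
    if not is_tap_added(rec):
        return []
    actor = actor_of(rec)
    init_user = (rec.get("initiatedBy") or {}).get("user") or {}
    context = {"actor": actor, "ip": init_user.get("ipAddress"), "user_agent": user_agent_of(rec)}
    targets = [t["userPrincipalName"] for t in rec.get("targetResources") or []
               if t.get("type") == "User" and t.get("userPrincipalName")]
    alerts = []
    for target in targets:  # rule 1: every TAP addition, flagged if the target is privileged
        privileged = bool(roles.get(target, set()) & PRIVILEGED_ROLES)
        alerts.append({"rule": "tap_added", "severity": "high", "target": target,
                       "privileged_target": privileged, **context})
    if not roles.get(actor, set()) & TAP_ISSUER_ROLES:  # rule 2: issuer is not a usual TAP admin
        alerts.append({"rule": "tap_added_by_non_admin", "severity": "medium",
                       "targets": targets, **context})
    return alerts


def run_detection(records: List[dict], roles: Dict[str, Set[str]]) -> List[dict]:
    """Run both rules over a batch of audit records in order."""
    out: List[dict] = []
    for rec in records:
        out.extend(evaluate(rec, roles))
    return out


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_AUDIT_LOG, SAMPLE_ROLES):
        print(json.dumps(alert))
```

Record 1 fires only the high-severity rule (a normal onboarding pattern that the analyst closes quickly); record 2 fires both, and the privileged_target flag plus the scripted user agent are the fields the investigation steps above ask for. Keying on resultReason rather than activityDisplayName matters because the same "Admin registered security info" activity also covers phone and other method registrations, as record 3 shows.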
Detection queries are kept inside the platform.