Azure AD User ImmutableId Attribute Modification for Persistence
Attackers modify the ImmutableID attribute of an Azure AD user to establish a federation backdoor, bypassing MFA and enabling persistent access.
Attackers are targeting Azure Active Directory (Azure AD) environments to establish persistent backdoors. This involves manipulating the SourceAnchor attribute, also known as ImmutableId, of a user object within Azure AD. This manipulation allows an attacker to forge authentication and bypass Multi-Factor Authentication (MFA) for the targeted user. Successful exploitation allows the attacker to impersonate any user. Defenders should monitor changes to the SourceAnchor attribute for unusual activity. This activity is a common step in setting up an Azure AD identity federation backdoor, allowing an adversary to establish persistence.
Attack Chain
- The attacker gains initial access to an account with sufficient privileges to modify Azure AD user attributes.
- The attacker identifies a target user account within the Azure AD tenant.
- The attacker modifies the
SourceAnchor(ImmutableId) attribute of the target user's account using Azure AD PowerShell or the Azure portal. - The attacker configures a malicious Security Assertion Markup Language (SAML) identity provider.
- The attacker crafts a SAML assertion with the target user's
ImmutableIdand signs it with the malicious identity provider. - The attacker uses the crafted SAML assertion to authenticate to Azure AD as the target user, bypassing password and MFA requirements.
- The attacker gains unauthorized access to resources and data within the Azure AD environment.
- The attacker maintains persistent access to the compromised user account, even if the user's password is changed or MFA is enabled.
Impact
Successful modification of the ImmutableId attribute allows attackers to bypass password and MFA protections, leading to full account compromise. An attacker with the ability to impersonate a privileged user can escalate privileges, access sensitive data, and disrupt critical business operations. This can lead to data breaches, financial loss, and reputational damage.
Recommendation
- Deploy the Sigma rule
Azure AD User ImmutableId Attribute Updatedto your SIEM and tune for your environment. - Enable Azure AD audit logging and monitor for "Update user" operations targeting the
SourceAnchorattribute. - Investigate any modifications to the
SourceAnchorattribute, especially those performed by unfamiliar or unauthorized accounts. - Review and harden Azure AD federation settings to prevent the use of malicious SAML identity providers.
- Monitor and investigate user accounts identified in the
RBA messagein the alert description.
Detection coverage 2
Azure AD User ImmutableId Attribute Updated
highDetects modifications to the SourceAnchor (ImmutableId) attribute for an Azure Active Directory user, which can indicate an attempt to establish a federation backdoor.
Azure AD ImmutableId Reset to Null
mediumDetects when the ImmutableId of an Azure AD user is reset to null which could indicate an attempt to remove a compromised federation backdoor.
Detection queries are available on the platform. Get full rules →