{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-active-directory/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-14510"}],"_cs_exploited":false,"_cs_products":["OPTIMAX 6.1","OPTIMAX 6.2","OPTIMAX 6.3","OPTIMAX 6.4","Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["authentication bypass","ics","vulnerability"],"_cs_type":"advisory","_cs_vendors":["ABB","Microsoft"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2025-14510, affects ABB Ability OPTIMAX versions that utilize Azure Active Directory (Azure AD) for Single-Sign On (SSO) authentication. This flaw stems from an incorrect implementation of the authentication algorithm, potentially allowing attackers to bypass the Azure AD authentication mechanism and gain unauthorized access to the OPTIMAX system. The affected versions include ABB Ability OPTIMAX 6.1 and 6.2 (all versions), 6.3 versions prior to 6.3.1-251120, and 6.4 versions prior to 6.4.1-251120. Successful exploitation could lead to significant disruption in energy, water, and wastewater sectors. 
The vulnerability was reported to CISA by ABB PSIRT.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an ABB Ability OPTIMAX installation using Azure AD SSO with a vulnerable version (6.1, 6.2, 6.3 \u0026lt; 6.3.1-251120, or 6.4 \u0026lt; 6.4.1-251120).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious authentication request, exploiting the incorrect implementation of the authentication algorithm (CWE-303).\u003c/li\u003e\n\u003cli\u003eThe crafted request bypasses the expected Azure AD authentication checks within OPTIMAX.\u003c/li\u003e\n\u003cli\u003eOPTIMAX incorrectly validates the attacker\u0026rsquo;s session, granting them access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their unauthorized access to gain control over OPTIMAX functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker can then modify control parameters, manipulate data, or disrupt operations within the connected industrial processes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-14510 enables unauthorized access to ABB Ability OPTIMAX systems, potentially leading to severe consequences in critical infrastructure sectors such as energy, water, and wastewater. An attacker could manipulate industrial processes, disrupt critical services, or cause significant financial and operational damage. 
Given the widespread deployment of ABB Ability OPTIMAX systems globally, a successful campaign exploiting this vulnerability could have far-reaching impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update ABB Ability OPTIMAX to fixed versions (6.3.1-251120 and later) to remediate CVE-2025-14510.\u003c/li\u003e\n\u003cli\u003eRefer to ABB PSIRT security advisory 9AKK108472A1331 for detailed mitigation steps and recommendations.\u003c/li\u003e\n\u003cli\u003eMinimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet, as per CISA\u0026rsquo;s recommended practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T12:00:00Z","date_published":"2026-04-30T12:00:00Z","id":"/briefs/2026-04-optimax-auth-bypass/","summary":"CVE-2025-14510 allows an attacker to bypass Azure Active Directory Single-Sign On authentication in vulnerable ABB Ability OPTIMAX versions, potentially granting unauthorized access to critical infrastructure systems.","title":"ABB Ability OPTIMAX Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-optimax-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["oauth","device-code","phishing","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eIn early April 2026, Arctic Wolf observed a widespread phishing campaign that abused the OAuth device code flow. This campaign targeted organizations across multiple regions and sectors, mirroring the \u0026ldquo;Riding the Rails\u0026rdquo; campaign observed by Huntress in late March. The attackers exploited the device code grant type in the OAuth 2.0 authorization framework to obtain access tokens. 
By tricking users into entering a code on a legitimate Microsoft login page, attackers bypassed traditional MFA controls. Defenders should be aware of this evolving technique and implement detection strategies focused on anomalous application registrations and device code flow activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a phishing email to the victim, impersonating a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe email contains a link that redirects the victim to a fake application authorization page.\u003c/li\u003e\n\u003cli\u003eThe fake page prompts the victim to enter a device code.\u003c/li\u003e\n\u003cli\u003eUnbeknownst to the victim, the device code is associated with a malicious OAuth application controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe victim is redirected to a legitimate Microsoft login page, where they enter the provided code and authenticate.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the malicious application receives an access token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the access token to access the victim\u0026rsquo;s account and sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform actions such as reading emails, accessing files, or initiating further malicious activity within the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis OAuth device code phishing campaign affected numerous organizations across multiple sectors and regions in early April 2026. Successful attacks grant threat actors unauthorized access to user accounts, potentially leading to data exfiltration, financial fraud, and further compromise of internal systems. 
Due to the nature of OAuth, attackers can maintain persistent access even after password changes, posing a significant long-term risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Azure AD sign-in logs for device code flow usage to identify suspicious authentications (logsource: azuread, category: authentication).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided below to detect suspicious application registrations in Azure AD (logsource: o365, category: configuration).\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of device code phishing and how to identify malicious authorization requests.\u003c/li\u003e\n\u003cli\u003eRegularly audit OAuth applications authorized within your environment and revoke access for any suspicious or unused applications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts related to anomalous OAuth application activity promptly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T19:52:35Z","date_published":"2026-04-24T19:52:35Z","id":"/briefs/2026-05-oauth-device-code-phishing/","summary":"In early April 2026, Arctic Wolf tracked a large-scale device code phishing campaign across multiple regions and sectors where threat actors abused OAuth device code flow to trick victims into providing authentication codes.","title":"Large-Scale OAuth Device Code Phishing Campaign Observed in April 2026","url":"https://feed.craftedsignal.io/briefs/2026-05-oauth-device-code-phishing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","conditional-access","policy-modification","attack.privilege-escalation","attack.credential-access","attack.persistence","attack.defense-impairment","attack.t1548","attack.t1556"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCompromised or malicious actors may attempt to modify Azure 
Conditional Access (CA) policies to weaken security controls, elevate privileges, or establish persistence within the Azure environment. Conditional Access policies are critical for enforcing organizational security standards, and unauthorized changes can have significant security implications. This activity is detected through Azure Audit Logs by monitoring for \u0026ldquo;Update conditional access policy\u0026rdquo; events. Defenders should investigate any modifications to Conditional Access policies to ensure they are legitimate and align with security best practices. Detecting and responding to unauthorized CA policy modifications is crucial for maintaining the integrity and security of the Azure environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access through compromised credentials or other means (not specified in source).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages existing privileges or exploits vulnerabilities to gain sufficient permissions to modify Conditional Access policies (e.g., through a compromised Global Administrator account).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Enumeration:\u003c/strong\u003e The attacker enumerates existing Conditional Access policies to identify targets for modification using tools like Azure PowerShell or the Azure portal.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Modification:\u003c/strong\u003e The attacker modifies a Conditional Access policy, for example, by weakening MFA requirements, excluding specific users or groups from the policy, or disabling the policy altogether.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e By weakening or disabling Conditional Access policies, the attacker establishes a persistent foothold in the environment, 
allowing them to bypass security controls and maintain unauthorized access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e With weakened MFA or other access controls, the attacker gains easier access to sensitive credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Impairment:\u003c/strong\u003e The modification of CA policies impairs the organization\u0026rsquo;s defense mechanisms, making it easier for the attacker to perform malicious activities undetected.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Conditional Access policies can lead to significant security breaches, including unauthorized access to sensitive data, privilege escalation, and persistent compromise of the Azure environment. The number of affected users and resources depends on the scope of the modified policies. Organizations may experience data loss, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;CA Policy Updated by Non Approved Actor\u0026rdquo; Sigma rule to your SIEM to detect unauthorized modifications to Conditional Access policies within your Azure environment.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eproperties.message\u003c/code\u003e field in the Azure Audit Logs for \u0026ldquo;Update conditional access policy\u0026rdquo; events and compare \u0026ldquo;old\u0026rdquo; vs \u0026ldquo;new\u0026rdquo; values to understand the nature of the changes.\u003c/li\u003e\n\u003cli\u003eImplement strict role-based access control (RBAC) to limit the number of users who can modify Conditional Access policies.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and verify whether the user identity, user agent, and/or hostname should be making changes in your 
environment.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all users, especially those with administrative privileges, to reduce the risk of credential compromise (related to attack.credential-access tag).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-29T12:00:00Z","date_published":"2024-05-29T12:00:00Z","id":"/briefs/2024-05-29-azure-ca-policy-update/","summary":"An unauthorized actor modifies an Azure Conditional Access policy, potentially leading to privilege escalation, credential access, persistence, or defense impairment.","title":"Unauthorized Modification of Azure Conditional Access Policy","url":"https://feed.craftedsignal.io/briefs/2024-05-29-azure-ca-policy-update/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["attack.credential-access","attack.persistence","attack.privilege-escalation","attack.defense-impairment","attack.t1556"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe addition of a new root certificate authority (CA) in Azure Active Directory (Azure AD) to support certificate-based authentication (CBA) can be a sign of malicious activity. While CBA offers passwordless authentication benefits, attackers can abuse it to establish persistent access, escalate privileges, or evade detection. An attacker with sufficient privileges in the Azure AD tenant can add a rogue CA, enabling them to authenticate as any user within the directory, even without their password. This bypasses multi-factor authentication (MFA) and grants unauthorized access to sensitive resources and data. 
Defenders should monitor Azure AD audit logs for unexpected modifications to the \u003ccode\u003eTrustedCAsForPasswordlessAuth\u003c/code\u003e setting, as this could indicate a compromised administrator account or an insider threat attempting to establish a backdoor.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eCompromise an Azure AD administrator account with sufficient privileges to modify tenant-wide settings. This may be achieved through phishing, credential stuffing, or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses PowerShell cmdlets to interact with Azure AD.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to add a new, attacker-controlled root certificate authority to the \u003ccode\u003eTrustedCAsForPasswordlessAuth\u003c/code\u003e setting. This involves modifying the Company Information object.\u003c/li\u003e\n\u003cli\u003eThe attacker generates or obtains a certificate signed by the newly added root CA.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the certificate to authenticate to Azure AD as a targeted user, bypassing password requirements and multi-factor authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the targeted user\u0026rsquo;s resources, such as email, files, and applications.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the Azure AD tenant by impersonating highly privileged users or roles.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the Azure AD tenant, even if the compromised administrator account is remediated.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to complete compromise of the Azure AD tenant, including access to sensitive data, applications, and resources. 
Attackers can use the compromised tenant to move laterally to other systems, exfiltrate data, or disrupt business operations. The number of potential victims is dependent on the size of the Azure AD tenant. Organizations across all sectors are at risk, especially those heavily reliant on Azure AD for identity and access management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;New Root Certificate Authority Added\u0026rdquo; to your SIEM to detect unauthorized modifications to the \u003ccode\u003eTrustedCAsForPasswordlessAuth\u003c/code\u003e setting (rule).\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs regularly for suspicious activity related to the \u0026ldquo;Set Company Information\u0026rdquo; operation (logsource).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure AD accounts, including administrators, but understand that CBA can bypass it.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege and restrict the number of accounts with permissions to modify tenant-wide settings.\u003c/li\u003e\n\u003cli\u003eMonitor for the use of certificates signed by unknown or untrusted CAs to authenticate to Azure AD.\u003c/li\u003e\n\u003cli\u003eConsult the SpecterOps and Goodworkaround articles for more information on certificate-based authentication abuse in Azure AD (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-08T18:22:00Z","date_published":"2024-05-08T18:22:00Z","id":"/briefs/2024-05-azuread-root-ca-add/","summary":"An attacker may add a new root certificate authority to an Azure AD tenant to support certificate-based authentication for persistence, privilege escalation, or defense evasion.","title":"Azure AD Root Certificate Authority Added for Passwordless 
Authentication","url":"https://feed.craftedsignal.io/briefs/2024-05-azuread-root-ca-add/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","certificate-based-authentication","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCertificate-Based Authentication (CBA) in Azure Active Directory allows users and services to authenticate using digital certificates instead of passwords. While intended to enhance security, misconfiguration or malicious use of CBA can lead to significant security risks. Attackers can exploit CBA to gain unauthorized access, establish persistent footholds, and escalate privileges within the Azure environment. This involves manipulating authentication policies to favor or require certificate authentication, potentially bypassing other security controls. Detection of CBA enablement is crucial as it can be a precursor to more sophisticated attacks targeting cloud resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure AD account with sufficient privileges to modify authentication policies (e.g., Global Administrator).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Azure AD authentication methods policy to enable certificate-based authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a certificate authority (CA) in Azure AD, which will be used to issue certificates for authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts or compromises a certificate that is trusted by the registered CA.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the crafted certificate to authenticate to Azure AD, bypassing traditional password-based authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly gained access to provision new resources, modify 
existing configurations, or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating service principals or applications that authenticate using certificates, allowing them to maintain access even if the initial account is compromised.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CBA can lead to full compromise of an Azure AD tenant. Attackers can gain access to sensitive data, disrupt services, and deploy malicious applications. The lack of multi-factor authentication on certificate-based logins significantly increases the risk of unauthorized access. The impact can range from data breaches and financial losses to complete operational shutdown, depending on the scope of the compromised resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect when certificate-based authentication is enabled in Azure AD (\u003ccode\u003eAuthentication Methods Policy Update\u003c/code\u003e in Audit Logs).\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for modifications to authentication methods policies, paying close attention to changes related to certificate-based authentication.\u003c/li\u003e\n\u003cli\u003eImplement strong certificate management practices, including proper key storage, certificate revocation, and monitoring of certificate usage.\u003c/li\u003e\n\u003cli\u003eInvestigate any unexpected changes to Azure AD authentication policies or the registration of new certificate authorities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T14:30:00Z","date_published":"2024-04-29T14:30:00Z","id":"/briefs/2024-04-azure-ad-cba-enabled/","summary":"Enabling certificate-based authentication (CBA) in Azure Active Directory can be abused by attackers to establish persistence, escalate privileges, and impair defenses.","title":"Azure AD 
Certificate-Based Authentication Enabled","url":"https://feed.craftedsignal.io/briefs/2024-04-azure-ad-cba-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","identity_protection","sign-in","account_compromise","risk_detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies Azure Active Directory sign-ins that exhibit properties unfamiliar to the user, such as new locations, devices, or browsers. This activity can indicate account compromise, lateral movement, or other malicious behavior. The detection leverages Azure Identity Protection\u0026rsquo;s risk detection capabilities, specifically the \u0026lsquo;unfamiliarFeatures\u0026rsquo; event. While a user legitimately changing devices or locations can trigger this, repeated or high-risk instances should be investigated. The alert is generated by Azure\u0026rsquo;s risk detection service, which analyzes sign-in patterns and flags anomalous events based on historical data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user\u0026rsquo;s credentials through phishing, credential stuffing, or other means (T1566, T1110).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to sign in to Azure AD using the compromised credentials (T1078).\u003c/li\u003e\n\u003cli\u003eThe sign-in originates from a location, device, or network that is not typical for the user (T1078).\u003c/li\u003e\n\u003cli\u003eAzure Identity Protection detects the unfamiliar sign-in properties and generates a \u0026lsquo;unfamiliarFeatures\u0026rsquo; risk event.\u003c/li\u003e\n\u003cli\u003eThe security operations team receives an alert based on the Sigma rule, indicating a potentially compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to access sensitive resources or 
data within the Azure environment (T1078).\u003c/li\u003e\n\u003cli\u003eThe attacker could attempt to escalate privileges within the environment to gain broader access (T1068).\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence within the environment to maintain access even if the initial compromise is detected (T1098).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, privilege escalation, and persistent access to the Azure environment. This can result in data breaches, financial loss, and reputational damage. The number of affected users and the severity of the impact will depend on the scope of the attacker\u0026rsquo;s access and the sensitivity of the data they are able to access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Unfamiliar Sign-In Properties\u0026rdquo; to your SIEM and tune for your environment to detect potentially compromised accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts for the \u0026ldquo;Unfamiliar Sign-In Properties\u0026rdquo; Sigma rule by reviewing the user\u0026rsquo;s sign-in history and recent activity logs.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to mitigate the risk of credential compromise (T1110).\u003c/li\u003e\n\u003cli\u003eEducate users about phishing and other social engineering tactics to prevent credential theft (T1566).\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access based on location, device, and other factors.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-azure-unfamiliar-signin/","summary":"This alert detects Azure AD sign-ins with properties unfamiliar to the user, indicating potential 
account compromise or unauthorized access.","title":"Azure AD Sign-In with Unfamiliar Properties","url":"https://feed.craftedsignal.io/briefs/2024-01-30-azure-unfamiliar-signin/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azuread","authentication","geo-location","unauthorized-access","credential-compromise","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief addresses the risk of unauthorized access to Azure Active Directory (Azure AD) resources stemming from successful authentication events originating from unexpected geographic locations. While the source material does not attribute this activity to a specific threat actor, such access can be indicative of compromised user accounts, sophisticated phishing attacks, or insider threats. The focus is on detecting deviations from established operational norms, where user logins typically originate from known and trusted countries. By monitoring sign-in logs, security teams can identify potentially malicious activity that bypasses standard security controls and warrants further investigation. 
Effective detection relies on maintaining an accurate list of countries where the organization operates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e An attacker obtains valid user credentials through phishing, malware, or credential stuffing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker leverages the compromised credentials to attempt authentication to Azure AD.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Request:\u003c/strong\u003e The attacker initiates a sign-in request to Azure AD from an IP address associated with an unexpected geographic location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypass MFA (if present):\u003c/strong\u003e If multi-factor authentication (MFA) is enabled, the attacker may attempt to bypass it through techniques like MFA fatigue or SIM swapping.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication:\u003c/strong\u003e The attacker successfully authenticates to Azure AD, gaining access to cloud resources and applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges within the Azure AD environment to gain broader access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally within the cloud environment, accessing sensitive data and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / Persistence:\u003c/strong\u003e The attacker exfiltrates sensitive data or establishes persistent access for future malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to significant data breaches, financial loss, and reputational damage. 
The extent of the impact depends on the level of access gained by the attacker and the sensitivity of the compromised data. Organizations may face regulatory fines, legal action, and loss of customer trust. The absence of geographic restrictions on authentication increases the attack surface and elevates the risk of unauthorized access from malicious actors operating outside of the organization\u0026rsquo;s control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect successful authentications from countries outside of the organization\u0026rsquo;s operational footprint, based on the \u003ccode\u003eLocation\u003c/code\u003e field in Azure AD sign-in logs.\u003c/li\u003e\n\u003cli\u003eMaintain and regularly update a whitelist of countries where the organization operates to ensure the accuracy of the \u003ccode\u003efilter\u003c/code\u003e in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the sign-in event and the potential compromise of the user account.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise, although attackers may attempt to bypass MFA.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T18:22:00Z","date_published":"2024-01-29T18:22:00Z","id":"/briefs/2024-01-azure-auth-bypass/","summary":"Detection of successful authentications originating from geographic locations outside of an organization's expected operational footprint, potentially indicating compromised credentials or unauthorized access.","title":"Azure AD Authentication from Unexpected Geo-locations","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active 
Directory"],"_cs_severities":["high"],"_cs_tags":["azure","device-registration","policy-change"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe device registration policy in Azure Active Directory controls which devices can be registered or joined to the Azure AD tenant. Modification of this policy can weaken security controls, allowing unauthorized devices to access corporate resources. This activity is often associated with threat actors attempting to escalate privileges or impair existing defenses. This brief focuses on detecting changes to the Azure AD device registration policies using Azure Audit Logs, providing detection engineers with the ability to monitor and alert on potentially malicious modifications to this critical security control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises an account with sufficient privileges to modify Azure AD policies, such as a Global Administrator or Privileged Role Administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses Azure PowerShell/CLI to interact with Azure AD.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the device registration policy, potentially allowing non-compliant devices to register or join the domain. 
This may involve changing settings related to multi-factor authentication, device compliance, or allowed operating systems.\u003c/li\u003e\n\u003cli\u003eThe Azure AD Audit Logs record an event with ActivityDisplayName equal to \u0026lsquo;Set device registration policies\u0026rsquo; under the \u0026lsquo;Policy\u0026rsquo; Category.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a rogue device that does not meet the organization\u0026rsquo;s security standards.\u003c/li\u003e\n\u003cli\u003eThe rogue device gains access to sensitive corporate resources, bypassing intended security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the rogue device to perform further malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the device registration policy can lead to unauthorized devices accessing sensitive corporate resources, bypassing multi-factor authentication or device compliance requirements. This can result in data breaches, privilege escalation, and further compromise of the Azure AD environment. 
The impact can be severe if the attacker leverages the policy change to register multiple rogue devices, creating a persistent backdoor into the organization\u0026rsquo;s resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Changes to Device Registration Policy\u0026rdquo; to your SIEM and tune for your environment to detect unauthorized modifications to device registration policies (rule).\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for any unexpected \u0026ldquo;Set device registration policies\u0026rdquo; events (logsource).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all administrative accounts to prevent unauthorized policy changes (TTP).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-device-registration-policy-change/","summary":"Monitoring changes to the device registration policy can detect potential privilege escalation or defense impairment attempts by malicious actors aiming to weaken security controls related to device management in Azure Active Directory.","title":"Azure AD Device Registration Policy Changes Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-device-registration-policy-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","threat-intelligence","risk-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAzure AD Threat Intelligence identifies suspicious user activities that deviate from established patterns or align with known attack tactics. These alerts, surfaced within the Azure AD Identity Protection framework, are crucial for detecting stealthy maneuvers, persistence attempts, unauthorized privilege escalations, and initial access attempts. 
The alerts are triggered by unusual sign-ins, potentially originating from unfamiliar locations or devices. Defenders should prioritize investigation into these alerts as they can be indicative of compromised accounts or malicious actors attempting to gain unauthorized access to resources within the Azure environment. Successfully identifying and mitigating these threats prevents further lateral movement, data exfiltration, and potential damage to the organization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises user credentials through phishing, credential stuffing, or other means (Initial Access).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to sign in to Azure AD using the compromised credentials, potentially from an unusual location or device.\u003c/li\u003e\n\u003cli\u003eAzure AD Threat Intelligence detects the unusual sign-in activity based on risk indicators and flags it as \u0026lsquo;investigationsThreatIntelligence\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker, if successful in the initial sign-in, attempts to access sensitive resources or applications within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to establish persistence by modifying user profiles or application settings.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges by exploiting vulnerabilities or misconfigurations within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other resources and accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack targeting Azure AD can compromise user accounts and lead to unauthorized access to sensitive data and resources. 
The impact can range from data breaches and financial losses to reputational damage and disruption of business operations. Organizations relying heavily on Azure AD for identity and access management are particularly vulnerable. The number of affected users and the extent of the damage will depend on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026lsquo;investigationsThreatIntelligence\u0026rsquo; events within Azure AD risk detection logs (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate sessions flagged by the detection, correlating with other sign-in events from the same user to identify potential false positives or confirm malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to mitigate the risk of compromised credentials and unauthorized sign-ins.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access based on location, device, and other risk factors.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-azuread-threatintel/","summary":"This brief focuses on detecting unusual user activity and sign-in patterns flagged by Azure AD Threat Intelligence, which may indicate stealthy attacks, persistence attempts, privilege escalation, or initial access.","title":"Azure AD Threat Intelligence Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-azuread-threatintel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory","AD FS"],"_cs_severities":["medium"],"_cs_tags":["cloud","azure","adfs","defense-impairment"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat involves 
the creation of a rogue AD FS service instance within the Azure AD Hybrid Health Service to spoof AD FS signing logs. The attacker leverages the Azure AD Hybrid Health Service to create a new AD FS service and adds a fake server instance. This method allows the attacker to manipulate AD FS logging information without needing to compromise an on-premises AD FS server. The attack can be performed programmatically through HTTP requests to Azure, making it scalable and difficult to trace back to traditional on-premises attack vectors. This technique is particularly concerning because it undermines the integrity of AD FS logs, a crucial component for security monitoring and incident response.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCompromise Azure Account:\u003c/strong\u003e The attacker gains access to an Azure account, potentially through stolen credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProvision Rogue AD Health Service:\u003c/strong\u003e The attacker programmatically provisions a new AD Health Service within the compromised Azure environment, specifically targeting AD FS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCreate Fake Server Instance:\u003c/strong\u003e Within the newly created AD Health Service, the attacker creates a fake server instance, mimicking a legitimate AD FS server. 
The \u003ccode\u003eResourceId\u003c/code\u003e will contain \u003ccode\u003eAdFederationService\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eManipulate Logs:\u003c/strong\u003e Using the fake server instance, the attacker injects or alters AD FS signing logs, creating a false narrative of user authentication events.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpersonate Users/Bypass Authentication:\u003c/strong\u003e The attacker uses the manipulated logs to impersonate legitimate users or bypass authentication controls in applications relying on AD FS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Privilege Escalation:\u003c/strong\u003e Using the falsely acquired credentials or authentication tokens, the attacker moves laterally within the network, escalating privileges to access sensitive resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/System Compromise:\u003c/strong\u003e The attacker exfiltrates sensitive data or gains control over critical systems using the compromised accounts and manipulated logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to spoof AD FS signing logs, potentially leading to unauthorized access, data breaches, and system compromise. The compromised logs can be used to cover the attacker\u0026rsquo;s tracks, making detection and incident response more difficult. Organizations relying on Azure AD Hybrid Health for AD FS monitoring are at risk of having their security posture undermined. 
The number of potential victims is substantial, as many organizations use AD FS for authentication and rely on its logs for security monitoring.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Active Directory Hybrid Health AD FS New Server\u003c/code\u003e to your SIEM to detect the creation of new AD FS server instances within the Azure AD Hybrid Health Service. Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for any unusual activity related to the \u003ccode\u003eMicrosoft.ADHybridHealthService\u003c/code\u003e resource provider and the \u003ccode\u003eMicrosoft.ADHybridHealthService/services/servicemembers/action\u003c/code\u003e operation, specifically the \u003ccode\u003eAdministrative\u003c/code\u003e category.\u003c/li\u003e\n\u003cli\u003eReview and validate all AD FS server instances registered within the Azure AD Hybrid Health Service to ensure their legitimacy.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts to prevent unauthorized access and mitigate the risk of initial compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-azuread-adfs-spoofing/","summary":"A threat actor can create a new, rogue AD Health ADFS service within Azure and then create a fake server instance, which can be leveraged to spoof AD FS signing logs without compromising on-prem AD FS servers.","title":"Spoofing AD FS Signing Logs via Azure AD Hybrid Health Service","url":"https://feed.craftedsignal.io/briefs/2024-01-23-azuread-adfs-spoofing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active 
Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","conditional-access","privilege-escalation","credential-access","persistence","defense-impairment"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe unauthorized removal of a Conditional Access (CA) policy in Azure Active Directory can significantly weaken an organization\u0026rsquo;s security posture. Conditional Access policies are critical for enforcing multi-factor authentication, device compliance, and other security controls based on user, location, device, and application conditions. When a non-approved actor removes such a policy, it can open the door for privilege escalation, credential access, and persistence by malicious actors. This activity is often performed after an initial compromise to disable security controls and move laterally within the environment. Identifying and responding to such removals promptly is essential to maintain a strong security posture.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to an account with sufficient privileges to view and modify Azure Active Directory settings. This could be through phishing, password spraying, or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges within Azure AD to gain the necessary permissions to manage Conditional Access policies. This might involve adding themselves to a privileged role or exploiting misconfigurations in existing roles.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker enumerates existing Conditional Access policies to identify targets for removal. 
They may focus on policies that enforce MFA or restrict access based on location.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker disables or modifies logging configurations to reduce the likelihood of detection.\u003c/li\u003e\n\u003cli\u003ePolicy Removal: The attacker removes the targeted Conditional Access policy using the Azure portal, PowerShell, or the Azure CLI. The audit logs will record a \u0026ldquo;Delete conditional access policy\u0026rdquo; event.\u003c/li\u003e\n\u003cli\u003eCredential Access: With the CA policy removed, the attacker may attempt to access sensitive resources or applications without MFA, potentially gaining access to credentials or sensitive data.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by creating new user accounts or modifying existing ones to maintain access even if their initial entry point is discovered.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker leverages the compromised credentials and weakened security controls to move laterally to other systems and resources within the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful removal of a Conditional Access policy can lead to widespread compromise. Attackers can bypass multi-factor authentication, gain unauthorized access to sensitive data, and escalate privileges within the organization. The impact can range from data breaches and financial losses to reputational damage and compliance violations. 
Depending on the scope of the compromised policy, the number of affected users could range from dozens to thousands.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect the \u0026ldquo;Delete conditional access policy\u0026rdquo; event in Azure audit logs, indicating a CA policy removal.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Azure Active Directory role assignments to minimize the risk of unauthorized privilege escalation.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all user accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eMonitor Azure audit logs for unusual activity, such as changes to user accounts, role assignments, and Conditional Access policies.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of CA policy removal to determine the scope of the compromise and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eReview and harden Conditional Access policies to ensure they are effectively protecting critical resources and applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-09-azure-ca-policy-removal/","summary":"An unauthorized actor removes a Conditional Access policy in Azure, potentially weakening the organization's security posture and enabling privilege escalation or credential access.","title":"Unauthorized Removal of Azure Conditional Access Policy","url":"https://feed.craftedsignal.io/briefs/2024-01-09-azure-ca-policy-removal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","anonymous-proxy","identity-protection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on identifying malicious activity 
within Azure Active Directory environments where users are observed originating traffic from anonymous IP addresses. These IP addresses are typically associated with VPNs, Tor exit nodes, or proxy services, often used by threat actors to obfuscate their true location and evade detection. The activity is flagged within Azure AD Identity Protection as a \u0026lsquo;riskyIPAddress\u0026rsquo;. Detecting and investigating these events is crucial, as they often precede or accompany other malicious behaviors such as account compromise, privilege escalation, and data exfiltration. It allows defenders to proactively identify and respond to potential security incidents before significant damage occurs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure AD user account through various means, such as credential theft, phishing, or brute-force attacks.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages an anonymous proxy service (e.g., VPN, Tor) to mask their true IP address and location.\u003c/li\u003e\n\u003cli\u003eThe compromised user account is used to sign in to Azure AD from the anonymous IP address.\u003c/li\u003e\n\u003cli\u003eAzure AD Identity Protection flags the sign-in attempt as \u0026lsquo;riskyIPAddress\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges within the Azure AD environment, potentially targeting sensitive roles or resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to establish persistence by creating new user accounts or modifying existing ones.\u003c/li\u003e\n\u003cli\u003eThe attacker may then try to access sensitive data or resources within the Azure AD environment.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker exfiltrates sensitive data or launches further attacks against other systems within the organization\u0026rsquo;s network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging anonymous IP addresses can lead to significant damage, including unauthorized access to sensitive data, compromise of critical systems, and financial losses. The use of anonymous proxies makes attribution and incident response more difficult, potentially prolonging the duration of the attack. Organizations may experience data breaches, reputational damage, and regulatory fines as a result of such attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026lsquo;riskyIPAddress\u0026rsquo; events in Azure AD logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any sign-in events flagged as \u0026lsquo;riskyIPAddress\u0026rsquo; in the context of other sign-ins from the same user to identify potential account compromise.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to reduce the risk of account compromise.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access from untrusted locations or devices.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for suspicious activity, such as changes to user accounts, group memberships, or application permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-09-azure-anonymous-ip/","summary":"Detection of user activity originating from an IP address identified as an anonymous proxy, potentially indicating unauthorized access, privilege escalation, or persistence within an Azure Active Directory environment.","title":"Azure AD Activity From Anonymous IP Address","url":"https://feed.craftedsignal.io/briefs/2024-01-09-azure-anonymous-ip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active 
Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","bitlocker","key-retrieval","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers with access to Azure Active Directory, either through compromised credentials or an insider threat, can retrieve BitLocker recovery keys stored within the Azure environment. This allows them to decrypt volumes protected with BitLocker encryption. While retrieving BitLocker keys is a legitimate administrative function, anomalous or unauthorized access can indicate malicious activity. Attackers may leverage this to gain unauthorized access to encrypted data, escalate privileges, or move laterally within the compromised environment. Defenders need to monitor BitLocker key retrieval events for unusual patterns or unauthorized access attempts to detect and prevent potential data breaches or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains unauthorized access to an Azure Active Directory account with sufficient privileges, possibly via credential phishing or password spraying (T1078.004).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if needed): The attacker escalates privileges within Azure AD if the initially compromised account lacks the necessary permissions to read BitLocker keys.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker uses Azure AD tools or PowerShell cmdlets to identify devices with BitLocker encryption enabled.\u003c/li\u003e\n\u003cli\u003eKey Retrieval: The attacker uses the Azure portal or PowerShell to retrieve the BitLocker recovery key for a specific device. 
This generates an audit log event.\u003c/li\u003e\n\u003cli\u003eOffline Access: The attacker uses the retrieved BitLocker recovery key to unlock the encrypted drive on a compromised system or a copied disk image.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Lateral Movement: With the drive unlocked, the attacker can access sensitive data, install malware, or use the system for lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful BitLocker key retrieval can lead to unauthorized access to sensitive data stored on encrypted drives. This could result in data breaches, financial loss, reputational damage, and legal liabilities. The impact depends on the sensitivity and volume of data stored on the encrypted volumes, as well as the attacker\u0026rsquo;s subsequent actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect BitLocker key retrieval events in Azure Audit Logs.\u003c/li\u003e\n\u003cli\u003eReview Azure AD access logs for suspicious activity related to user accounts that have permissions to read BitLocker keys (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges in Azure AD, to prevent unauthorized access (T1078.004).\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies to restrict access to sensitive Azure resources, including BitLocker recovery keys, based on factors such as location, device, and user risk.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Azure AD roles and permissions to ensure that users only have the necessary privileges to perform their job 
functions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:29:00Z","date_published":"2024-01-03T18:29:00Z","id":"/briefs/2024-01-bitlocker-key-retrieval/","summary":"An adversary with sufficient privileges in Azure Active Directory may attempt to retrieve BitLocker keys to decrypt drives for lateral movement or data exfiltration.","title":"Azure AD Bitlocker Key Retrieval","url":"https://feed.craftedsignal.io/briefs/2024-01-bitlocker-key-retrieval/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","role-assignment","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often target identity and access management systems like Azure Active Directory (Azure AD) to gain control over an organization\u0026rsquo;s resources. By adding users to highly privileged roles such as Global Administrator or Device Administrator, adversaries can achieve persistence, allowing them to regain access even after initial compromises are remediated. This activity often occurs after an initial foothold has been established, enabling privilege escalation and stealthy movement within the cloud environment. 
Monitoring role assignments in Azure AD is crucial for detecting and preventing unauthorized access and maintaining the integrity of the organization\u0026rsquo;s cloud infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure AD account, possibly through credential theft or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses PowerShell with compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Azure AD roles and identifies potential targets like Global Administrator or Device Administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAdd-AzureADGroupMember\u003c/code\u003e or similar cmdlets to add a compromised or newly created user account to the target role.\u003c/li\u003e\n\u003cli\u003eThe Azure AD audit logs record the \u0026ldquo;Add member to role\u0026rdquo; operation with the specific role GUIDs (e.g., \u0026lsquo;7698a772-787b-4ac8-901f-60d6b08affd2\u0026rsquo; or \u0026lsquo;62e90394-69f5-4237-9190-012177145e10\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003eThe newly added user account inherits the privileges associated with the Global Administrator or Device Administrator role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to access sensitive data, modify configurations, or deploy malicious applications.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistent access by creating new administrative accounts or modifying existing ones to maintain control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful addition of a user to a Global Administrator or Device Administrator role grants the attacker unrestricted access to the Azure AD tenant, potentially impacting all resources connected to it. 
This can lead to data breaches, service disruptions, financial losses, and reputational damage. The scope of the impact depends on the extent to which the attacker leverages the compromised privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious additions of users to Global or Device Admin roles in Azure AD Audit Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the context of the user account being added and the source of the role assignment operation.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential theft (T1078.004).\u003c/li\u003e\n\u003cli\u003eRegularly review Azure AD role assignments to identify and remove any unauthorized or unnecessary privileges.\u003c/li\u003e\n\u003cli\u003eMonitor for other suspicious Azure AD activity, such as unusual sign-in patterns, application registrations, and resource deployments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:27:00Z","date_published":"2024-01-03T18:27:00Z","id":"/briefs/2024-01-03-azuread-role-assignment/","summary":"An attacker may attempt to add a user to a high-privilege Azure AD role, such as Global Administrator or Device Administrator, to establish persistence, gain initial access, escalate privileges, or operate stealthily within the compromised environment.","title":"Azure AD User Added to Global or Device Admin Role","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azuread-role-assignment/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active 
Directory"],"_cs_severities":["medium"],"_cs_tags":["attack.privilege-escalation","attack.credential-access","attack.persistence","attack.defense-impairment","attack.t1548","attack.t1556"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis activity involves the addition of a user to an Azure Active Directory group that possesses the ability to modify Conditional Access (CA) policies. Conditional Access policies are used to enforce authentication requirements based on various conditions (user, location, device, etc.). If an attacker gains the ability to modify these policies, they can weaken security controls to facilitate privilege escalation, credential access, persistence within the environment, and impair defenses. This type of attack can be initiated by an insider threat or external compromise of an account. The goal is to manipulate CA policies to bypass multi-factor authentication, grant unauthorized access, or maintain persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a user account or service principal with sufficient privileges to manage group memberships in Azure AD. This could be achieved through credential compromise or other initial access vectors.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target Azure AD group that has permissions to manage Conditional Access policies. 
These groups are often used to delegate administrative control over CA policies.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Azure portal, PowerShell, or the Azure AD Graph API/Microsoft Graph API to add a malicious user account to the target group.\u003c/li\u003e\n\u003cli\u003eThe Azure Audit Logs record the \u0026ldquo;Add member from group\u0026rdquo; event, indicating the change in group membership.\u003c/li\u003e\n\u003cli\u003eThe newly added malicious user inherits the group\u0026rsquo;s permissions, which includes the ability to view, create, modify, and delete Conditional Access policies.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies existing CA policies to weaken security controls. For example, they might exclude themselves from MFA requirements or grant access to sensitive resources without proper authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their modified CA policies to gain unauthorized access to sensitive data or resources.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating new CA policies that ensure their continued access, even if their initial access is revoked.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this attack chain can lead to significant compromise of an organization\u0026rsquo;s Azure environment. Attackers can bypass MFA, gain access to sensitive resources, establish persistent access, and impair security defenses. The extent of the damage depends on the permissions associated with the compromised group and the scope of the modified Conditional Access policies. 
This can lead to data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect additions of users to groups with CA policy modification access and tune for your environment.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Azure AD group memberships, especially for groups with administrative privileges (as detected by the Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all users, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege when assigning permissions to Azure AD groups.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for suspicious activity related to group membership changes and Conditional Access policy modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:00Z","date_published":"2024-01-03T18:22:00Z","id":"/briefs/2024-01-azure-group-add/","summary":"An attacker adds a user to a privileged Azure Active Directory group with permissions to modify Conditional Access policies, potentially leading to privilege escalation, credential access, persistence, and defense impairment.","title":"User Added to Group with Conditional Access Policy Modification Access","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-group-add/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","appid","uri","application","serviceprincipal","credential-access","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may modify the AppID URI of an application in Azure to facilitate various malicious activities, including gaining unauthorized access, establishing persistence, accessing credentials, escalating privileges, or 
maintaining stealth within the environment. The AppID URI (the Application ID URI, stored in the application\u0026rsquo;s \u003ccode\u003eidentifierUris\u003c/code\u003e) is the identifier by which clients name an API when they request a token for it, and it appears as the audience of the tokens issued. An owner of the application, or a holder of a directory role such as Application Administrator or Cloud Application Administrator, can change it. A change to this URI could indicate that an attacker is attempting to impersonate a legitimate application or service, potentially bypassing security controls (for example, a resource that validates only the audience claim) and gaining elevated access. Monitoring for these changes is crucial for defenders to identify and respond to potentially malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available applications and service principals within the Azure environment and notes which ones the compromised account owns or can administer.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target application with a high-value AppID URI.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the AppID URI of the target application, or adds an additional one, potentially to impersonate another service or application (T1552); the change is recorded as an \u0026ldquo;Update application\u0026rdquo; event in the Azure AD audit log.\u003c/li\u003e\n\u003cli\u003eThe purpose of the change is to let the attacker request tokens whose audience is that identifier.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified AppID URI to request access tokens, potentially gaining unauthorized access to resources (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the acquired access tokens to move laterally within the Azure environment and access sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by using the modified application for continued unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of an AppID URI can lead to significant security breaches, including unauthorized access to sensitive data, privilege escalation, and persistent compromise of the Azure environment. 
An attacker can impersonate legitimate applications, bypassing security controls and potentially affecting numerous resources and users. The scope of the impact depends on the permissions and access levels associated with the compromised application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Application AppID Uri Configuration Changes\u0026rdquo; to your SIEM to detect unauthorized modifications to AppID URIs (rule provided below).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the AppID URI changes.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit application permissions and configurations to identify and remediate any misconfigurations.\u003c/li\u003e\n\u003cli\u003eMonitor Azure audit logs for other suspicious activities related to application and service principal management.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:24:00Z","date_published":"2024-01-03T17:24:00Z","id":"/briefs/2024-01-azure-appid-uri-change/","summary":"Detection of configuration changes to an application's AppID URI in Azure, potentially indicating malicious activity related to initial access, persistence, credential access, privilege escalation, or stealth.","title":"Detect Application AppID URI Configuration Changes in Azure","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-appid-uri-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","temporary-access-pass","privilege-escalation","initial-access","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies when a temporary access pass (TAP) 
is added to an Azure Active Directory (Azure AD) account. A TAP is a time-limited passcode issued by an administrator (the Authentication Administrator role, or Privileged Authentication Administrator when the target holds a privileged role) that on its own satisfies strong-authentication requirements; it is intended for onboarding users to passwordless methods or for recovering users who have lost their MFA device. Because a TAP lets the holder sign in without the account\u0026rsquo;s password or registered MFA methods and then register new authentication methods, adversaries can leverage TAPs to gain unauthorized access, escalate privileges, establish persistence, or move laterally within an Azure environment. This activity warrants investigation, especially if the TAP is added to a privileged account, or by an administrator who does not normally perform onboarding or recovery. The source material does not indicate a specific campaign or threat actor, but the technique aligns with common cloud-based attack vectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise (Optional):\u003c/strong\u003e An attacker gains initial access to an Azure AD account through compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker escalates privileges to an account with sufficient permissions to manage TAPs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTAP Generation:\u003c/strong\u003e The attacker, using an account with appropriate permissions, generates a temporary access pass (TAP) for a target account; the audit log records the administrator, the target user, and the time.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTAP Activation:\u003c/strong\u003e The attacker uses the TAP to authenticate to the target account; the sign-in log shows the TAP as the authentication method for that sign-in.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Access:\u003c/strong\u003e Once authenticated, the attacker gains access to resources and applications associated with the target account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker uses the compromised account to access other resources or accounts within the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker establishes persistence by registering their own authentication methods on the account (such as an authenticator app or FIDO2 key), creating new credentials, or modifying existing 
ones, if permissions allow.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, systems, and applications within the Azure environment. Compromised privileged accounts can grant attackers control over critical infrastructure, leading to data breaches, service disruptions, and reputational damage. The impact depends on the permissions associated with the compromised account and the resources accessible through the TAP.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect TAP additions in Azure AD audit logs (see rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where TAPs are added to privileged accounts in Azure AD, as highlighted in the rule description and references.\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for suspicious activity surrounding the TAP generation event, including the source IP address and user agent (see rules).\u003c/li\u003e\n\u003cli\u003eMonitor for anomalous sign-in activity using TAPs, specifically focusing on unusual locations or devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-azure-tap-added/","summary":"Detection of a temporary access pass (TAP) being added to an Azure AD account, which could indicate potential privilege escalation, initial access, persistence, or stealth activity.","title":"Azure AD Temporary Access Pass Added to Account","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-tap-added/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active 
Directory"],"_cs_severities":["medium"],"_cs_tags":["attack.privilege-escalation","attack.persistence","attack.initial-access","attack.stealth","attack.t1078"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert focuses on detecting potentially risky authentication events within Azure Active Directory. Specifically, it flags successful sign-ins to applications deemed \u0026ldquo;important\u0026rdquo; where the authentication involved only a single factor (in the sign-in log, \u003ccode\u003eAuthenticationRequirement\u003c/code\u003e is \u003ccode\u003esingleFactorAuthentication\u003c/code\u003e). Such a sign-in was not protected by multi-factor authentication (MFA), so the application is exposed to compromise if the single factor (typically the password) is weak, stolen, or replayed. The alert is designed to identify deviations from a secure authentication baseline, particularly in environments where MFA is expected for sensitive resources. The applications considered \u0026ldquo;important\u0026rdquo; must be pre-defined by the defender, by application ID, for this detection to function effectively.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a valid username and password through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to a pre-defined, high-value application within the Azure AD environment.\u003c/li\u003e\n\u003cli\u003eAzure AD processes the authentication request and evaluates Conditional Access.\u003c/li\u003e\n\u003cli\u003eNo Conditional Access policy requires MFA for this combination of user, application, location, and device (or the user or location is excluded), so a single factor is sufficient.\u003c/li\u003e\n\u003cli\u003eAzure AD verifies the supplied username and password against its directory.\u003c/li\u003e\n\u003cli\u003eUpon successful verification, Azure AD issues tokens and grants the attacker access to the application.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the application\u0026rsquo;s data and functionality.\u003c/li\u003e\n\u003cli\u003eDepending on the application and attacker\u0026rsquo;s motives, this could lead 
to data exfiltration, privilege escalation, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of successful single-factor authentication to critical applications can range from minor data breaches to significant compromises of sensitive systems. The number of potential victims depends on the application\u0026rsquo;s user base and the sensitivity of the data it manages. Sectors most at risk include those handling financial, healthcare, or sensitive personal information. A successful attack could lead to data theft, financial loss, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePopulate the \u003ccode\u003eAppId\u003c/code\u003e field in the Sigma rule with the Application IDs of your organization\u0026rsquo;s critical applications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the single-factor authentication.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users accessing critical applications to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and update Azure AD Conditional Access policies to ensure appropriate authentication requirements are in place.\u003c/li\u003e\n\u003cli\u003eTune the Sigma rule based on observed false positives in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-03-azure-single-factor-auth/","summary":"Detection of successful Azure AD authentications to critical applications that only required single-factor authentication, potentially indicating a security lapse or policy violation leading to unauthorized access.","title":"Azure AD Authentication to Important Apps Using Single-Factor 
Authentication","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-single-factor-auth/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","password-reset","privilege-escalation","initial-access","persistence","credential-access","stealth"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting user-initiated password resets within Azure Active Directory (Azure AD). While legitimate password resets are common, monitoring this activity can help identify potentially malicious behavior, such as an attacker attempting to gain unauthorized access to an account or an insider threat actor escalating privileges. Attackers may leverage compromised credentials or social engineering to initiate password resets, bypassing multi-factor authentication (MFA) if it is not properly configured or enforced. This detection is important for defenders because successful password resets can lead to a complete account takeover, allowing attackers to access sensitive data, resources, and systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user\u0026rsquo;s credentials through phishing, credential stuffing, or malware.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to log in to an Azure AD-protected resource using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker fails to authenticate, either because they do not have the correct password or MFA is enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a password reset request using the \u0026ldquo;Forgot password\u0026rdquo; feature or a similar mechanism.\u003c/li\u003e\n\u003cli\u003eAzure AD sends a password reset verification code or link to the user\u0026rsquo;s registered email address or phone number.\u003c/li\u003e\n\u003cli\u003eIf 
the attacker controls the registered email address or phone number (due to prior compromise), they can access the verification code or link.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the verification code or link to set a new password for the user\u0026rsquo;s Azure AD account.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in to the Azure AD account with the new password, gaining unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful password resets by attackers can lead to complete account takeover, allowing them to access sensitive data, resources, and systems protected by Azure AD. This can result in data breaches, financial loss, reputational damage, and disruption of business operations. The impact depends on the privileges and permissions assigned to the compromised account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePassword Reset By User Account\u003c/code\u003e to your SIEM to detect user-initiated password resets in Azure AD audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected password resets, especially those initiated by users who have not recently requested a password change.\u003c/li\u003e\n\u003cli\u003eReview and enforce multi-factor authentication (MFA) policies to prevent attackers from bypassing password-based authentication.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for suspicious activity related to password resets, such as multiple failed login attempts followed by a successful reset.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-azure-user-password-reset/","summary":"Detects when a user successfully resets their own password in Azure Active Directory, which may indicate malicious activity or account compromise.","title":"Azure AD User 
Password Reset Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-user-password-reset/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","azure","entra","guest-account"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe conversion of a user account from \u0026ldquo;Guest\u0026rdquo; to \u0026ldquo;Member\u0026rdquo; within Azure Active Directory (Azure AD) can represent a significant privilege escalation. While legitimate use cases exist for such conversions, malicious actors can abuse this functionality to gain unauthorized access and persistence. By elevating a guest account, which typically has limited permissions, to a member account, attackers can inherit the broader access rights associated with the latter, potentially compromising sensitive data and systems. Monitoring this activity is crucial as it can be indicative of insider threats or compromised administrative accounts used to manipulate user roles.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCompromise Initial Account:\u003c/strong\u003e An attacker gains initial access, possibly through phishing or credential stuffing, to an account with sufficient privileges to modify user attributes in Azure AD.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Target Guest Account:\u003c/strong\u003e The attacker identifies a guest account within the Azure AD environment that could provide valuable access if converted to a member account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModify UserType Attribute:\u003c/strong\u003e Using the compromised account, the attacker modifies the \u003ccode\u003eUserType\u003c/code\u003e attribute of the target guest account from \u0026ldquo;Guest\u0026rdquo; to \u0026ldquo;Member\u0026rdquo; via the Azure AD portal, 
PowerShell, or the Microsoft Graph API. This action generates an \u0026ldquo;Update user\u0026rdquo; event in the Azure AD audit logs whose modified properties show \u003ccode\u003eUserType\u003c/code\u003e going from \u0026ldquo;Guest\u0026rdquo; to \u0026ldquo;Member\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInherit Member Privileges:\u003c/strong\u003e Once the \u003ccode\u003eUserType\u003c/code\u003e is changed to \u0026ldquo;Member\u0026rdquo;, the account receives the default permissions of a member, most notably full read access to the directory (users, groups, applications) that guests are normally denied. Existing group memberships do not change by themselves, but Conditional Access policies that target guest or external users stop applying to the account, and dynamic groups or application assignments whose rules key on the user type may now include it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Leveraging the newly acquired member privileges, the attacker moves laterally within the Azure AD environment, accessing resources and services that were previously inaccessible.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or System Compromise:\u003c/strong\u003e The attacker uses the elevated privileges to exfiltrate sensitive data, compromise critical systems, or establish persistent backdoors for future access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful conversion of a guest account to a member account can lead to significant privilege escalation, potentially granting attackers access to sensitive data, critical systems, and confidential resources. This can lead to data breaches, financial losses, reputational damage, and disruption of business operations. 
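Two briefs on this page, the Application AppID URI change above and the guest-to-member conversion here, come down to the same audit-log mechanic: an "Update ..." event whose `modifiedProperties` carry JSON-encoded old and new values. The following Python is an added example (not the page's Sigma rules) of evaluating both from one property-change pass. It assumes the export layout (top-level `operationName`; `result`, `initiatedBy`, `targetResources` under `properties`) and the property display names `AppIdentifierUri` and `UserType` as the author has seen them in tenant audit logs; every sample record is constructed.

```python
"""Evaluate modifiedProperties in Entra ID audit records for two changes
discussed on this page: an application's Application ID URI being altered
("Update application", property AppIdentifierUri) and a user being converted
from Guest to Member ("Update user", property UserType).

Added example, not the page's Sigma rules. Assumptions: export layout
(operationName top-level; result, initiatedBy, targetResources under
properties); old/new values are JSON-encoded strings; the property display
names are as the author has observed them; all sample records are constructed.
"""
import json
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple


def _decode(value: Optional[str]) -> Any:
    """old/new values arrive as JSON text ('["Guest"]', '"x"'). An empty or
    missing value (a property that was unset) decodes to None, and a value
    that is not JSON is returned as-is rather than crashing the pipeline."""
    if not value:
        return None
    try:
        return json.loads(value)
    except json.JSONDecodeError:
        return value


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def property_changes(record: Dict) -> Iterator[Tuple[str, str, Any, Any]]:
    """Yield (target_id, property, old, new) for entries whose value really
    changed; Entra lists some untouched properties alongside the changed ones."""
    for target in record.get("properties", {}).get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            old, new = _decode(prop.get("oldValue")), _decode(prop.get("newValue"))
            if old != new:
                yield target.get("id", ""), prop.get("displayName", ""), old, new


def _guest_to_member(old: Any, new: Any) -> bool:
    return _as_list(old) == ["Guest"] and _as_list(new) == ["Member"]


def _uri_changed(old: Any, new: Any) -> bool:
    # any added, removed or rewritten identifier URI counts
    return set(_as_list(old)) != set(_as_list(new))


Rule = Tuple[str, str, Callable[[Any, Any], bool], str]
RULES: List[Rule] = [
    ("Update application", "AppIdentifierUri", _uri_changed, "Application AppID URI changed"),
    ("Update user", "UserType", _guest_to_member, "User type changed from Guest to Member"),
]


def _actor(props: Dict) -> str:
    by = props.get("initiatedBy", {})
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or ("app:" + app.get("displayName", "?"))


def evaluate(records: List[Dict], rules: List[Rule] = RULES) -> List[Dict]:
    alerts = []
    for rec in records:
        props = rec.get("properties", {})
        if props.get("result") != "success":
            continue                           # denied changes did not take effect
        for target_id, name, old, new in property_changes(rec):
            for op, prop_name, predicate, title in rules:
                if rec.get("operationName") == op and name == prop_name and predicate(old, new):
                    alerts.append({"rule": title, "actor": _actor(props),
                                   "target": target_id, "old": old, "new": new})
    return alerts


def _record(op: str, result: str, target_id: str, changes: List[Tuple[str, Any, Any]]) -> Dict:
    """Constructed audit record; changes is a list of (property, old, new)."""
    return {"operationName": op, "properties": {
        "result": result,
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"id": target_id, "modifiedProperties": [
            {"displayName": n, "oldValue": json.dumps(o) if o is not None else "",
             "newValue": json.dumps(v) if v is not None else ""} for n, o, v in changes]}]}}


SAMPLE_RECORDS = [  # constructed sample data, not real tenant logs
    _record("Update application", "success", "app-payroll-api",
            [("AppIdentifierUri", ["api://payroll.contoso.example"],
              ["api://payroll.contoso.example", "https://payroll-api.attacker.example"]),
             ("DisplayName", ["Payroll API"], ["Payroll API"])]),          # unchanged, ignored
    _record("Update user", "success", "user-guest-1", [("UserType", ["Guest"], ["Member"])]),
    _record("Update user", "success", "user-member-2", [("UserType", ["Member"], ["Guest"])]),  # demotion
    _record("Update user", "failure", "user-guest-3", [("UserType", ["Guest"], ["Member"])]),   # denied
    _record("Update application", "success", "app-other", [("AppAddress", None, [{"Address": "https://x"}])]),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_RECORDS):
        print(f"{a['rule']}: {a['target']} by {a['actor']} ({a['old']} -> {a['new']})")
```

On the constructed records this produces exactly two alerts: the added identifier URI on the payroll API and the guest promoted to member. The demotion, the denied change, the untouched display name and the unrelated property all pass through silently, which is the behaviour to verify before pointing the logic at live exports, where unchanged properties are common.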
The impact depends on the permissions assigned to member accounts and the sensitivity of the resources they can access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;User State Changed From Guest To Member\u0026rdquo; Sigma rule to your SIEM to detect unauthorized user type conversions in Azure AD audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of user type changes from \u0026ldquo;Guest\u0026rdquo; to \u0026ldquo;Member\u0026rdquo; to verify their legitimacy, focusing on the user performing the action and the reason for the change (as captured by the Azure AD audit logs).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of account compromise and unauthorized access.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for all user accounts to minimize the potential impact of a successful privilege escalation attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-azure-guest-member/","summary":"An adversary may convert a guest user account to a member account in Azure Active Directory to elevate privileges and gain persistent access to resources.","title":"Azure AD Guest to Member User Type Conversion","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-guest-member/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","pim","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003ePrivileged Identity Management (PIM) is a critical component of Azure Active Directory, enabling organizations to manage, control, and monitor access to important resources. 
Attackers often target PIM configurations to escalate privileges, establish persistence, or move laterally within a compromised environment. This activity focuses on detecting changes to PIM role settings, which could indicate malicious activity aimed at weakening security controls. Defenders must monitor these changes to prevent unauthorized access and maintain the integrity of their Azure environment. This includes understanding who is making these changes, the scope of the modifications, and whether the changes align with established security policies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attacker gains initial access to an account with sufficient privileges to change PIM role settings; in Entra ID that means the Privileged Role Administrator or Global Administrator role.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates existing PIM role settings within the Azure Active Directory environment, looking for roles whose activation is gated by MFA, approval, or short maximum durations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModification:\u003c/strong\u003e The attacker modifies existing PIM role settings, such as extending the maximum activation duration, removing the approval or MFA-on-activation requirement, or switching off activation notifications to administrators, using the Azure portal, PowerShell, or the Microsoft Graph API.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e With the guardrails relaxed, the attacker activates an eligible assignment, or grants one, and so obtains elevated access to sensitive resources or administrative functions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating new or modifying existing role assignments (for example, converting an eligible assignment into a permanent active one, or assigning the role to a group they control) to maintain access even if their initial account is remediated.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With escalated privileges, the attacker moves laterally to access other resources or accounts within the Azure 
environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker leverages their escalated privileges to exfiltrate sensitive data, disrupt services, or cause other damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of PIM settings can have severe consequences, including unauthorized access to sensitive data, disruption of critical services, and privilege escalation leading to complete compromise of the Azure environment. A single compromised PIM setting can affect multiple users and resources, amplifying the impact of the attack. Early detection of PIM setting modifications can prevent attackers from gaining a foothold and causing significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect changes to PIM settings based on the \u003ccode\u003eproperties.message\u003c/code\u003e field within Azure audit logs.\u003c/li\u003e\n\u003cli\u003eRegularly review Azure audit logs for events related to PIM configuration changes, paying close attention to the user accounts making the changes and the scope of the modifications.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all accounts with privileges to manage PIM settings.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by granting users only the minimum permissions required to perform their job functions.\u003c/li\u003e\n\u003cli\u003eEstablish a baseline of normal PIM settings and alert on any deviations from this baseline.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule by correlating them with other security events and user activity.\u003c/li\u003e\n\u003cli\u003eImplement automated responses to detected PIM setting modifications, such as disabling the affected user account or 
reverting the changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-03-azure-pim-settings-change/","summary":"Detects unauthorized or malicious modifications to Privileged Identity Management (PIM) settings within Azure environments, potentially leading to privilege escalation, persistence, and stealthy access by attackers.","title":"Detection of Privileged Identity Management (PIM) Settings Modifications","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-pim-settings-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["attack.privilege-escalation","attack.persistence","attack.initial-access","attack.stealth","attack.t1078"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies a potentially malicious increase in successful sign-ins within an Azure Active Directory environment. An attacker who has compromised credentials may attempt to leverage them repeatedly, resulting in a higher-than-normal volume of successful authentications. While not definitive proof of compromise, a sudden spike warrants further investigation. This behavior is typically observed during the initial access, persistence, privilege escalation, or stealth phases of an attack. This detection focuses on identifying increases of 10% or greater, providing a starting point for identifying anomalous activity. 
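The 10% figure in this brief is a comparison against a baseline, and the investigative follow-up it calls for is attribution of the excess. The following Python is an added example (not the brief's Sigma rule) that does both over exported sign-in events: it counts successful sign-ins per day, flags a day that is at least 10% above the mean of the previous days, and lists the accounts contributing most of the increase. Field names (`ResultType` with 0 meaning success, `UserPrincipalName`, `CreatedDateTime`) follow the Entra sign-in log export as the author understands it; the minimum-baseline guard and the per-account attribution are additions beyond the rule's threshold, and all events are constructed.

```python
"""Flag a day whose successful sign-in volume is at least 10% above the
trailing baseline, and attribute the excess to the accounts driving it.

Added example, not the brief's Sigma rule. Assumptions: sign-in export fields
ResultType (0 = success), UserPrincipalName and CreatedDateTime as the author
understands the Entra sign-in log; the minimum-baseline guard and the
per-user attribution go beyond the 10% rule; all events are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List

THRESHOLD = 0.10     # 10% or greater, as in the brief
MIN_BASELINE = 50    # assumption: below this, 10% is a handful of events and pure noise


def successful_by_day(events: List[Dict]) -> Dict[str, Counter]:
    """Per-day counter of successful sign-ins keyed by account."""
    days: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e.get("ResultType") != 0:
            continue                                   # failures are a different signal
        ts = datetime.fromisoformat(e["CreatedDateTime"].replace("Z", "+00:00"))
        days[ts.date().isoformat()][e["UserPrincipalName"]] += 1
    return days


def flag_increases(events: List[Dict], lookback: int = 3) -> List[Dict]:
    """Compare each day against the mean of the previous `lookback` days."""
    days = successful_by_day(events)
    ordered = sorted(days)
    alerts = []
    for i in range(lookback, len(ordered)):
        window = ordered[i - lookback:i]
        baseline = mean(sum(days[d].values()) for d in window)
        today = sum(days[ordered[i]].values())
        if baseline < MIN_BASELINE:
            continue
        increase = (today - baseline) / baseline
        if increase < THRESHOLD:
            continue
        prior = Counter()
        for d in window:
            prior.update(days[d])
        # excess per account relative to that account's own daily average
        excess = {u: c - prior[u] / lookback for u, c in days[ordered[i]].items()}
        top = sorted(excess.items(), key=lambda kv: kv[1], reverse=True)[:3]
        alerts.append({"day": ordered[i], "count": today, "baseline": baseline,
                       "increase": round(increase, 3), "top_users": top})
    return alerts


def make_sample_events() -> List[Dict]:
    """Constructed data: ten staff accounts with ten successful sign-ins a day,
    a service account with two, one failure a day, and on the last day the
    service account suddenly signing in thirty times (credential abuse)."""
    events = []
    staff = [f"user{n}@contoso.example" for n in range(10)]
    svc = "svc-backup@contoso.example"
    for day in ("2024-01-01", "2024-01-02", "2024-01-03", "2024-01-04"):
        for upn in staff:
            events += [{"CreatedDateTime": f"{day}T08:{m:02d}:00Z", "UserPrincipalName": upn,
                        "ResultType": 0} for m in range(10)]
        svc_count = 30 if day == "2024-01-04" else 2
        events += [{"CreatedDateTime": f"{day}T02:{m:02d}:00Z", "UserPrincipalName": svc,
                    "ResultType": 0} for m in range(svc_count)]
        events.append({"CreatedDateTime": f"{day}T09:00:00Z", "UserPrincipalName": staff[0],
                       "ResultType": 50126})           # wrong password, not counted
    return events


SAMPLE_EVENTS = make_sample_events()

if __name__ == "__main__":
    for a in flag_increases(SAMPLE_EVENTS):
        print(a)
```

With the constructed data the first three days hold steady at 102 successful sign-ins, the fourth rises to 130 (about 27%), and the attribution step points straight at the service account, whose thirty sign-ins sit against a two-a-day history. Comparing against the same weekday rather than the previous three days is the usual next refinement for tenants with a strong weekly rhythm.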
Defenders should investigate the source of the increase, focusing on specific users, applications, or geographic locations involved.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e The attacker obtains valid user credentials through phishing, brute-force, or credential stuffing attacks against Azure AD.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker uses the compromised credentials to successfully authenticate to Azure AD, gaining initial access to the environment (T1078).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnumeration:\u003c/strong\u003e The attacker enumerates available resources, applications, and user accounts within the Azure AD environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges by exploiting misconfigurations or vulnerabilities in Azure AD or related applications. This may involve authenticating to multiple resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence mechanisms, such as creating new accounts or modifying existing ones, to maintain access to the environment. 
This may involve repeatedly authenticating to refresh tokens or maintain sessions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised account to access other resources or accounts within the Azure AD environment, potentially triggering further successful sign-ins.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or Damage:\u003c/strong\u003e The attacker uses the compromised access to exfiltrate sensitive data or disrupt business operations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCovering Tracks:\u003c/strong\u003e The attacker attempts to cover their tracks, for example by removing the diagnostic settings that forward sign-in and audit logs to the SIEM. The Azure AD logs themselves cannot be edited or deleted by a tenant user, so a sudden gap in the forwarded feed is itself worth alerting on.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack following a measurable increase in authentications can lead to unauthorized access to sensitive data, financial loss, reputational damage, and disruption of business operations. The specific impact depends on the level of access gained by the attacker and the resources they are able to compromise. For example, an attacker gaining access to an administrator account could potentially take control of the entire Azure AD environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Measurable Increase Of Successful Authentications\u0026rdquo; Sigma rule to your SIEM and tune for your environment; a 10% rise is routine after a weekend, a holiday, or a new application rollout, so compare like with like (same weekday, same window) and require a minimum baseline volume before alerting. 
This rule detects increases of 10% or greater in successful sign-ins (rule, logsource: azure, service: signinlogs).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the source of the increased authentications and the users/applications involved.\u003c/li\u003e\n\u003cli\u003eReview the Microsoft Entra ID Protection reports for unusual sign-in activity, as referenced in the source material: \u003ca href=\"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\"\u003ehttps://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor for other suspicious activities, such as unusual sign-in locations, access to sensitive resources, or changes to user accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-03-azure-auth-increase/","summary":"This detection identifies a measurable (10% or greater) increase in successful sign-ins to Azure Active Directory, potentially indicating credential compromise or account takeover attempts.","title":"Azure AD Successful Authentication Increase","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-auth-increase/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-impairment","attack.t1578.003","azure"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAn attacker with sufficient Azure privileges can register a new AD FS service and a fake server in Azure AD Hybrid Health (the Azure AD Connect Health service for AD FS, resource provider Microsoft.ADHybridHealthService) and use the fake server to report spoofed AD FS sign-in logs into the tenant. 
Once the attacker no longer requires the spoofed logs, they may delete the service to remove traces of their activity or to hinder investigations. This is achieved via HTTP requests to Azure, specifically targeting the deletion of the AD FS service instance. This activity is logged within Azure Activity Logs, providing an opportunity for detection. Defenders should monitor for unexpected deletions of AD FS service instances within their Azure AD environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure tenant with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker provisions a new, rogue AD FS service within the Azure AD Hybrid Health Service.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a fake server or modifies an existing one to generate spoofed AD FS signing logs.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the spoofed logs to conduct malicious activity, potentially bypassing security controls.\u003c/li\u003e\n\u003cli\u003eOnce the malicious activity is complete, the attacker initiates the deletion of the rogue AD FS service.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to Azure to delete the service using the \u003ccode\u003eMicrosoft.ADHybridHealthService/services/delete\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eThe Azure Activity Logs record the deletion event with CategoryValue set to \u0026lsquo;Administrative\u0026rsquo; and ResourceProviderValue as \u0026lsquo;Microsoft.ADHybridHealthService\u0026rsquo;.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of the AD FS service instance can hinder forensic investigations and potentially mask malicious activity within the Azure AD environment. This can lead to delayed incident response and make it more difficult to identify the source and scope of the attack. 
The impact depends on the sophistication of the attacker and the extent to which they leveraged the spoofed logs for malicious purposes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the deletion of AD FS service instances in Azure AD Hybrid Health (Azure Activity Logs).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eMicrosoft.ADHybridHealthService/services/delete\u003c/code\u003e operations where the \u003ccode\u003eResourceId\u003c/code\u003e contains \u003ccode\u003eAdFederationService\u003c/code\u003e in the Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for unexpected or unauthorized modifications to AD FS service configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-03-azuread-adfs-delete/","summary":"Threat actors may delete Azure AD Hybrid Health AD FS service instances after using them to spoof AD FS signing logs for defense evasion.","title":"Azure AD Hybrid Health AD FS Service Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azuread-adfs-delete/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["cloud","azure","application","uri","modification","persistence","credential-access","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may modify application URIs within Azure Active Directory to redirect users or applications to malicious resources, obtain unauthorized access, or establish persistence. The modification of an application\u0026rsquo;s URI can be a subtle but effective technique for gaining a foothold in an environment. 
By manipulating the URI settings, attackers can redirect traffic to attacker-controlled servers, intercept credentials, or perform other malicious actions. This activity is often difficult to detect because it can blend in with legitimate administrative tasks. Investigation is merited if URIs for domain names no longer exist, are not using HTTPS, have wildcards at the end of the domain, are not unique to that app, or point to domains that the organization does not control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure account with sufficient privileges to modify application registrations.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Azure Active Directory portal.\u003c/li\u003e\n\u003cli\u003eThe attacker locates a target application registration.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the application\u0026rsquo;s URI settings, such as the reply URLs or identifier URIs.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the URI to point to a malicious server or a phishing page.\u003c/li\u003e\n\u003cli\u003eUsers or applications are redirected to the malicious URI when attempting to authenticate or access the application.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts credentials or performs other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by maintaining control over the application\u0026rsquo;s URI settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to credential theft, data breaches, or unauthorized access to sensitive resources. By compromising application URIs, attackers can redirect users to phishing pages, intercept credentials, or gain a foothold in the environment for further exploitation. 
This activity can be difficult to detect and can have a significant impact on the organization\u0026rsquo;s security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eApplication URI Configuration Changes\u003c/code\u003e to your SIEM to detect suspicious modifications to application URIs in Azure Audit Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eApplication URI Configuration Changes\u003c/code\u003e to determine if the URI modification is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Audit Logs for any changes to application URI settings (as indicated by \u003ccode\u003eproperties.message: Update Application Sucess- Property Name AppAddress\u003c/code\u003e) and validate the legitimacy of the changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:21:00Z","date_published":"2024-01-03T14:21:00Z","id":"/briefs/2024-01-03-azure-app-uri-modification/","summary":"Detection of Azure application URI modifications that can be indicative of malicious activity, such as using dangling URIs, non-HTTPS URIs, wildcard domains, or URIs pointing to uncontrolled domains, potentially leading to initial access, stealth, persistence, credential access, and privilege escalation.","title":"Azure Application URI Configuration Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-app-uri-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","conditional-access","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis activity involves the removal of a user from an Azure Active Directory (Azure AD) group that possesses the ability to modify Conditional Access (CA) policies. 
Conditional Access policies are critical for enforcing organizational security standards and access controls. The removal of users from these groups can be an attempt by a malicious actor to disrupt security measures, escalate privileges, or establish persistence within the Azure environment. An attacker with sufficient privileges may remove legitimate administrators from CA policy modification groups to bypass multi-factor authentication or other controls, potentially gaining unauthorized access to sensitive resources. This activity is of concern to defenders as it can be a precursor to more significant compromises.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure AD account with sufficient privileges, possibly through credential theft or account compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates Azure AD groups to identify those with permissions to manage or modify Conditional Access policies.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user account that is a member of the identified privileged group.\u003c/li\u003e\n\u003cli\u003eThe attacker uses Azure AD administrative tools or PowerShell cmdlets to remove the target user from the privileged group.\u003c/li\u003e\n\u003cli\u003eThe Azure Audit Logs record the event \u0026ldquo;Remove member from group\u0026rdquo; related to the targeted group and user.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies Conditional Access policies to weaken security controls, such as disabling multi-factor authentication or allowing access from untrusted locations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the weakened security posture to gain unauthorized access to sensitive resources or data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating new, attacker-controlled accounts with high privileges or by modifying existing accounts to bypass security 
controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful removal of a user from a Conditional Access policy modification group can lead to significant security breaches. Attackers can weaken or disable MFA requirements, bypass location-based restrictions, and gain unauthorized access to sensitive applications and data. This can result in data exfiltration, financial loss, and reputational damage. The scope of the impact depends on the permissions assigned through the compromised Conditional Access policies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;User Removed From Group With CA Policy Modification Access\u0026rdquo; to your SIEM to detect unauthorized removal of users from critical groups with CA modification access (logsource: azure, service: auditlogs).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the context of the user removed and the target group (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all administrative accounts, including those with permissions to manage Conditional Access policies.\u003c/li\u003e\n\u003cli\u003eReview and audit Azure AD group memberships regularly, especially for groups with elevated privileges.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for suspicious activity related to group membership changes and Conditional Access policy modifications (logsource: azure, service: auditlogs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-group-removal/","summary":"An attacker removes a user from a privileged Azure Active Directory group with permissions to modify Conditional Access policies, potentially leading to privilege escalation, persistence, or defense evasion.","title":"User 
Removed from Group with Conditional Access Policy Modification Access","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-group-removal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","conditional-access","privilege-escalation","attack.privilege-escalation","attack.t1548"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the creation of a new Conditional Access (CA) policy within Azure Active Directory (Azure AD) by an actor not authorized to perform such actions. Conditional Access policies are critical security controls that enforce organizational policies based on various conditions, such as user identity, location, device, and application. Unauthorized modification or creation of these policies can lead to significant security breaches, allowing attackers to bypass security controls, escalate privileges, and gain unauthorized access to sensitive resources. 
This activity is detected via Azure Audit Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to an account with sufficient privileges to interact with Azure AD, potentially through compromised credentials or an insider threat.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Needed):\u003c/strong\u003e The attacker escalates privileges within Azure AD to a role that permits the creation or modification of Conditional Access policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Creation:\u003c/strong\u003e The attacker creates a new Conditional Access policy using the Azure portal, PowerShell, or Azure CLI.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Configuration:\u003c/strong\u003e The attacker configures the CA policy to weaken security controls, such as disabling MFA for specific users, locations, or applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypass Security Controls:\u003c/strong\u003e The newly created or modified CA policy allows the attacker to bypass intended security controls, granting them unauthorized access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With bypassed security controls, the attacker moves laterally within the network, accessing sensitive resources and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker achieves their final objective, such as exfiltrating sensitive data or causing disruption to business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe creation of unauthorized Conditional Access policies can have severe consequences, including unauthorized access to sensitive data, privilege escalation, and circumvention of security controls. 
The impact can range from data breaches and financial loss to reputational damage and disruption of critical business services. If successful, attackers could gain complete control over the Azure AD environment, affecting all connected services and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized CA policy creation events in Azure Audit Logs.\u003c/li\u003e\n\u003cli\u003eReview Azure AD role assignments to ensure least privilege and restrict CA policy management to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to identify the actor and the details of the created CA policy.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users, especially those with administrative privileges, to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for other suspicious activities, such as changes to user accounts, group memberships, and application registrations.\u003c/li\u003e\n\u003cli\u003eEstablish a baseline of expected CA policy configurations and alert on deviations from this baseline.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-ca-policy-add/","summary":"An unauthorized actor created a new Conditional Access policy in Azure AD, potentially leading to privilege escalation and unauthorized access.","title":"Unauthorized Conditional Access Policy Creation in Azure AD","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-ca-policy-add/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active 
Directory"],"_cs_severities":["medium"],"_cs_tags":["attack.initial-access","attack.persistence","attack.privilege-escalation","attack.stealth","attack.t1098.003","attack.t1078"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to add new members to administrative roles in Azure Active Directory to establish persistence and elevate privileges. This allows them to perform actions as a highly privileged user, potentially bypassing security controls and accessing sensitive resources. The activity is logged within Azure Activity Logs, specifically when the \u0026lsquo;Add member to role\u0026rsquo; operation is executed within the \u0026lsquo;AzureActiveDirectory\u0026rsquo; workload, targeting roles with names ending in \u0026lsquo;Admins\u0026rsquo; or \u0026lsquo;Administrator\u0026rsquo;. Monitoring these events can help detect unauthorized privilege escalation and potential malicious activity within the Azure environment. This activity could be the result of compromised credentials or an insider threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eCompromise an existing user account with sufficient permissions to modify Azure AD roles.\u003c/li\u003e\n\u003cli\u003eAuthenticate to the Azure portal or utilize Azure CLI with the compromised account.\u003c/li\u003e\n\u003cli\u003eIdentify a target Azure AD administrative role (e.g., Global Administrator, Security Administrator).\u003c/li\u003e\n\u003cli\u003eExecute the \u0026lsquo;Add member to role\u0026rsquo; operation, adding the attacker-controlled user to the target role. 
This can be performed via the Azure portal, PowerShell, or Azure CLI.\u003c/li\u003e\n\u003cli\u003eThe Azure Activity Logs record the \u0026lsquo;Add member to role.\u0026rsquo; event, with the \u0026lsquo;Workload\u0026rsquo; as \u0026lsquo;AzureActiveDirectory\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eModifiedProperties{}.NewValue\u003c/code\u003e field reflects the addition of the user to the admin role, containing strings like \u0026ldquo;Admins\u0026rdquo; or \u0026ldquo;Administrator.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates as the newly added user, inheriting the privileges of the administrative role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to access sensitive data, modify configurations, or deploy malicious applications.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful addition of a user to an Azure AD administrative role grants the attacker extensive control over the Azure environment. This can lead to data breaches, service disruptions, and the deployment of malicious applications.  Compromised administrator accounts can be used to disable security features, modify audit logs, and create backdoors for persistent access. 
Detection is critical to limit the scope and duration of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect instances of users being added to Azure AD administrative roles (logsource: azure, service: activitylogs).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of the \u0026ldquo;Add member to role.\u0026rdquo; operation in Azure AD Activity Logs where the ModifiedProperties{}.NewValue ends with \u0026lsquo;Admins\u0026rsquo; or \u0026lsquo;Administrator\u0026rsquo; to validate legitimate administrative changes.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of compromised credentials.\u003c/li\u003e\n\u003cli\u003eRegularly review Azure AD role assignments to identify and remove unnecessary privileges.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual activity from newly added members of administrative roles after the \u0026lsquo;Add member to role\u0026rsquo; event.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azuread-admin-role-add/","summary":"An adversary adds a user to an Azure Active Directory administrative role to gain initial access, persist in the environment, escalate privileges, and potentially operate stealthily.","title":"Azure AD User Added to Administrator Role","url":"https://feed.craftedsignal.io/briefs/2024-01-azuread-admin-role-add/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","mfa","credential-access","persistence","defense-impairment"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may disable multi-factor authentication (MFA) within Azure Active 
Directory (Azure AD) to bypass security controls and gain unauthorized access to user accounts and resources. This activity can occur after initial compromise or as part of an insider threat scenario. The disabling of MFA typically manifests as a successful \u0026ldquo;Disable Strong Authentication\u0026rdquo; event within the Azure Active Directory activity logs. Defenders should monitor for these events, especially when initiated by accounts that do not typically perform administrative functions, as it may indicate malicious activity aimed at weakening the organization\u0026rsquo;s security posture and establishing persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an account with sufficient privileges in Azure AD, possibly through credential compromise or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses Azure AD PowerShell modules.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies target user accounts for which they wish to disable MFA.\u003c/li\u003e\n\u003cli\u003eThe attacker disables MFA for the targeted user accounts, resulting in an \u0026ldquo;Disable Strong Authentication.\u0026rdquo; event in the Azure AD activity logs.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to the targeted user accounts without MFA.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains access to sensitive resources, such as email, files, or applications.\u003c/li\u003e\n\u003cli\u003eThe attacker may then move laterally within the environment, accessing additional resources and escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling MFA can significantly weaken an organization\u0026rsquo;s security posture, leading to unauthorized access to sensitive data and systems. 
Successful exploitation could result in data breaches, financial loss, and reputational damage. The impact is widespread, affecting any organization that relies on Azure AD for identity and access management, impacting potentially thousands of users and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect instances of MFA being disabled in Azure AD activity logs, focusing on \u0026ldquo;Disable Strong Authentication\u0026rdquo; events (\u003ccode\u003eeventSource: AzureActiveDirectory\u003c/code\u003e, \u003ccode\u003eeventName: 'Disable Strong Authentication.'\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of MFA being disabled, especially if the activity is performed by unusual accounts.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) policies and monitor for unauthorized changes to MFA settings.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for Azure AD roles and permissions.\u003c/li\u003e\n\u003cli\u003eEnable logging for Azure Active Directory activity and sign-in logs (\u003ccode\u003eproduct: azure\u003c/code\u003e, \u003ccode\u003eservice: activitylogs\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-mfa-disabled/","summary":"An adversary may disable multi-factor authentication (MFA) in Azure Active Directory to weaken an organization's security posture and bypass authentication mechanisms, potentially gaining unauthorized access to sensitive resources and maintaining persistence.","title":"Azure AD MFA Disabled to Bypass Authentication","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-mfa-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory","Microsoft Entra ID 
Protection"],"_cs_severities":["high"],"_cs_tags":["azure","identity-protection","atypical-travel","account-compromise","credential-theft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Atypical Travel detection in Azure Identity Protection is designed to identify instances where a user signs in from two geographically distant locations within a time frame that makes legitimate travel improbable. This anomaly indicates that an attacker may have compromised a user\u0026rsquo;s credentials and is attempting to access resources from a different location. The alert is triggered by the \u0026lsquo;unlikelyTravel\u0026rsquo; risk event type within Azure\u0026rsquo;s risk detection service. This capability helps defenders identify compromised accounts and prevent further damage such as data exfiltration or lateral movement within the environment. The detection is based on comparing current sign-in locations against the user\u0026rsquo;s historical sign-in patterns, making it more accurate and less prone to false positives compared to simple geo-location based alerts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e An attacker obtains a user\u0026rsquo;s credentials through phishing, credential stuffing, or malware.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Location A):\u003c/strong\u003e The attacker uses the compromised credentials to sign in from a location that may be atypical for the user.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication (Location A):\u003c/strong\u003e The attacker successfully authenticates and gains access to Azure resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e If the compromised account has sufficient permissions, the attacker attempts to escalate privileges within the Azure 
environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker uses the compromised account to move laterally to other resources or accounts within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecond Sign-in (Location B):\u003c/strong\u003e Within a short timeframe, the attacker (or another attacker using the same credentials) signs in from a geographically distant location (Location B).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAtypical Travel Alert:\u003c/strong\u003e Azure Identity Protection detects the unlikely travel scenario based on the two geographically improbable sign-ins.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Access/Data Exfiltration:\u003c/strong\u003e The attacker accesses sensitive resources or exfiltrates data from the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Atypical Travel attack can lead to unauthorized access to sensitive data, privilege escalation, lateral movement within the Azure environment, and potentially data exfiltration. The number of victims depends on the scope of the compromised user\u0026rsquo;s access and the attacker\u0026rsquo;s objectives. Organizations in all sectors are potentially at risk, as attackers often target user accounts with elevated privileges or access to critical data. 
The financial impact can include the cost of incident response, data breach notifications, and potential regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect Atypical Travel events (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate flagged sessions in the context of other sign-ins from the user, as suggested by the false positives guidance.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access based on location and other factors.\u003c/li\u003e\n\u003cli\u003eMonitor user accounts for unusual activity, such as changes in sign-in patterns or resource access.\u003c/li\u003e\n\u003cli\u003eImplement account lockout policies to prevent brute-force attacks against user accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:21:00Z","date_published":"2024-01-02T18:21:00Z","id":"/briefs/2024-01-azure-atypical-travel/","summary":"The Atypical Travel detection in Azure Identity Protection identifies potentially compromised user accounts by detecting geographically improbable sign-in activity, indicative of account compromise or misuse.","title":"Azure Identity Protection Atypical Travel Anomaly","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-atypical-travel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","privileged-access","role-assignment"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert focuses on the addition of users to privileged roles within Azure Active Directory (Azure AD). 
An attacker who gains initial access to an account may attempt to escalate privileges to gain broader control over the Azure environment. This can be achieved by adding the compromised account or a new attacker-controlled account to a highly privileged role. This activity often occurs after an initial compromise and is a critical step in establishing persistence and expanding access within the target environment. Successful role assignment allows the attacker to perform actions normally restricted to administrators, potentially leading to data exfiltration, service disruption, or further lateral movement. This activity is visible in the Azure Audit Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure AD account through credential phishing or password spraying (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies potential target roles with high privileges within the Azure AD environment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to add the compromised account, or a new account under their control, to one of these privileged roles.\u003c/li\u003e\n\u003cli\u003eThe attacker executes an \u0026ldquo;Add eligible member\u0026rdquo; action, either permanent or eligible, within Azure AD, which is logged in the audit logs.\u003c/li\u003e\n\u003cli\u003eAzure AD processes the request and, if successful, grants the new role assignment to the target account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly acquired privileges to access sensitive resources, modify configurations, or deploy malicious applications.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating new administrative accounts or modifying existing configurations to maintain access even if the initial compromised account is remediated.\u003c/li\u003e\n\u003cli\u003eThe attacker performs data exfiltration or causes disruption to the Azure environment 
based on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful addition of a user to a privileged role can grant the attacker complete control over the Azure AD environment. This may allow them to access sensitive data, disrupt critical services, and deploy malicious applications. The impact can range from data breaches and financial loss to complete compromise of the organization\u0026rsquo;s cloud infrastructure. The scope depends on the role assigned, but global administrator roles can cause catastrophic damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;User Added To Privilege Role\u0026rdquo; to your SIEM to detect suspicious role assignments in Azure AD Audit Logs.\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for any \u0026ldquo;Add eligible member\u0026rdquo; events (permanent or eligible) to identify potentially malicious role assignments.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users, especially those with administrative privileges, to mitigate the risk of initial access compromise (T1110).\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege to limit the scope of access for each user and role (T1068).\u003c/li\u003e\n\u003cli\u003eRegularly audit and review user role assignments to identify and remove unnecessary privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:30:00Z","date_published":"2024-01-02T15:30:00Z","id":"/briefs/2024-01-azure-role-assignment/","summary":"Detection of a user being added to a privileged role in Azure AD, potentially indicating privilege escalation or persistence by an attacker.","title":"Azure AD Privileged Role 
Assignment","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-role-assignment/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","persistence","initial-access","stealth","account-manipulation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe creation and immediate deletion of user accounts within Azure Active Directory can be indicative of various malicious activities. Attackers may create accounts to escalate privileges, establish persistence, or gain initial access to a system. The short lifespan of these accounts suggests an attempt to evade detection. This behavior is particularly concerning as it can be used to perform actions and then quickly remove the evidence of the account\u0026rsquo;s existence from standard audit logs. Monitoring for this activity helps defenders identify and respond to potential security breaches within their Azure environment. This technique is relevant for any organization utilizing Azure Active Directory for user management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure AD environment, potentially through compromised credentials or a phishing attack.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new user account within the Azure AD. This can be achieved through the Azure portal, PowerShell, or the Azure CLI.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns elevated privileges to the newly created account. 
This might involve adding the account to privileged roles such as Global Administrator or assigning specific permissions to access sensitive resources.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created account to perform malicious activities, such as accessing confidential data, modifying system configurations, or deploying malicious applications.\u003c/li\u003e\n\u003cli\u003eAfter completing the malicious tasks, the attacker removes the elevated privileges from the account to reduce the chances of detection during privilege reviews.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes the created account from Azure AD. This step is performed to remove the traces of the account\u0026rsquo;s existence and hinder forensic investigations.\u003c/li\u003e\n\u003cli\u003eThe actions performed by the short-lived account may leave other traces in logs, such as access logs or activity logs related to the resources the account interacted with.\u003c/li\u003e\n\u003cli\u003eThe attacker aims to maintain stealth and evade detection while gaining unauthorized access to resources or establishing persistence within the Azure AD environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive resources, data breaches, and system compromise. The creation and deletion of short-lived accounts can mask malicious activities, making it difficult to trace the attacker\u0026rsquo;s actions. Organizations using Azure AD could experience data exfiltration, financial loss, and reputational damage. 
Detecting such activity early is critical to preventing further damage and mitigating the impact of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Account Created And Deleted Within A Close Time Frame\u0026rdquo; to your SIEM and tune for your environment to detect suspicious account creation/deletion events in Azure AD audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026ldquo;Account Created And Deleted Within A Close Time Frame\u0026rdquo; to determine the scope and impact of the potential compromise.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with elevated privileges, to reduce the risk of credential compromise (reference: attack.initial-access).\u003c/li\u003e\n\u003cli\u003eRegularly review Azure AD audit logs for unusual account activity, focusing on accounts created and deleted within a short timeframe (logsource: azure, service: auditlogs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:30:00Z","date_published":"2024-01-02T15:30:00Z","id":"/briefs/2024-01-azure-short-lived-account/","summary":"Detection of Azure Active Directory accounts that are created and deleted within a short timeframe, potentially indicating malicious activity such as privilege escalation or persistence attempts.","title":"Azure AD Account Created and Deleted Within a Close Time Frame","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-short-lived-account/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azuread","brute-force","credential-stuffing","authentication"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on detecting abnormal increases in failed authentication attempts within Azure Active 
Directory (Azure AD). An adversary attempting to gain unauthorized access to user accounts or systems often performs brute-force or credential stuffing attacks. These attacks result in a higher-than-normal number of failed sign-in attempts. Monitoring and detecting such increases can provide early warning of potential breaches or compromised accounts. Defenders should investigate any significant spikes in failed authentications as they might indicate malicious activity targeting user accounts or application access. The detection is based on analysis of Azure AD sign-in logs to identify when the number of failed sign-ins increases by 10% or greater, warranting further investigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker attempts to gain initial access through various methods, such as phishing, compromised credentials, or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Stuffing/Brute-Force:\u003c/strong\u003e The attacker uses lists of known usernames and passwords (credential stuffing) or systematically tries different password combinations (brute-force) against Azure AD accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Attempts:\u003c/strong\u003e Each failed authentication attempt is logged within Azure AD sign-in logs, recording details such as username, IP address, and failure reason.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThreshold Exceeded:\u003c/strong\u003e The number of failed sign-in attempts reaches a threshold, triggering the detection rule based on a 10% or greater increase.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Lockout (Potential):\u003c/strong\u003e Multiple failed authentication attempts may lead to account lockouts, disrupting legitimate user access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication 
(Potential):\u003c/strong\u003e If the attacker guesses the correct credentials, they gain unauthorized access to the target account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e After gaining access, the attacker attempts to escalate privileges or move laterally within the network to access sensitive data or systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker exfiltrates sensitive data or causes disruption to services depending on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful brute-force or credential stuffing attack can lead to unauthorized access to user accounts, data breaches, and service disruptions. Depending on the compromised account\u0026rsquo;s privileges, the attacker may gain access to sensitive information, escalate privileges, or move laterally within the organization\u0026rsquo;s network. The impact could range from minor data leaks to significant financial losses and reputational damage. 
Early detection and mitigation are crucial to minimize the impact of such attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect increases in failed Azure AD sign-in attempts and tune the threshold (10%) based on your environment (\u003ccode\u003eCount: \u0026quot;\u0026lt;10%\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule to determine the source and scope of the increased failed authentications.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users to mitigate the risk of credential-based attacks.\u003c/li\u003e\n\u003cli\u003eImplement account lockout policies to prevent attackers from repeatedly attempting to guess passwords.\u003c/li\u003e\n\u003cli\u003eMonitor sign-in logs for unusual patterns, such as sign-ins from unfamiliar locations or devices, to identify potential compromised accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-02-azure-ad-failed-auth-increase/","summary":"Detects a significant increase (10% or greater) in failed Azure AD sign-in attempts, potentially indicating brute-force attacks, credential stuffing, or other unauthorized access attempts.","title":"Azure AD Failed Authentication Increase","url":"https://feed.craftedsignal.io/briefs/2024-01-02-azure-ad-failed-auth-increase/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","identity-protection","impossible-travel","account-compromise","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule detects \u0026ldquo;impossible travel\u0026rdquo; events within Azure Active Directory (Azure AD), a common indicator of account compromise. 
The scenario involves a user account exhibiting login activity from two geographically distant locations in a timeframe that makes physical travel between them impossible. This anomalous behavior often signifies that an attacker has gained unauthorized access to the account and is operating from a different location than the legitimate user. The rule leverages Azure AD Identity Protection\u0026rsquo;s risk detection capabilities to identify such instances. This detection is crucial for defenders as it highlights potential breaches and enables swift remediation actions to prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user\u0026rsquo;s credentials, potentially through phishing (T1566), credential stuffing, or malware.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to Azure AD from a geographic location different from the legitimate user\u0026rsquo;s typical location.\u003c/li\u003e\n\u003cli\u003eShortly after the initial authentication, the legitimate user authenticates to Azure AD from their usual location.\u003c/li\u003e\n\u003cli\u003eAzure AD Identity Protection flags the activity as \u0026ldquo;impossible travel\u0026rdquo; due to the conflicting geographic locations and the short timeframe between the authentications.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;impossibleTravel\u0026rdquo; risk event is logged within Azure AD\u0026rsquo;s risk detection logs.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges within the compromised account (T1068) to gain broader access to resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may move laterally within the organization (T1021) to access sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s ultimate goal could be data exfiltration, financial theft, or disruption of services, depending on the organization\u0026rsquo;s 
profile.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful \u0026ldquo;impossible travel\u0026rdquo; attack can lead to a full compromise of the user\u0026rsquo;s account, granting the attacker access to sensitive data, internal systems, and other resources accessible to the user. Depending on the user\u0026rsquo;s role and permissions, the impact could range from data breaches to financial losses and significant reputational damage. Organizations in all sectors are vulnerable, with a higher risk for those handling sensitive data or operating critical infrastructure. The number of affected users depends on the attacker\u0026rsquo;s ability to move laterally and escalate privileges after compromising the initial account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026ldquo;impossible travel\u0026rdquo; events flagged by Azure AD Identity Protection, focusing on the \u003ccode\u003eriskEventType: 'impossibleTravel'\u003c/code\u003e (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts promptly, focusing on the user account involved and the geographic locations of the login attempts (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eReview and enhance user training programs to educate employees on the risks of phishing and credential compromise (T1566).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to mitigate the risk of unauthorized access even if credentials are compromised (T1110).\u003c/li\u003e\n\u003cli\u003eReview and adjust the sensitivity of Azure AD Identity Protection\u0026rsquo;s risk detection policies to align with your organization\u0026rsquo;s risk tolerance.\u003c/li\u003e\n\u003cli\u003eConsider implementing conditional access policies that restrict 
access based on geographic location or require MFA for logins from unfamiliar locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-impossible-travel/","summary":"This brief describes the detection of 'impossible travel' events in Azure AD, where a user appears to log in from geographically distant locations within an implausibly short time frame, potentially indicating account compromise.","title":"Impossible Travel Detection in Azure AD","url":"https://feed.craftedsignal.io/briefs/2024-01-impossible-travel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","pim","role-assignment","attack.initial-access","attack.stealth","attack.t1078","attack.persistence","attack.privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe unauthorized assignment of privileged roles outside of Azure Privileged Identity Management (PIM) represents a significant security risk. Attackers may attempt to bypass PIM controls to gain persistent access, escalate privileges, or move laterally within the Azure environment. Detecting these anomalous role assignments is crucial for identifying potentially compromised accounts or malicious insiders. This activity is a common tactic used by attackers to establish persistence and maintain control over cloud resources. Monitoring for this behavior can help security teams quickly identify and respond to potential breaches, limiting the impact of successful attacks. 
This activity can be associated with lateral movement, privilege escalation, and persistence within the cloud environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised user account or service principal within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to identify existing privileged roles and permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses PIM to directly assign themselves a privileged role (e.g., Global Administrator, Security Administrator) using Azure CLI, PowerShell, or the Azure portal.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates their permissions without triggering PIM alerts or requiring approval.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly assigned privileged role to access sensitive data, modify configurations, or create new resources.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating new accounts or modifying existing ones with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other Azure resources or subscriptions using their increased access.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, service disruption, or deployment of malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising privileged roles within Azure can have severe consequences, potentially impacting all resources within the affected Azure Active Directory tenant. Successful attacks can lead to unauthorized data access, service disruption, financial loss, and reputational damage. The scope of the impact depends on the level of privilege gained by the attacker and the sensitivity of the targeted resources. 
Without proper detection and response, organizations may remain unaware of the breach, allowing attackers to maintain persistent access and continue their malicious activities undetected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eRoles Assigned Outside PIM\u003c/code\u003e to your SIEM to detect unauthorized role assignments within your Azure environment.\u003c/li\u003e\n\u003cli\u003eInvestigate all instances flagged by the Sigma rule \u003ccode\u003eRoles Assigned Outside PIM\u003c/code\u003e to determine the legitimacy of the role assignment and the identity of the assigner.\u003c/li\u003e\n\u003cli\u003eImplement controls to restrict the ability to assign privileged roles outside of PIM, as described in the Microsoft documentation reference.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to minimize the potential impact of compromised accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-azure-pim-role-assigned-outside/","summary":"Detection of privilege role assignments outside of Azure Privileged Identity Management (PIM) can indicate potential attacker activity related to initial access, stealth, persistence, or privilege escalation within the Azure environment.","title":"Azure PIM - Role Assignment Outside of Privileged Identity Management","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-assigned-outside/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","federation","privilege-escalation","persistence","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can modify federation settings on Azure domains to gain unauthorized access and establish 
persistence. This involves manipulating the trust relationships between the Azure Active Directory and external identity providers. By altering these settings, an attacker can potentially bypass normal authentication mechanisms, assume identities, and maintain a foothold within the environment. This activity is typically carried out by users or applications with administrative privileges, making it crucial to monitor and validate any changes made to the federation settings. Detecting such modifications can be challenging due to the legitimate use of these settings by system administrators. This activity falls under tactics such as privilege escalation, persistence, initial access, and stealth.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an account with sufficient privileges to manage Azure Active Directory settings, such as a Global Administrator or Privileged Role Administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses PowerShell/CLI to interact with Azure resources.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing domain federation settings to understand the current configuration and identify potential targets for modification.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the federation settings on the domain using commands like \u003ccode\u003eSet-MsolDomainFederationSettings\u003c/code\u003e or through the Azure portal interface. 
This may involve altering the trusted certificate, changing the issuer URI, or modifying other federation parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker tests the modified federation settings to ensure they can successfully authenticate using the altered configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified federation settings to impersonate users or applications, gaining unauthorized access to protected resources and services.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating backdoors or alternate authentication methods using the modified federation settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Azure domain federation settings can lead to significant consequences, including unauthorized access to sensitive data, privilege escalation, and long-term persistence within the Azure environment. Attackers could potentially compromise entire domains, impacting all users and applications relying on the affected Azure Active Directory. 
This can result in data breaches, service disruptions, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Azure Domain Federation Settings Modified\u0026rdquo; to detect suspicious modifications to federation settings in Azure audit logs.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate changes to Azure domain federation settings, focusing on unfamiliar users and unexpected modifications.\u003c/li\u003e\n\u003cli\u003eMonitor Azure audit logs for the \u0026ldquo;Set federation settings on domain\u0026rdquo; event to identify potential tampering.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all accounts with administrative privileges to reduce the risk of unauthorized access.\u003c/li\u003e\n\u003cli\u003eImplement the principle of least privilege, granting users only the necessary permissions to perform their tasks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-azure-federation-modification/","summary":"An attacker may modify Azure domain federation settings to establish persistence, escalate privileges, or gain unauthorized access to resources.","title":"Azure Domain Federation Settings Modified","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-federation-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Azure Active Directory","version":"https://jsonfeed.org/version/1.1"}