{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-39361"},{"cvss":8.5,"id":"CVE-2026-39974"},{"cvss":7.8,"id":"CVE-2026-32168"},{"cvss":8.8,"id":"CVE-2026-32171"},{"cvss":7.8,"id":"CVE-2026-32192"}],"_cs_exploited":false,"_cs_products":["Azure","Microsoft 365 Copilot","Dynamics 365","Power Apps"],"_cs_severities":["high"],"_cs_tags":["cloud","privilege-escalation","code-execution","spoofing"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been reported affecting Microsoft Azure, Microsoft 365 Copilot, Microsoft Dynamics 365, and Microsoft Power Apps. Successful exploitation of these vulnerabilities could enable attackers to perform a variety of malicious actions, including escalating their privileges within the affected systems, executing arbitrary code to gain further control, and conducting spoofing attacks to deceive users or bypass security measures. The full details regarding specific vulnerability types and exploitation methods are currently unavailable, but the breadth of affected products indicates a potentially widespread impact across cloud-based Microsoft services. 
Defenders should prioritize monitoring for suspicious activity indicative of exploitation attempts targeting these services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eSince the advisory lacks specifics, we will describe a generalized attack chain based on the potential vulnerabilities:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to a target environment, possibly through compromised credentials or a separate vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker exploits a vulnerability within one of the Microsoft cloud products (Azure, Microsoft 365 Copilot, Dynamics 365, or Power Apps) to elevate their privileges to a higher level, potentially gaining administrative rights.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection:\u003c/strong\u003e Leveraging the escalated privileges, the attacker injects malicious code into a vulnerable component of the cloud service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e The injected code is executed, allowing the attacker to perform arbitrary actions within the context of the compromised service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised service as a pivot point to move laterally within the cloud environment, targeting other resources and services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Manipulation:\u003c/strong\u003e Once established within the environment, the attacker exfiltrates sensitive data or manipulates data for malicious purposes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSpoofing Attacks:\u003c/strong\u003e The attacker leverages the compromised environment to launch spoofing attacks, potentially targeting other users or systems with phishing emails or other 
deceptive tactics.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence within the cloud environment to maintain access even after the initial vulnerability is patched.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could have significant consequences, including unauthorized access to sensitive data, disruption of critical business processes, and financial losses. The number of potential victims is substantial, given the widespread use of Microsoft cloud services across various sectors. A successful attack could result in data breaches, service outages, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor logs from Microsoft Azure, Microsoft 365 Copilot, Microsoft Dynamics 365, and Microsoft Power Apps for suspicious activity indicative of privilege escalation, code execution, and spoofing attacks.\u003c/li\u003e\n\u003cli\u003eEnable and review audit logs within the affected Microsoft cloud services to identify anomalous user behavior and potential security breaches.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them for your specific environment to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eFollow Microsoft\u0026rsquo;s official security advisories and apply any available patches or mitigations as soon as they are released.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T09:09:09Z","date_published":"2026-04-24T09:09:09Z","id":"/briefs/2026-04-microsoft-cloud-vulns/","summary":"Multiple vulnerabilities in Microsoft Azure, Microsoft 365 Copilot, Microsoft Dynamics 365, and Microsoft Power Apps could allow an attacker to escalate privileges, execute arbitrary code, and conduct spoofing attacks.","title":"Multiple 
Vulnerabilities in Microsoft Cloud Products Allow Privilege Escalation and Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-microsoft-cloud-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","identity-protection","suspicious-browser"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u0026ldquo;suspiciousBrowser\u0026rdquo; risk event in Azure Identity Protection signals unusual sign-in patterns indicative of potential account compromise or other malicious activity. This alert is triggered when the same browser is used to access multiple tenants from different countries, which is an atypical behavior for legitimate users. This type of activity could be caused by malware, credential theft, or an attacker attempting to blend in with normal user behavior after gaining unauthorized access. This detection is important for defenders because it can highlight early stages of an attack, potentially preventing lateral movement, data exfiltration, or other damaging actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user\u0026rsquo;s credentials through phishing, malware, or other means (T1566, T1190).\u003c/li\u003e\n\u003cli\u003eThe attacker configures a browser with the stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the same browser to attempt sign-ins to multiple Azure tenants from different geographical locations, attempting to blend in with typical user activity.\u003c/li\u003e\n\u003cli\u003eAzure Identity Protection detects the \u0026ldquo;suspiciousBrowser\u0026rdquo; risk event based on the anomalous sign-in activity.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker may gain access to sensitive data and resources within the targeted tenants.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the 
compromised accounts to escalate privileges and move laterally within the organization (T1078, T1068).\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware (T1003, T1486).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack exploiting suspicious browser activity can lead to unauthorized access to multiple Azure tenants, potentially impacting numerous organizations. The compromise of user accounts can result in data breaches, financial losses, and reputational damage. The scope of the impact depends on the level of access granted to the compromised accounts and the sensitivity of the data stored within the targeted tenants.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect \u0026ldquo;suspiciousBrowser\u0026rdquo; risk events in your Azure environment and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate sessions flagged by this detection in the context of other sign-ins from the same user to identify false positives.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) to mitigate the impact of compromised credentials.\u003c/li\u003e\n\u003cli\u003eMonitor user sign-in activity for unusual patterns, such as sign-ins from multiple geographical locations within a short period.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-31-suspicious-azure-browser/","summary":"A suspicious browser activity alert indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser, potentially indicating compromised credentials or other malicious activity.","title":"Azure Identity Protection Suspicious Browser 
Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-31-suspicious-azure-browser/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often target cloud environments to establish persistence and maintain unauthorized access. One technique involves adding their own authentication methods to compromised user accounts. By registering new security info, such as a phone number or email address, an attacker can bypass multi-factor authentication and regain access even if the original credentials are changed. This activity is typically logged within Azure Audit Logs, specifically under the \u0026lsquo;Authentication Methods\u0026rsquo; service and \u0026lsquo;UserManagement\u0026rsquo; category. Detecting these changes is crucial for identifying potentially compromised accounts and preventing further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the Azure environment is gained, potentially through credential phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user account with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the Azure Active Directory (Azure AD) settings for the compromised user.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026ldquo;Security info\u0026rdquo; section of the user\u0026rsquo;s profile.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a new authentication method, such as a phone number or email address, controlled by the attacker. 
This action generates an audit log event with OperationName \u0026ldquo;User registered security info\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker can now use the newly added authentication method to bypass multi-factor authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised account to access sensitive data, applications, or resources within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the Azure environment, even if the original account password is changed.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful addition of rogue authentication methods allows attackers to maintain persistent access to compromised accounts within Azure environments. This can lead to data breaches, unauthorized access to sensitive applications, privilege escalation, and lateral movement within the cloud infrastructure. The impact can range from data exfiltration to complete control over the targeted Azure resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect changes to authentication methods within Azure audit logs (logsource: azure, service: auditlogs).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where the \u003ccode\u003eOperationName\u003c/code\u003e is \u003ccode\u003eUser registered security info\u003c/code\u003e in the Azure Audit Logs, as this indicates a change in authentication method.\u003c/li\u003e\n\u003cli\u003eReview the referenced Microsoft documentation on privileged account security to understand best practices for securing administrative accounts (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-azure-auth-method-change/","summary":"An attacker may add an authentication method to a 
compromised Azure account for persistent access, which can be detected by monitoring changes to authentication methods in Azure audit logs.","title":"Azure Authentication Method Change Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-23-azure-auth-method-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","privileged-identity-management","invalid-license"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies scenarios where an organization lacks the necessary Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses required for proper Privileged Identity Management (PIM) functionality. Attackers may attempt to exploit misconfigured or unlicensed PIM deployments to gain unauthorized privileged access to critical Azure resources. This detection is crucial as it indicates a compliance issue that can be leveraged to escalate privileges, bypass security controls, and potentially lead to data breaches or system compromise. The absence of appropriate licensing hinders the effectiveness of PIM controls, creating opportunities for malicious actors to operate undetected. 
Defenders need to ensure appropriate licenses are in place.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Azure environment lacking a valid Microsoft Entra Premium P2 or Microsoft Entra ID Governance license for Privileged Identity Management (PIM).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to activate a privileged role within the Azure environment through PIM.\u003c/li\u003e\n\u003cli\u003eDue to the invalid license, the PIM activation process may not enforce proper multi-factor authentication (MFA) or approval workflows.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the privileged role without proper authorization or auditing.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised privileged role to access sensitive Azure resources, such as virtual machines, databases, or storage accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as data exfiltration, modification of system configurations, or deployment of malware.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence within the Azure environment by creating rogue user accounts or modifying existing access controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of an invalid PIM license can be severe. Organizations may experience unauthorized access to critical Azure resources, leading to data breaches, system compromise, and compliance violations. The absence of proper PIM controls can enable attackers to escalate privileges, bypass security measures, and operate undetected within the Azure environment. 
Identifying invalid PIM licenses is crucial for maintaining the security and integrity of Azure deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003einvalidLicenseAlertIncident\u003c/code\u003e events in Azure PIM logs (logsource: azure, service: pim).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003einvalidLicenseAlertIncident\u003c/code\u003e to determine the scope of the issue and potential unauthorized access.\u003c/li\u003e\n\u003cli\u003eVerify that all Azure subscriptions utilizing PIM have valid Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses.\u003c/li\u003e\n\u003cli\u003eImplement automated monitoring to proactively identify and alert on invalid PIM licenses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-invalid-pim-license/","summary":"Detection of unauthorized access or privilege escalation attempts within Azure environments due to invalid or missing Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses for Privileged Identity Management (PIM).","title":"Azure Privileged Identity Management (PIM) Invalid License Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-invalid-pim-license/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","firewall","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies potentially malicious modifications or deletions of Azure firewalls. Azure firewalls are critical components for network security, controlling inbound and outbound traffic based on defined rules. 
An attacker who gains sufficient privileges within an Azure environment may attempt to disable or modify these firewalls to facilitate lateral movement, data exfiltration, or other malicious activities. This activity is particularly concerning as it represents a direct attempt to weaken the victim\u0026rsquo;s security posture. The activity is detected via Azure Activity Logs. While legitimate administrative actions can trigger this alert, any unexpected or unauthorized changes to firewall configurations should be investigated promptly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to an Azure environment, possibly through compromised credentials or exploiting a vulnerability in an application.\u003c/li\u003e\n\u003cli\u003eAttacker escalates privileges within the Azure subscription to gain permissions to manage network resources, including firewalls.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the Azure firewalls in the target environment using Azure Resource Manager APIs or the Azure portal.\u003c/li\u003e\n\u003cli\u003eAttacker modifies firewall rules to allow unauthorized traffic, such as opening ports for command and control communication or disabling security rules. 
This is achieved via the \u003ccode\u003eMICROSOFT.NETWORK/AZUREFIREWALLS/WRITE\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker deletes the Azure firewall using the \u003ccode\u003eMICROSOFT.NETWORK/AZUREFIREWALLS/DELETE\u003c/code\u003e operation, effectively removing network protections.\u003c/li\u003e\n\u003cli\u003eAttacker validates that their changes have been successfully applied by testing network connectivity or by reviewing the firewall configuration.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious activities such as lateral movement, data exfiltration, or deploying additional resources without firewall restrictions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or deletion of Azure firewalls can have severe consequences. An attacker can bypass network security controls, leading to data breaches, unauthorized access to sensitive resources, and the potential for widespread disruption. 
This can result in financial losses, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized firewall modifications or deletions in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on unfamiliar user identities and user agents.\u003c/li\u003e\n\u003cli\u003eReview Azure RBAC roles and permissions to ensure the principle of least privilege is enforced, limiting the ability of users and service principals to modify or delete firewalls.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for other suspicious activities, such as unusual resource deployments or changes to security settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:30:00Z","date_published":"2024-01-03T18:30:00Z","id":"/briefs/2024-01-azure-firewall-modified-or-deleted/","summary":"An Azure firewall was created, modified, or deleted, potentially indicating malicious activity aimed at impairing network defenses.","title":"Azure Firewall Modification or Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-modified-or-deleted/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe compromise of privileged accounts within cloud environments is a significant risk. Azure Privileged Identity Management (PIM) is designed to mitigate this risk by enforcing time-bound and approval-based role activation. This brief focuses on the detection of PIM elevation requests that are either approved or denied. 
While legitimate administrator actions will trigger these events, unexpected or unauthorized approvals/denials, especially those occurring outside of normal business hours or originating from unusual locations, warrant immediate investigation. This activity can indicate attempts at unauthorized privilege escalation, lateral movement, or data exfiltration within the Azure environment. Monitoring these events provides an opportunity to identify and respond to potential breaches before significant damage can occur.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a low-privileged Azure account, possibly through credential phishing or password reuse.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to activate a privileged role (e.g., Global Administrator, Security Administrator) through Azure PIM.\u003c/li\u003e\n\u003cli\u003eThe PIM request triggers an approval workflow, requiring authorization from designated approvers.\u003c/li\u003e\n\u003cli\u003eAn attacker compromises an approver account, enabling them to approve their own malicious PIM request or deny a legitimate one.\u003c/li\u003e\n\u003cli\u003eAlternatively, an unwitting approver approves a malicious request, potentially due to social engineering.\u003c/li\u003e\n\u003cli\u003eUpon approval, the attacker\u0026rsquo;s account is temporarily elevated to the requested privileged role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to perform malicious actions, such as creating new accounts, modifying security policies, or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by creating backdoor accounts or modifying access controls, potentially circumventing PIM restrictions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to full control over the Azure 
environment, potentially impacting hundreds or thousands of users and services. A compromised Global Administrator role grants the attacker the ability to access and modify all resources within the Azure tenant, leading to data breaches, service disruptions, and financial losses. The targeted sectors include any organization leveraging Azure PIM for privileged access management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure PIM Elevation Approved or Denied\u003c/code\u003e to your SIEM to detect unusual PIM activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any PIM approval or denial events occurring outside of normal business hours or originating from unexpected locations, focusing on the \u003ccode\u003eproperties.message\u003c/code\u003e field in the logs.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts, especially those with approval permissions for PIM requests.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit PIM role assignments and approval workflows to ensure they align with the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eEnable alerting on changes to PIM policies and configurations to detect any unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Audit Logs for suspicious activity following PIM role activation, looking for actions associated with common attack techniques (e.g., account creation, policy modification).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:27:00Z","date_published":"2024-01-03T18:27:00Z","id":"/briefs/2024-01-azure-pim-elevation/","summary":"Detection of Azure Privileged Identity Management (PIM) elevation approvals or denials, which, if unexpected, may indicate unauthorized privilege escalation or malicious activity within an Azure environment.","title":"Azure PIM Elevation Approved or 
Denied","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-elevation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","mfa","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe absence of multi-factor authentication (MFA) during the activation of privileged roles in Azure Privileged Identity Management (PIM) poses a significant security risk. When roles can be activated without MFA, attackers who have already compromised a user account can escalate their privileges without needing to bypass an MFA challenge. This scenario circumvents a critical security control, making the environment vulnerable to lateral movement, data exfiltration, and other malicious activities. This brief is based on Sigma rule 94a66f46-5b64-46ce-80b2-75dcbe627cc0, published on 2023-09-14. Defenders need to monitor PIM configurations to ensure that MFA is enforced for all privileged role activations, mitigating the risk of unauthorized access and privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user account, potentially through phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a privileged role within Azure PIM that the compromised user is eligible to activate.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to activate the privileged role using the compromised user\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eDue to misconfiguration, MFA is not required for the role activation process.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully activates the privileged role without providing a second factor of authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly acquired privileges to access sensitive resources and data within the Azure 
environment.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions such as creating new accounts, modifying configurations, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating backdoors or modifying access control policies.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe absence of MFA during PIM role activation can lead to significant damage, potentially affecting all resources within the Azure environment accessible to the compromised privileged role. Successful exploitation allows attackers to bypass a critical security control, leading to privilege escalation, data breaches, and system compromise. The impact spans data confidentiality, integrity, and availability, and could result in regulatory fines, reputational damage, and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Roles Activation Doesn\u0026rsquo;t Require MFA\u0026rdquo; to your SIEM and tune for your environment to detect instances where privileged roles are activated without MFA based on \u003ccode\u003eriskEventType: 'noMfaOnRoleActivationAlertIncident'\u003c/code\u003e in Azure PIM logs.\u003c/li\u003e\n\u003cli\u003eReview and enforce MFA policies for all privileged role activations within Azure PIM, as recommended in the Microsoft documentation (\u003ca 
href=\"https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation\"\u003ehttps://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-azure-pim-no-mfa/","summary":"Detection of Azure Privileged Identity Management (PIM) roles being activated without requiring multi-factor authentication, potentially leading to unauthorized privilege escalation and persistence.","title":"Azure PIM Role Activation Without MFA","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-no-mfa/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","application","deletion","impact","t1489"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying instances where an application is deleted within an Azure environment. While legitimate application deletions occur as part of IT administration, malicious actors might delete applications to disrupt services, remove evidence of their presence, or prepare for a larger attack by removing security controls or access points. This activity is logged within Azure Activity Logs and includes events such as \u0026ldquo;Delete application\u0026rdquo; and \u0026ldquo;Hard Delete application\u0026rdquo;. 
Monitoring these events can provide early warning of potential security incidents or compliance violations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to an Azure account, potentially through compromised credentials or exploiting a vulnerability in an application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker escalates their privileges within the Azure environment to gain sufficient permissions to manage and delete applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies target applications for deletion, potentially those critical for business operations or those used for security controls.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable Monitoring (Optional):\u003c/strong\u003e The attacker attempts to disable logging or monitoring related to application management to avoid detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Deletion:\u003c/strong\u003e The attacker initiates the deletion of the targeted application using the Azure portal, Azure CLI, or PowerShell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfirmation/Hard Delete:\u003c/strong\u003e Depending on the application\u0026rsquo;s configuration and Azure policies, the attacker may need to confirm the deletion or perform a \u0026ldquo;hard delete\u0026rdquo; to permanently remove the application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCover Tracks:\u003c/strong\u003e The attacker attempts to remove any remaining logs or traces of their activity to hinder forensic investigation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e Service disruption or data loss due to the deleted application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of an Azure application can lead to significant service disruption, data loss, and potential financial damages. The impact depends on the criticality of the deleted application and the organization\u0026rsquo;s disaster recovery capabilities. Successful deletion can interrupt business processes, impacting both internal users and external customers. It may also lead to reputational damage and compliance violations if the application handled sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect application deletion events in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions in Azure Active Directory (Entra ID) and enforce the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eEnable auditing and logging for all Azure resources, including application management activities.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected application deletion events promptly to determine the root cause and potential impact.\u003c/li\u003e\n\u003cli\u003eEstablish a process for reviewing and approving application deletion requests to prevent accidental or malicious deletions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:27:00Z","date_published":"2024-01-03T15:27:00Z","id":"/briefs/2024-01-azure-app-deletion/","summary":"This alert identifies when an application is deleted within an Azure environment, which could indicate malicious activity or unintended misconfiguration leading to service disruption.","title":"Detection of Azure Application 
Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-app-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["attack.privilege-escalation","attack.persistence","attack.initial-access","attack.stealth","attack.t1078"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting unauthorized elevation of privileges within Azure environments. Specifically, it addresses the assignment of the \u0026lsquo;User Access Administrator\u0026rsquo; role to a user, which allows managing access to all Azure subscriptions. This activity can be indicative of malicious actors attempting to gain control over an Azure environment or an insider threat escalating their privileges without proper authorization. The detection is based on Azure Audit Logs and can help identify potentially compromised accounts or misconfigurations. A successful elevation can lead to unauthorized access, data breaches, and service disruptions. 
Defenders should closely monitor these events and investigate any unexpected privilege escalations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to assign the \u0026lsquo;User Access Administrator\u0026rsquo; role to themselves or another account they control.\u003c/li\u003e\n\u003cli\u003eThis assignment generates an \u0026lsquo;Administrative\u0026rsquo; audit log event with the OperationName \u0026lsquo;Assigns the caller to user access admin\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker now has the ability to manage user access to all Azure subscriptions within the tenant.\u003c/li\u003e\n\u003cli\u003eThe attacker creates new user accounts with elevated privileges within the subscriptions.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly created accounts to access sensitive resources and data.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities to identify critical assets and data stores.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys malicious workloads within the compromised subscriptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation to the \u0026lsquo;User Access Administrator\u0026rsquo; role can have severe consequences. It grants the attacker complete control over the Azure subscriptions, allowing them to access sensitive data, disrupt services, and potentially compromise the entire cloud environment. The number of affected subscriptions depends on the scope of the compromised account. 
This attack targets any organization utilizing Azure subscriptions and is particularly impactful for those storing sensitive data or running critical applications in the cloud.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;Azure Subscription Permission Elevation Via AuditLogs\u0026rdquo; to your SIEM and tune it for your environment to detect the \u0026lsquo;Assigns the caller to user access admin\u0026rsquo; event in the Azure Audit Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of this event to determine if the privilege elevation was authorized and legitimate.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for all Azure accounts to minimize the impact of potential compromises; reference the Microsoft Entra documentation for guidance.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to prevent unauthorized access via compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-azure-privilege-elevation/","summary":"Detection of a user being assigned the 'User Access Administrator' role, which grants the ability to manage all Azure Subscriptions, potentially leading to privilege escalation and unauthorized access.","title":"Detection of Azure Subscription Permission Elevation","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-privilege-elevation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","global_admin","privilege_escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe presence of an excessive number of Global Administrator accounts in an Azure tenant poses a 
significant security risk. While the source does not attribute this activity to a specific threat actor, the risk event indicates a potential compromise of existing accounts, internal privilege abuse, or misconfiguration within the Azure environment. The alert triggers when the number of Global Administrator assignments exceeds a predefined threshold within Privileged Identity Management (PIM). Attackers may abuse highly privileged accounts to gain broad control over the Azure environment, deploy malicious workloads, exfiltrate data, or establish persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker compromises a low-privilege user account through phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to elevate privileges by exploiting misconfigured permissions or vulnerabilities within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGlobal Admin Role Assignment:\u003c/strong\u003e The attacker assigns the Global Administrator role to multiple accounts, including the compromised account, either directly or through PIM bypass.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With Global Administrator privileges, the attacker moves laterally within the Azure environment, accessing sensitive resources and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker exfiltrates sensitive data from cloud storage, databases, or virtual machines.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistent access by creating backdoors, modifying access controls, or deploying rogue applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCovering Tracks:\u003c/strong\u003e The attacker 
attempts to remove audit logs or disable security features to hide their activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of Global Administrator accounts can lead to significant damage, including data breaches, financial loss, and reputational damage. Excessive admin accounts significantly widen the attack surface and increase the likelihood of successful attacks. The impact includes unauthorized access to sensitive data, disruption of business operations, and potential regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Too Many Global Admins\u0026rdquo; to your SIEM and tune the threshold for your environment to detect excessive Global Administrator assignments in Azure PIM.\u003c/li\u003e\n\u003cli\u003eReview and reduce the number of Global Administrator accounts to the minimum necessary.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all privileged accounts.\u003c/li\u003e\n\u003cli\u003eMonitor Azure audit logs for suspicious activity related to role assignments and privilege elevation.\u003c/li\u003e\n\u003cli\u003eRegularly review and update PIM policies to ensure appropriate access controls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-too-many-global-admins/","summary":"Detection of an excessive number of Global Administrator accounts assigned within an Azure tenant, indicating potential privilege escalation or compromised accounts.","title":"Excessive Global Administrator Accounts in Azure PIM","url":"https://feed.craftedsignal.io/briefs/2024-01-too-many-global-admins/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","cloud","service principal","persistence","lateral 
movement"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe creation of service principals in Azure can be a legitimate administrative task, but it can also be an indicator of malicious activity. Attackers may create service principals to establish persistence, move laterally within the Azure environment, or gain unauthorized access to resources. This activity is particularly concerning when performed by unfamiliar users or from unusual locations. Monitoring for unexpected service principal creation is crucial for detecting potential security breaches in Azure environments. This alert focuses on detecting the \u0026ldquo;Add service principal\u0026rdquo; message within Azure Activity Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure account, possibly through compromised credentials or a vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses Azure CLI with the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to create a new service principal using tools like Azure CLI or PowerShell.\u003c/li\u003e\n\u003cli\u003eAzure Activity Logs record the \u0026ldquo;Add service principal\u0026rdquo; event.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns roles and permissions to the newly created service principal, granting it access to specific resources.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the service principal for lateral movement, accessing resources or services within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe service principal is used for persistence, allowing the attacker to maintain access even if the initial access method is revoked.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful creation and misuse of a service principal can lead to unauthorized 
access to sensitive data, resources, and services within the Azure environment. The impact can range from data breaches and service disruption to complete control over the Azure subscription, potentially affecting hundreds or thousands of resources and users. The attacker can leverage the compromised service principal to perform actions with the permissions assigned to it, leading to significant damage and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Azure Service Principal Created\u0026rdquo; to your SIEM and tune for your environment to detect suspicious service principal creations.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Azure Service Principal Created\u0026rdquo; rule (logsource: azure) by verifying the user identity, user agent, and hostname associated with the event.\u003c/li\u003e\n\u003cli\u003eReview and audit existing service principals and their assigned permissions to identify any anomalies or overly permissive configurations.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts to reduce the risk of credential compromise and unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-azure-sp-creation/","summary":"Detects the creation of a service principal in Azure, which could indicate potential attacker activity for lateral movement or persistence.","title":"Detection of Azure Service Principal Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-sp-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","service principal","stealth","cloud"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe removal of a service principal within 
an Azure environment can be indicative of various activities, ranging from legitimate administrative tasks to malicious actions undertaken by threat actors attempting to cover their tracks. While service principals are routinely removed as part of lifecycle management, unauthorized or unexpected removals should be investigated promptly. This detection focuses on identifying such removals through Azure Activity Logs, allowing security teams to quickly respond to potentially suspicious events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an Azure account through compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a service principal used for malicious purposes or to maintain persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove the service principal to evade detection or disrupt incident response efforts.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the necessary commands or uses the Azure portal to initiate the service principal removal. 
This action is logged in the Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eThe Azure Activity Logs record an event with the message \u0026ldquo;Remove service principal\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers based on the \u0026ldquo;Remove service principal\u0026rdquo; message in the Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the event, examining the user identity, user agent, and hostname associated with the removal.\u003c/li\u003e\n\u003cli\u003eIf the removal is deemed unauthorized or suspicious, further incident response procedures are initiated.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful removal of a service principal by a malicious actor can disrupt legitimate applications relying on that principal for authentication and authorization. It can also hinder incident response efforts by eliminating a potential avenue for investigation or remediation. The impact can range from service disruptions to prolonged breaches if the attacker successfully covers their tracks. 
The number of affected applications and the severity of the disruption depend on the role and permissions associated with the removed service principal.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Azure Service Principal Removed\u0026rdquo; to your SIEM and tune for your environment, focusing on identifying legitimate administrator activity to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instance of service principal removal, focusing on the user identity, user agent, and hostname from the Azure Activity Logs to determine legitimacy.\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for related activities occurring before and after the service principal removal.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:27:00Z","date_published":"2024-01-03T14:27:00Z","id":"/briefs/2024-01-azure-service-principal-removed/","summary":"Detection of a service principal removal in Azure, potentially indicating malicious activity or an attempt to remove evidence of a compromise.","title":"Azure Service Principal Removal Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-service-principal-removed/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","pim","privileged-identity-management","role-based-access-control","initial-access","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies a condition where users have been assigned privileged roles within Azure\u0026rsquo;s Privileged Identity Management (PIM) but are not actively utilizing those roles. 
This situation can arise from various factors, including misconfiguration of PIM settings, over-allocation of privileged roles due to process gaps or lack of oversight, or the presence of dormant accounts with elevated privileges. Such unused roles represent a potential security risk, as they can be exploited by malicious actors or misused inadvertently, especially if MFA or conditional access policies are not enforced. Regularly auditing and addressing unused PIM roles is crucial for maintaining a strong security posture and optimizing license utilization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator assigns a privileged role to a user within Azure PIM.\u003c/li\u003e\n\u003cli\u003eThe user is granted the role but does not activate or use it to perform any privileged actions.\u003c/li\u003e\n\u003cli\u003eAzure PIM monitors role usage and detects the lack of activity for the assigned role.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;redundantAssignmentAlertIncident\u0026rdquo; event is triggered within the Azure PIM logs.\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to the user\u0026rsquo;s account through credential compromise or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker activates the unused privileged role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the now-active privileged role to perform unauthorized actions, such as modifying system configurations, accessing sensitive data, or escalating privileges further.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise, without being detected due to the pre-existing role assignment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe presence of unused privileged roles can lead to significant security breaches and compliance violations. 
An attacker exploiting an unused role can gain immediate access to sensitive resources and perform unauthorized actions, potentially leading to data breaches, system outages, or financial losses. The number of affected users and resources depends on the scope of the unused role and the attacker\u0026rsquo;s objectives. Failure to identify and address these unused roles can also result in unnecessary license costs and increased attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003eredundantAssignmentAlertIncident\u003c/code\u003e events indicating unused PIM roles in Azure (see \u0026ldquo;Roles Are Not Being Used\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eInvestigate all detected instances of unused PIM roles to determine the reason for inactivity and potential risks.\u003c/li\u003e\n\u003cli\u003eRevoke the assigned role if the user no longer requires it, or provide training and guidance to ensure proper role utilization.\u003c/li\u003e\n\u003cli\u003eReview and refine PIM role assignment policies to minimize the allocation of unnecessary privileges.\u003c/li\u003e\n\u003cli\u003eImplement regular audits of PIM role assignments to identify and address unused roles promptly.\u003c/li\u003e\n\u003cli\u003eConfigure security alerts within Azure PIM to receive notifications about unused roles and other potential security incidents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-pim-role-not-used/","summary":"Detection of assigned but unused privileged roles in Azure's Privileged Identity Management (PIM) service, indicating potential misconfiguration, license overuse, or dormant privileged access that could be exploited.","title":"Unused Privileged Identity Management (PIM) Roles in 
Azure","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-not-used/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","initial-access","persistence","stealth","azure"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert detects instances where a user attempts to invite an external guest user to an Azure environment but fails due to insufficient permissions. This activity can signify several potential security risks, including unauthorized privilege escalation attempts by internal users or malicious insiders attempting to expand access without proper authorization. While legitimate failed attempts may occur, repeated or targeted failures should be investigated. The activity is logged within the Azure Audit Logs. Detecting this activity is crucial for maintaining control over user access and preventing potential data breaches. The relevant log data resides within Azure\u0026rsquo;s audit logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn internal user (either compromised or malicious) attempts to invite an external guest user via the Azure portal or API.\u003c/li\u003e\n\u003cli\u003eThe Azure Active Directory service checks the inviter\u0026rsquo;s permissions against the organization\u0026rsquo;s guest invitation policies.\u003c/li\u003e\n\u003cli\u003eThe system determines the user lacks the necessary permissions to invite guest users.\u003c/li\u003e\n\u003cli\u003eAzure Audit Logs record the \u0026ldquo;Invite external user\u0026rdquo; event with a \u0026ldquo;failure\u0026rdquo; status.\u003c/li\u003e\n\u003cli\u003eThe failed invitation attempt is blocked, preventing the external user from gaining access.\u003c/li\u003e\n\u003cli\u003eThe attacker may retry the invitation with different accounts or methods, attempting to bypass access 
controls.\u003c/li\u003e\n\u003cli\u003eIf successful through other means (not detected by this rule), the guest user could be used for lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation could grant unauthorized access to sensitive data and resources within the Azure environment. While this specific detection focuses on failed attempts, repeated failures may indicate a concerted effort to bypass security controls. If successful, unauthorized guest users could be used for lateral movement, data exfiltration, or other malicious activities. The number of affected resources depends on the permissions granted to the guest user if the invitation had been successful.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Guest User Invited By Non Approved Inviters\u0026rdquo; to your SIEM to detect unauthorized invitation attempts within Azure Audit Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the invitation attempt and the intent of the user.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for user roles and permissions within Azure Active Directory.\u003c/li\u003e\n\u003cli\u003eMonitor for repeated failed invitation attempts from the same user account (correlate with the Azure Audit Logs data).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-guest-invite-failure/","summary":"Detection of a failed attempt to invite an external guest user by an Azure user lacking the necessary permissions, potentially indicating privilege escalation or malicious insider activity.","title":"Unauthorized Guest User Invitation Attempt in 
Azure","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-guest-invite-failure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Agent Auditd Manager","EKS","Azure","gcloud","Docker"],"_cs_severities":["high"],"_cs_tags":["credential-access","linux","auditd"],"_cs_type":"advisory","_cs_vendors":["Elastic","Amazon","Microsoft","Google","Docker"],"content_html":"\u003cp\u003eThis detection focuses on identifying unauthorized access to sensitive identity files on Linux systems. It leverages Auditd to monitor file access events and flags processes that are commonly used for copying, scripting, or staging files from temporary directories. The targeted files include Kubernetes service account tokens, kubelet configurations, cloud CLI configurations for AWS, Azure, and Google Cloud, root SSH keys, and Docker configurations. These files are critical for authentication and authorization within the system, and unauthorized access could lead to credential theft, privilege escalation, or lateral movement. This is especially important in cloud environments and containerized deployments where these files are commonly used for managing access to resources. 
The rule is designed to exclude user home paths to avoid false positives and focus on system-level access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system through various means, such as exploiting a vulnerability or compromising credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a utility like \u003ccode\u003ecp\u003c/code\u003e, \u003ccode\u003ecat\u003c/code\u003e, or \u003ccode\u003ecurl\u003c/code\u003e to access sensitive files such as \u003ccode\u003e/var/run/secrets/kubernetes.io/serviceaccount/token\u003c/code\u003e or \u003ccode\u003e/root/.ssh/id_rsa\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAuditd logs the file access event, capturing details about the process, user, and file path.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the suspicious process based on its name, executable path (e.g., \u003ccode\u003e/tmp/*\u003c/code\u003e), or command-line arguments.\u003c/li\u003e\n\u003cli\u003eThe rule checks if the accessed file is in the list of sensitive identity files.\u003c/li\u003e\n\u003cli\u003eIf both conditions are met, the rule triggers an alert, indicating potential unauthorized access to sensitive credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen credentials or uses them to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access cloud resources or other sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive credentials, allowing attackers to gain unauthorized access to critical systems and data. This can result in data breaches, service disruptions, and financial losses. 
The targeted files contain credentials for Kubernetes clusters, cloud environments (AWS, Azure, Google Cloud), and SSH keys, potentially impacting a wide range of resources. The impact is particularly severe in environments where these credentials are used for managing critical infrastructure or accessing sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Auditd Manager integration with the specified audit rules in the provided setup steps to monitor access to sensitive identity files on Linux systems. Ensure auditd is properly configured and running (\u003ccode\u003eauditctl -l\u003c/code\u003e) to generate the necessary logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect suspicious processes accessing sensitive identity files and tune them for your environment by excluding legitimate processes or users as needed.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rules, focusing on the process name, executable, parent command line, and the accessed file path to determine the legitimacy of the access.\u003c/li\u003e\n\u003cli\u003eReview and harden file permissions on shared credential stores to prevent unauthorized access. 
Rotate exposed keys and tokens and invalidate cloud sessions if a compromise is suspected, as suggested in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-sensitive-identity-file-access/","summary":"This rule detects suspicious processes, such as copy utilities or scripting tools, accessing sensitive identity files on Linux systems, including Kubernetes tokens, cloud CLI configurations, and root SSH keys, indicating potential credential theft.","title":"Suspicious Process Accessing Sensitive Identity Files via Auditd","url":"https://feed.craftedsignal.io/briefs/2024-01-sensitive-identity-file-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","alerts","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may disable PIM alerts within Azure environments to weaken security monitoring and maintain a low profile while escalating privileges. This involves modifying alert settings within the Azure Privileged Identity Management service to prevent notifications of suspicious or unauthorized activity. This technique enables attackers to operate with reduced scrutiny, making it easier to establish persistence and move laterally within the compromised environment. Successful disabling of PIM alerts allows malicious actors to abuse privileged roles without triggering immediate alarms. 
This allows for potentially long-term access and control over critical resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to escalate privileges within the Azure Active Directory, potentially by exploiting misconfigured roles or vulnerabilities.\u003c/li\u003e\n\u003cli\u003ePIM Access: The attacker accesses the Azure Privileged Identity Management (PIM) service.\u003c/li\u003e\n\u003cli\u003eAlert Configuration Discovery: The attacker enumerates existing PIM alert configurations to identify the alerts to be disabled.\u003c/li\u003e\n\u003cli\u003eAlert Modification: The attacker modifies the alert settings, setting them to disabled. This is often done through the Azure portal or via API calls.\u003c/li\u003e\n\u003cli\u003ePersistence: With alerts disabled, the attacker can maintain persistence by assigning themselves privileged roles without generating notifications.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker leverages the newly acquired privileged roles to move laterally within the Azure environment, accessing sensitive resources and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling PIM alerts significantly reduces an organization\u0026rsquo;s visibility into privileged access activities. This can lead to delayed detection of malicious activities, enabling attackers to maintain a persistent presence, escalate privileges, and exfiltrate sensitive data without triggering alarms. The impact includes potential data breaches, financial losses, and reputational damage. 
The lack of alerts hinders incident response efforts and prolongs the duration of the attack, compounding the damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect instances where PIM alerts are disabled by monitoring \u003ccode\u003eauditlogs\u003c/code\u003e for \u003ccode\u003eproperties.message: Disable PIM Alert\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRegularly review PIM alert configurations to ensure critical alerts are enabled and properly configured.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate initial access (T1078).\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege to limit the scope of potential damage from compromised accounts.\u003c/li\u003e\n\u003cli\u003eMonitor Azure audit logs for unusual activity related to PIM configuration changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-pim-alerts-disabled/","summary":"An adversary disables Privileged Identity Management (PIM) alerts in Azure to evade detection and maintain persistent access with escalated privileges.","title":"Privileged Identity Management (PIM) Alerting Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-pim-alerts-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","role-activation","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses suspicious activity within Azure Privileged Identity Management (PIM), specifically the repeated activation of privileged roles by the same user. 
The alert, triggered by \u0026lsquo;sequentialActivationRenewalsAlertIncident\u0026rsquo; events, suggests that an attacker may be attempting to escalate privileges or maintain persistent access to sensitive resources. This activity can be indicative of compromised credentials or malicious insider activity. The detection is based on Azure PIM logs and aims to identify deviations from normal user behavior related to role activation. Defenders should investigate these alerts promptly to determine the legitimacy of the role activations and mitigate potential risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to an Azure account, possibly through compromised credentials (T1078).\u003c/li\u003e\n\u003cli\u003ePrivilege Discovery: The attacker identifies available privileged roles within Azure PIM.\u003c/li\u003e\n\u003cli\u003eRole Activation Request: The attacker initiates a request to activate a privileged role.\u003c/li\u003e\n\u003cli\u003eRole Activation: The attacker successfully activates the privileged role.\u003c/li\u003e\n\u003cli\u003eResource Access: With the activated role, the attacker accesses sensitive resources or performs privileged actions.\u003c/li\u003e\n\u003cli\u003eRepeated Activation: The attacker deactivates and reactivates the same role shortly after, potentially to bypass monitoring or maintain persistent access.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker uses the elevated privileges to move laterally within the Azure environment.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or System Damage (Impact): The attacker achieves their ultimate objective, such as exfiltrating sensitive data or causing damage to systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to critical resources, data 
breaches, and significant damage to the organization\u0026rsquo;s Azure environment. The repeated activation of privileged roles can be used to bypass security controls and maintain persistent access, making it difficult to detect malicious activity. A single compromised account with PIM access can lead to widespread impact across the entire Azure infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Roles Activated Too Frequently\u0026rdquo; to your SIEM and tune it based on your environment to reduce false positives (logsource: azure, service: pim).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026ldquo;Roles Activated Too Frequently\u0026rdquo;, focusing on the context of the role activated and the user involved.\u003c/li\u003e\n\u003cli\u003eReview the active time period for roles in PIM to ensure they are not set too short, which can lead to frequent legitimate activations and false positives, as noted in the \u003ccode\u003efalsepositives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users, especially those with privileged roles, to mitigate the risk of credential compromise (T1078).\u003c/li\u003e\n\u003cli\u003eMonitor Azure Active Directory sign-in logs for suspicious activity, such as logins from unusual locations or devices.\u003c/li\u003e\n\u003cli\u003eImplement least privilege principles and regularly review role assignments to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-pim-role-activation/","summary":"Detection of frequent role activation in Azure Privileged Identity Management (PIM) by the same user may indicate potential privilege escalation or account compromise.","title":"Frequent Azure PIM Role Activation 
Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-activation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","privileged-account","initial-access","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of new privileged account creation within Azure environments. Attackers often create new admin accounts to establish persistence, escalate privileges, or move laterally within a compromised environment. Monitoring for such activity is crucial, especially given that compromised accounts are a common entry point for various attacks. This activity, if malicious, can lead to significant data breaches, service disruptions, and reputational damage. This detection focuses on identifying \u0026ldquo;Add user\u0026rdquo; and \u0026ldquo;Add member to role\u0026rdquo; events within Azure audit logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure environment, possibly through compromised credentials (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their access to enumerate existing accounts and roles within the Azure Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new user account with elevated privileges, such as Global Administrator or other custom administrative roles.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns the newly created user account to one or more privileged roles, granting it administrative access to the Azure environment. 
This action is logged as \u0026ldquo;Add member to role\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created privileged account to perform reconnaissance, identify sensitive data, or deploy malicious applications.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by maintaining access through the newly created account, even if the initial entry point is detected and remediated.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain control over critical resources and services within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the privileged account to exfiltrate sensitive data, deploy ransomware, or disrupt critical business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful creation of a privileged account can provide an attacker with persistent access and the ability to escalate privileges, leading to widespread damage. The attacker can gain control over critical resources, exfiltrate sensitive data, deploy ransomware, or disrupt business operations. This can lead to significant financial losses, reputational damage, and legal liabilities. 
While the scope and number of victims are unknown, all organizations using Azure Active Directory are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect privileged account creation events within Azure Audit Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of privileged account creation to determine whether the activity is legitimate.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with privileged roles, to mitigate the risk of credential compromise (T1110).\u003c/li\u003e\n\u003cli\u003eRegularly review and audit user account privileges to identify and remove unnecessary or excessive permissions.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Audit Logs for suspicious activities, such as unusual sign-in attempts, changes to security settings, and modifications to privileged roles.\u003c/li\u003e\n\u003cli\u003eImplement alerting for changes to privileged roles and groups within Azure AD.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-privileged-account-creation/","summary":"Detects the creation of new privileged accounts in Azure environments, potentially indicating initial access, persistence, privilege escalation, or stealth activities by malicious actors.","title":"Detection of Privileged Account Creation in Azure","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-privileged-account-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","privilege-escalation","persistence","initial-access","stealth"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat involves the elevation of user permissions within an Azure environment to 
manage all Azure subscriptions. While legitimate administrators may perform this action, unauthorized elevation of permissions can grant an attacker significant control over the entire Azure environment. This could be an insider threat or a compromised account being used to broaden access. The activity is logged within Azure Activity Logs, providing an opportunity for detection. Defenders should be aware of this potential escalation path and monitor for unexpected or unauthorized permission changes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure account, potentially through compromised credentials (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses Azure CLI/PowerShell with the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to elevate their permissions using the \u003ccode\u003eMICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eAzure Activity Logs record the attempt to elevate permissions.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains management access to all Azure subscriptions within the tenant.\u003c/li\u003e\n\u003cli\u003eThe attacker can then provision resources, modify configurations, and access data within those subscriptions.\u003c/li\u003e\n\u003cli\u003eThe attacker might establish persistence by creating new user accounts with elevated privileges or modifying existing roles.\u003c/li\u003e\n\u003cli\u003eThe attacker can then exfiltrate sensitive data or disrupt services within the Azure environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful elevation of permissions to manage all Azure subscriptions allows an attacker to control all resources, data, and configurations within the Azure environment. 
This can lead to data breaches, service disruptions, financial loss, and reputational damage. The scope of impact depends on the sensitivity of the data stored within Azure and the criticality of the services hosted there.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized \u003ccode\u003eMICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION\u003c/code\u003e operations in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eMICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION\u003c/code\u003e immediately, as outlined in the rule description.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for Azure role assignments.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for other suspicious activities, such as unusual resource creation or modification.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-subscription-elevation/","summary":"An attacker elevates their Azure subscription permissions to manage all subscriptions, potentially leading to unauthorized access and control over the environment.","title":"Azure Subscription Permission Elevation via Activity Logs","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-subscription-elevation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["attack.stealth","azure"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe removal of an owner from an Azure application or service principal can be indicative of malicious activity. 
An attacker who has gained initial access to an Azure environment might attempt to remove owners from service principals or applications to hinder incident response, establish persistence, or escalate their privileges. This action could be part of a broader attack aimed at compromising cloud resources and data. Detecting this activity is crucial for identifying potentially compromised accounts and preventing further damage within the Azure environment. The activity is logged within the Azure Activity Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure account through compromised credentials or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available applications and service principals within the Azure environment to identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an application or service principal with elevated permissions that would be beneficial to compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove the existing owner from the target application or service principal via the Azure portal, PowerShell, or Azure CLI.\u003c/li\u003e\n\u003cli\u003eThe Azure Activity Logs record an event indicating \u0026ldquo;Remove owner from service principal\u0026rdquo; or \u0026ldquo;Remove owner from application\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker may assign themselves as the new owner or further modify the permissions of the application or service principal to achieve their objectives.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised application or service principal to access sensitive resources, exfiltrate data, or deploy malicious workloads.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful removal of an owner from an Azure application or service principal can lead 
to a significant compromise of cloud resources. This action can disrupt normal operations, allow unauthorized access to sensitive data, and provide a persistent foothold for attackers within the Azure environment. The lack of an owner can prevent proper oversight and incident response, potentially leading to prolonged compromise and increased damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Azure Owner Removed From Application or Service Principal\u0026rdquo; to your SIEM and tune for your environment to detect suspicious owner removal activity in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on unfamiliar user identities and unusual user agents in the Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise, which is often the initial access vector.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit the permissions assigned to applications and service principals to identify and remediate any excessive or unnecessary privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-owner-removed/","summary":"An adversary may remove an owner from an Azure application or service principal to weaken access controls, persist in the environment, or escalate privileges.","title":"Azure Owner Removed from Application or Service Principal","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-owner-removed/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["attack.stealth","attack.t1140"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can create inbox manipulation rules in cloud email environments 
like Microsoft 365 to hide their activity, exfiltrate data, or conduct further phishing attacks. These rules automatically delete, move, or forward emails based on sender, subject, or keywords. This can be used to hide evidence of a compromised account, or to intercept communications for Business Email Compromise (BEC). The \u003ccode\u003emcasSuspiciousInboxManipulationRules\u003c/code\u003e risk event type in Azure Identity Protection flags such suspicious rules, allowing defenders to proactively identify and remediate compromised accounts. This detection focuses on unusual mailbox rule activity indicative of malicious intent, rather than legitimate business workflows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a user\u0026rsquo;s Azure account, potentially through credential theft or phishing (T1140).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the user\u0026rsquo;s Microsoft 365 account.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new inbox rule or modifies an existing one using the Exchange admin center, PowerShell, or the Microsoft Graph API.\u003c/li\u003e\n\u003cli\u003eThe rule is configured to automatically delete emails containing specific keywords related to financial transactions or security alerts (T1566).\u003c/li\u003e\n\u003cli\u003eAlternatively, the rule might forward all emails from specific internal addresses to an external account controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the manipulated inbox to conceal their activities, such as unauthorized financial transactions or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe legitimate user remains unaware of the attacker\u0026rsquo;s actions due to the automatic deletion or redirection of relevant emails.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the inbox rule remains active and undetected, allowing 
for continued unauthorized access and activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to conceal malicious activity within the compromised account, intercept sensitive information, and maintain persistence. This can lead to significant financial losses due to BEC, data breaches, and reputational damage. Undetected inbox manipulation can also hinder incident response efforts by preventing security teams from identifying and containing the attack in a timely manner.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Inbox Manipulation Rules\u0026rdquo; to your SIEM and tune the \u003ccode\u003efalsepositives\u003c/code\u003e list with known good inbox rule behaviors in your organization.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts by examining the details of the created/modified inbox rules, focusing on their conditions and actions.\u003c/li\u003e\n\u003cli\u003eReview user sign-in logs for unusual activity preceding the creation of suspicious inbox rules, as described in the Microsoft documentation (\u003ca href=\"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\"\u003ehttps://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:30:00Z","date_published":"2024-01-02T14:30:00Z","id":"/briefs/2024-01-suspicious-inbox-rules/","summary":"This brief focuses on detecting malicious inbox manipulation rules set within a user's Azure environment, often indicative of account compromise or insider threats aiming to conceal illicit activities.","title":"Detection of Suspicious Inbox Manipulation Rules in 
Azure","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-inbox-rules/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["azure"],"_cs_severities":["medium"],"_cs_tags":["azuread","guest-user","privilege-escalation","persistence","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert focuses on detecting the invitation of guest users to an Azure Active Directory (AD) tenant by accounts that are not pre-approved to perform this action. Unauthorized guest user invitations can be an indicator of various malicious activities. An attacker could be attempting to escalate privileges by adding an account they control, establish persistence by creating a backdoor account, or gain initial access to the environment. This activity might be part of a broader attack aimed at gaining unauthorized access to sensitive resources or data within the organization\u0026rsquo;s Azure environment. It is important to ensure that only authorized personnel can invite external users to maintain security and prevent potential abuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a low-privilege user account within the Azure AD tenant or uses existing compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to invite an external guest user to the tenant using the compromised account.\u003c/li\u003e\n\u003cli\u003eThe Azure AD audit logs record the \u0026ldquo;Invite external user\u0026rdquo; operation under the UserManagement category.\u003c/li\u003e\n\u003cli\u003eThe audit log event is generated, capturing details such as the user who initiated the invitation (InitiatedBy) and the target guest user\u0026rsquo;s information.\u003c/li\u003e\n\u003cli\u003eThe detection logic evaluates if the InitiatedBy user is within the list of approved guest inviters.\u003c/li\u003e\n\u003cli\u003eIf the inviting user is 
not on the approved list, the detection rule triggers, indicating a potentially unauthorized guest invitation.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to leverage the newly invited guest account for lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the guest account to access resources and data within the Azure AD environment, potentially leading to data breaches or other security incidents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this vulnerability can lead to unauthorized access to sensitive data and resources within the Azure AD tenant. While the precise number of potential victims is unknown, the impact could range from a limited breach affecting a small set of resources to a widespread compromise impacting the entire organization. The addition of unauthorized guest accounts can facilitate lateral movement, data exfiltration, and other malicious activities, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect unauthorized guest user invitations in Azure AD audit logs and tune the \u003ccode\u003efilter\u003c/code\u003e with a list of approved inviters.\u003c/li\u003e\n\u003cli\u003eReview and restrict the number of users authorized to invite guest users to the Azure AD tenant based on business needs.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, including guest accounts, to prevent unauthorized access (related to audit logs).\u003c/li\u003e\n\u003cli\u003eRegularly audit Azure AD logs for any suspicious activity related to user management (related to audit 
logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-azuread-guest-invite/","summary":"Detection of unauthorized guest user invitations within an Azure Active Directory tenant, indicating potential privilege escalation, persistence, or initial access attempts.","title":"Unauthorized Guest User Invitations in Azure AD","url":"https://feed.craftedsignal.io/briefs/2024-01-02-azuread-guest-invite/"}],"language":"en","title":"CraftedSignal Threat Feed — Azure","version":"https://jsonfeed.org/version/1.1"}