{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/entra-id-privileged-identity-management/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Entra ID Privileged Identity Management"],"_cs_severities":["medium"],"_cs_tags":["azure","persistence","privileged-identity-management"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAzure Active Directory (AD) Privileged Identity Management (PIM) is a service that organizations use to manage, control, and monitor access to important resources. PIM manages built-in Azure resource roles like Global Administrator and Application Administrator. Attackers with sufficient privileges may modify PIM role assignments or settings to weaken the target's security posture or grant themselves persistent access. This activity can be indicative of prior compromise or lateral movement within the Azure environment. This activity could allow the attacker to escalate privileges or maintain access to critical resources even after initial compromise is remediated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker compromises an account with existing privileges in the Azure environment, potentially through credential theft or phishing.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker leverages the compromised account's permissions to gain access to the Azure Active Directory Privileged Identity Management (PIM) service.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker enumerates existing PIM roles and settings to identify potential targets for modification.\u003c/li\u003e\n\u003cli\u003eModify Role Setting: The attacker modifies a PIM role's settings, such as the approval requirements, activation duration, or notification settings, to weaken security controls.\u003c/li\u003e\n\u003cli\u003eAssign Role: The attacker assigns a new user account (potentially controlled by the attacker) to a PIM role with elevated privileges, such as Global Administrator or Application Administrator.\u003c/li\u003e\n\u003cli\u003eActivate Role: The attacker activates the newly assigned role for the attacker-controlled account.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker maintains persistent access to the Azure environment through the newly acquired role, bypassing standard access controls.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker leverages the elevated privileges to access sensitive data, modify system configurations, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Entra ID PIM roles can grant attackers persistent, elevated privileges within the Azure environment. This can lead to unauthorized access to sensitive data, modification of critical system configurations, and disruption of services. The impact can range from data breaches and financial loss to complete system compromise, depending on the scope and nature of the affected roles.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Entra ID PIM Role Modified\u0026quot; to detect unauthorized modifications to PIM role settings based on the \u003ccode\u003eazure.auditlogs.operation_name:\u0026quot;Update role setting in PIM\u0026quot;\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the user account that performed the action and validating the legitimacy of the changes.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication for all users, especially those with privileged roles, to prevent credential theft and unauthorized access to the Azure environment.\u003c/li\u003e\n\u003cli\u003eReview and enforce the organization's change management policies for all modifications to PIM role settings to ensure that changes are properly authorized and documented.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-entra-id-pim-role-modification/","summary":"Attackers may modify Entra ID Privileged Identity Management (PIM) roles to persist in the environment and weaken security controls, potentially leading to privilege escalation and unauthorized access.","title":"Entra ID Privileged Identity Management (PIM) Role Modified","url":"https://feed.craftedsignal.io/briefs/2024-01-entra-id-pim-role-modification/"}],"language":"en","title":"CraftedSignal Threat Feed - Entra ID Privileged Identity Management","version":"https://jsonfeed.org/version/1.1"}