<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Entra ID Privileged Identity Management - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/entra-id-privileged-identity-management/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/entra-id-privileged-identity-management/feed.xml" rel="self" type="application/rss+xml"/><item><title>Entra ID Privileged Identity Management (PIM) Role Modified</title><link>https://feed.craftedsignal.io/briefs/2024-01-entra-id-pim-role-modification/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-entra-id-pim-role-modification/</guid><description>Attackers may modify Entra ID Privileged Identity Management (PIM) roles to persist in the environment and weaken security controls, potentially leading to privilege escalation and unauthorized access.</description><content:encoded><![CDATA[<p>Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that organizations use to manage, control, and monitor access to important resources. PIM manages built-in Azure resource roles like Global Administrator and Application Administrator. Attackers with sufficient privileges may modify PIM role assignments or settings to weaken the target's security posture or grant themselves persistent access. This activity can be indicative of prior compromise or lateral movement within the Azure environment. This activity could allow the attacker to escalate privileges or maintain access to critical resources even after initial compromise is remediated.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker compromises an account with existing privileges in the Azure environment, potentially through credential theft or phishing.</li>
<li>Privilege Escalation: The attacker leverages the compromised account's permissions to gain access to the Azure Active Directory Privileged Identity Management (PIM) service.</li>
<li>Discovery: The attacker enumerates existing PIM roles and settings to identify potential targets for modification.</li>
<li>Modify Role Setting: The attacker modifies a PIM role's settings, such as the approval requirements, activation duration, or notification settings, to weaken security controls.</li>
<li>Assign Role: The attacker assigns a new user account (potentially controlled by the attacker) to a PIM role with elevated privileges, such as Global Administrator or Application Administrator.</li>
<li>Activate Role: The attacker activates the newly assigned role for the attacker-controlled account.</li>
<li>Persistence: The attacker maintains persistent access to the Azure environment through the newly acquired role, bypassing standard access controls.</li>
<li>Impact: The attacker leverages the elevated privileges to access sensitive data, modify system configurations, or disrupt services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of Entra ID PIM roles can grant attackers persistent, elevated privileges within the Azure environment. This can lead to unauthorized access to sensitive data, modification of critical system configurations, and disruption of services. The impact can range from data breaches and financial loss to complete system compromise, depending on the scope and nature of the affected roles.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Entra ID PIM Role Modified&quot; to detect unauthorized modifications to PIM role settings based on the <code>azure.auditlogs.operation_name:&quot;Update role setting in PIM&quot;</code> event.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on identifying the user account that performed the action and validating the legitimacy of the changes.</li>
<li>Enable multi-factor authentication for all users, especially those with privileged roles, to prevent credential theft and unauthorized access to the Azure environment.</li>
<li>Review and enforce the organization's change management policies for all modifications to PIM role settings to ensure that changes are properly authorized and documented.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>persistence</category><category>privileged-identity-management</category></item></channel></rss>