{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/privileged-identity-management/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory","Privileged Identity Management"],"_cs_severities":["high"],"_cs_tags":["azure","entra_id","persistence","privilege_escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies when a user is added to the Global Administrator role in Azure Active Directory (Azure AD) through Privileged Identity Management (PIM). Azure AD Global Administrator roles grant extensive permissions allowing modification of any administrative setting within the Azure AD organization. Privileged Identity Management (PIM) is used to manage, control, and monitor access to important resources. An adversary might add themselves, or another account they control, to the Global Administrator role via PIM to gain persistent, highly privileged access to the Azure environment. This could lead to data exfiltration, service disruption, or further lateral movement within the cloud environment. The rule specifically looks for \u0026quot;Add eligible member to role in PIM completed (permanent)\u0026quot; or \u0026quot;Add member to role in PIM completed (timebound)\u0026quot; events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises an existing user account with sufficient privileges to manage roles in Azure AD PIM, possibly via phishing (T1566).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal using the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Privileged Identity Management (PIM) service within Azure AD.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a request to add a target user account (potentially themselves or an account they control) to the Global Administrator role.\u003c/li\u003e\n\u003cli\u003eThe attacker completes the process of assigning the Global Administrator role to the target user, either permanently or with a time-bound assignment, using the compromised account's permissions.\u003c/li\u003e\n\u003cli\u003eAzure AD logs an audit event indicating the successful addition of the user to the Global Administrator role in PIM. The \u003ccode\u003eazure.auditlogs.operation_name\u003c/code\u003e will contain \u0026quot;Add eligible member to role in PIM completed (permanent)\u0026quot; or \u0026quot;Add member to role in PIM completed (timebound)\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly assigned Global Administrator privileges to perform malicious actions such as modifying security settings, accessing sensitive data, or deploying malicious applications.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the Global Administrator role assignment remains active, allowing continued access to the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to gain full control over the Azure AD environment. A Global Administrator can read and modify any administrative setting. This includes the ability to create new users, reset passwords, modify security policies, access all data stored in the cloud environment, and disrupt critical services. The impact could range from data breaches and financial losses to complete compromise of the organization's cloud infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Entra ID Global Administrator Role Assigned (PIM User)\u0026quot; to your SIEM and tune for your environment to detect unauthorized role assignments (rule).\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for any unexpected additions of users to highly privileged roles, especially the Global Administrator role (logsource).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to reduce the risk of account compromise (T1566).\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by granting users only the minimum necessary permissions to perform their job functions.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit role assignments in Azure AD to identify and remove any unnecessary or excessive privileges.\u003c/li\u003e\n\u003cli\u003eImplement alerts for any changes to PIM settings to detect potential tampering with privileged access management controls (logsource).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-entra-id-pim-global-admin-role-addition/","summary":"An adversary may add an account to the Global Administrator role within Azure AD Privileged Identity Management (PIM) to establish persistence and gain privileged access.","title":"Entra ID: Global Administrator Role Assigned to PIM User","url":"https://feed.craftedsignal.io/briefs/2024-01-entra-id-pim-global-admin-role-addition/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory","Privileged Identity Management"],"_cs_severities":["high"],"_cs_tags":["azure","pim","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on detecting the activation of Azure AD Privileged Identity Management (PIM) roles, a critical security concern. PIM allows users to activate elevated privileges on demand, but unauthorized or malicious activation can lead to significant security breaches. The detection leverages Azure Active Directory audit logs, specifically targeting the \u0026quot;Add member to role completed (PIM activation)\u0026quot; event. Successful exploitation can enable adversaries to perform administrative actions, exfiltrate sensitive data, or further compromise the Azure environment. Defenders should closely monitor PIM role activations to identify and respond to potentially malicious activity. The analytic is designed for use with the azure:monitor:aad sourcetype, which uses the AuditLog log category.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user account within the Azure AD environment (e.g., through phishing or credential stuffing).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a PIM role that would grant them elevated privileges necessary to achieve their objectives.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to activate the targeted PIM role. This triggers an \u0026quot;Add member to role completed (PIM activation)\u0026quot; event in the Azure AD audit logs.\u003c/li\u003e\n\u003cli\u003eAzure AD validates the activation request based on configured policies (e.g., MFA, approval workflows).\u003c/li\u003e\n\u003cli\u003eIf the activation is successful, the attacker's account is temporarily granted the privileges associated with the PIM role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to perform malicious actions, such as creating new user accounts with administrative rights, modifying security policies, or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by creating backdoors or modifying existing configurations to ensure continued access even after the PIM role expires.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data exfiltration, service disruption, or further lateral movement within the Azure environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized administrative actions, data breaches, or further compromise of the Azure environment. The number of potential victims depends on the scope of the compromised account and the permissions granted by the activated PIM role. Industries relying heavily on Azure AD for identity and access management are particularly vulnerable. The financial impact could be substantial due to data loss, regulatory fines, and incident response costs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure AD PIM Role Activated\u003c/code\u003e to your SIEM to detect unauthorized PIM role activations based on the \u0026quot;Add member to role completed (PIM activation)\u0026quot; operation.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected PIM role activations where the \u003ccode\u003einitiatedBy\u003c/code\u003e field does not match expected administrative accounts.\u003c/li\u003e\n\u003cli\u003eReview and harden PIM policies to require multi-factor authentication (MFA) and approval workflows for role activation, as referenced in the Microsoft documentation.\u003c/li\u003e\n\u003cli\u003eEnable Azure AD audit log collection and ensure that the \u003ccode\u003eazure:monitor:aad\u003c/code\u003e sourcetype is properly configured in Splunk.\u003c/li\u003e\n\u003cli\u003eUse the provided drilldown searches to investigate the user and associated risk events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-ad-pim-activation/","summary":"Detection of Azure AD Privileged Identity Management (PIM) role activation, indicating potential privilege escalation or unauthorized access.","title":"Azure AD PIM Role Activation Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-ad-pim-activation/"}],"language":"en","title":"CraftedSignal Threat Feed - Privileged Identity Management","version":"https://jsonfeed.org/version/1.1"}