<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Privileged Identity Management - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/privileged-identity-management/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 04 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/privileged-identity-management/feed.xml" rel="self" type="application/rss+xml"/><item><title>Entra ID: Global Administrator Role Assigned to PIM User</title><link>https://feed.craftedsignal.io/briefs/2024-01-entra-id-pim-global-admin-role-addition/</link><pubDate>Thu, 04 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-entra-id-pim-global-admin-role-addition/</guid><description>An adversary may add an account to the Global Administrator role within Azure AD Privileged Identity Management (PIM) to establish persistence and gain privileged access.</description><content:encoded><![CDATA[<p>This alert identifies when a user is added to the Global Administrator role in Azure Active Directory (Azure AD) through Privileged Identity Management (PIM). Azure AD Global Administrator roles grant extensive permissions allowing modification of any administrative setting within the Azure AD organization. Privileged Identity Management (PIM) is used to manage, control, and monitor access to important resources. An adversary might add themselves, or another account they control, to the Global Administrator role via PIM to gain persistent, highly privileged access to the Azure environment. This could lead to data exfiltration, service disruption, or further lateral movement within the cloud environment. The rule specifically looks for &quot;Add eligible member to role in PIM completed (permanent)&quot; or &quot;Add member to role in PIM completed (timebound)&quot; events.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises an existing user account with sufficient privileges to manage roles in Azure AD PIM, possibly via phishing (T1566).</li>
<li>The attacker authenticates to the Azure portal using the compromised account.</li>
<li>The attacker navigates to the Privileged Identity Management (PIM) service within Azure AD.</li>
<li>The attacker initiates a request to add a target user account (potentially themselves or an account they control) to the Global Administrator role.</li>
<li>The attacker completes the process of assigning the Global Administrator role to the target user, either permanently or with a time-bound assignment, using the compromised account's permissions.</li>
<li>Azure AD logs an audit event indicating the successful addition of the user to the Global Administrator role in PIM. The <code>azure.auditlogs.operation_name</code> will contain &quot;Add eligible member to role in PIM completed (permanent)&quot; or &quot;Add member to role in PIM completed (timebound)&quot;.</li>
<li>The attacker leverages the newly assigned Global Administrator privileges to perform malicious actions such as modifying security settings, accessing sensitive data, or deploying malicious applications.</li>
<li>The attacker maintains persistence by ensuring the Global Administrator role assignment remains active, allowing continued access to the environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows the attacker to gain full control over the Azure AD environment. A Global Administrator can read and modify any administrative setting. This includes the ability to create new users, reset passwords, modify security policies, access all data stored in the cloud environment, and disrupt critical services. The impact could range from data breaches and financial losses to complete compromise of the organization's cloud infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Entra ID Global Administrator Role Assigned (PIM User)&quot; to your SIEM and tune for your environment to detect unauthorized role assignments (rule).</li>
<li>Review Azure AD audit logs for any unexpected additions of users to highly privileged roles, especially the Global Administrator role (logsource).</li>
<li>Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to reduce the risk of account compromise (T1566).</li>
<li>Enforce the principle of least privilege by granting users only the minimum necessary permissions to perform their job functions.</li>
<li>Regularly review and audit role assignments in Azure AD to identify and remove any unnecessary or excessive privileges.</li>
<li>Implement alerts for any changes to PIM settings to detect potential tampering with privileged access management controls (logsource).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>entra_id</category><category>persistence</category><category>privilege_escalation</category></item><item><title>Azure AD PIM Role Activation Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-ad-pim-activation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-ad-pim-activation/</guid><description>Detection of Azure AD Privileged Identity Management (PIM) role activation, indicating potential privilege escalation or unauthorized access.</description><content:encoded><![CDATA[<p>This brief focuses on detecting the activation of Azure AD Privileged Identity Management (PIM) roles, a critical security concern. PIM allows users to activate elevated privileges on demand, but unauthorized or malicious activation can lead to significant security breaches. The detection leverages Azure Active Directory audit logs, specifically targeting the &quot;Add member to role completed (PIM activation)&quot; event. Successful exploitation can enable adversaries to perform administrative actions, exfiltrate sensitive data, or further compromise the Azure environment. Defenders should closely monitor PIM role activations to identify and respond to potentially malicious activity. The analytic is designed for use with the azure:monitor:aad sourcetype, which uses the AuditLog log category.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a user account within the Azure AD environment (e.g., through phishing or credential stuffing).</li>
<li>The attacker identifies a PIM role that would grant them elevated privileges necessary to achieve their objectives.</li>
<li>The attacker attempts to activate the targeted PIM role. This triggers an &quot;Add member to role completed (PIM activation)&quot; event in the Azure AD audit logs.</li>
<li>Azure AD validates the activation request based on configured policies (e.g., MFA, approval workflows).</li>
<li>If the activation is successful, the attacker's account is temporarily granted the privileges associated with the PIM role.</li>
<li>The attacker leverages the elevated privileges to perform malicious actions, such as creating new user accounts with administrative rights, modifying security policies, or accessing sensitive data.</li>
<li>The attacker attempts to maintain persistence by creating backdoors or modifying existing configurations to ensure continued access even after the PIM role expires.</li>
<li>The attacker achieves their final objective, which may include data exfiltration, service disruption, or further lateral movement within the Azure environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized administrative actions, data breaches, or further compromise of the Azure environment. The number of potential victims depends on the scope of the compromised account and the permissions granted by the activated PIM role. Industries relying heavily on Azure AD for identity and access management are particularly vulnerable. The financial impact could be substantial due to data loss, regulatory fines, and incident response costs.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure AD PIM Role Activated</code> to your SIEM to detect unauthorized PIM role activations based on the &quot;Add member to role completed (PIM activation)&quot; operation.</li>
<li>Investigate any detected PIM role activations where the <code>initiatedBy</code> field does not match expected administrative accounts.</li>
<li>Review and harden PIM policies to require multi-factor authentication (MFA) and approval workflows for role activation, as referenced in the Microsoft documentation.</li>
<li>Enable Azure AD audit log collection and ensure that the <code>azure:monitor:aad</code> sourcetype is properly configured in Splunk.</li>
<li>Use the provided drilldown searches to investigate the user and associated risk events.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>pim</category><category>privilege-escalation</category><category>persistence</category></item></channel></rss>