{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/account-manipulation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["medium"],"_cs_tags":["persistence","windows","account-manipulation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may abuse accounts configured with never-expiring passwords to maintain long-term access within a compromised environment. This persistence technique relies on the Active Directory \u0026lsquo;Password never expires\u0026rsquo; flag (the DONT_EXPIRE_PASSWD bit, 0x10000, of the \u003ccode\u003euserAccountControl\u003c/code\u003e attribute), which exempts the account from the maximum password age enforced by domain password policy. While sometimes legitimately used for service accounts, this configuration weakens security posture and exposes environments to credential access attacks. The rule detects Event ID 4738 (A user account was changed) with the NewUACList containing \u0026ldquo;USER_DONT_EXPIRE_PASSWORD\u0026rdquo;, and Event ID 5136 (A directory service object was modified) where the \u003ccode\u003euserAccountControl\u003c/code\u003e attribute is set to 66048 or 66080. Both values carry the flag: 66048 is 0x10200 (NORMAL_ACCOUNT 0x0200 plus DONT_EXPIRE_PASSWD 0x10000) and 66080 is 0x10220 (the same with PASSWD_NOTREQD 0x0020 added). 
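\u003c/p\u003e\n\u003cp\u003eThe following Python is an added example, not code from the original brief or from the Sigma rule it cites. It evaluates constructed 4738 and 5136 events against the two patterns just described and, for 5136, also decodes the \u003ccode\u003euserAccountControl\u003c/code\u003e bitmask and tests the DONT_EXPIRE_PASSWD bit (0x10000) instead of matching only the literal values 66048 and 66080, so that flag combinations the literal list does not cover are still caught and the Value Deleted half of a 5136 change is not mistaken for the flag being set. The field names follow the brief and the Windows event schemas; the events, account names and distinguished names are constructed for the example.\u003c/p\u003e

```python
# Added example for this brief (not code from the original page or from the
# Sigma rule it cites): evaluate constructed Windows Security events against
# the two patterns described above, and compare the literal value match with a
# bitwise test of the userAccountControl attribute. Field names follow the
# brief and the 4738/5136 event schemas; the sample events are constructed,
# not captured from a domain controller.

# userAccountControl bits documented by Microsoft.
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
# NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD = 66048; with PASSWD_NOTREQD as well = 66080.

# 5136 reports an attribute change as a pair of events: Value Deleted (the old
# value) and Value Added (the new one). Only the second describes the state
# the account is now in.
OP_VALUE_ADDED = '%%14674'
OP_VALUE_DELETED = '%%14675'


def dont_expire_set(uac_value):
    '''True if DONT_EXPIRE_PASSWD is set in a userAccountControl value given as
    an int, a decimal string or a 0x-prefixed hexadecimal string.'''
    uac = int(uac_value, 0) if isinstance(uac_value, str) else int(uac_value)
    return bool(uac & UF_DONT_EXPIRE_PASSWD)


def match_literal(event):
    '''The detection as the brief describes it: 4738 whose NewUACList names
    USER_DONT_EXPIRE_PASSWORD, or 5136 writing 66048 or 66080 to
    userAccountControl.'''
    if event.get('EventID') == 4738:
        return 'USER_DONT_EXPIRE_PASSWORD' in event.get('NewUACList', '')
    if event.get('EventID') == 5136:
        return (event.get('AttributeLDAPDisplayName') == 'userAccountControl'
                and event.get('AttributeValue') in ('66048', '66080'))
    return False


def match_bitwise(event):
    '''Generalised 5136 check: decode the new value and test the bit, so any
    flag combination is caught, and ignore the Value Deleted half so that
    clearing the flag is not reported as setting it.'''
    if event.get('EventID') == 4738:
        return 'USER_DONT_EXPIRE_PASSWORD' in event.get('NewUACList', '')
    if event.get('EventID') == 5136:
        return (event.get('AttributeLDAPDisplayName') == 'userAccountControl'
                and event.get('OperationType') == OP_VALUE_ADDED
                and dont_expire_set(event.get('AttributeValue', '0')))
    return False


SAMPLE_EVENTS = [  # constructed for this example
    {'EventID': 4738, 'TargetUserName': 'svc-backup',
     'NewUACList': 'USER_NORMAL_ACCOUNT, USER_DONT_EXPIRE_PASSWORD'},
    {'EventID': 4738, 'TargetUserName': 'jsmith',
     'NewUACList': 'USER_NORMAL_ACCOUNT'},
    {'EventID': 5136, 'ObjectDN': 'CN=svc-sql,OU=Service,DC=corp,DC=local',
     'AttributeLDAPDisplayName': 'userAccountControl',
     'OperationType': OP_VALUE_ADDED, 'AttributeValue': '66048'},
    # Disabled normal account with the flag set: 0x10202 = 66050, absent from the literal list.
    {'EventID': 5136, 'ObjectDN': 'CN=old-admin,OU=Users,DC=corp,DC=local',
     'AttributeLDAPDisplayName': 'userAccountControl',
     'OperationType': OP_VALUE_ADDED, 'AttributeValue': '66050'},
    # The flag being cleared: the Value Deleted half still carries the old value 66048.
    {'EventID': 5136, 'ObjectDN': 'CN=svc-web,OU=Service,DC=corp,DC=local',
     'AttributeLDAPDisplayName': 'userAccountControl',
     'OperationType': OP_VALUE_DELETED, 'AttributeValue': '66048'},
    # Same number written to a different attribute: not a userAccountControl change.
    {'EventID': 5136, 'ObjectDN': 'CN=jsmith,OU=Users,DC=corp,DC=local',
     'AttributeLDAPDisplayName': 'description',
     'OperationType': OP_VALUE_ADDED, 'AttributeValue': '66048'},
]


def hunt(events):
    '''Return (subject, literal_hit, bitwise_hit) for every event either check flags.'''
    results = []
    for event in events:
        literal, bitwise = match_literal(event), match_bitwise(event)
        if literal or bitwise:
            subject = event.get('TargetUserName') or event.get('ObjectDN')
            results.append((subject, literal, bitwise))
    return results


if __name__ == '__main__':
    for subject, literal, bitwise in hunt(SAMPLE_EVENTS):
        print(subject, 'literal' if literal else '-', 'bitwise' if bitwise else '-')
```

\u003cp\u003eRun stand-alone it prints one line per flagged event. The two cases where the checks disagree are the disabled account with value 66050, which only the bitwise test reports, and the Value Deleted event carrying the old value 66048, which only the literal match reports.\u003c/p\u003e
\u003cp\u003e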
Defenders should monitor for such events and take immediate remediation actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a domain-joined system, potentially through phishing or exploiting a public-facing application.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify accounts suitable for long-term persistence, focusing on privileged accounts or those with minimal monitoring.\u003c/li\u003e\n\u003cli\u003eThe attacker uses compromised credentials or exploits a privilege escalation vulnerability to gain administrative access to Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the target account\u0026rsquo;s attributes with directory tooling such as \u003ccode\u003edsmod user\u003c/code\u003e with \u003ccode\u003e-pwdneverexpires yes\u003c/code\u003e, or the \u003ccode\u003eSet-ADUser -PasswordNeverExpires $true\u003c/code\u003e cmdlet from the Active Directory PowerShell module.\u003c/li\u003e\n\u003cli\u003eSpecifically, the attacker sets the DONT_EXPIRE_PASSWD bit of the \u003ccode\u003euserAccountControl\u003c/code\u003e attribute, disabling password expiration for the chosen account.\u003c/li\u003e\n\u003cli\u003eThe attacker validates the configuration change to ensure the password expiration is disabled, allowing for persistent access.\u003c/li\u003e\n\u003cli\u003eWith a never-expiring password, the attacker can keep using the compromised credentials indefinitely: the maximum password age enforced by domain policy no longer forces a rotation, so only an explicit reset of that account ends the access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain a persistent presence within the compromised domain. This can lead to data theft, further lateral movement, or disruption of services. The impact is increased if the affected account has elevated privileges, granting the attacker broader access to sensitive resources. 
While the number of affected organizations is unknown, the technique is applicable to any organization using Active Directory.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor the Windows audit policies for User Account Management and Directory Service Changes to generate the relevant events. Event 4738 follows from the first subcategory alone; event 5136 is only generated for objects whose SACL audits the write of that attribute, so verify that the user objects (or the OU that contains them) carry such an audit entry.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Account Configured with Never-Expiring Password\u0026rdquo; to your SIEM and tune for your environment. Note that the 5136 part of the detection matches only the values 66048 and 66080; an account whose \u003ccode\u003euserAccountControl\u003c/code\u003e carries other flags alongside DONT_EXPIRE_PASSWD (for example a disabled account, 66050) is not covered unless the check is widened to test the 0x10000 bit.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit accounts with the \u0026ldquo;Don\u0026rsquo;t Expire Password\u0026rdquo; option enabled, and enforce the use of Group Managed Service Accounts (gMSA) where appropriate, since gMSA passwords are rotated automatically and do not need the flag.\u003c/li\u003e\n\u003cli\u003eUse the following PowerShell command to identify enabled accounts with PasswordNeverExpires set across the domain: \u003ccode\u003eGet-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } -Properties PasswordNeverExpires, PasswordLastSet | Format-Table Name, SamAccountName, PasswordLastSet\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-never-expiring-password/","summary":"Detects the creation and modification of an account with the 'Don't Expire Password' option enabled, which attackers can abuse to persist in the domain and maintain long-term access.","title":"Account Configured with Never-Expiring Password","url":"https://feed.craftedsignal.io/briefs/2024-01-never-expiring-password/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","persistence","initial-access","stealth","account-manipulation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe creation and immediate deletion of user accounts within Azure Active Directory can be indicative of various malicious activities. 
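\u003c/p\u003e\n\u003cp\u003eThe following Python is an added example, not code from the original brief or from the Sigma rule it cites. It correlates Azure AD audit log entries so that a user created and deleted within a configurable window is reported together with the identity that did it and any directory role the account was added to in between. The top-level field names (\u003ccode\u003eactivityDisplayName\u003c/code\u003e, \u003ccode\u003eactivityDateTime\u003c/code\u003e, \u003ccode\u003einitiatedBy\u003c/code\u003e, \u003ccode\u003etargetResources\u003c/code\u003e) follow the Azure AD audit log schema; the layout of the role target on an Add member to role entry is an assumption of this example, and every entry, tenant name and object id in it is constructed rather than exported from a tenant.\u003c/p\u003e

```python
# Added example (not code from the original brief or from the Sigma rule it
# cites): correlate Azure AD audit log entries so that a user created and
# deleted within a configurable window is reported with the identity that did
# it and any directory role the account was added to in between. Top-level
# field names follow the Azure AD audit log schema; the layout of the role
# target on an Add member to role entry is an assumption of this example, and
# every entry below is constructed rather than exported from a tenant.
from datetime import datetime

CREATE_ACTIVITY = 'Add user'
ROLE_ACTIVITY = 'Add member to role'
DELETE_ACTIVITY = 'Delete user'


def parse_ts(value):
    # Audit timestamps are ISO 8601 with a trailing Z; make them aware UTC.
    return datetime.fromisoformat(value.replace('Z', '+00:00'))


def actor(entry):
    # The initiating identity: a user UPN, or the display name of the
    # application when automation created or deleted the account.
    who = entry.get('initiatedBy', {})
    if who.get('user'):
        return who['user'].get('userPrincipalName')
    return (who.get('app') or {}).get('displayName')


def targets(entry, kind):
    return [t for t in entry.get('targetResources', []) if t.get('type') == kind]


def short_lived_accounts(entries, window_seconds=300):
    '''One finding per user whose Add user and Delete user entries lie at most
    window_seconds apart. Correlation is keyed on the object id, not the UPN:
    a user deleted and re-created under the same UPN is a new object with a
    new id and must not be matched against the old one.'''
    pending = {}    # user object id -> (Add user entry, roles added since)
    findings = []
    for entry in sorted(entries, key=lambda e: parse_ts(e['activityDateTime'])):
        users = targets(entry, 'User')
        if not users:
            continue
        uid = users[0].get('id')
        activity = entry.get('activityDisplayName')
        if activity == CREATE_ACTIVITY:
            pending[uid] = (entry, [])
        elif activity == ROLE_ACTIVITY and uid in pending:
            pending[uid][1].extend(r.get('displayName') for r in targets(entry, 'Role'))
        elif activity == DELETE_ACTIVITY and uid in pending:
            added, roles = pending.pop(uid)
            lifetime = parse_ts(entry['activityDateTime']) - parse_ts(added['activityDateTime'])
            seconds = int(lifetime.total_seconds())
            if 0 <= seconds <= window_seconds:
                findings.append({
                    'user_id': uid,
                    'upn': targets(added, 'User')[0].get('userPrincipalName'),
                    'lifetime_seconds': seconds,
                    'created_by': actor(added),
                    'deleted_by': actor(entry),
                    'roles_added': roles,
                })
    return findings


SAMPLE_AUDIT_ENTRIES = [   # constructed for this example
    {'activityDisplayName': 'Add user', 'activityDateTime': '2024-01-02T10:00:00Z',
     'initiatedBy': {'user': {'userPrincipalName': 'attacker@contoso.com'}},
     'targetResources': [{'type': 'User', 'id': 'u-1001', 'userPrincipalName': 'svc-sync@contoso.com'}]},
    {'activityDisplayName': 'Add member to role', 'activityDateTime': '2024-01-02T10:00:40Z',
     'initiatedBy': {'user': {'userPrincipalName': 'attacker@contoso.com'}},
     'targetResources': [{'type': 'User', 'id': 'u-1001', 'userPrincipalName': 'svc-sync@contoso.com'},
                         {'type': 'Role', 'displayName': 'Global Administrator'}]},
    {'activityDisplayName': 'Delete user', 'activityDateTime': '2024-01-02T10:03:30Z',
     'initiatedBy': {'user': {'userPrincipalName': 'attacker@contoso.com'}},
     'targetResources': [{'type': 'User', 'id': 'u-1001', 'userPrincipalName': 'svc-sync@contoso.com'}]},
    # Normal onboarding: created and never deleted.
    {'activityDisplayName': 'Add user', 'activityDateTime': '2024-01-02T09:00:00Z',
     'initiatedBy': {'user': {'userPrincipalName': 'hr-admin@contoso.com'}},
     'targetResources': [{'type': 'User', 'id': 'u-1002', 'userPrincipalName': 'new.hire@contoso.com'}]},
    # Contractor account removed by a provisioning app four hours later: outside a 5 minute window.
    {'activityDisplayName': 'Add user', 'activityDateTime': '2024-01-02T08:00:00Z',
     'initiatedBy': {'app': {'displayName': 'HR Sync Connector'}},
     'targetResources': [{'type': 'User', 'id': 'u-1003', 'userPrincipalName': 'contractor@contoso.com'}]},
    {'activityDisplayName': 'Delete user', 'activityDateTime': '2024-01-02T12:00:00Z',
     'initiatedBy': {'app': {'displayName': 'HR Sync Connector'}},
     'targetResources': [{'type': 'User', 'id': 'u-1003', 'userPrincipalName': 'contractor@contoso.com'}]},
]


if __name__ == '__main__':
    for finding in short_lived_accounts(SAMPLE_AUDIT_ENTRIES):
        print(finding)
```

\u003cp\u003eWith the default five minute window only the svc-sync account is reported, together with the Global Administrator role it held for the three and a half minutes it existed; widening the window to six hours also surfaces the contractor account, which a provisioning application created and removed, the kind of benign match that tuning by initiating identity is meant to suppress.\u003c/p\u003e
\u003cp\u003e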
Attackers may create accounts to escalate privileges, establish persistence, or gain initial access to a system. The short lifespan of these accounts suggests an attempt to evade detection: the account is used for its purpose and removed again before it shows up in directory listings, role membership checks or access reviews. Deleting the account does not remove the Azure AD audit log entries that recorded its creation, its role changes and its deletion, and those entries are what this detection relies on. Monitoring for this activity helps defenders identify and respond to potential security breaches within their Azure environment. This technique is relevant for any organization utilizing Azure Active Directory for user management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure AD environment, potentially through compromised credentials or a phishing attack.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new user account in Azure AD (audit log activity \u0026ldquo;Add user\u0026rdquo;). This can be achieved through the Azure portal, PowerShell, or the Azure CLI.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns elevated privileges to the newly created account, for example by adding it to a privileged directory role such as Global Administrator (audit log activity \u0026ldquo;Add member to role\u0026rdquo;) or by granting it specific permissions on sensitive resources.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created account to perform malicious activities, such as accessing confidential data, modifying system configurations, or deploying malicious applications.\u003c/li\u003e\n\u003cli\u003eAfter completing the malicious tasks, the attacker removes the elevated privileges from the account to reduce the chances of detection during privilege reviews.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes the created account from Azure AD (audit log activity \u0026ldquo;Delete user\u0026rdquo;). 
This removes the account from directory listings and from routine reviews and hinders a superficial investigation, but the audit log still holds the entries for its creation, role changes and deletion.\u003c/li\u003e\n\u003cli\u003eThe actions performed by the short-lived account leave further traces outside the directory audit log, such as the sign-in logs and the activity logs of the resources the account interacted with.\u003c/li\u003e\n\u003cli\u003eThroughout, the attacker aims to maintain stealth and evade detection while gaining unauthorized access to resources or establishing persistence within the Azure AD environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive resources, data breaches, and system compromise. Because the account no longer exists when a privilege or access review takes place, short-lived accounts can hide malicious activity from routine oversight and make it harder to trace the attacker\u0026rsquo;s actions. Organizations using Azure AD could experience data exfiltration, financial loss, and reputational damage. Detecting such activity early is critical to preventing further damage and mitigating the impact of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Account Created And Deleted Within A Close Time Frame\u0026rdquo; to your SIEM and tune for your environment to detect suspicious account creation/deletion events in Azure AD audit logs. Provisioning connectors and onboarding automation that legitimately create and remove accounts are the usual source of benign matches and are best handled by tuning on the initiating identity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule to determine the scope and impact of the potential compromise: establish who created and deleted the account, which roles it held in between, and what it signed in to. A deleted user remains restorable from the Azure AD recycle bin for 30 days, so the object and its attributes can still be inspected during the investigation.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with elevated privileges, to reduce the risk of the credential compromise that gives the attacker initial access.\u003c/li\u003e\n\u003cli\u003eRegularly review Azure AD audit logs (the Sigma logsource is \u003ccode\u003eazure\u003c/code\u003e with service \u003ccode\u003eauditlogs\u003c/code\u003e) for unusual account activity, focusing on accounts created and deleted within a short timeframe.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:30:00Z","date_published":"2024-01-02T15:30:00Z","id":"/briefs/2024-01-azure-short-lived-account/","summary":"Detection of Azure Active Directory accounts that are created and deleted within a short timeframe, potentially indicating malicious activity such as privilege escalation or persistence attempts.","title":"Azure AD Account Created and Deleted Within a Close Time Frame","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-short-lived-account/"}],"language":"en","title":"CraftedSignal Threat Feed — Account-Manipulation","version":"https://jsonfeed.org/version/1.1"}