<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Account-Manipulation — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/account-manipulation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/account-manipulation/feed.xml" rel="self" type="application/rss+xml"/><item><title>Account Configured with Never-Expiring Password</title><link>https://feed.craftedsignal.io/briefs/2024-01-never-expiring-password/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-never-expiring-password/</guid><description>Detects the creation and modification of an account with the 'Don't Expire Password' option enabled, which attackers can abuse to persist in the domain and maintain long-term access.</description><content:encoded><![CDATA[<p>Attackers may abuse accounts configured with never-expiring passwords to maintain long-term access within a compromised environment. This persistence technique leverages the Active Directory setting that prevents password expiration. While sometimes legitimately used for service accounts, this configuration weakens security posture and exposes environments to credential access attacks. The rule detects Event ID 4738 (User Account Modified) with the NewUACList containing &ldquo;USER_DONT_EXPIRE_PASSWORD&rdquo;, and Event ID 5136 (Directory Service Changes) where the userAccountControl attribute is modified with specific values (66048 or 66080). 
These values decode to NORMAL_ACCOUNT (512) plus DONT_EXPIRE_PASSWD (65536); 66080 additionally carries PASSWD_NOTREQD (32), so an account matching it may also have an empty password. Either way, the &lsquo;Password never expires&rsquo; flag has been set on the account. Defenders should monitor for such events, confirm whether the change is an approved service-account exception, and remediate promptly when it is not.</p>
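<p>To make the two detection paths concrete, here is an added Python example (not code from this brief or from the referenced Sigma rule) that evaluates both conditions over constructed Event ID 4738 and 5136 records. The events, account names and DNs are made up; the userAccountControl flag values and the 5136 OperationType codes are the documented ones. The example goes one step past the brief in two places: it tests the DONT_EXPIRE bit rather than the literal values 66048/66080, and it matches the 4738 text field rather than NewUacValue, for the reason given in the comment.</p>

```python
"""Added example: evaluate the never-expiring-password detection over
constructed Security log events in the EventData layout of Event ID 4738
and Event ID 5136 after a SIEM has flattened them into key/value pairs."""

# LDAP userAccountControl bit values. Event ID 5136 carries the attribute
# value itself, so 66048 = 0x10200 and 66080 = 0x10220 decode with these.
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

UAC_FLAG_NAMES = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

# OperationType codes of Event ID 5136 as written in the raw event XML.
OP_VALUE_ADDED = "%%14674"
OP_VALUE_DELETED = "%%14675"

# Constructed sample events (not real telemetry): two 4738, four 5136.
SAMPLE_EVENTS = [
    # Flag enabled on a service account: the text field names the change.
    {"EventID": 4738, "SubjectUserName": "jdoe", "TargetUserName": "svc-backup",
     "OldUacValue": "0x10", "NewUacValue": "0x210",
     "UserAccountControl": "'Don't Expire Password' - Enabled"},
    # Unrelated edit (description changed): UAC untouched, no flag text.
    {"EventID": 4738, "SubjectUserName": "helpdesk", "TargetUserName": "alice",
     "OldUacValue": "0x10", "NewUacValue": "0x10", "UserAccountControl": "-"},
    # A userAccountControl write produces two 5136 events: old value deleted,
    # new value added. Only the added value is interesting.
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "userAccountControl",
     "AttributeValue": "66048", "OperationType": OP_VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "userAccountControl",
     "AttributeValue": "512", "OperationType": OP_VALUE_DELETED},
    # Different attribute on the same object: must not match.
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description",
     "AttributeValue": "nightly backups", "OperationType": OP_VALUE_ADDED},
    # 66080: never-expiring password AND password-not-required.
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=tmp-admin,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "userAccountControl",
     "AttributeValue": "66080", "OperationType": OP_VALUE_ADDED},
]


def decode_uac(value):
    """Expand an LDAP userAccountControl integer into flag names."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if value & bit]


def match_4738(ev):
    """4738 path. The UserAccountControl text field lists only the flags that
    changed, so it fires once, at the moment the flag is set. Do not look for
    0x10000 in NewUacValue: the Old/New UAC Value fields of 4720/4738 use the
    SAM USER_* flag encoding, where DONT_EXPIRE_PASSWORD is 0x200, so the
    66048/66080 values quoted in the brief appear only in 5136."""
    return (ev.get("EventID") == 4738
            and "'Don't Expire Password' - Enabled" in ev.get("UserAccountControl", ""))


def match_5136(ev):
    """5136 path. Tests the DONT_EXPIRE bit instead of the literal 66048/66080
    so an account that also has SMARTCARD_REQUIRED or DONT_REQ_PREAUTH set is
    not missed. Trade-off: any later userAccountControl write to such an account
    (e.g. disabling it) fires again, so pair with the 4738 path or dedupe on ObjectDN."""
    if ev.get("EventID") != 5136:
        return False
    if ev.get("AttributeLDAPDisplayName") != "userAccountControl":
        return False
    if ev.get("OperationType") != OP_VALUE_ADDED:
        return False
    return bool(int(ev["AttributeValue"]) & UF_DONT_EXPIRE_PASSWD)


def run_detection(events):
    """One alert per matching event, with decoded flags and a separate marker
    for the 66080 case (password not required)."""
    alerts = []
    for ev in events:
        if match_4738(ev):
            alerts.append({"source": 4738, "actor": ev.get("SubjectUserName"),
                           "target": ev.get("TargetUserName"),
                           "flags": ev["UserAccountControl"],
                           "password_not_required": None})
        elif match_5136(ev):
            value = int(ev["AttributeValue"])
            alerts.append({"source": 5136, "actor": ev.get("SubjectUserName"),
                           "target": ev.get("ObjectDN"),
                           "flags": ", ".join(decode_uac(value)),
                           "password_not_required": bool(value & UF_PASSWD_NOTREQD)})
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

<p>Run as a script it prints three alerts: the 4738 change on svc-backup, the 5136 value-added event for svc-backup (66048) and the one for tmp-admin (66080), which is also marked as password-not-required. The value-deleted event, the description change and the unrelated 4738 edit are ignored.</p>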
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a domain-joined system, potentially through phishing or exploiting a public-facing application.</li>
<li>The attacker performs reconnaissance to identify accounts suitable for long-term persistence, focusing on privileged accounts or those with minimal monitoring.</li>
<li>The attacker uses compromised credentials or exploits a privilege escalation vulnerability to gain administrative access to Active Directory.</li>
<li>The attacker modifies the target account&rsquo;s attributes, for example with <code>Set-ADUser -PasswordNeverExpires $true</code> from the Active Directory PowerShell module, through the Active Directory Users and Computers console, or with a direct LDAP write to <code>userAccountControl</code>. (<code>net user</code> cannot set this flag on a domain account; its <code>/expires</code> switch controls account expiry, not password expiry.)</li>
<li>Specifically, the attacker sets the <code>DONT_EXPIRE_PASSWD</code> bit (0x10000, decimal 65536) in the <code>userAccountControl</code> attribute. This requires only write access to that attribute on the target object (or GenericWrite/GenericAll over it), not Domain Admin membership, which is why delegated helpdesk rights are enough.</li>
<li>The attacker validates the configuration change to ensure the password expiration is disabled, allowing for persistent access.</li>
<li>With a never-expiring password, the credential the attacker holds stays valid until that specific account is reset; the periodic rotation the domain password policy forces on every other account never touches it, so the foothold survives routine password changes elsewhere in the domain.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to maintain a persistent presence within the compromised domain. This can lead to data theft, further lateral movement, or disruption of services.  The impact is increased if the affected account has elevated privileges, granting the attacker broader access to sensitive resources. While the number of affected organizations is unknown, the technique is applicable to any organization using Active Directory.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable the Advanced Audit Policy subcategories Audit User Account Management (Event ID 4738) and Audit Directory Service Changes (Event ID 5136) on domain controllers, and forward the events. Note that 5136 is only written for objects whose SACL audits the modified attribute, so verify the auditing ACEs on the relevant OUs before relying on the 5136 path.</li>
<li>Deploy the Sigma rule &ldquo;Account Configured with Never-Expiring Password&rdquo; to your SIEM and tune for your environment.</li>
<li>Regularly review and audit accounts with the &ldquo;Don&rsquo;t Expire Password&rdquo; option enabled, and enforce the use of Group Managed Service Accounts (gMSA) where appropriate.</li>
<li>Use the PowerShell command <code>Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } -Properties PasswordNeverExpires,LastLogonDate | Format-Table SamAccountName,Enabled,PasswordNeverExpires,LastLogonDate</code> to list enabled accounts with the flag set across the domain. <code>PasswordNeverExpires</code> is not in the default property set returned by <code>Get-ADUser</code>, so request it with <code>-Properties</code> or the column will be empty in the output.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>windows</category><category>account-manipulation</category></item><item><title>Azure AD Account Created and Deleted Within a Close Time Frame</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-short-lived-account/</link><pubDate>Tue, 02 Jan 2024 15:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-short-lived-account/</guid><description>Detection of Azure Active Directory accounts that are created and deleted within a short timeframe, potentially indicating malicious activity such as privilege escalation or persistence attempts.</description><content:encoded><![CDATA[<p>The creation and immediate deletion of user accounts within Azure Active Directory can be indicative of various malicious activities. Attackers may create accounts to escalate privileges, establish persistence, or gain initial access to a system. The short lifespan of these accounts suggests an attempt to evade detection. This behavior is particularly concerning because the account disappears from the directory, and from routine user and access reviews, before anyone looks at it; the creation and deletion events themselves remain in the Azure AD audit log, which is exactly what this detection correlates. Monitoring for this activity helps defenders identify and respond to potential security breaches within their Azure environment. This technique is relevant for any organization utilizing Azure Active Directory for user management.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an Azure AD environment, potentially through compromised credentials or a phishing attack.</li>
<li>The attacker creates a new user account within the Azure AD. This can be achieved through the Azure portal, PowerShell, or the Azure CLI.</li>
<li>The attacker assigns elevated privileges to the newly created account. This might involve adding the account to privileged roles such as Global Administrator or assigning specific permissions to access sensitive resources.</li>
<li>The attacker uses the newly created account to perform malicious activities, such as accessing confidential data, modifying system configurations, or deploying malicious applications.</li>
<li>After completing the malicious tasks, the attacker removes the elevated privileges from the account to reduce the chances of detection during privilege reviews.</li>
<li>The attacker deletes the created account from Azure AD. This removes the account from directory listings and from user or access reviews, hindering investigation, although the object stays in the deleted-users container (restorable for 30 days) and the audit log keeps both the creation and the deletion.</li>
<li>The actions performed by the short-lived account may leave other traces in logs, such as access logs or activity logs related to the resources the account interacted with.</li>
<li>The attacker aims to maintain stealth and evade detection while gaining unauthorized access to resources or establishing persistence within the Azure AD environment.</li>
</ol>
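<p>The sequence above is what a correlation search has to reconstruct from the audit log. As an added Python example (not code from this brief or from the Sigma rule it cites), the snippet below pairs each &lsquo;Add user&rsquo; with a later &lsquo;Delete user&rsquo; on the same object id, checks the lifetime against a window, and attaches any role grants made in between. The records are constructed; the field names follow the Azure Monitor AuditLogs export (TimeGenerated, OperationName, InitiatedBy, TargetResources), while the Role.DisplayName modified-property layout and the 24-hour default window are assumptions rather than values taken from the rule.</p>

```python
"""Added example: correlate constructed Azure AD audit log records to find
users created and deleted within a short window, with the role changes the
account received in between attached as context."""
from datetime import datetime, timedelta

DEFAULT_WINDOW_MINUTES = 24 * 60  # assumed threshold; tune per tenant

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # Attacker creates a throwaway user, grants it Global Administrator,
    # strips the role again and deletes the user 45 minutes later.
    {"TimeGenerated": "2024-01-02T10:00:00Z", "OperationName": "Add user",
     "InitiatedBy": {"user": {"userPrincipalName": "attacker@corp.example"}},
     "TargetResources": [{"Id": "u-1001", "Type": "User",
                          "UserPrincipalName": "tmp-sync@corp.example"}]},
    {"TimeGenerated": "2024-01-02T10:02:00Z", "OperationName": "Add member to role",
     "InitiatedBy": {"user": {"userPrincipalName": "attacker@corp.example"}},
     "TargetResources": [{"Id": "u-1001", "Type": "User",
                          "ModifiedProperties": [{"DisplayName": "Role.DisplayName",
                                                  "NewValue": "\"Global Administrator\""}]}]},
    {"TimeGenerated": "2024-01-02T10:40:00Z", "OperationName": "Remove member from role",
     "InitiatedBy": {"user": {"userPrincipalName": "attacker@corp.example"}},
     "TargetResources": [{"Id": "u-1001", "Type": "User",
                          "ModifiedProperties": [{"DisplayName": "Role.DisplayName",
                                                  "OldValue": "\"Global Administrator\""}]}]},
    {"TimeGenerated": "2024-01-02T10:45:00Z", "OperationName": "Delete user",
     "InitiatedBy": {"user": {"userPrincipalName": "attacker@corp.example"}},
     "TargetResources": [{"Id": "u-1001", "Type": "User",
                          "UserPrincipalName": "tmp-sync@corp.example"}]},
    # Normal onboarding: created, never deleted.
    {"TimeGenerated": "2024-01-02T09:00:00Z", "OperationName": "Add user",
     "InitiatedBy": {"user": {"userPrincipalName": "hr-admin@corp.example"}},
     "TargetResources": [{"Id": "u-2002", "Type": "User",
                          "UserPrincipalName": "new.hire@corp.example"}]},
    # Offboarding by an app a month after creation: outside the window.
    {"TimeGenerated": "2023-12-01T09:00:00Z", "OperationName": "Add user",
     "InitiatedBy": {"user": {"userPrincipalName": "hr-admin@corp.example"}},
     "TargetResources": [{"Id": "u-3003", "Type": "User",
                          "UserPrincipalName": "contractor@corp.example"}]},
    {"TimeGenerated": "2024-01-02T12:00:00Z", "OperationName": "Delete user",
     "InitiatedBy": {"app": {"displayName": "hr-provisioning-app"}},
     "TargetResources": [{"Id": "u-3003", "Type": "User",
                          "UserPrincipalName": "contractor@corp.example"}]},
]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def actor(record):
    """InitiatedBy holds either a user or an app; report whichever is present."""
    initiated = record.get("InitiatedBy", {})
    if "user" in initiated:
        return initiated["user"].get("userPrincipalName", "unknown-user")
    if "app" in initiated:
        return initiated["app"].get("displayName", "unknown-app")
    return "unknown"


def user_targets(record):
    return [t for t in record.get("TargetResources", []) if t.get("Type") == "User"]


def role_names(record):
    """Assumed layout: the role name sits in a Role.DisplayName modified
    property on the user target, JSON-encoded (hence the stripped quotes)."""
    names = []
    for target in user_targets(record):
        for prop in target.get("ModifiedProperties", []):
            if prop.get("DisplayName") == "Role.DisplayName":
                names.append((prop.get("NewValue") or prop.get("OldValue") or "").strip('"'))
    return names


def correlate_short_lived_accounts(records, window_minutes=DEFAULT_WINDOW_MINUTES):
    """One finding per user object whose 'Add user' is followed by 'Delete user'
    within the window. Correlate on the object id rather than the UPN: a deleted
    user's UPN can be reused by a later account, the object id cannot."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(records, key=lambda r: parse_ts(r["TimeGenerated"]))
    history = {}
    for record in ordered:
        for target in user_targets(record):
            history.setdefault(target["Id"], []).append(record)
    findings = []
    for target_id, events in history.items():
        created = None
        for event in events:
            if event["OperationName"] == "Add user":
                created = event
            elif event["OperationName"] == "Delete user" and created is not None:
                lifetime = parse_ts(event["TimeGenerated"]) - parse_ts(created["TimeGenerated"])
                if lifetime <= window:
                    between = [e for e in events
                               if parse_ts(created["TimeGenerated"]) < parse_ts(e["TimeGenerated"])
                               < parse_ts(event["TimeGenerated"])]
                    findings.append({
                        "target_id": target_id,
                        "upn": user_targets(created)[0].get("UserPrincipalName"),
                        "created_by": actor(created),
                        "deleted_by": actor(event),
                        "lifetime_minutes": int(lifetime.total_seconds() // 60),
                        "roles_granted": [n for e in between
                                          if e["OperationName"] == "Add member to role"
                                          for n in role_names(e)],
                        "operations_between": [e["OperationName"] for e in between],
                    })
                created = None
    return findings


if __name__ == "__main__":
    for finding in correlate_short_lived_accounts(SAMPLE_RECORDS):
        print(finding)
```

<p>On the sample data this yields a single finding for u-1001 (lifetime 45 minutes, Global Administrator granted and removed in between, created and deleted by the same principal); the onboarding record with no deletion and the month-old contractor account removed by an app produce nothing. The window is a parameter on purpose: the attack chain above compresses the whole sequence into well under an hour, but provisioning mistakes that are corrected within a day look the same, so tune it and use the roles_granted field to rank what to look at first.</p>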
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive resources, data breaches, and system compromise. The creation and deletion of short-lived accounts can mask malicious activities, making it difficult to trace the attacker&rsquo;s actions. Organizations using Azure AD could experience data exfiltration, financial loss, and reputational damage. Detecting such activity early is critical to preventing further damage and mitigating the impact of the attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Account Created And Deleted Within A Close Time Frame&rdquo; to your SIEM and tune for your environment to detect suspicious account creation/deletion events in Azure AD audit logs.</li>
<li>Investigate any alerts generated by the Sigma rule &ldquo;Account Created And Deleted Within A Close Time Frame&rdquo; to determine the scope and impact of the potential compromise.</li>
<li>Implement multi-factor authentication (MFA) for all user accounts, especially those with elevated privileges, to reduce the risk of credential compromise (MITRE ATT&amp;CK tactic: Initial Access).</li>
<li>Regularly review Azure AD audit logs (Sigma logsource: product azure, service auditlogs) for unusual account activity, focusing on accounts created and deleted within a short timeframe and on any role assignments made to them in between.</li>
<li>When an alert fires, check the deleted-users list before the object is gone for good: deleted Azure AD users remain restorable for 30 days, and inspecting or restoring the object recovers its attributes and group memberships for the investigation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>persistence</category><category>initial-access</category><category>stealth</category><category>account-manipulation</category></item></channel></rss>