{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/accounttakeover/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","azuread","serviceprincipal","accounttakeover"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis analytic focuses on detecting suspicious authentication patterns of service principals within Azure Active Directory. Service principals are non-human identities used by applications and services to access Azure resources. Monitoring their authentication activity is crucial because compromised service principal credentials can grant attackers unauthorized access to sensitive data and services. The detection logic analyzes Azure AD sign-in logs (ServicePrincipalSignInLogs) to identify anomalies in sign-in frequency, source IP addresses, accessed resources, and other relevant attributes. Analyzing service principal authentication is vital for SOC teams as it allows them to distinguish between legitimate application behavior and potentially malicious activities, such as account takeovers. This detection is designed to work with data ingested via the Splunk Add-on for Microsoft Cloud Services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a service principal's credentials through credential stuffing or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised service principal credentials to authenticate to Azure AD.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the authenticated service principal to access resources within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to elevate privileges by accessing resources and services that the service principal is authorized to manage.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises sensitive data by accessing storage accounts, databases, or other data repositories.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the Azure environment by using the compromised service principal to authenticate to other resources and services.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating new service principals or modifying existing ones.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the Azure environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack targeting Azure AD service principals can have severe consequences, including unauthorized access to critical resources, data breaches, and lateral movement within the Azure environment. Attackers can leverage compromised service principals to steal sensitive data, disrupt services, and escalate privileges. Depending on the scope of access, the damage could range from a targeted data breach to a widespread compromise of the entire Azure environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure AD Service Principal Authentication Anomaly\u0026quot; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026quot;Azure AD Service Principal Authentication Anomaly\u0026quot; to determine if the activity is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eEnable Azure Active Directory Sign-in activity logging to capture the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eReview service principal permissions regularly to ensure that they are least-privilege and appropriate for the service's function.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for service principals where possible to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eazure_monitor_aad\u003c/code\u003e data source, specifically targeting \u0026quot;Sign-in activity\u0026quot; within ServicePrincipalSignInLogs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-ad-service-principal-auth/","summary":"This analytic identifies authentication events of service principals in Azure Active Directory, monitoring sign-in frequency, timing, source IPs, and accessed resources to detect potential anomalies indicative of compromised credentials or malicious activities.","title":"Azure AD Service Principal Authentication Monitoring","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-ad-service-principal-auth/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory","Exchange","Outlook Web Application"],"_cs_severities":["high"],"_cs_tags":["azuread","devicecode","phishing","accounttakeover","credentialaccess"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly using Device Code Phishing to bypass Multi-Factor Authentication (MFA) and Conditional Access Policies in Azure Active Directory. This technique involves tricking users into entering a device code on a fake Microsoft login page, granting the attacker access to their accounts. This attack leverages the legitimate device code authentication flow, making it harder to detect than traditional phishing attacks. Successful device code phishing can lead to account takeover, data breaches, and unauthorized access to sensitive resources within the Azure AD environment, including Exchange mailboxes and Outlook Web Application (OWA). Defenders need to monitor for unusual device code authentication activity to mitigate the risk of these attacks. The technique abuses the OAuth 2.0 device authorization grant flow, designed for devices without a browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a phishing email to the target user. This email contains a link to a fake Microsoft login page.\u003c/li\u003e\n\u003cli\u003eThe user clicks the link and is prompted to enter a code. The attacker initiates a device code authentication flow on a compromised or attacker-controlled device.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a device code and presents it to the victim through the phishing page.\u003c/li\u003e\n\u003cli\u003eThe user enters the device code on the fake Microsoft login page, unknowingly authorizing the attacker's device.\u003c/li\u003e\n\u003cli\u003eThe attacker's device requests an access token from Azure AD using the device code.\u003c/li\u003e\n\u003cli\u003eAzure AD validates the device code and, if valid, prompts the user (via the legitimate Microsoft authentication flow, but on the attacker's device) to authenticate and grant permissions.\u003c/li\u003e\n\u003cli\u003eThe user authenticates and grants the requested permissions, completing the device code authentication flow on the attacker's device.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains an access token and can now access the user's Azure AD resources, such as Exchange mailboxes and OWA, without needing to bypass MFA on their primary device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Azure AD device code phishing attacks can result in account takeovers, data breaches, and unauthorized access to sensitive resources. Attackers can gain access to Exchange mailboxes, Outlook Web Application (OWA), and other Azure AD-protected applications. The impact can range from data exfiltration and business email compromise to lateral movement within the Azure environment. This can lead to significant financial losses, reputational damage, and compliance violations. The number of victims and sectors targeted can vary, but the potential for widespread impact is high, especially in organizations with weak security awareness training.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure AD Device Code Authentication Activity\u003c/code\u003e to detect suspicious device code authentication requests in Azure AD SignInLogs.\u003c/li\u003e\n\u003cli\u003eImplement enhanced security awareness training to educate users about device code phishing attacks and how to identify fake login pages.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD SignInLogs for unusual authentication patterns, such as device code authentications from unfamiliar locations or devices.\u003c/li\u003e\n\u003cli\u003eConfigure Conditional Access Policies to restrict device code authentication to trusted devices and locations.\u003c/li\u003e\n\u003cli\u003eReview and harden Conditional Access Policies to prevent bypasses via device code authentication, referencing the Microsoft documentation on device code flows: \u003ca href=\"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code\"\u003ehttps://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eEnable logging of Azure AD sign-in events and ensure that logs are ingested into a SIEM or security analytics platform for analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-device-code-phishing/","summary":"This brief details the detection of Azure AD Device Code Phishing attacks, where attackers bypass MFA and Conditional Access Policies (CAPs) to gain unauthorized access to Azure AD resources by abusing the device code authentication protocol.","title":"Azure AD Device Code Phishing Attack Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-device-code-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed - Accounttakeover","version":"https://jsonfeed.org/version/1.1"}