<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Accounttakeover - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/accounttakeover/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/accounttakeover/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure AD Service Principal Authentication Monitoring</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-ad-service-principal-auth/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-ad-service-principal-auth/</guid><description>This analytic identifies authentication events of service principals in Azure Active Directory, monitoring sign-in frequency, timing, source IPs, and accessed resources to detect potential anomalies indicative of compromised credentials or malicious activities.</description><content:encoded><![CDATA[<p>This analytic focuses on detecting suspicious authentication patterns of service principals within Azure Active Directory. Service principals are non-human identities used by applications and services to access Azure resources. Monitoring their authentication activity is crucial because compromised service principal credentials can grant attackers unauthorized access to sensitive data and services. The detection logic analyzes Azure AD sign-in logs (ServicePrincipalSignInLogs) to identify anomalies in sign-in frequency, source IP addresses, accessed resources, and other relevant attributes. Analyzing service principal authentication is vital for SOC teams as it allows them to distinguish between legitimate application behavior and potentially malicious activities, such as account takeovers. This detection is designed to work with data ingested via the Splunk Add-on for Microsoft Cloud Services.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to a service principal's credentials through credential stuffing or other means.</li>
<li>The attacker uses the compromised service principal credentials to authenticate to Azure AD.</li>
<li>The attacker leverages the authenticated service principal to access resources within the Azure environment.</li>
<li>The attacker attempts to elevate privileges by accessing resources and services that the service principal is authorized to manage.</li>
<li>The attacker compromises sensitive data by accessing storage accounts, databases, or other data repositories.</li>
<li>The attacker moves laterally within the Azure environment by using the compromised service principal to authenticate to other resources and services.</li>
<li>The attacker establishes persistence by creating new service principals or modifying existing ones.</li>
<li>The attacker exfiltrates sensitive data from the Azure environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack targeting Azure AD service principals can have severe consequences, including unauthorized access to critical resources, data breaches, and lateral movement within the Azure environment. Attackers can leverage compromised service principals to steal sensitive data, disrupt services, and escalate privileges. Depending on the scope of access, the damage could range from a targeted data breach to a widespread compromise of the entire Azure environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Azure AD Service Principal Authentication Anomaly&quot; to your SIEM and tune for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule &quot;Azure AD Service Principal Authentication Anomaly&quot; to determine if the activity is legitimate or malicious.</li>
<li>Enable Azure Active Directory Sign-in activity logging to capture the necessary data for this detection.</li>
<li>Review service principal permissions regularly to ensure that they are least-privilege and appropriate for the service's function.</li>
<li>Implement multi-factor authentication (MFA) for service principals where possible to prevent unauthorized access.</li>
<li>Monitor the <code>azure_monitor_aad</code> data source, specifically targeting &quot;Sign-in activity&quot; within ServicePrincipalSignInLogs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>azuread</category><category>serviceprincipal</category><category>accounttakeover</category></item><item><title>Azure AD Device Code Phishing Attack Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-device-code-phishing/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-device-code-phishing/</guid><description>This brief details the detection of Azure AD Device Code Phishing attacks, where attackers bypass MFA and Conditional Access Policies (CAPs) to gain unauthorized access to Azure AD resources by abusing the device code authentication protocol.</description><content:encoded><![CDATA[<p>Attackers are increasingly using Device Code Phishing to bypass Multi-Factor Authentication (MFA) and Conditional Access Policies in Azure Active Directory. This technique involves tricking users into entering a device code on a fake Microsoft login page, granting the attacker access to their accounts. This attack leverages the legitimate device code authentication flow, making it harder to detect than traditional phishing attacks. Successful device code phishing can lead to account takeover, data breaches, and unauthorized access to sensitive resources within the Azure AD environment, including Exchange mailboxes and Outlook Web Application (OWA). Defenders need to monitor for unusual device code authentication activity to mitigate the risk of these attacks. The technique abuses the OAuth 2.0 device authorization grant flow, designed for devices without a browser.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a phishing email to the target user. This email contains a link to a fake Microsoft login page.</li>
<li>The user clicks the link and is prompted to enter a code. The attacker initiates a device code authentication flow on a compromised or attacker-controlled device.</li>
<li>The attacker obtains a device code and presents it to the victim through the phishing page.</li>
<li>The user enters the device code on the fake Microsoft login page, unknowingly authorizing the attacker's device.</li>
<li>The attacker's device requests an access token from Azure AD using the device code.</li>
<li>Azure AD validates the device code and, if valid, prompts the user (via the legitimate Microsoft authentication flow, but on the attacker's device) to authenticate and grant permissions.</li>
<li>The user authenticates and grants the requested permissions, completing the device code authentication flow on the attacker's device.</li>
<li>The attacker obtains an access token and can now access the user's Azure AD resources, such as Exchange mailboxes and OWA, without needing to bypass MFA on their primary device.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful Azure AD device code phishing attacks can result in account takeovers, data breaches, and unauthorized access to sensitive resources. Attackers can gain access to Exchange mailboxes, Outlook Web Application (OWA), and other Azure AD-protected applications. The impact can range from data exfiltration and business email compromise to lateral movement within the Azure environment. This can lead to significant financial losses, reputational damage, and compliance violations. The number of victims and sectors targeted can vary, but the potential for widespread impact is high, especially in organizations with weak security awareness training.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure AD Device Code Authentication Activity</code> to detect suspicious device code authentication requests in Azure AD SignInLogs.</li>
<li>Implement enhanced security awareness training to educate users about device code phishing attacks and how to identify fake login pages.</li>
<li>Monitor Azure AD SignInLogs for unusual authentication patterns, such as device code authentications from unfamiliar locations or devices.</li>
<li>Configure Conditional Access Policies to restrict device code authentication to trusted devices and locations.</li>
<li>Review and harden Conditional Access Policies to prevent bypasses via device code authentication, referencing the Microsoft documentation on device code flows: <a href="https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code">https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code</a></li>
<li>Enable logging of Azure AD sign-in events and ensure that logs are ingested into a SIEM or security analytics platform for analysis.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azuread</category><category>devicecode</category><category>phishing</category><category>accounttakeover</category><category>credentialaccess</category></item></channel></rss>