{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/admin-consent/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory","Microsoft Entra ID"],"_cs_severities":["high"],"_cs_tags":["azuread","admin-consent","service-principal","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat focuses on the bypass of admin consent processes in Azure Active Directory (Azure AD) by service principals. Attackers can exploit service principals to assign application roles without undergoing the standard admin consent workflow. This activity is detected via Entra ID logs, specifically monitoring the \u0026quot;Add app role assignment to service principal\u0026quot; operation. While legitimate automation use cases exist, unauthorized assignment of sensitive permissions can severely compromise the security of the Azure AD environment. The observed activity allows attackers to automate the granting of permissions, bypassing security controls and potentially leading to privilege escalation or data exfiltration. This technique is particularly relevant given the increasing reliance on service principals for automation within cloud environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains control of a service principal, either through compromised credentials or a misconfigured application.\u003c/li\u003e\n\u003cli\u003eThe compromised service principal is used to interact with the Azure AD Graph API or Microsoft Graph API.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts API requests to add app role assignments to other service principals or user accounts.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eoperationName\u003c/code\u003e is logged as \u0026quot;Add app role assignment to service principal\u0026quot; within the Azure AD audit logs.\u003c/li\u003e\n\u003cli\u003eThe API requests specify the \u003ccode\u003eroleId\u003c/code\u003e and \u003ccode\u003eprincipalId\u003c/code\u003e for the desired permission assignment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the automation capabilities of the service principal to rapidly assign multiple roles.\u003c/li\u003e\n\u003cli\u003eThe targeted service principals or user accounts gain elevated privileges within the Azure AD environment.\u003c/li\u003e\n\u003cli\u003eWith elevated privileges, the attacker can access sensitive data, modify configurations, or create new administrative accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to a significant compromise of the Azure AD environment. Attackers can escalate privileges, gain unauthorized access to sensitive data, and potentially disrupt business operations. The automated nature of service principal-based attacks allows for rapid and widespread privilege escalation, impacting multiple users and resources. This can lead to data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect instances where a service principal assigns app roles without admin consent, focusing on the \u003ccode\u003eazure_monitor_aad\u003c/code\u003e data source (Sigma rule).\u003c/li\u003e\n\u003cli\u003eReview and audit existing service principal configurations to identify potentially overly permissive roles and access rights.\u003c/li\u003e\n\u003cli\u003eImplement stricter controls and monitoring for service principal activities, including logging and alerting on unusual role assignments.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the provided Sigma rule, focusing on the \u003ccode\u003esrc_user\u003c/code\u003e, \u003ccode\u003euser\u003c/code\u003e, \u003ccode\u003eroleId\u003c/code\u003e, and \u003ccode\u003eroleValue\u003c/code\u003e fields to determine the scope and impact of the activity.\u003c/li\u003e\n\u003cli\u003eFilter known legitimate service principal activity in the Sigma rule to reduce false positives, based on your organization's specific automation practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-admin-consent-bypass/","summary":"A service principal in Azure Active Directory is assigning app roles without standard admin consent, potentially leading to unauthorized privilege escalation by exploiting automation to assign sensitive permissions without proper oversight.","title":"Azure AD Admin Consent Bypassed by Service Principal","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-admin-consent-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Admin-Consent","version":"https://jsonfeed.org/version/1.1"}