{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/adminconsent/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365","Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","office365","serviceprincipal","adminconsent","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies instances where a service principal within an Office 365 Azure Active Directory environment assigns application roles without undergoing the standard administrative consent process. This activity is identified through the analysis of \u003ccode\u003eo365_management_activity\u003c/code\u003e logs, specifically focusing on events related to the 'Add app role assignment to service principal' operation. This bypass can lead to significant security breaches as it circumvents critical administrative controls and allows for unauthorized privilege escalation. The activity was observed in January 2024. Successful exploitation could enable attackers to assign sensitive permissions through automated processes, leading to a compromise of the environment's overall security posture.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a service principal within the Azure Active Directory environment, potentially through credential stuffing or other means of initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised service principal to initiate the \u0026quot;Add app role assignment to service principal\u0026quot; operation, bypassing normal admin consent workflows.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns elevated privileges or roles, such as Global Administrator or Application Administrator, to a target user or service principal.\u003c/li\u003e\n\u003cli\u003eThe target user or service principal, now possessing elevated privileges, can access sensitive data, modify configurations, or create new accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to establish persistence within the environment, such as creating backdoor accounts or modifying authentication policies.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems or applications within the organization, leveraging the compromised Azure AD environment as a pivot point.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data, disrupts critical services, or deploys ransomware, depending on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this bypass can lead to unauthorized access to sensitive data, modification of critical configurations, and the creation of persistent backdoors within the Office 365 environment. The Microsoft Security Response Center has published guidance related to this technique in January 2024 in response to activity by the nation-state actor Midnight Blizzard. This type of attack can affect organizations of any size that rely on Office 365 services, potentially leading to significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eO365 Admin Consent Bypassed by Service Principal\u003c/code\u003e to your SIEM to detect this activity.\u003c/li\u003e\n\u003cli\u003eReview service principal configurations within Azure AD and ensure that appropriate consent policies are in place to prevent unauthorized role assignments.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eo365_management_activity\u003c/code\u003e logs for events related to \u0026quot;Add app role assignment to service principal\u0026quot; and investigate any anomalies.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, including service principals, to reduce the risk of compromise.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege when assigning roles and permissions to service principals.\u003c/li\u003e\n\u003cli\u003eRegularly audit Azure AD logs for suspicious activity patterns that may indicate a compromised service principal.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-o365-admin-consent-bypass/","summary":"A service principal in Office 365 Azure Active Directory assigns app roles without standard admin consent, potentially bypassing critical administrative controls and leading to unauthorized access or privilege escalation.","title":"O365 Admin Consent Bypassed by Service Principal","url":"https://feed.craftedsignal.io/briefs/2024-11-o365-admin-consent-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Adminconsent","version":"https://jsonfeed.org/version/1.1"}