<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Adminconsent - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/adminconsent/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 02 Nov 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/adminconsent/feed.xml" rel="self" type="application/rss+xml"/><item><title>O365 Admin Consent Bypassed by Service Principal</title><link>https://feed.craftedsignal.io/briefs/2024-11-o365-admin-consent-bypass/</link><pubDate>Sat, 02 Nov 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-o365-admin-consent-bypass/</guid><description>A service principal in Office 365 Azure Active Directory assigns app roles without standard admin consent, potentially bypassing critical administrative controls and leading to unauthorized access or privilege escalation.</description><content:encoded><![CDATA[<p>This detection identifies instances where a service principal within an Office 365 Azure Active Directory environment assigns application roles without undergoing the standard administrative consent process. This activity is identified through the analysis of <code>o365_management_activity</code> logs, specifically focusing on events related to the 'Add app role assignment to service principal' operation. This bypass can lead to significant security breaches as it circumvents critical administrative controls and allows for unauthorized privilege escalation. The activity was observed in January 2024. Successful exploitation could enable attackers to assign sensitive permissions through automated processes, leading to a compromise of the environment's overall security posture.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises a service principal within the Azure Active Directory environment, potentially through credential stuffing or other means of initial access.</li>
<li>The attacker leverages the compromised service principal to initiate the &quot;Add app role assignment to service principal&quot; operation, bypassing normal admin consent workflows.</li>
<li>The attacker assigns elevated privileges or roles, such as Global Administrator or Application Administrator, to a target user or service principal.</li>
<li>The target user or service principal, now possessing elevated privileges, can access sensitive data, modify configurations, or create new accounts.</li>
<li>The attacker uses the elevated privileges to establish persistence within the environment, such as creating backdoor accounts or modifying authentication policies.</li>
<li>The attacker moves laterally to other systems or applications within the organization, leveraging the compromised Azure AD environment as a pivot point.</li>
<li>The attacker exfiltrates sensitive data, disrupts critical services, or deploys ransomware, depending on their objectives.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this bypass can lead to unauthorized access to sensitive data, modification of critical configurations, and the creation of persistent backdoors within the Office 365 environment. The Microsoft Security Response Center has published guidance related to this technique in January 2024 in response to activity by the nation-state actor Midnight Blizzard. This type of attack can affect organizations of any size that rely on Office 365 services, potentially leading to significant financial losses, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>O365 Admin Consent Bypassed by Service Principal</code> to your SIEM to detect this activity.</li>
<li>Review service principal configurations within Azure AD and ensure that appropriate consent policies are in place to prevent unauthorized role assignments.</li>
<li>Monitor <code>o365_management_activity</code> logs for events related to &quot;Add app role assignment to service principal&quot; and investigate any anomalies.</li>
<li>Implement multi-factor authentication (MFA) for all user accounts, including service principals, to reduce the risk of compromise.</li>
<li>Enforce the principle of least privilege when assigning roles and permissions to service principals.</li>
<li>Regularly audit Azure AD logs for suspicious activity patterns that may indicate a compromised service principal.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azuread</category><category>office365</category><category>serviceprincipal</category><category>adminconsent</category><category>persistence</category></item></channel></rss>