{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/alerts/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","alerts","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers who already hold a highly privileged directory role may disable Privileged Identity Management (PIM) security alerts in Microsoft Entra ID (formerly Azure Active Directory) to weaken security monitoring and keep a low profile while escalating privileges. PIM raises alerts such as the one for roles being assigned outside of PIM; each alert can be switched off individually from the PIM alert settings in the Azure portal or through API calls, and every such change is recorded in the Entra audit log. Disabling an alert does not remove the audit trail of role assignments and activations; it only stops the notification that would otherwise draw attention to them. An attacker who succeeds can therefore abuse privileged roles without triggering immediate alarms, which makes it easier to establish persistence and move laterally, and potentially gives long-term access to and control over critical resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains access to an Entra ID account, for example through compromised credentials (T1078) or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates to a role that can change PIM alert settings, such as Privileged Role Administrator or Global Administrator, for example by abusing misconfigured role assignments or a vulnerability. Without such a role the attacker cannot disable the alerts at all.\u003c/li\u003e\n\u003cli\u003ePIM Access: The attacker opens the Privileged Identity Management service in the portal or through the API.\u003c/li\u003e\n\u003cli\u003eAlert Configuration Discovery: The attacker enumerates the PIM alert settings to identify which alerts are enabled and would flag the planned activity.\u003c/li\u003e\n\u003cli\u003eAlert Modification: The attacker sets those alerts to disabled, either through the Azure portal or via API calls. Each change is written to the Entra audit log, which is the activity the Sigma rule in the Recommendation section matches on.\u003c/li\u003e\n\u003cli\u003ePersistence: With the alerts disabled, the attacker assigns privileged roles to their own or a controlled account without the PIM notifications that would otherwise flag the assignments.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the newly acquired roles to reach sensitive resources and data across the tenant and its Azure subscriptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling PIM alerts significantly reduces an organization\u0026rsquo;s visibility into privileged access activity. Detection of malicious role assignments is delayed, which lets the attacker maintain a persistent presence, escalate privileges further and exfiltrate sensitive data without triggering alarms. The consequences include data breaches, financial loss and reputational damage. Because the audit log itself is unaffected, the activity remains discoverable after the fact, but only if someone is actively reviewing the log rather than waiting for PIM notifications; the missing alerts hinder incident response and prolong the attack, compounding the damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect instances where PIM alerts are disabled by monitoring \u003ccode\u003eauditlogs\u003c/code\u003e for \u003ccode\u003eproperties.message: Disable PIM Alert\u003c/code\u003e. Treat every match as high severity: legitimately disabling a PIM alert should be rare and tied to a change ticket.\u003c/li\u003e\n\u003cli\u003eRegularly review PIM alert configurations to ensure critical alerts are enabled and properly configured, and keep the roles that can change them (Privileged Role Administrator and Global Administrator) limited to a handful of eligible, not permanently active, assignments.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate initial access (T1078).\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege, using eligible assignments with just-in-time activation rather than permanent active assignments, to limit the damage a compromised account can do.\u003c/li\u003e\n\u003cli\u003eMonitor the Entra audit log for PIM configuration changes and, independently of PIM alerts, for role assignment and activation events (the RoleManagement category), so that silencing the alerts does not silence detection. Classify the alert-disabling itself under Impair Defenses (T1562).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-pim-alerts-disabled/","summary":"An adversary disables Privileged Identity Management (PIM) alerts in Microsoft Entra ID to evade detection and maintain persistent access with escalated privileges.","title":"Privileged Identity Management (PIM) Alerting Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-pim-alerts-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Alerts","version":"https://jsonfeed.org/version/1.1"}
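The detection recommended in the brief (the Sigma clause `properties.message: Disable PIM Alert` over the audit log), together with its consequence that role assignments still land in the audit log after the alert is silenced, as an added worked example that is not part of the feed entry and is not code from Microsoft or the Sigma project. It assumes audit records in the nested shape of an Azure Monitor diagnostic export of Entra audit logs (`properties.message`, `properties.category`, `properties.initiatedBy.user.userPrincipalName`); the NDJSON sample is constructed, and the activity names other than `Disable PIM Alert` are illustrative.

```python
"""Run the brief's PIM-alert-disabled detection over a constructed audit log export.

Added example; not code from the feed, Microsoft or the Sigma project. The record
shape (properties.message / properties.category / properties.initiatedBy) is an
assumption modelled on the Azure Monitor diagnostic export of Entra audit logs.
"""
import json
from datetime import datetime, timedelta

# Constructed sample export (NDJSON, one audit record per line). Not real tenant
# data. Activity names other than "Disable PIM Alert" are illustrative.
SAMPLE_NDJSON = """
{"time": "2024-01-03T09:58:10Z", "properties": {"message": "Add member to role", "category": "RoleManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}}}
{"time": "2024-01-03T10:01:42Z", "properties": {"message": "Disable PIM Alert", "category": "RoleManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}}}}
{"time": "2024-01-03T10:01:55Z", "properties": {"message": "disable pim alert", "category": "RoleManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}}}}
{"time": "2024-01-03T10:03:30Z", "properties": {"message": "Add member to role", "category": "RoleManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}}}}
{"time": "2024-01-03T10:20:00Z", "properties": {"message": "Update user", "category": "UserManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}}}}
"""

PIM_ALERT_DISABLED = "disable pim alert"  # Sigma string matching is case-insensitive


def parse_records(ndjson: str) -> list[dict]:
    """Parse NDJSON into a list of audit records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def record_time(rec: dict) -> datetime:
    """ISO-8601 timestamp with trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))


def actor(rec: dict) -> str:
    """Who performed the operation: a user UPN, else an app display name, else 'unknown'."""
    initiated_by = rec.get("properties", {}).get("initiatedBy", {})
    user = initiated_by.get("user", {}).get("userPrincipalName")
    app = initiated_by.get("app", {}).get("displayName")
    return user or app or "unknown"


def activity(rec: dict) -> str:
    """The audit activity name the Sigma rule keys on (properties.message)."""
    return rec.get("properties", {}).get("message", "")


def match_pim_alert_disabled(records: list[dict]) -> list[dict]:
    """The Sigma clause from the brief: properties.message equals 'Disable PIM Alert'."""
    return [r for r in records if activity(r).casefold() == PIM_ALERT_DISABLED]


def correlate_role_changes(records: list[dict], window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Role-management activity by an actor within `window` after that actor first
    disabled a PIM alert. Disabling the alert stops the notification, not the audit
    record, so the follow-on role assignment is still visible in the same log."""
    first_disable: dict[str, datetime] = {}
    for d in match_pim_alert_disabled(records):
        who, when = actor(d), record_time(d)
        if who not in first_disable or when < first_disable[who]:
            first_disable[who] = when

    hits = []
    for r in records:
        who = actor(r)
        if who not in first_disable:
            continue
        props = r.get("properties", {})
        if props.get("category") != "RoleManagement" or activity(r).casefold() == PIM_ALERT_DISABLED:
            continue
        t0, t = first_disable[who], record_time(r)
        if t0 <= t <= t0 + window:
            hits.append({"actor": who, "alert_disabled_at": t0.isoformat(),
                         "role_change_at": t.isoformat(), "activity": activity(r)})
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_NDJSON)
    for r in match_pim_alert_disabled(recs):
        print(f"[HIGH] PIM alert disabled by {actor(r)} at {r['time']}")
    for h in correlate_role_changes(recs):
        print(f"[HIGH] {h['actor']} changed roles ({h['activity']}) at {h['role_change_at']} "
              f"after disabling a PIM alert at {h['alert_disabled_at']}")
```

On the sample, the first function fires twice for `jdoe@contoso.example` (the lowercase variant matches because Sigma string comparison is case-insensitive), and the correlation flags the role assignment that same account makes two minutes later; the earlier assignment by `admin@contoso.example` is not flagged because that account never disabled an alert. In a SIEM the second check would be a join on the audit log by actor and time window, which is the part a silenced PIM alert cannot hide.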