{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/application/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","appid","uri","application","serviceprincipal","credential-access","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may modify the AppID URI of an application in Azure to facilitate various malicious activities, including gaining unauthorized access, establishing persistence, accessing credentials, escalating privileges, or maintaining stealth within the environment. The AppID URI serves as a unique identifier for an application within the Azure Active Directory (Azure AD) ecosystem. Changes to this URI could indicate that an attacker is attempting to impersonate a legitimate application or service, potentially bypassing security controls and gaining elevated access. Monitoring for these changes is crucial for defenders to identify and respond to potentially malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available applications and service principals within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target application with a high-value AppID URI.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the AppID URI of the target application, potentially to impersonate another service or application (T1552).\u003c/li\u003e\n\u003cli\u003eThis change might be done to allow the attacker to request tokens for that application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified AppID URI to request access tokens, potentially gaining unauthorized access to resources (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the acquired access tokens to move laterally within the Azure environment and access sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by using the modified application for continued unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of an AppID URI can lead to significant security breaches, including unauthorized access to sensitive data, privilege escalation, and persistent compromise of the Azure environment. An attacker can impersonate legitimate applications, bypassing security controls and potentially affecting numerous resources and users. The scope of the impact depends on the permissions and access levels associated with the compromised application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Application AppID Uri Configuration Changes\u0026rdquo; to your SIEM to detect unauthorized modifications to AppID URIs (rule provided below).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the AppID URI changes.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit application permissions and configurations to identify and remediate any misconfigurations.\u003c/li\u003e\n\u003cli\u003eMonitor Azure audit logs for other suspicious activities related to application and service principal management.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:24:00Z","date_published":"2024-01-03T17:24:00Z","id":"/briefs/2024-01-azure-appid-uri-change/","summary":"Detection of configuration changes to an application's AppID URI in Azure, potentially indicating malicious activity related to initial access, persistence, credential access, privilege escalation, or stealth.","title":"Detect Application AppID URI Configuration Changes in Azure","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-appid-uri-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","application","deletion","impact","t1489"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying instances where an application is deleted within an Azure environment. While legitimate application deletions occur as part of IT administration, malicious actors might delete applications to disrupt services, remove evidence of their presence, or prepare for a larger attack by removing security controls or access points. This activity is logged within Azure Activity Logs and includes events such as \u0026ldquo;Delete application\u0026rdquo; and \u0026ldquo;Hard Delete application\u0026rdquo;. Monitoring these events can provide early warning of potential security incidents or compliance violations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to an Azure account, potentially through compromised credentials or exploiting a vulnerability in an application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker escalates their privileges within the Azure environment to gain sufficient permissions to manage and delete applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies target applications for deletion, potentially those critical for business operations or those used for security controls.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable Monitoring (Optional):\u003c/strong\u003e The attacker attempts to disable logging or monitoring related to application management to avoid detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Deletion:\u003c/strong\u003e The attacker initiates the deletion of the targeted application using the Azure portal, Azure CLI, or PowerShell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfirmation/Hard Delete:\u003c/strong\u003e Depending on the application\u0026rsquo;s configuration and Azure policies, the attacker may need to confirm the deletion or perform a \u0026ldquo;hard delete\u0026rdquo; to permanently remove the application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCover Tracks:\u003c/strong\u003e The attacker attempts to remove any remaining logs or traces of their activity to hinder forensic investigation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e Service disruption or data loss due to the deleted application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of an Azure application can lead to significant service disruption, data loss, and potential financial damages. The impact depends on the criticality of the deleted application and the organization\u0026rsquo;s disaster recovery capabilities. Successful deletion can interrupt business processes, impacting both internal users and external customers. It may also lead to reputational damage and compliance violations if the application handled sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect application deletion events in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions in Azure Active Directory (Entra ID) and enforce the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eEnable auditing and logging for all Azure resources, including application management activities.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected application deletion events promptly to determine the root cause and potential impact.\u003c/li\u003e\n\u003cli\u003eEstablish a process for reviewing and approving application deletion requests to prevent accidental or malicious deletions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:27:00Z","date_published":"2024-01-03T15:27:00Z","id":"/briefs/2024-01-azure-app-deletion/","summary":"This alert identifies when an application is deleted within an Azure environment, which could indicate malicious activity or unintended misconfiguration leading to service disruption.","title":"Detection of Azure Application Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-app-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["cloud","azure","application","uri","modification","persistence","credential-access","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may modify application URIs within Azure Active Directory to redirect users or applications to malicious resources, obtain unauthorized access, or establish persistence. The modification of an application\u0026rsquo;s URI can be a subtle but effective technique for gaining a foothold in an environment. By manipulating the URI settings, attackers can redirect traffic to attacker-controlled servers, intercept credentials, or perform other malicious actions. This activity is often difficult to detect because it can blend in with legitimate administrative tasks. Investigation is merited if URIs for domain names no longer exist, are not using HTTPS, have wildcards at the end of the domain, are not unique to that app, or point to domains that the organization does not control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure account with sufficient privileges to modify application registrations.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Azure Active Directory portal.\u003c/li\u003e\n\u003cli\u003eThe attacker locates a target application registration.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the application\u0026rsquo;s URI settings, such as the reply URLs or identifier URIs.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the URI to point to a malicious server or a phishing page.\u003c/li\u003e\n\u003cli\u003eUsers or applications are redirected to the malicious URI when attempting to authenticate or access the application.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts credentials or performs other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by maintaining control over the application\u0026rsquo;s URI settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to credential theft, data breaches, or unauthorized access to sensitive resources. By compromising application URIs, attackers can redirect users to phishing pages, intercept credentials, or gain a foothold in the environment for further exploitation. This activity can be difficult to detect and can have a significant impact on the organization\u0026rsquo;s security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eApplication URI Configuration Changes\u003c/code\u003e to your SIEM to detect suspicious modifications to application URIs in Azure Audit Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eApplication URI Configuration Changes\u003c/code\u003e to determine if the URI modification is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Audit Logs for any changes to application URI settings (as indicated by \u003ccode\u003eproperties.message: Update Application Sucess- Property Name AppAddress\u003c/code\u003e) and validate the legitimacy of the changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:21:00Z","date_published":"2024-01-03T14:21:00Z","id":"/briefs/2024-01-03-azure-app-uri-modification/","summary":"Detection of Azure application URI modifications that can be indicative of malicious activity, such as using dangling URIs, non-HTTPS URIs, wildcard domains, or URIs pointing to uncontrolled domains, potentially leading to initial access, stealth, persistence, credential access, and privilege escalation.","title":"Azure Application URI Configuration Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-app-uri-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Application","version":"https://jsonfeed.org/version/1.1"}