<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Applicationimpersonation - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/applicationimpersonation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/applicationimpersonation/feed.xml" rel="self" type="application/rss+xml"/><item><title>O365 ApplicationImpersonation Role Assigned</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-o365-app-impersonation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-o365-app-impersonation/</guid><description>Detection of the ApplicationImpersonation role being assigned in Office 365, potentially leading to unauthorized mailbox access and impersonation.</description><content:encoded><![CDATA[<p>The ApplicationImpersonation role in Office 365 grants extensive privileges, allowing a user or application to impersonate any other user within the organization. Assignment of this role is a sensitive event that requires careful monitoring. This activity is significant because the ApplicationImpersonation role allows impersonation of any user, enabling access to and modification of their mailbox. Attackers, such as the NOBELIUM group, can abuse this role to gain unauthorized access to sensitive information, manipulate mailbox data, and perform actions as a legitimate user. The source detection logic leverages the Office 365 Management Activity API to monitor Azure Active Directory audit logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to an account with sufficient privileges to modify Office 365 roles.</li>
<li>Privilege Escalation: The attacker attempts to assign the ApplicationImpersonation role to a compromised user account or a newly created service principal. This can be achieved via PowerShell or the Azure AD portal.</li>
<li>Role Assignment: The &quot;New-ManagementRoleAssignment&quot; operation is executed within the Office 365 environment, assigning the ApplicationImpersonation role.</li>
<li>Persistence: The attacker leverages the newly assigned ApplicationImpersonation role to maintain persistent access to the target organization's mailboxes.</li>
<li>Data Access: The attacker uses the ApplicationImpersonation role to access and exfiltrate sensitive data from mailboxes.</li>
<li>Lateral Movement: With access to user mailboxes, the attacker gathers information to facilitate lateral movement within the organization.</li>
<li>Covering Tracks: The attacker may attempt to disable logging or remove audit trails to conceal their activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to complete compromise of sensitive email data, intellectual property theft, and potential business email compromise (BEC) attacks. An attacker with the ApplicationImpersonation role can read, modify, and delete emails from any user's mailbox, leading to significant data breaches and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>O365 ApplicationImpersonation Role Assigned</code> to your SIEM and tune for your environment.</li>
<li>Review existing ApplicationImpersonation role assignments to identify and revoke any unauthorized or suspicious grants.</li>
<li>Monitor O365 management activity logs for unusual &quot;New-ManagementRoleAssignment&quot; events.</li>
<li>Investigate any alerts triggered by the detection logic, focusing on the <code>target_user</code> and <code>user</code> fields in the logs.</li>
<li>Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges.</li>
<li>Regularly audit Azure AD roles and permissions to ensure least privilege.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>cloud</category><category>o365</category><category>applicationimpersonation</category><category>persistence</category></item></channel></rss>