Attack.credential-Access — CraftedSignal Threat Feed

Unauthorized Modification of Azure Conditional Access Policy

hello@craftedsignal.io — Wed, 29 May 2024 12:00:00 +0000

Compromised or malicious actors may attempt to modify Azure Conditional Access (CA) policies to weaken security controls, elevate privileges, or establish persistence within the Azure environment. Conditional Access policies are critical for enforcing organizational security standards, and unauthorized changes can have significant security implications. This activity is detected through Azure Audit Logs by monitoring for “Update conditional access policy” events. Defenders should investigate any modifications to Conditional Access policies to ensure they are legitimate and align with security best practices. Detecting and responding to unauthorized CA policy modifications is crucial for maintaining the integrity and security of the Azure environment.

Attack Chain

Initial Access: The attacker gains initial access through compromised credentials or other means (not specified in source).
Privilege Escalation: The attacker leverages existing privileges or exploits vulnerabilities to gain sufficient permissions to modify Conditional Access policies (e.g., through a compromised Global Administrator account).
Policy Enumeration: The attacker enumerates existing Conditional Access policies to identify targets for modification using tools like Azure PowerShell or the Azure portal.
Policy Modification: The attacker modifies a Conditional Access policy, for example, by weakening MFA requirements, excluding specific users or groups from the policy, or disabling the policy altogether.
Persistence: By weakening or disabling Conditional Access policies, the attacker establishes a persistent foothold in the environment, allowing them to bypass security controls and maintain unauthorized access.
Credential Access: With weakened MFA or other access controls, the attacker gains easier access to sensitive credentials.
Defense Impairment: The modification of CA policies impairs the organization’s defense mechanisms, making it easier for the attacker to perform malicious activities undetected.

Impact

Successful modification of Conditional Access policies can lead to significant security breaches, including unauthorized access to sensitive data, privilege escalation, and persistent compromise of the Azure environment. The number of affected users and resources depends on the scope of the modified policies. Organizations may experience data loss, financial losses, and reputational damage.

Recommendation

Deploy the “CA Policy Updated by Non Approved Actor” Sigma rule to your SIEM to detect unauthorized modifications to Conditional Access policies within your Azure environment.
Review the properties.message field in the Azure Audit Logs for “Update conditional access policy” events and compare “old” vs “new” values to understand the nature of the changes.
Implement strict role-based access control (RBAC) to limit the number of users who can modify Conditional Access policies.
Investigate any alerts generated by the Sigma rule and verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
Enable multi-factor authentication (MFA) for all users, especially those with administrative privileges, to reduce the risk of credential compromise (related to attack.credential-access tag).

Azure AD Root Certificate Authority Added for Passwordless Authentication

hello@craftedsignal.io — Wed, 08 May 2024 18:22:00 +0000

The addition of a new root certificate authority (CA) in Azure Active Directory (Azure AD) to support certificate-based authentication (CBA) can be a sign of malicious activity. While CBA offers passwordless authentication benefits, attackers can abuse it to establish persistent access, escalate privileges, or evade detection. An attacker with sufficient privileges in the Azure AD tenant can add a rogue CA, enabling them to authenticate as any user within the directory, even without their password. This bypasses multi-factor authentication (MFA) and grants unauthorized access to sensitive resources and data. Defenders should monitor Azure AD audit logs for unexpected modifications to the TrustedCAsForPasswordlessAuth setting, as this could indicate a compromised administrator account or an insider threat attempting to establish a backdoor.

Attack Chain

Compromise an Azure AD administrator account with sufficient privileges to modify tenant-wide settings. This may be achieved through phishing, credential stuffing, or exploiting vulnerabilities.
The attacker authenticates to the Azure portal or uses PowerShell cmdlets to interact with Azure AD.
The attacker executes commands to add a new, attacker-controlled root certificate authority to the TrustedCAsForPasswordlessAuth setting. This involves modifying the Company Information object.
The attacker generates or obtains a certificate signed by the newly added root CA.
The attacker uses the certificate to authenticate to Azure AD as a targeted user, bypassing password requirements and multi-factor authentication.
The attacker gains access to the targeted user’s resources, such as email, files, and applications.
The attacker escalates privileges within the Azure AD tenant by impersonating highly privileged users or roles.
The attacker maintains persistent access to the Azure AD tenant, even if the compromised administrator account is remediated.

Impact

A successful attack can lead to complete compromise of the Azure AD tenant, including access to sensitive data, applications, and resources. Attackers can use the compromised tenant to move laterally to other systems, exfiltrate data, or disrupt business operations. The number of potential victims is dependent on the size of the Azure AD tenant. Organizations across all sectors are at risk, especially those heavily reliant on Azure AD for identity and access management.

Recommendation

Deploy the Sigma rule “New Root Certificate Authority Added” to your SIEM to detect unauthorized modifications to the TrustedCAsForPasswordlessAuth setting (rule).
Review Azure AD audit logs regularly for suspicious activity related to the “Set Company Information” operation (logsource).
Implement multi-factor authentication (MFA) for all Azure AD accounts, including administrators, but understand that CBA can bypass it.
Enforce the principle of least privilege and restrict the number of accounts with permissions to modify tenant-wide settings.
Monitor for the use of certificates signed by unknown or untrusted CAs to authenticate to Azure AD.
Consult the SpecterOps and Goodworkaround articles for more information on certificate-based authentication abuse in Azure AD (references).

Okta Password Entered in AlternateID Field

hello@craftedsignal.io — Thu, 29 Feb 2024 12:00:00 +0000

Okta, a leading identity and access management provider, retains login attempt data in its system logs. This data can be valuable for security monitoring and incident response. However, a misconfiguration or user error can lead to sensitive information, such as passwords, being inadvertently captured within these logs. Specifically, if a user mistakenly enters their password in the username field (referred to as ‘alternateId’ in Okta logs) during a failed login attempt, the password may be stored in plain text within the log entry. This exposes the password to anyone with access to Okta system logs. This issue was highlighted in a Mitiga blog post, underscoring the risk to user data. Defenders must implement measures to detect and prevent such occurrences to maintain the confidentiality of user credentials and the overall security posture.

Attack Chain

User attempts to log in to an Okta-protected application.
The user mistakenly enters their password in the username (alternateId) field.
The Okta authentication process fails due to incorrect credentials.
Okta logs the failed login attempt, including the ‘core.user_auth.login_failed’ event.
The password, entered in the alternateId field, is recorded in the Okta system log.
An attacker gains unauthorized access to Okta system logs, potentially through compromised credentials or a misconfigured integration.
The attacker searches for ‘core.user_auth.login_failed’ events and examines the ‘actor.alternateId’ field.
The attacker discovers exposed passwords within the ‘actor.alternateId’ field, potentially enabling account takeover or further lateral movement.

Impact

A successful attack exploiting this vulnerability could lead to widespread credential compromise. The number of potentially affected users depends on how frequently users make this mistake and the duration for which logs are retained. Sectors heavily reliant on Okta for authentication, such as technology, finance, and healthcare, are particularly at risk. If passwords are leaked, attackers can gain unauthorized access to sensitive data, applications, and systems, leading to data breaches, financial loss, and reputational damage.

Recommendation

Deploy the provided Sigma rule “Okta Password Entered in AlternateID Field” to your SIEM to detect instances of passwords potentially being logged in the actor.alternateId field.
Review and adjust the regular expression in the Sigma rule’s filter_main section to align with the specific character restrictions in your Okta username configuration.
Implement stricter input validation on Okta login pages to prevent users from entering passwords in the username field.
Regularly audit Okta system logs for sensitive information and enforce least privilege access to log data.
Educate users about the proper use of login forms to reduce the likelihood of entering passwords in the username field.
Implement multi-factor authentication (MFA) to mitigate the impact of compromised passwords, as referenced in security best practices.

Cisco 802.1X (dot1x) Disabled on Network Interface

hello@craftedsignal.io — Wed, 03 Jan 2024 18:23:00 +0000

The disabling of 802.1X authentication on a Cisco network device can bypass Network Access Control (NAC) mechanisms, potentially granting unauthorized devices access to the internal network. Attackers or malicious insiders might disable dot1x to establish persistence or facilitate lateral movement by connecting rogue devices to the network. This can be accomplished through CLI commands such as ‘access-session port-control force-authorized’ or ’no dot1x system-auth-control’, depending on the IOS version. These commands either disable 802.1X on a specific interface or globally across the device. The targeted scope is Cisco network devices utilizing 802.1X for network access control.

Attack Chain

Attacker gains privileged access to a Cisco network device via compromised credentials or exploiting a vulnerability.
Attacker executes CLI commands to disable 802.1X authentication on a specific interface or globally.
Commands used may include ‘access-session port-control force-authorized’, ‘authentication port-control force-authorized’, ‘dot1x port-control force-authorized’, ’no access-session port-control’, ’no authentication port-control’, ’no dot1x port-control’, or ’no dot1x system-auth-control’.
The network interface transitions to a force-authorized state, bypassing the normal authentication process.
An unauthorized device is connected to the compromised network interface.
The unauthorized device gains network access without proper authentication or authorization.
The attacker leverages the unauthorized access for lateral movement to other systems on the network.
The attacker exfiltrates sensitive data or deploys malicious payloads across the network.

Impact

Successful disabling of dot1x can lead to unauthorized network access, allowing attackers to bypass security controls. This can result in the compromise of sensitive data, the spread of malware, and the disruption of network services. The number of affected devices and the scope of the compromise depend on the network architecture and the attacker’s objectives. The impact could range from a single compromised workstation to a full-scale network breach affecting thousands of devices and users.

Recommendation

Deploy the Sigma rule Cisco Dot1x Disabled to your SIEM to detect the execution of commands that disable 802.1X authentication.
Monitor Cisco AAA logs for events containing keywords such as ‘access-session port-control force-authorized’ and ’no dot1x system-auth-control’ to identify potential attempts to disable dot1x.
Implement multi-factor authentication (MFA) for all administrative access to Cisco network devices to prevent unauthorized command execution.
Regularly review and audit the configuration of Cisco network devices to ensure that 802.1X is enabled and properly configured on all relevant interfaces.

User Added to Group with Conditional Access Policy Modification Access

hello@craftedsignal.io — Wed, 03 Jan 2024 18:22:00 +0000

This activity involves the addition of a user to an Azure Active Directory group that possesses the ability to modify Conditional Access (CA) policies. Conditional Access policies are used to enforce authentication requirements based on various conditions (user, location, device, etc.). If an attacker gains the ability to modify these policies, they can weaken security controls to facilitate privilege escalation, credential access, persistence within the environment, and impair defenses. This type of attack can be initiated by an insider threat or external compromise of an account. The goal is to manipulate CA policies to bypass multi-factor authentication, grant unauthorized access, or maintain persistence.

Attack Chain

The attacker gains initial access to a user account or service principal with sufficient privileges to manage group memberships in Azure AD. This could be achieved through credential compromise or other initial access vectors.
The attacker identifies a target Azure AD group that has permissions to manage Conditional Access policies. These groups are often used to delegate administrative control over CA policies.
The attacker uses the Azure portal, PowerShell, or the Azure AD Graph API/Microsoft Graph API to add a malicious user account to the target group.
The Azure Audit Logs record the “Add member from group” event, indicating the change in group membership.
The newly added malicious user inherits the group’s permissions, which includes the ability to view, create, modify, and delete Conditional Access policies.
The attacker modifies existing CA policies to weaken security controls. For example, they might exclude themselves from MFA requirements or grant access to sensitive resources without proper authorization.
The attacker leverages their modified CA policies to gain unauthorized access to sensitive data or resources.
The attacker establishes persistence by creating new CA policies that ensure their continued access, even if their initial access is revoked.

Impact

Successful exploitation of this attack chain can lead to significant compromise of an organization’s Azure environment. Attackers can bypass MFA, gain access to sensitive resources, establish persistent access, and impair security defenses. The extent of the damage depends on the permissions associated with the compromised group and the scope of the modified Conditional Access policies. This can lead to data breaches, financial loss, and reputational damage.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect additions of users to groups with CA policy modification access and tune for your environment.
Regularly review and audit Azure AD group memberships, especially for groups with administrative privileges (as detected by the Sigma rule).
Implement multi-factor authentication for all users, especially those with administrative privileges.
Enforce the principle of least privilege when assigning permissions to Azure AD groups.
Monitor Azure AD audit logs for suspicious activity related to group membership changes and Conditional Access policy modifications.