<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Attack.impact — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/attack.impact/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/attack.impact/feed.xml" rel="self" type="application/rss+xml"/><item><title>Okta Policy Rule Modification or Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-29-okta-policy-rule-modification/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-29-okta-policy-rule-modification/</guid><description>An Okta policy rule was modified or deleted, potentially weakening security controls.</description><content:encoded><![CDATA[<p>Okta is a widely used identity and access management platform, and its sign-on, password, MFA enrollment and authentication policies are evaluated as ordered sets of rules. A threat actor with administrator access may modify or delete those rules to weaken an organization&rsquo;s security posture: removing or relaxing MFA requirements, loosening network-zone or device conditions, or carving out exceptions for particular users or groups so that access controls no longer apply to them. Because every application behind the affected policy inherits the weakened rule, detecting these changes promptly is crucial to maintaining a strong security baseline and preventing unauthorized access to sensitive resources. Defenders should monitor the Okta System Log for unexpected or unauthorized policy rule modifications or deletions and verify each one against planned administrative work.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains unauthorized access to an Okta administrator account, possibly through credential theft or phishing.</li>
<li>Authentication: The attacker authenticates to the Okta admin dashboard using the compromised credentials.</li>
<li>Discovery: The attacker enumerates existing policy rules to understand the current security configuration.</li>
<li>Modification: The attacker modifies an existing policy rule to weaken its security controls. This could involve disabling MFA, bypassing location restrictions, or altering group membership requirements.</li>
<li>Deletion: Alternatively, the attacker deletes a policy rule entirely, effectively removing a layer of security.</li>
<li>Privilege Escalation: With weakened or removed policy rules, the attacker escalates privileges, gaining access to sensitive applications or data.</li>
<li>Lateral Movement: The attacker leverages the compromised Okta environment to move laterally within the organization&rsquo;s network, accessing additional systems and resources.</li>
<li>Impact: The attacker achieves their final objective, such as data exfiltration, financial fraud, or system disruption, due to the weakened security posture.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification or deletion of Okta policy rules can severely compromise an organization&rsquo;s security. Consequences include unauthorized access to sensitive data, privilege escalation, lateral movement, and ultimately, data breaches or financial loss. The number of affected users and systems depends on the scope of the compromised policy rules and the attacker&rsquo;s subsequent actions. Organizations in all sectors that rely on Okta for identity management are vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &ldquo;Okta Policy Rule Modified or Deleted&rdquo; Sigma rule to your SIEM; it keys on eventType <code>policy.rule.update</code> and <code>policy.rule.delete</code> in the Okta System Log. Deactivating a rule (<code>policy.rule.deactivate</code>) weakens a policy just as effectively as deleting it, so alert on that event type alongside.</li>
<li>Review Okta System Log entries for policy rule modifications or deletions regularly, and for each hit check the actor, the client IP address and user agent, and the target rule and policy against expected administrative activity and change records.</li>
<li>Require multi-factor authentication, preferably a phishing-resistant factor such as FIDO2/WebAuthn, for every Okta administrator account so that stolen passwords alone cannot reach the admin console.</li>
<li>Enforce the principle of least privilege for Okta administrator roles so that only a small, named set of accounts can modify policy rules; treat a policy change from any account outside that set as an escalation by default.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>okta</category><category>identity</category><category>policy</category><category>attack.impact</category></item><item><title>Linux Service Stop and Disable Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-linux-service-disable/</link><pubDate>Tue, 09 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-linux-service-disable/</guid><description>Attackers may halt or disable security services on Linux systems to evade defenses, maintain persistence, or disrupt operations, detected through the use of utilities like 'systemctl', 'service', and 'chkconfig'.</description><content:encoded><![CDATA[<p>Attackers may attempt to stop or disable services on a compromised Linux system to impair security tools, disrupt operations, or facilitate further malicious activities. This can involve disabling security software, logging mechanisms, or other critical services that could hinder the attacker&rsquo;s objectives. This activity often forms part of a broader attack campaign aimed at maintaining persistence, evading detection, or causing system-wide disruption. The commands <code>systemctl</code>, <code>service</code>, and…</p>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>attack.defense-evasion</category><category>attack.t1562</category><category>attack.impact</category><category>attack.t1489</category></item><item><title>Azure Network Firewall Policy Modification or Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-policy-changes/</link><pubDate>Wed, 03 Jan 2024 18:12:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-policy-changes/</guid><description>An adversary may modify or delete Azure Network Firewall Policies to impair defenses and potentially impact network security.</description><content:encoded><![CDATA[<p>Attackers may target Azure Network Firewall Policies to weaken an organization&rsquo;s security posture. By modifying existing policies, adversaries can introduce rules that allow malicious traffic, disable existing protections, or create backdoors for future access. Deleting firewall policies altogether removes a critical layer of defense, potentially exposing internal resources to external threats. This activity is typically conducted after gaining initial access to the Azure environment through compromised credentials or other means. Monitoring for unauthorized changes to firewall policies is critical for maintaining network security and preventing potential data breaches or service disruptions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the Azure environment, possibly through compromised credentials or a vulnerability in a deployed application.</li>
<li>The attacker enumerates existing Azure Network Firewall Policies using Azure CLI or PowerShell commands.</li>
<li>The attacker identifies a firewall policy to modify or delete to achieve their objectives.</li>
<li>If modifying, the attacker uses cmdlets such as <code>Set-AzFirewallPolicy</code> or <code>Set-AzFirewallPolicyRuleCollectionGroup</code>, the equivalent Azure CLI commands, or the Azure portal to alter the policy rules, for example adding permissive allow rules, widening existing ones, or removing deny collections.</li>
<li>If deleting, the attacker uses a cmdlet such as <code>Remove-AzFirewallPolicy</code>, the Azure CLI, or the Azure portal to remove the firewall policy entirely.</li>
<li>The changes are applied to the Azure Network Firewall, impacting network traffic filtering.</li>
<li>The attacker validates the effectiveness of the modified or deleted policy by testing network connectivity to previously protected resources.</li>
<li>The attacker proceeds to exploit the newly exposed resources for data exfiltration, lateral movement, or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification or deletion of Azure Network Firewall policies can lead to significant security breaches. Attackers may be able to bypass network segmentation, gain unauthorized access to sensitive data, disrupt critical services, or deploy malicious code within the network. The impact can range from data theft and financial loss to reputational damage and regulatory penalties. The number of affected resources depends on the scope of the compromised firewall policy and the attacker&rsquo;s subsequent actions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the Sigma rule &ldquo;Azure Network Firewall Policy Modified or Deleted&rdquo; to detect unauthorized changes to firewall policies (logsource: azure, service: activitylogs); the underlying signal is write and delete operations on <code>Microsoft.Network/firewallPolicies</code> and its <code>ruleCollectionGroups</code> child resource in the Activity Log.</li>
<li>Review the caller identity, source IP and user agent associated with each detected event, and compare the policy before and after the change, to determine whether it was made by authorized personnel during a planned change or by a malicious actor; the rule&rsquo;s false-positives notes cover the routine administrative cases.</li>
<li>Enable multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise.</li>
<li>Enforce the principle of least privilege by granting users only the necessary permissions to manage firewall policies.</li>
<li>Implement continuous monitoring and alerting for all Azure resources, including network firewalls, to detect suspicious activity and potential security breaches.</li>
</ul>
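<p>Detecting that a write happened is only the first step; the triage question in the second recommendation is what the change actually did. The following Python is an added example, not code from this feed, the Sigma rule, or Azure: it diffs two snapshots of a firewall policy rule collection group and flags changes that loosen filtering, namely a Deny rule removed, a Deny flipped to Allow, an Allow rule widened, a new allow-anything rule, or the policy gone entirely. The snapshot shape is a simplified stand-in for the ARM <code>ruleCollectionGroups</code> resource (the real one nests these fields under <code>properties</code> and expresses the action as an object), and both snapshots are constructed.</p>

```python
"""Diff two snapshots of an Azure Firewall Policy rule collection group and flag
changes that loosen filtering. Added example; the snapshot shape is a simplified
stand-in for the ARM ruleCollectionGroups resource and both snapshots are constructed."""
import copy

WILDCARDS = {"*", "any"}
SCOPE_FIELDS = ("sourceAddresses", "destinationAddresses", "destinationPorts", "ipProtocols")


def _rules(group):
    """Flatten a group into {(collection name, rule name): (action, rule)}."""
    flat = {}
    for coll in group.get("ruleCollections", []):
        for rule in coll.get("rules", []):
            flat[(coll["name"], rule["name"])] = (coll["action"], rule)
    return flat


def _is_wild(values):
    return any(str(v).lower() in WILDCARDS for v in values)


def is_permissive_allow(action, rule):
    """An Allow rule with wildcard destination and ports admits any traffic from its sources."""
    return (action == "Allow"
            and _is_wild(rule.get("destinationAddresses", []))
            and _is_wild(rule.get("destinationPorts", [])))


def widened_fields(old, new):
    """Scope fields where the new rule matches traffic the old one did not."""
    widened = []
    for field in SCOPE_FIELDS:
        before, after = set(old.get(field, [])), set(new.get(field, []))
        if _is_wild(before):          # already matched everything; cannot widen further
            continue
        if (after - before) or _is_wild(after):
            widened.append(field)
    return widened


def diff_policy(before, after):
    """Return findings describing security-relevant loosening between two snapshots."""
    if after is None:
        return [{"kind": "policy_deleted", "group": before["name"]}]
    findings = []
    old, new = _rules(before), _rules(after)
    for key, (action, rule) in old.items():
        if key not in new:
            if action == "Deny":
                findings.append({"kind": "deny_rule_removed", "rule": key})
            continue
        new_action, new_rule = new[key]
        if action == "Deny" and new_action == "Allow":
            findings.append({"kind": "deny_flipped_to_allow", "rule": key})
            continue
        fields = widened_fields(rule, new_rule)
        if fields and new_action == "Allow":
            findings.append({"kind": "allow_rule_widened", "rule": key, "fields": fields})
    for key, (action, rule) in new.items():
        if key not in old and is_permissive_allow(action, rule):
            findings.append({"kind": "permissive_allow_added", "rule": key})
    return findings


# Constructed "known good" snapshot. Lower priority numbers are evaluated first.
BEFORE = {
    "name": "DefaultNetworkRuleCollectionGroup",
    "ruleCollections": [
        {"name": "deny-egress", "priority": 200, "action": "Deny", "rules": [
            {"name": "deny-all-outbound", "ruleType": "NetworkRule",
             "sourceAddresses": ["10.0.0.0/8"], "destinationAddresses": ["*"],
             "destinationPorts": ["*"], "ipProtocols": ["Any"]}]},
        {"name": "allow-dns", "priority": 300, "action": "Allow", "rules": [
            {"name": "allow-dns-out", "ruleType": "NetworkRule",
             "sourceAddresses": ["10.0.0.0/8"], "destinationAddresses": ["10.0.0.4"],
             "destinationPorts": ["53"], "ipProtocols": ["UDP", "TCP"]}]},
    ],
}

# Constructed post-incident snapshot: Deny collection gone, the DNS rule opened to any
# destination and port, and a new highest-priority allow-anything collection added.
AFTER = copy.deepcopy(BEFORE)
AFTER["ruleCollections"] = [c for c in AFTER["ruleCollections"] if c["name"] != "deny-egress"]
_dns = AFTER["ruleCollections"][0]["rules"][0]
_dns["destinationAddresses"], _dns["destinationPorts"] = ["*"], ["*"]
AFTER["ruleCollections"].append(
    {"name": "temp-allow", "priority": 100, "action": "Allow", "rules": [
        {"name": "allow-any", "ruleType": "NetworkRule", "sourceAddresses": ["*"],
         "destinationAddresses": ["*"], "destinationPorts": ["*"], "ipProtocols": ["Any"]}]})

if __name__ == "__main__":
    for finding in diff_policy(BEFORE, AFTER):
        print(finding)
```

<p>In practice the two snapshots come from an export taken before the change window and another taken when the Activity Log alert fires, for example from <code>Get-AzFirewallPolicyRuleCollectionGroup</code> or <code>az network firewall policy rule-collection-group show</code>, mapped into the flat shape above. Note that the constructed <code>temp-allow</code> collection at priority 100 outranks the surviving collections, so even without the deleted Deny collection it would have admitted everything; priority matters as much as rule content when judging a change.</p>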
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>attack.impact</category><category>attack.defense-evasion</category><category>attack.t1562.007</category></item><item><title>Adversaries Disabling Important Scheduled Tasks</title><link>https://feed.craftedsignal.io/briefs/2024-01-schtasks-disable/</link><pubDate>Wed, 03 Jan 2024 15:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-schtasks-disable/</guid><description>Adversaries disable crucial scheduled tasks, such as those related to BitLocker, Windows Defender, System Restore and Windows Update, using schtasks.exe to disrupt services and potentially facilitate data destruction or ransomware deployment.</description><content:encoded><![CDATA[<p>Attackers are increasingly targeting scheduled tasks to disable critical system functions. This tactic involves using <code>schtasks.exe</code> to disable essential tasks related to security, backup, and update mechanisms. By disabling tasks like Windows Defender scans, System Restore points, BitLocker encryption, and Windows Update, adversaries can significantly weaken a system&rsquo;s defenses, making it more vulnerable to data destruction or ransomware attacks. The observed behavior involves the execution of…</p>
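<p>The following Python is an added example, not code from this feed or from the referenced Sigma rules. It implements the command-line check behind this brief and two others in the feed: <code>schtasks.exe</code> disabling (this brief) or deleting (&ldquo;Deletion of Critical Scheduled Tasks&rdquo;) protective tasks, and <code>systemctl</code>, <code>service</code> and <code>chkconfig</code> stopping or disabling protective services (&ldquo;Linux Service Stop and Disable Detection&rdquo;). The task folder prefixes, the Linux service list and the sample command lines are constructed assumptions; the Windows parser keeps backslashes literal and tolerates quoted task names, and malformed quoting is treated as a non-match rather than a crash.</p>

```python
"""Flag process command lines that stop, disable, mask or delete protective
scheduled tasks (Windows, via schtasks.exe) or services (Linux, via
systemctl / service / chkconfig). Added example; the task folders, service
names and sample events below are constructed assumptions."""
import shlex
from dataclasses import dataclass


@dataclass
class Finding:
    platform: str
    action: str    # disable | delete | stop | mask | kill
    target: str    # task path or service name
    command: str   # offending command line


# Assumed: the task folders the briefs refer to (lower-case, trailing backslash).
WINDOWS_CRITICAL_TASK_PREFIXES = (
    "\\microsoft\\windows\\bitlocker\\",
    "\\microsoft\\windows\\windows defender\\",
    "\\microsoft\\windows\\exploitguard\\",
    "\\microsoft\\windows\\systemrestore\\",
    "\\microsoft\\windows\\windowsupdate\\",
)
# Assumed: services whose loss impairs logging or defence on a Linux host.
LINUX_CRITICAL_SERVICES = {"auditd", "rsyslog", "syslog-ng", "apparmor",
                           "firewalld", "ufw", "fail2ban", "falco"}
SYSTEMCTL_VERBS = {"stop", "disable", "mask", "kill"}


def _program(token):
    """Bare program name, tolerant of forward or back slashes and a .exe suffix."""
    name = token.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def analyze_windows(cmd):
    """schtasks /Change /TN <task> /Disable   or   schtasks /Delete /TN <task> [/F]."""
    try:
        # posix=False keeps backslashes literal and a quoted task name as one token
        tokens = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    except ValueError:            # unbalanced quotes: malformed or evasive, not a match
        return None
    if not tokens or _program(tokens[0]) != "schtasks":
        return None
    low = [t.lower() for t in tokens]
    if "/change" in low and "/disable" in low:
        action = "disable"
    elif "/delete" in low:
        action = "delete"
    else:
        return None
    try:
        task = tokens[low.index("/tn") + 1]
    except (ValueError, IndexError):
        return None
    if task.lower().startswith(WINDOWS_CRITICAL_TASK_PREFIXES):
        return Finding("windows", action, task, cmd)
    return None


def analyze_linux(cmd):
    """systemctl stop|disable|mask|kill <unit>, service <unit> stop, chkconfig <unit> off."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        return None
    if tokens and tokens[0] == "sudo":    # common prefix; drop it
        tokens = tokens[1:]
    if not tokens:
        return None
    prog = _program(tokens[0])
    if prog == "systemctl":
        verb = next((t for t in tokens[1:] if t in SYSTEMCTL_VERBS), None)
        units = [t for t in tokens[1:] if not t.startswith("-") and t != verb]
    elif prog == "service" and len(tokens) >= 3 and tokens[2] == "stop":
        verb, units = "stop", [tokens[1]]
    elif prog == "chkconfig" and len(tokens) >= 3 and tokens[2] == "off":
        verb, units = "disable", [tokens[1]]
    else:
        return None
    if verb is None:
        return None
    for unit in units:
        name = unit[:-len(".service")] if unit.endswith(".service") else unit
        if name in LINUX_CRITICAL_SERVICES:
            return Finding("linux", verb, name, cmd)
    return None


def scan(events):
    """events: iterable of (platform, command_line). Returns Findings in input order."""
    analyzers = {"windows": analyze_windows, "linux": analyze_linux}
    return [hit for platform, cmd in events if (hit := analyzers[platform](cmd))]


# Constructed process-creation events (Sysmon EID 1 / auditd execve style), not real telemetry.
SAMPLE_EVENTS = [
    ("windows", 'schtasks /Change /TN "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /Disable'),
    ("windows", 'schtasks.exe /Delete /TN "\\Microsoft\\Windows\\SystemRestore\\SR" /F'),
    ("windows", 'schtasks /Create /TN "\\Backup\\Nightly" /TR backup.exe /SC DAILY'),  # benign
    ("linux", "systemctl disable --now auditd.service"),
    ("linux", "sudo systemctl stop rsyslog"),
    ("linux", "service auditd stop"),
    ("linux", "chkconfig auditd off"),
    ("linux", "systemctl restart nginx"),  # benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.platform}] {f.action:<7} {f.target}  <- {f.command}")
```

<p>Two caveats a practitioner should keep in mind. Command-line matching is easy to sidestep: the same outcome is reachable through <code>Disable-ScheduledTask</code> in PowerShell, the Task Scheduler COM API, or direct edits under the tasks folder on Windows, and through unit-file edits on Linux, so pair this with telemetry on the task or unit state itself. And the stock <code>auditd.service</code> unit sets <code>RefuseManualStop=yes</code>, so <code>systemctl stop auditd</code> is refused while <code>service auditd stop</code> succeeds; the older <code>service</code> form is the one attackers reach for, which is why the example matches it explicitly.</p>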
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>attack.impact</category><category>attack.t1489</category></item><item><title>System Restore Disabled via Registry Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-system-restore-disable/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-system-restore-disable/</guid><description>Attackers may attempt to disable system restore via registry modifications through the command line to prevent recovery after malicious activity.</description><content:encoded>&lt;p>Attackers may attempt to disable the Windows System Restore feature to hinder forensic analysis and recovery efforts. This involves modifying specific registry keys related to System Restore configuration and operation, effectively preventing the system from creating or using restore points. The commands are executed via cmd, PowerShell or other scripting engines. Disabling System Restore can allow malware to operate without the risk of easy rollback, potentially increasing the impact of a…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>attack.impact</category><category>attack.t1490</category></item><item><title>Okta Unauthorized Application Access Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-okta-unauthorized-app-access/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-okta-unauthorized-app-access/</guid><description>This brief describes a detection for unauthorized application access attempts within an Okta environment, indicating a potential security breach or misconfiguration.</description><content:encoded><![CDATA[<p>This detection identifies instances where a user attempts to access an application within an Okta environment without proper authorization. The activity is logged within the Okta system logs, providing a clear indication of the unauthorized access attempt. This type of event is crucial for defenders as it may signify several issues, including compromised user accounts, misconfigured application permissions, or internal users attempting to escalate their privileges. This detection focuses specifically on the &ldquo;User attempted unauthorized access to app&rdquo; message within Okta logs. Identifying and investigating these events promptly can prevent data breaches and maintain the integrity of the Okta environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user attempts to access a protected application integrated with Okta.</li>
<li>Okta evaluates the user&rsquo;s authentication status and group memberships against the application&rsquo;s access policies.</li>
<li>The user lacks the necessary permissions or roles assigned to access the requested application.</li>
<li>Okta denies access to the application for the user.</li>
<li>Okta generates a system log event with the &ldquo;User attempted unauthorized access to app&rdquo; message.</li>
<li>The security monitoring system ingests the Okta log event.</li>
<li>The detection rule triggers based on the specific log message.</li>
<li>An alert is generated, prompting security analysts to investigate the unauthorized access attempt and take appropriate remedial actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful unauthorized access to applications can lead to significant data breaches, compromise sensitive information, and disrupt business operations. While this detection identifies attempted unauthorized access, repeated attempts or eventual success due to misconfiguration can result in severe consequences. A single successful breach can lead to data exfiltration, financial loss, and reputational damage. Identifying and remediating these attempts is crucial to preventing these outcomes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM or security monitoring platform to detect unauthorized application access attempts in Okta (Sigma rule: &ldquo;Okta Unauthorized Access to App&rdquo;).</li>
<li>Investigate all triggered alerts promptly to determine the root cause of the unauthorized access attempt (Okta logs).</li>
<li>Review and validate application access policies within Okta to ensure users have appropriate permissions and roles assigned.</li>
<li>Implement multi-factor authentication (MFA) for all users to reduce the risk of compromised accounts being used for unauthorized access (Okta configuration).</li>
<li>Monitor Okta system logs for related events, such as account lockouts or password reset attempts, which might indicate account compromise (Okta logs).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>attack.impact</category><category>threat-type</category><category>platform</category></item><item><title>Okta Policy Modification or Deletion Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-okta-policy-change/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-okta-policy-change/</guid><description>An Okta policy was modified or deleted, potentially indicating unauthorized changes to security configurations within the Okta identity management platform by a malicious actor or insider.</description><content:encoded><![CDATA[<p>This alert identifies modifications or deletions of Okta policies, which govern authentication, authorization, and access control within the Okta Identity Cloud platform. While legitimate administrators routinely update policies, unauthorized changes can weaken security postures and grant malicious actors elevated privileges or bypass security controls. The source event indicates a potential compromise or insider threat activity within the Okta environment. Because Okta serves as a critical identity provider for many organizations, any unauthorized change to its policies can have far-reaching consequences. Detecting policy changes is crucial for maintaining the integrity and security of the Okta environment and preventing potential breaches. The targeted scope includes all Okta-managed applications and resources protected by the modified or deleted policy.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to an Okta administrator account, either through compromised credentials (e.g., phishing, credential stuffing) or insider access.</li>
<li><strong>Authentication:</strong> The attacker authenticates to the Okta admin console using the compromised or legitimate administrator account.</li>
<li><strong>Policy Enumeration:</strong> The attacker identifies target Okta policies to modify or delete using the Okta admin console or API.</li>
<li><strong>Policy Modification/Deletion:</strong> The attacker modifies or deletes the targeted Okta policy through the Okta admin console or API. This generates a <code>policy.lifecycle.update</code> or <code>policy.lifecycle.delete</code> event in the Okta System Log.</li>
<li><strong>Privilege Escalation (Potential):</strong> By modifying policies, the attacker may escalate privileges, granting themselves or other unauthorized users access to sensitive applications and resources.</li>
<li><strong>Lateral Movement (Potential):</strong> With escalated privileges, the attacker moves laterally within the Okta environment, accessing other applications and resources.</li>
<li><strong>Data Exfiltration/Damage (Potential):</strong> The attacker leverages the compromised Okta environment to exfiltrate sensitive data or cause damage to connected systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful Okta policy modification or deletion can have significant consequences. Unauthorized policy changes can weaken security controls, allowing attackers to bypass authentication mechanisms, escalate privileges, and gain unauthorized access to sensitive applications and data. This could lead to data breaches, financial loss, and reputational damage. The impact depends on the scope of the affected policy and the applications it protects. The number of victims could range from a few individuals to the entire organization, depending on the scope of the compromised policy.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect Okta policy modifications or deletions (<code>policy.lifecycle.update</code>, <code>policy.lifecycle.delete</code> event types).</li>
<li>Investigate any detected policy changes to verify their legitimacy and identify the user responsible.</li>
<li>Review Okta administrator account activity for any signs of compromise or unauthorized access.</li>
<li>Implement multi-factor authentication (MFA) for all Okta administrator accounts to prevent unauthorized access.</li>
<li>Regularly review and audit Okta policies to ensure they are configured securely and in accordance with security best practices.</li>
</ul>
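<p>Both Okta briefs in this feed reduce to the same detection: match the policy change event types in the System Log, confirm the change succeeded, and enrich the hit with the actor, source IP, user agent and target so an analyst can decide whether to escalate. The following Python is an added example that is not code from this feed, from the Sigma rules, or from Okta. It handles the <code>policy.rule.*</code> events of the &ldquo;Okta Policy Rule Modification or Deletion&rdquo; brief and the <code>policy.lifecycle.*</code> events of this one, and adds the corresponding deactivate event types, which weaken a policy without deleting it. The expected-admin set, the egress network range, the scripted user-agent prefixes and the sample events are constructed assumptions; the event field names (<code>eventType</code>, <code>outcome.result</code>, <code>actor.alternateId</code>, <code>client.ipAddress</code>, <code>client.userAgent.rawUserAgent</code>, <code>target[].displayName</code>) are the System Log&rsquo;s own.</p>

```python
"""Triage Okta System Log events that change policies or policy rules.
Added example; the expected-admin set, egress ranges, scripted-agent prefixes
and sample events are constructed assumptions, not values from the feed or Okta."""
import json
from ipaddress import ip_address, ip_network

# eventType values from the two Okta policy briefs in this feed, plus the
# deactivate events, which switch a policy or rule off without deleting it.
POLICY_CHANGE_EVENTS = {
    "policy.rule.update": "rule modified",
    "policy.rule.delete": "rule deleted",
    "policy.rule.deactivate": "rule deactivated",
    "policy.lifecycle.update": "policy modified",
    "policy.lifecycle.delete": "policy deleted",
    "policy.lifecycle.deactivate": "policy deactivated",
}
# Assumed organisational baseline: who may change policy, from where, and with what.
EXPECTED_ADMINS = {"alice.admin@example.com"}
EXPECTED_NETWORKS = [ip_network("203.0.113.0/24")]
SCRIPTED_AGENTS = ("python-requests", "curl/", "go-http-client")


def _from_expected_network(ip):
    try:
        return any(ip_address(ip) in net for net in EXPECTED_NETWORKS)
    except ValueError:          # missing or malformed address is itself suspicious
        return False


def triage(event):
    """Return a triage record for a successful policy change, else None."""
    change = POLICY_CHANGE_EVENTS.get(event.get("eventType"))
    if change is None:
        return None
    # Only successful changes altered the tenant. Failed attempts deserve a
    # lower-severity signal (possible privilege probing) but are not flagged here.
    if event.get("outcome", {}).get("result") != "SUCCESS":
        return None
    actor = event.get("actor", {}).get("alternateId", "<unknown>")
    client = event.get("client", {})
    ip = client.get("ipAddress", "")
    agent = client.get("userAgent", {}).get("rawUserAgent", "")
    targets = [t.get("displayName", "") for t in event.get("target", [])]

    reasons = []
    if actor not in EXPECTED_ADMINS:
        reasons.append("actor not in expected admin set")
    if not _from_expected_network(ip):
        reasons.append("source IP outside expected networks")
    if agent.lower().startswith(SCRIPTED_AGENTS):
        reasons.append("scripted user agent")
    return {
        "time": event.get("published"), "change": change, "actor": actor,
        "ip": ip, "userAgent": agent, "targets": targets,
        "escalate": bool(reasons), "reasons": reasons,
    }


def run(lines):
    """Parse newline-delimited JSON System Log events; return triage records in order."""
    records = []
    for line in lines:
        if line.strip():
            record = triage(json.loads(line))
            if record:
                records.append(record)
    return records


# Constructed System Log events (a subset of the real fields), not real telemetry.
SAMPLE_LOG = r"""
{"published":"2024-01-29T11:02:10.000Z","eventType":"policy.rule.update","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"alice.admin@example.com","displayName":"Alice Admin"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X) Chrome/120.0"}},"target":[{"type":"PolicyRule","displayName":"Require MFA for admins"},{"type":"Policy","displayName":"Admin Sign-On Policy"}]}
{"published":"2024-01-29T11:40:33.000Z","eventType":"policy.rule.delete","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"mallory@example.com","displayName":"Mallory"},"client":{"ipAddress":"198.51.100.7","userAgent":{"rawUserAgent":"python-requests/2.31.0"}},"target":[{"type":"PolicyRule","displayName":"Require MFA for admins"},{"type":"Policy","displayName":"Admin Sign-On Policy"}]}
{"published":"2024-01-29T11:41:05.000Z","eventType":"policy.lifecycle.delete","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"alice.admin@example.com","displayName":"Alice Admin"},"client":{"ipAddress":"198.51.100.7","userAgent":{"rawUserAgent":"python-requests/2.31.0"}},"target":[{"type":"Policy","displayName":"Legacy VPN Policy"}]}
{"published":"2024-01-29T11:42:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.11"},"target":[]}
{"published":"2024-01-29T11:43:00.000Z","eventType":"policy.rule.update","outcome":{"result":"FAILURE","reason":"Insufficient permissions"},"actor":{"type":"User","alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.11"},"target":[{"type":"PolicyRule","displayName":"Require MFA for admins"}]}
"""

if __name__ == "__main__":
    for r in run(SAMPLE_LOG.splitlines()):
        flag = "ESCALATE" if r["escalate"] else "review"
        print(f"{r['time']} {flag:<8} {r['change']:<19} {r['actor']} {r['ip']} {r['targets']} {r['reasons']}")
```

<p>The third sample event is the one worth studying: a legitimate administrator deleting a policy from an unexpected network with a scripting client is exactly what a stolen admin session or API token looks like, and it would pass a detection that only checks the actor. The second recommendation above, verify the change with the person, is the right response to that record; the first two reasons on the Mallory event justify containment rather than a question.</p>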
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>identity</category><category>okta</category><category>policy</category><category>attack.impact</category></item><item><title>Deletion of Critical Scheduled Tasks</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-schtasks-deletion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-schtasks-deletion/</guid><description>Adversaries delete critical scheduled tasks, such as those related to BitLocker, ExploitGuard, System Restore, Windows Defender, and Windows Update, to disrupt security measures and enable data destruction.</description><content:encoded>&lt;p>Attackers may attempt to delete scheduled tasks to disable security mechanisms or prevent system recovery, creating an environment conducive to data destruction. This involves using the &lt;code>schtasks.exe&lt;/code> utility to remove scheduled tasks related to critical system functions. This activity is designed to impair incident response, prevent restoration of systems, and generally increase the impact of an attack. This is done by removing the scheduled tasks, which prevents the execution of security…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>attack.impact</category><category>attack.t1489</category></item></channel></rss>