Attack.initial-Access — CraftedSignal Threat Feed

Malicious Usage of AWS IMDS Credentials Outside of Expected Services

hello@craftedsignal.io — Thu, 11 Jul 2024 00:00:00 +0000

This activity focuses on the potential misuse of AWS Instance Metadata Service (IMDS) credentials. When an EC2 instance is compromised, an attacker can extract the temporary credentials stored within the IMDS. These credentials, associated with an assumed role, grant the attacker the ability to interact with other AWS services. The abnormal use of these credentials outside of the expected AWS Simple Systems Manager (SSM) service may indicate malicious activity such as lateral movement, data exfiltration, or resource compromise. This is particularly concerning when the compromised instance is being used as a pivot point to access other AWS resources.

Attack Chain

An EC2 instance is compromised through an initial access vector (e.g., software vulnerability, misconfiguration, or credential compromise).
The attacker gains access to the compromised EC2 instance’s operating system.
The attacker queries the IMDS endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) to obtain temporary AWS credentials associated with the instance’s IAM role.
The attacker configures their local AWS CLI or SDK with the exfiltrated credentials.
The attacker attempts to perform actions against other AWS services using the exfiltrated credentials.
The attacker attempts to escalate privileges or move laterally within the AWS environment.
The attacker attempts to access, modify, or exfiltrate sensitive data from other AWS services.
The attacker maintains persistence by creating new IAM users or roles with excessive permissions.

Impact

Successful exploitation can lead to unauthorized access to sensitive data stored in AWS services such as S3, DynamoDB, and RDS. This could result in data breaches, financial loss, and reputational damage. Attackers can also leverage the compromised credentials to pivot to other AWS resources, potentially impacting critical infrastructure and services. Organizations with lax security configurations and overly permissive IAM roles are at higher risk.

Recommendation

Deploy the Sigma rule “Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure” to your SIEM and tune for your environment to detect anomalous use of IMDS credentials.
Review and restrict IAM roles assigned to EC2 instances to follow the principle of least privilege, limiting the scope of potential damage from credential exfiltration.
Monitor CloudTrail logs for unusual API calls originating from EC2 instances with assumed roles, specifically those not related to SSM.
Harden EC2 instances to prevent initial compromise by applying security patches, configuring strong authentication, and regularly scanning for vulnerabilities.

Azure AD Sign-in from New Country/Region

hello@craftedsignal.io — Tue, 30 Jan 2024 12:00:00 +0000

This threat brief focuses on detecting suspicious sign-in activity within Azure Active Directory (Azure AD). Specifically, it targets sign-ins originating from countries or regions that are new or unusual for a given user. This behavior can be indicative of compromised credentials, travel without notification, or the use of VPN/proxy services to mask the true origin of the sign-in. Microsoft Entra ID Protection identifies “new country” as a risk event when a user signs in from a location that is drastically different from their recent sign-in history. Detecting these anomalies is crucial for preventing unauthorized access and mitigating potential data breaches. The detection uses Azure AD’s risk detection logs to identify such events.

Attack Chain

Initial Access: An attacker gains access to a valid user’s credentials, potentially through phishing, credential stuffing, or malware. (T1078)
Anomalous Login: The attacker attempts to sign in to Azure AD using the compromised credentials from a country or region not typically associated with the user.
Risk Detection Trigger: Azure AD Identity Protection identifies the sign-in as high-risk due to the new country/region and logs a “newCountry” risk event.
Persistence: The attacker may establish persistent access by creating new accounts or modifying existing ones.
Privilege Escalation: If the compromised account has elevated privileges, the attacker may attempt to escalate their privileges within the Azure environment.
Lateral Movement: The attacker may use the compromised account to move laterally within the organization, accessing other resources and data.
Data Exfiltration: The attacker accesses sensitive data and attempts to exfiltrate it from the environment.
Impact: The attacker achieves their objectives, which could include data theft, financial fraud, or disruption of services.

Impact

A successful attack following a sign-in from a new country can result in unauthorized access to sensitive data, compromised user accounts, and potential data breaches. Organizations may experience financial losses, reputational damage, and legal liabilities. The number of victims and the extent of the damage depend on the privileges of the compromised account and the attacker’s objectives. Immediate containment is crucial to prevent further damage if a new country sign-in is verified as malicious.

Recommendation

Deploy the provided Sigma rule to your SIEM or security analytics platform to detect “newCountry” risk events in Azure AD (logsource: azure, service: riskdetection).
Investigate any alerts generated by the Sigma rule in the context of other sign-in activities for the affected user to rule out false positives.
Implement multi-factor authentication (MFA) for all users to mitigate the risk of account compromise (T1078).
Monitor user activity logs for other suspicious behaviors, such as unusual access patterns or attempts to escalate privileges.
Review and enforce conditional access policies to restrict access based on location, device, and other factors.
Educate users about phishing and other social engineering tactics to prevent credential theft.

Azure AD Authentication to Important Apps Using Single-Factor Authentication

hello@craftedsignal.io — Wed, 03 Jan 2024 15:30:00 +0000

This alert focuses on detecting potentially risky authentication events within Azure Active Directory. Specifically, it flags successful logins to applications deemed “important” where the authentication process only involved a single factor. This bypasses the added security of multi-factor authentication (MFA), potentially exposing these applications to compromise if the single factor (e.g., password) is weak, stolen, or compromised. The alert is designed to identify deviations from a secure authentication baseline, particularly in environments where MFA is expected for sensitive resources. The applications considered “important” must be pre-defined by the defender for this detection to function effectively.

Attack Chain

An attacker gains access to a valid username and password through phishing, credential stuffing, or other means.
The attacker attempts to authenticate to a pre-defined, high-value application within the Azure AD environment.
Azure AD processes the authentication request.
The application is configured to allow single-factor authentication.
Azure AD verifies the supplied username and password against its directory.
Upon successful verification, Azure AD grants the attacker access to the application.
The attacker gains unauthorized access to the application’s data and functionality.
Depending on the application and attacker’s motives, this could lead to data exfiltration, privilege escalation, or other malicious activities.

Impact

The impact of successful single-factor authentication to critical applications can range from minor data breaches to significant compromises of sensitive systems. The number of potential victims depends on the application’s user base and the sensitivity of the data it manages. Sectors most at risk include those handling financial, healthcare, or sensitive personal information. A successful attack could lead to data theft, financial loss, reputational damage, and regulatory penalties.

Recommendation

Populate the AppId field in the Sigma rule with the Application IDs of your organization’s critical applications.
Investigate any alerts generated by the Sigma rule to determine the legitimacy of the single-factor authentication.
Enforce multi-factor authentication (MFA) for all users accessing critical applications to mitigate the risk of credential compromise.
Review and update Azure AD Conditional Access policies to ensure appropriate authentication requirements are in place.
Tune the Sigma rule based on observed false positives in your environment.

Detection of Azure Subscription Permission Elevation

hello@craftedsignal.io — Wed, 03 Jan 2024 15:00:00 +0000

This threat brief focuses on detecting unauthorized elevation of privileges within Azure environments. Specifically, it addresses the assignment of the ‘User Access Administrator’ role to a user, which allows managing access to all Azure subscriptions. This activity can be indicative of malicious actors attempting to gain control over an Azure environment or an insider threat escalating their privileges without proper authorization. The detection is based on Azure Audit Logs and can help identify potentially compromised accounts or misconfigurations. A successful elevation can lead to unauthorized access, data breaches, and service disruptions. Defenders should closely monitor these events and investigate any unexpected privilege escalations.

Attack Chain

An attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability.
The attacker attempts to assign the ‘User Access Administrator’ role to themselves or another account they control.
This assignment generates an ‘Administrative’ audit log event with the OperationName ‘Assigns the caller to user access admin’.
The attacker now has the ability to manage user access to all Azure subscriptions within the tenant.
The attacker creates new user accounts with elevated privileges within the subscriptions.
The attacker leverages the newly created accounts to access sensitive resources and data.
The attacker performs reconnaissance activities to identify critical assets and data stores.
The attacker exfiltrates sensitive data or deploys malicious workloads within the compromised subscriptions.

Impact

A successful privilege escalation to the ‘User Access Administrator’ role can have severe consequences. It grants the attacker complete control over the Azure subscriptions, allowing them to access sensitive data, disrupt services, and potentially compromise the entire cloud environment. The number of affected subscriptions depends on the scope of the compromised account. This attack targets any organization utilizing Azure subscriptions and is particularly impactful for those storing sensitive data or running critical applications in the cloud.

Recommendation

Deploy the provided Sigma rule “Azure Subscription Permission Elevation Via AuditLogs” to your SIEM and tune it for your environment to detect the ‘Assigns the caller to user access admin’ event in the Azure Audit Logs.
Investigate any detected instances of this event to determine if the privilege elevation was authorized and legitimate.
Review and enforce the principle of least privilege for all Azure accounts to minimize the impact of potential compromises; reference the Microsoft Entra documentation for guidance.
Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to prevent unauthorized access via compromised credentials.

Azure AD Successful Authentication Increase

hello@craftedsignal.io — Wed, 03 Jan 2024 14:30:00 +0000

This alert identifies a potentially malicious increase in successful sign-ins within an Azure Active Directory environment. An attacker who has compromised credentials may attempt to leverage them repeatedly, resulting in a higher-than-normal volume of successful authentications. While not definitive proof of compromise, a sudden spike warrants further investigation. This behavior is typically observed during the initial access, persistence, privilege escalation, or stealth phases of an attack. This detection focuses on identifying increases of 10% or greater, providing a starting point for identifying anomalous activity. Defenders should investigate the source of the increase, focusing on specific users, applications, or geographic locations involved.

Attack Chain

Credential Compromise: The attacker obtains valid user credentials through phishing, brute-force, or credential stuffing attacks against Azure AD.
Initial Access: The attacker uses the compromised credentials to successfully authenticate to Azure AD, gaining initial access to the environment (T1078).
Enumeration: The attacker enumerates available resources, applications, and user accounts within the Azure AD environment.
Privilege Escalation: The attacker attempts to escalate privileges by exploiting misconfigurations or vulnerabilities in Azure AD or related applications. This may involve authenticating to multiple resources.
Persistence: The attacker establishes persistence mechanisms, such as creating new accounts or modifying existing ones, to maintain access to the environment. This may involve repeatedly authenticating to refresh tokens or maintain sessions.
Lateral Movement: The attacker uses the compromised account to access other resources or accounts within the Azure AD environment, potentially triggering further successful sign-ins.
Data Exfiltration or Damage: The attacker uses the compromised access to exfiltrate sensitive data or disrupt business operations.
Covering Tracks: The attacker attempts to cover their tracks by disabling logging or deleting audit trails to avoid detection.

Impact

A successful attack following a measurable increase in authentications can lead to unauthorized access to sensitive data, financial loss, reputational damage, and disruption of business operations. The specific impact depends on the level of access gained by the attacker and the resources they are able to compromise. For example, an attacker gaining access to an administrator account could potentially take control of the entire Azure AD environment.

Recommendation

Deploy the “Measurable Increase Of Successful Authentications” Sigma rule to your SIEM and tune for your environment. This rule detects increases of 10% or greater in successful sign-ins (rule, logsource: azure, service: signinlogs).
Investigate any alerts generated by the Sigma rule, focusing on identifying the source of the increased authentications and the users/applications involved.
Review the Microsoft Entra ID Protection reports for unusual sign-in activity, as referenced in the source material: https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins.
Implement multi-factor authentication (MFA) for all users to reduce the risk of credential compromise.
Monitor for other suspicious activities, such as unusual sign-in locations, access to sensitive resources, or changes to user accounts.

Azure AD User Added to Administrator Role

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers may attempt to add new members to administrative roles in Azure Active Directory to establish persistence and elevate privileges. This allows them to perform actions as a highly privileged user, potentially bypassing security controls and accessing sensitive resources. The activity is logged within Azure Activity Logs, specifically when the ‘Add member to role’ operation is executed within the ‘AzureActiveDirectory’ workload, targeting roles with names ending in ‘Admins’ or ‘Administrator’. Monitoring these events can help detect unauthorized privilege escalation and potential malicious activity within the Azure environment. This activity could be the result of compromised credentials or an insider threat.

Attack Chain

Compromise an existing user account with sufficient permissions to modify Azure AD roles.
Authenticate to the Azure portal or utilize Azure CLI with the compromised account.
Identify a target Azure AD administrative role (e.g., Global Administrator, Security Administrator).
Execute the ‘Add member to role’ operation, adding the attacker-controlled user to the target role. This can be performed via the Azure portal, PowerShell, or Azure CLI.
The Azure Activity Logs record the ‘Add member to role.’ event, with the ‘Workload’ as ‘AzureActiveDirectory’.
The ModifiedProperties{}.NewValue field reflects the addition of the user to the admin role, containing strings like “Admins” or “Administrator.”
The attacker authenticates as the newly added user, inheriting the privileges of the administrative role.
The attacker leverages the elevated privileges to access sensitive data, modify configurations, or deploy malicious applications.

Impact

Successful addition of a user to an Azure AD administrative role grants the attacker extensive control over the Azure environment. This can lead to data breaches, service disruptions, and the deployment of malicious applications. Compromised administrator accounts can be used to disable security features, modify audit logs, and create backdoors for persistent access. Detection is critical to limit the scope and duration of the attack.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect instances of users being added to Azure AD administrative roles (logsource: azure, service: activitylogs).
Investigate any detected instances of the “Add member to role.” operation in Azure AD Activity Logs where the ModifiedProperties{}.NewValue ends with ‘Admins’ or ‘Administrator’ to validate legitimate administrative changes.
Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of compromised credentials.
Regularly review Azure AD role assignments to identify and remove unnecessary privileges.
Monitor for unusual activity from newly added members of administrative roles after the ‘Add member to role’ event.

Azure PIM - Role Assignment Outside of Privileged Identity Management

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

The unauthorized assignment of privileged roles outside of Azure Privileged Identity Management (PIM) represents a significant security risk. Attackers may attempt to bypass PIM controls to gain persistent access, escalate privileges, or move laterally within the Azure environment. Detecting these anomalous role assignments is crucial for identifying potentially compromised accounts or malicious insiders. This activity is a common tactic used by attackers to establish persistence and maintain control over cloud resources. Monitoring for this behavior can help security teams quickly identify and respond to potential breaches, limiting the impact of successful attacks. This activity can be associated with lateral movement, privilege escalation, and persistence within the cloud environment.

Attack Chain

An attacker gains initial access to a compromised user account or service principal within the Azure environment.
The attacker attempts to identify existing privileged roles and permissions.
The attacker bypasses PIM to directly assign themselves a privileged role (e.g., Global Administrator, Security Administrator) using Azure CLI, PowerShell, or the Azure portal.
The attacker elevates their permissions without triggering PIM alerts or requiring approval.
The attacker uses the newly assigned privileged role to access sensitive data, modify configurations, or create new resources.
The attacker establishes persistence by creating new accounts or modifying existing ones with elevated privileges.
The attacker moves laterally to other Azure resources or subscriptions using their increased access.
The attacker achieves their final objective, such as data exfiltration, service disruption, or deployment of malicious code.

Impact

Compromising privileged roles within Azure can have severe consequences, potentially impacting all resources within the affected Azure Active Directory tenant. Successful attacks can lead to unauthorized data access, service disruption, financial loss, and reputational damage. The scope of the impact depends on the level of privilege gained by the attacker and the sensitivity of the targeted resources. Without proper detection and response, organizations may remain unaware of the breach, allowing attackers to maintain persistent access and continue their malicious activities undetected.

Recommendation

Deploy the provided Sigma rule Roles Assigned Outside PIM to your SIEM to detect unauthorized role assignments within your Azure environment.
Investigate all instances flagged by the Sigma rule Roles Assigned Outside PIM to determine the legitimacy of the role assignment and the identity of the assigner.
Implement controls to restrict the ability to assign privileged roles outside of PIM, as described in the Microsoft documentation reference.
Review and enforce the principle of least privilege to minimize the potential impact of compromised accounts.