{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1098.003/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["attack.initial-access","attack.persistence","attack.privilege-escalation","attack.stealth","attack.t1098.003","attack.t1078"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers who control an account with rights to modify Azure Active Directory role membership may add a user they control to an administrative role to establish persistence and elevate privileges. This lets them act as a highly privileged user, bypass security controls, and reach sensitive resources. The activity is recorded in the Azure Activity Logs as an \u0026lsquo;Add member to role.\u0026rsquo; operation in the \u0026lsquo;AzureActiveDirectory\u0026rsquo; workload; the detection matches role names (the \u003ccode\u003eModifiedProperties{}.NewValue\u003c/code\u003e field) ending in \u0026lsquo;Admins\u0026rsquo; or \u0026lsquo;Administrator\u0026rsquo;. Monitoring these events helps surface unauthorized privilege escalation, whether it stems from compromised credentials or an insider threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eCompromise an existing user account with sufficient permissions to modify Azure AD role membership.\u003c/li\u003e\n\u003cli\u003eAuthenticate to the Azure portal, or use PowerShell or the Azure CLI, with the compromised account.\u003c/li\u003e\n\u003cli\u003eIdentify a target Azure AD administrative role (e.g., Global Administrator, Security Administrator).\u003c/li\u003e\n\u003cli\u003eExecute the \u0026lsquo;Add member to role\u0026rsquo; operation, adding the attacker-controlled user to the target role. This can be performed via the Azure portal, PowerShell, or the Azure CLI.\u003c/li\u003e\n\u003cli\u003eThe Azure Activity Logs record the event with the operation \u0026lsquo;Add member to role.\u0026rsquo; and the \u0026lsquo;Workload\u0026rsquo; \u0026lsquo;AzureActiveDirectory\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eModifiedProperties{}.NewValue\u003c/code\u003e field carries the name of the role the user was added to; for built-in roles such as Global Administrator it ends in \u0026ldquo;Administrator\u0026rdquo;, and the rule also matches names ending in \u0026ldquo;Admins\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates as the newly added user and inherits the privileges of the administrative role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to access sensitive data, modify configurations, or deploy malicious applications.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful addition of a user to an Azure AD administrative role grants the attacker extensive control over the tenant. This can lead to data breaches, service disruptions, and the deployment of malicious applications. Compromised administrator accounts can be used to disable security features, change logging and retention settings, and create backdoors for persistent access. Detection is critical to limit the scope and duration of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect users being added to Azure AD administrative roles (logsource: azure, service: activitylogs).\u003c/li\u003e\n\u003cli\u003eInvestigate every \u0026ldquo;Add member to role.\u0026rdquo; event in the Azure AD Activity Logs where \u003ccode\u003eModifiedProperties{}.NewValue\u003c/code\u003e ends with \u0026lsquo;Admins\u0026rsquo; or \u0026lsquo;Administrator\u0026rsquo;, and confirm the change against an approved request. Privileged Identity Management (PIM) role activations raise the same event, so expect to tune for them rather than suppress the rule.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to reduce the risk of compromised credentials.\u003c/li\u003e\n\u003cli\u003eRegularly review Azure AD role assignments and remove privileges that are no longer needed.\u003c/li\u003e\n\u003cli\u003eMonitor the newly added member for unusual activity after the \u0026lsquo;Add member to role\u0026rsquo; event, such as sign-ins from unfamiliar locations or changes to security settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azuread-admin-role-add/","summary":"An adversary adds a user to an Azure Active Directory administrative role to gain initial access, persist in the environment, escalate privileges, and potentially operate stealthily.","title":"Azure AD User Added to Administrator Role","url":"https://feed.craftedsignal.io/briefs/2024-01-azuread-admin-role-add/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1098.003","version":"https://jsonfeed.org/version/1.1"}
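The detection the brief above describes (Operation 'Add member to role.', Workload 'AzureActiveDirectory', ModifiedProperties{}.NewValue ending in 'Admins' or 'Administrator'), run over a handful of audit records, as an added example that is not code from the CraftedSignal feed or from the Sigma rule itself. The record layout approximates the audit schema the rule reads; the `contoso.example` accounts, timestamps and role values are constructed, the stripping of an extra pair of quotes around NewValue and the use of `Target[].Type == 5` for the user principal name are assumptions made for this example.

```python
"""Run the brief's 'user added to admin role' detection over audit records.

Added example, not code from the feed or the Sigma rule. The record shape
approximates the audit schema the rule reads (Operation, Workload,
ModifiedProperties[].NewValue, Target, UserId); tenant names, users and
timestamps below are constructed.
"""
import json
from dataclasses import dataclass

# Suffixes the Sigma rule matches on ModifiedProperties{}.NewValue.
ADMIN_SUFFIXES = ("Admins", "Administrator")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    actor: str   # account that performed the role change
    target: str  # account that was added to the role
    role: str


def _clean(value) -> str:
    """Normalise a NewValue: some exports wrap it in an extra pair of quotes
    (assumption for this example), which would defeat a plain suffix match."""
    text = str(value).strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    return text


def admin_roles_added(event: dict) -> list:
    """Return the admin role names this event adds a member to.

    Mirrors the rule's selection: Operation 'Add member to role.', Workload
    'AzureActiveDirectory', and at least one ModifiedProperties{}.NewValue
    ending in 'Admins' or 'Administrator'. An empty list means no match.
    """
    if event.get("Operation") != "Add member to role.":
        return []
    if event.get("Workload") != "AzureActiveDirectory":
        return []
    return [
        _clean(prop.get("NewValue", ""))
        for prop in event.get("ModifiedProperties") or []
        if _clean(prop.get("NewValue", "")).endswith(ADMIN_SUFFIXES)
    ]


def target_user(event: dict) -> str:
    """The principal being added. Assumption: the Target entry with Type 5
    carries the user principal name, as in the constructed records."""
    for entry in event.get("Target") or []:
        if entry.get("Type") == 5:
            return entry.get("ID", "")
    return ""


def detect(raw_lines) -> list:
    """Apply the rule to newline-delimited JSON audit records."""
    findings = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for role in admin_roles_added(event):
            findings.append(Finding(
                timestamp=event.get("CreationTime", ""),
                actor=event.get("UserId", ""),
                target=target_user(event),
                role=role,
            ))
    return findings


# Constructed sample records: one true positive with a quoted NewValue, one
# non-admin role, one group change (wrong Operation), one custom admin role.
SAMPLE_LOG = """
{"CreationTime":"2024-01-03T11:58:21","Operation":"Add member to role.","Workload":"AzureActiveDirectory","UserId":"helpdesk@contoso.example","Target":[{"ID":"j.doe@contoso.example","Type":5}],"ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"\\"Global Administrator\\"","OldValue":""},{"Name":"Role.ObjectID","NewValue":"00000000-0000-0000-0000-000000000001","OldValue":""}]}
{"CreationTime":"2024-01-03T12:01:05","Operation":"Add member to role.","Workload":"AzureActiveDirectory","UserId":"helpdesk@contoso.example","Target":[{"ID":"a.smith@contoso.example","Type":5}],"ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Directory Readers","OldValue":""}]}
{"CreationTime":"2024-01-03T12:02:40","Operation":"Add member to group.","Workload":"AzureActiveDirectory","UserId":"helpdesk@contoso.example","Target":[{"ID":"a.smith@contoso.example","Type":5}],"ModifiedProperties":[{"Name":"Group.DisplayName","NewValue":"Finance Admins","OldValue":""}]}
{"CreationTime":"2024-01-03T12:05:12","Operation":"Add member to role.","Workload":"AzureActiveDirectory","UserId":"svc-iam@contoso.example","Target":[{"ID":"b.lee@contoso.example","Type":5}],"ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Custom Admins","OldValue":""}]}
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.actor} added {f.target} to {f.role}")
```

The group-membership record is left out by the Operation gate even though its NewValue ends in "Admins", and the Directory Readers assignment is left out by the suffix match; what remains is the actor, target and role a responder needs to confirm against an approved request (or a PIM activation) before treating the event as escalation.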