{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1548/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","conditional-access","policy-modification","attack.privilege-escalation","attack.credential-access","attack.persistence","attack.defense-impairment","attack.t1548","attack.t1556"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCompromised or malicious actors may attempt to modify Azure Conditional Access (CA) policies to weaken security controls, elevate privileges, or establish persistence within the Azure environment. Conditional Access policies are critical for enforcing organizational security standards, and unauthorized changes can have significant security implications. This activity is detected through Azure Audit Logs by monitoring for \u0026ldquo;Update conditional access policy\u0026rdquo; events. Defenders should investigate any modifications to Conditional Access policies to ensure they are legitimate and align with security best practices. 
Detecting and responding to unauthorized CA policy modifications is crucial for maintaining the integrity and security of the Azure environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access through compromised credentials or other means (not specified in source).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages existing privileges or exploits vulnerabilities to gain sufficient permissions to modify Conditional Access policies (e.g., through a compromised Global Administrator account).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Enumeration:\u003c/strong\u003e The attacker enumerates existing Conditional Access policies to identify targets for modification using tools like Azure PowerShell or the Azure portal.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Modification:\u003c/strong\u003e The attacker modifies a Conditional Access policy, for example, by weakening MFA requirements, excluding specific users or groups from the policy, or disabling the policy altogether.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e By weakening or disabling Conditional Access policies, the attacker establishes a persistent foothold in the environment, allowing them to bypass security controls and maintain unauthorized access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e With weakened MFA or other access controls, the attacker gains easier access to sensitive credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Impairment:\u003c/strong\u003e The modification of CA policies impairs the organization\u0026rsquo;s defense mechanisms, making it easier for the attacker to perform malicious activities undetected.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Conditional Access policies can lead to significant security breaches, including unauthorized access to sensitive data, privilege escalation, and persistent compromise of the Azure environment. The number of affected users and resources depends on the scope of the modified policies. Organizations may experience data loss, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;CA Policy Updated by Non Approved Actor\u0026rdquo; Sigma rule to your SIEM to detect unauthorized modifications to Conditional Access policies within your Azure environment.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eproperties.message\u003c/code\u003e field in the Azure Audit Logs for \u0026ldquo;Update conditional access policy\u0026rdquo; events and compare \u0026ldquo;old\u0026rdquo; vs \u0026ldquo;new\u0026rdquo; values to understand the nature of the changes.\u003c/li\u003e\n\u003cli\u003eImplement strict role-based access control (RBAC) to limit the number of users who can modify Conditional Access policies.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all users, especially those with administrative privileges, to reduce the risk of credential compromise (related to attack.credential-access tag).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-29T12:00:00Z","date_published":"2024-05-29T12:00:00Z","id":"/briefs/2024-05-29-azure-ca-policy-update/","summary":"An unauthorized actor modifies an Azure Conditional Access policy, potentially leading to privilege escalation, credential access, persistence, or defense 
impairment.","title":"Unauthorized Modification of Azure Conditional Access Policy","url":"https://feed.craftedsignal.io/briefs/2024-05-29-azure-ca-policy-update/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["attack.privilege-escalation","attack.credential-access","attack.persistence","attack.defense-impairment","attack.t1548","attack.t1556"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis activity involves the addition of a user to an Azure Active Directory group that possesses the ability to modify Conditional Access (CA) policies. Conditional Access policies are used to enforce authentication requirements based on various conditions (user, location, device, etc.). If an attacker gains the ability to modify these policies, they can weaken security controls to facilitate privilege escalation, credential access, persistence within the environment, and impair defenses. This type of attack can be initiated by an insider threat or external compromise of an account. The goal is to manipulate CA policies to bypass multi-factor authentication, grant unauthorized access, or maintain persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a user account or service principal with sufficient privileges to manage group memberships in Azure AD. This could be achieved through credential compromise or other initial access vectors.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target Azure AD group that has permissions to manage Conditional Access policies. 
These groups are often used to delegate administrative control over CA policies.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Azure portal, PowerShell, or the Azure AD Graph API/Microsoft Graph API to add a malicious user account to the target group.\u003c/li\u003e\n\u003cli\u003eThe Azure Audit Logs record the \u0026ldquo;Add member from group\u0026rdquo; event, indicating the change in group membership.\u003c/li\u003e\n\u003cli\u003eThe newly added malicious user inherits the group\u0026rsquo;s permissions, which includes the ability to view, create, modify, and delete Conditional Access policies.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies existing CA policies to weaken security controls. For example, they might exclude themselves from MFA requirements or grant access to sensitive resources without proper authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their modified CA policies to gain unauthorized access to sensitive data or resources.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating new CA policies that ensure their continued access, even if their initial access is revoked.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this attack chain can lead to significant compromise of an organization\u0026rsquo;s Azure environment. Attackers can bypass MFA, gain access to sensitive resources, establish persistent access, and impair security defenses. The extent of the damage depends on the permissions associated with the compromised group and the scope of the modified Conditional Access policies. 
This can lead to data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect additions of users to groups with CA policy modification access and tune for your environment.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Azure AD group memberships, especially for groups with administrative privileges (as detected by the Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all users, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege when assigning permissions to Azure AD groups.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for suspicious activity related to group membership changes and Conditional Access policy modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:00Z","date_published":"2024-01-03T18:22:00Z","id":"/briefs/2024-01-azure-group-add/","summary":"An attacker adds a user to a privileged Azure Active Directory group with permissions to modify Conditional Access policies, potentially leading to privilege escalation, credential access, persistence, and defense impairment.","title":"User Added to Group with Conditional Access Policy Modification Access","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-group-add/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","conditional-access","privilege-escalation","attack.privilege-escalation","attack.t1548"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the creation of a new Conditional Access (CA) policy within Azure Active Directory (Azure AD) by an actor not authorized to perform such actions. 
Conditional Access policies are critical security controls that enforce organizational policies based on various conditions, such as user identity, location, device, and application. Unauthorized modification or creation of these policies can lead to significant security breaches, allowing attackers to bypass security controls, escalate privileges, and gain unauthorized access to sensitive resources. This activity is detected via Azure Audit Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to an account with sufficient privileges to interact with Azure AD, potentially through compromised credentials or an insider threat.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Needed):\u003c/strong\u003e The attacker escalates privileges within Azure AD to a role that permits the creation or modification of Conditional Access policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Creation:\u003c/strong\u003e The attacker creates a new Conditional Access policy using the Azure portal, PowerShell, or Azure CLI.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Configuration:\u003c/strong\u003e The attacker configures the CA policy to weaken security controls, such as disabling MFA for specific users, locations, or applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypass Security Controls:\u003c/strong\u003e The newly created or modified CA policy allows the attacker to bypass intended security controls, granting them unauthorized access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With bypassed security controls, the attacker moves laterally within the network, accessing sensitive resources and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker achieves their final objective, 
such as exfiltrating sensitive data or causing disruption to business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe creation of unauthorized Conditional Access policies can have severe consequences, including unauthorized access to sensitive data, privilege escalation, and circumvention of security controls. The impact can range from data breaches and financial loss to reputational damage and disruption of critical business services. If successful, attackers could gain complete control over the Azure AD environment, affecting all connected services and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized CA policy creation events in Azure Audit Logs.\u003c/li\u003e\n\u003cli\u003eReview Azure AD role assignments to ensure least privilege and restrict CA policy management to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to identify the actor and the details of the created CA policy.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users, especially those with administrative privileges, to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for other suspicious activities, such as changes to user accounts, group memberships, and application registrations.\u003c/li\u003e\n\u003cli\u003eEstablish a baseline of expected CA policy configurations and alert on deviations from this baseline.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-ca-policy-add/","summary":"An unauthorized actor created a new Conditional Access policy in Azure AD, potentially leading to privilege escalation and unauthorized access.","title":"Unauthorized 
Conditional Access Policy Creation in Azure AD","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-ca-policy-add/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS STS"],"_cs_severities":["medium"],"_cs_tags":["attack.lateral-movement","attack.privilege-escalation","attack.t1548","attack.t1550","attack.t1550.001"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe AWS Security Token Service (STS) AssumeRole function allows users or applications to assume a different IAM role, granting temporary access to resources and permissions associated with that role. Attackers who gain initial access to an AWS account can misuse AssumeRole to move laterally to other roles and escalate their privileges. This can occur if the initial role has overly permissive trust relationships or if an attacker can manipulate the role assumption process. This activity is detected through CloudTrail logs that record the AssumeRole event. The impact of this activity can be significant, depending on the permissions associated with the roles assumed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies IAM roles within the AWS environment that they may be able to assume.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to use the \u003ccode\u003eAssumeRole\u003c/code\u003e API call to assume a different role. This call includes parameters specifying the target role ARN and a session name.\u003c/li\u003e\n\u003cli\u003eAWS STS validates the request. 
Successful validation depends on the trust policy of the target role and the permissions of the initial user or role.\u003c/li\u003e\n\u003cli\u003eIf the validation is successful, AWS STS returns temporary security credentials (access key ID, secret access key, and session token) to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these temporary credentials to access AWS resources and perform actions authorized by the assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to move laterally and escalate privileges by assuming additional roles.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as accessing sensitive data, modifying configurations, or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a wide range of impacts, including unauthorized access to sensitive data stored in S3 buckets or databases, modification or deletion of critical infrastructure configurations, and disruption of AWS services. The scope of the impact depends on the permissions associated with the roles that the attacker is able to assume. 
This can affect any organization using AWS, and the consequences can range from data breaches and financial losses to reputational damage and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect suspicious \u003ccode\u003eAssumeRole\u003c/code\u003e activity based on \u003ccode\u003euserIdentity.type\u003c/code\u003e and \u003ccode\u003euserIdentity.sessionContext.sessionIssuer.type\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and harden IAM role trust policies to ensure that only authorized entities can assume roles.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for unusual patterns of \u003ccode\u003eAssumeRole\u003c/code\u003e API calls, especially those originating from unfamiliar user identities or locations.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users to reduce the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-assumerole-misuse/","summary":"Abuse of AWS STS AssumeRole can allow attackers to move laterally within an AWS environment and escalate privileges, potentially leading to unauthorized access to sensitive resources and data.","title":"AWS STS AssumeRole Misuse for Lateral Movement and Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-assumerole-misuse/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1548","version":"https://jsonfeed.org/version/1.1"}