Attack.t1556 — CraftedSignal Threat Feed

Unauthorized Modification of Azure Conditional Access Policy

hello@craftedsignal.io — Wed, 29 May 2024 12:00:00 +0000

Compromised or malicious actors may attempt to modify Azure Conditional Access (CA) policies to weaken security controls, elevate privileges, or establish persistence within the Azure environment. Conditional Access policies are critical for enforcing organizational security standards, and unauthorized changes can have significant security implications. This activity is detected through Azure Audit Logs by monitoring for “Update conditional access policy” events. Defenders should investigate any modifications to Conditional Access policies to ensure they are legitimate and align with security best practices. Detecting and responding to unauthorized CA policy modifications is crucial for maintaining the integrity and security of the Azure environment.

Attack Chain

Initial Access: The attacker gains initial access through compromised credentials or other means (not specified in source).
Privilege Escalation: The attacker leverages existing privileges or exploits vulnerabilities to gain sufficient permissions to modify Conditional Access policies (e.g., through a compromised Global Administrator account).
Policy Enumeration: The attacker enumerates existing Conditional Access policies to identify targets for modification using tools like Azure PowerShell or the Azure portal.
Policy Modification: The attacker modifies a Conditional Access policy, for example, by weakening MFA requirements, excluding specific users or groups from the policy, or disabling the policy altogether.
Persistence: By weakening or disabling Conditional Access policies, the attacker establishes a persistent foothold in the environment, allowing them to bypass security controls and maintain unauthorized access.
Credential Access: With weakened MFA or other access controls, the attacker gains easier access to sensitive credentials.
Defense Impairment: The modification of CA policies impairs the organization’s defense mechanisms, making it easier for the attacker to perform malicious activities undetected.

Impact

Successful modification of Conditional Access policies can lead to significant security breaches, including unauthorized access to sensitive data, privilege escalation, and persistent compromise of the Azure environment. The number of affected users and resources depends on the scope of the modified policies. Organizations may experience data loss, financial losses, and reputational damage.

Recommendation

Deploy the “CA Policy Updated by Non Approved Actor” Sigma rule to your SIEM to detect unauthorized modifications to Conditional Access policies within your Azure environment.
Review the properties.message field in the Azure Audit Logs for “Update conditional access policy” events and compare “old” vs “new” values to understand the nature of the changes.
Implement strict role-based access control (RBAC) to limit the number of users who can modify Conditional Access policies.
Investigate any alerts generated by the Sigma rule and verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
Enable multi-factor authentication (MFA) for all users, especially those with administrative privileges, to reduce the risk of credential compromise (related to attack.credential-access tag).

Azure AD Root Certificate Authority Added for Passwordless Authentication

hello@craftedsignal.io — Wed, 08 May 2024 18:22:00 +0000

The addition of a new root certificate authority (CA) in Azure Active Directory (Azure AD) to support certificate-based authentication (CBA) can be a sign of malicious activity. While CBA offers passwordless authentication benefits, attackers can abuse it to establish persistent access, escalate privileges, or evade detection. An attacker with sufficient privileges in the Azure AD tenant can add a rogue CA, enabling them to authenticate as any user within the directory, even without their password. This bypasses multi-factor authentication (MFA) and grants unauthorized access to sensitive resources and data. Defenders should monitor Azure AD audit logs for unexpected modifications to the TrustedCAsForPasswordlessAuth setting, as this could indicate a compromised administrator account or an insider threat attempting to establish a backdoor.

Attack Chain

Compromise an Azure AD administrator account with sufficient privileges to modify tenant-wide settings. This may be achieved through phishing, credential stuffing, or exploiting vulnerabilities.
The attacker authenticates to the Azure portal or uses PowerShell cmdlets to interact with Azure AD.
The attacker executes commands to add a new, attacker-controlled root certificate authority to the TrustedCAsForPasswordlessAuth setting. This involves modifying the Company Information object.
The attacker generates or obtains a certificate signed by the newly added root CA.
The attacker uses the certificate to authenticate to Azure AD as a targeted user, bypassing password requirements and multi-factor authentication.
The attacker gains access to the targeted user’s resources, such as email, files, and applications.
The attacker escalates privileges within the Azure AD tenant by impersonating highly privileged users or roles.
The attacker maintains persistent access to the Azure AD tenant, even if the compromised administrator account is remediated.

Impact

A successful attack can lead to complete compromise of the Azure AD tenant, including access to sensitive data, applications, and resources. Attackers can use the compromised tenant to move laterally to other systems, exfiltrate data, or disrupt business operations. The number of potential victims is dependent on the size of the Azure AD tenant. Organizations across all sectors are at risk, especially those heavily reliant on Azure AD for identity and access management.

Recommendation

Deploy the Sigma rule “New Root Certificate Authority Added” to your SIEM to detect unauthorized modifications to the TrustedCAsForPasswordlessAuth setting (rule).
Review Azure AD audit logs regularly for suspicious activity related to the “Set Company Information” operation (logsource).
Implement multi-factor authentication (MFA) for all Azure AD accounts, including administrators, but understand that CBA can bypass it.
Enforce the principle of least privilege and restrict the number of accounts with permissions to modify tenant-wide settings.
Monitor for the use of certificates signed by unknown or untrusted CAs to authenticate to Azure AD.
Consult the SpecterOps and Goodworkaround articles for more information on certificate-based authentication abuse in Azure AD (references).

User Added to Group with Conditional Access Policy Modification Access

hello@craftedsignal.io — Wed, 03 Jan 2024 18:22:00 +0000

This activity involves the addition of a user to an Azure Active Directory group that possesses the ability to modify Conditional Access (CA) policies. Conditional Access policies are used to enforce authentication requirements based on various conditions (user, location, device, etc.). If an attacker gains the ability to modify these policies, they can weaken security controls to facilitate privilege escalation, credential access, persistence within the environment, and impair defenses. This type of attack can be initiated by an insider threat or external compromise of an account. The goal is to manipulate CA policies to bypass multi-factor authentication, grant unauthorized access, or maintain persistence.

Attack Chain

The attacker gains initial access to a user account or service principal with sufficient privileges to manage group memberships in Azure AD. This could be achieved through credential compromise or other initial access vectors.
The attacker identifies a target Azure AD group that has permissions to manage Conditional Access policies. These groups are often used to delegate administrative control over CA policies.
The attacker uses the Azure portal, PowerShell, or the Azure AD Graph API/Microsoft Graph API to add a malicious user account to the target group.
The Azure Audit Logs record the “Add member from group” event, indicating the change in group membership.
The newly added malicious user inherits the group’s permissions, which includes the ability to view, create, modify, and delete Conditional Access policies.
The attacker modifies existing CA policies to weaken security controls. For example, they might exclude themselves from MFA requirements or grant access to sensitive resources without proper authorization.
The attacker leverages their modified CA policies to gain unauthorized access to sensitive data or resources.
The attacker establishes persistence by creating new CA policies that ensure their continued access, even if their initial access is revoked.

Impact

Successful exploitation of this attack chain can lead to significant compromise of an organization’s Azure environment. Attackers can bypass MFA, gain access to sensitive resources, establish persistent access, and impair security defenses. The extent of the damage depends on the permissions associated with the compromised group and the scope of the modified Conditional Access policies. This can lead to data breaches, financial loss, and reputational damage.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect additions of users to groups with CA policy modification access and tune for your environment.
Regularly review and audit Azure AD group memberships, especially for groups with administrative privileges (as detected by the Sigma rule).
Implement multi-factor authentication for all users, especially those with administrative privileges.
Enforce the principle of least privilege when assigning permissions to Azure AD groups.
Monitor Azure AD audit logs for suspicious activity related to group membership changes and Conditional Access policy modifications.