{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/azuread/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azuread","authentication","geo-location","unauthorized-access","credential-compromise","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief addresses the risk of unauthorized access to Azure Active Directory (Azure AD) resources stemming from successful authentication events originating from unexpected geographic locations. While the source material does not attribute this activity to a specific threat actor, such access can be indicative of compromised user accounts, sophisticated phishing attacks, or insider threats. The focus is on detecting deviations from established operational norms, where user logins typically originate from known and trusted countries. By monitoring sign-in logs, security teams can identify potentially malicious activity that bypasses standard security controls and warrants further investigation. Effective detection relies on maintaining an accurate list of countries where the organization operates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e An attacker obtains valid user credentials through phishing, malware, or credential stuffing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker leverages the compromised credentials to attempt authentication to Azure AD.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Request:\u003c/strong\u003e The attacker initiates a sign-in request to Azure AD from an IP address associated with an unexpected geographic location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypass MFA (if present):\u003c/strong\u003e If multi-factor authentication (MFA) is enabled, the attacker may attempt to bypass it through techniques like MFA fatigue or SIM swapping.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication:\u003c/strong\u003e The attacker successfully authenticates to Azure AD, gaining access to cloud resources and applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges within the Azure AD environment to gain broader access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally within the cloud environment, accessing sensitive data and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / Persistence:\u003c/strong\u003e The attacker exfiltrates sensitive data or establishes persistent access for future malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to significant data breaches, financial loss, and reputational damage. The extent of the impact depends on the level of access gained by the attacker and the sensitivity of the compromised data. Organizations may face regulatory fines, legal action, and loss of customer trust. The absence of geographic restrictions on authentication increases the attack surface and elevates the risk of unauthorized access from malicious actors operating outside of the organization\u0026rsquo;s control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect successful authentications from countries outside of the organization\u0026rsquo;s operational footprint, based on the \u003ccode\u003eLocation\u003c/code\u003e field in Azure AD sign-in logs.\u003c/li\u003e\n\u003cli\u003eMaintain and regularly update a whitelist of countries where the organization operates to ensure the accuracy of the \u003ccode\u003efilter\u003c/code\u003e in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the sign-in event and the potential compromise of the user account.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise, although attackers may attempt to bypass MFA.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T18:22:00Z","date_published":"2024-01-29T18:22:00Z","id":"/briefs/2024-01-azure-auth-bypass/","summary":"Detection of successful authentications originating from geographic locations outside of an organization's expected operational footprint, potentially indicating compromised credentials or unauthorized access.","title":"Azure AD Authentication from Unexpected Geo-locations","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","threat-intelligence","risk-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAzure AD Threat Intelligence identifies suspicious user activities that deviate from established patterns or align with known attack tactics. These alerts, surfaced within the Azure AD Identity Protection framework, are crucial for detecting stealthy maneuvers, persistence attempts, unauthorized privilege escalations, and initial access attempts. The alerts are triggered by unusual sign-ins, potentially originating from unfamiliar locations or devices. Defenders should prioritize investigation into these alerts as they can be indicative of compromised accounts or malicious actors attempting to gain unauthorized access to resources within the Azure environment. Successfully identifying and mitigating these threats prevents further lateral movement, data exfiltration, and potential damage to the organization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises user credentials through phishing, credential stuffing, or other means (Initial Access).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to sign in to Azure AD using the compromised credentials, potentially from an unusual location or device.\u003c/li\u003e\n\u003cli\u003eAzure AD Threat Intelligence detects the unusual sign-in activity based on risk indicators and flags it as \u0026lsquo;investigationsThreatIntelligence\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker, if successful in the initial sign-in, attempts to access sensitive resources or applications within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to establish persistence by modifying user profiles or application settings.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges by exploiting vulnerabilities or misconfigurations within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other resources and accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack targeting Azure AD can compromise user accounts and lead to unauthorized access to sensitive data and resources. The impact can range from data breaches and financial losses to reputational damage and disruption of business operations. Organizations relying heavily on Azure AD for identity and access management are particularly vulnerable. The number of affected users and the extent of the damage will depend on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026lsquo;investigationsThreatIntelligence\u0026rsquo; events within Azure AD risk detection logs (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate sessions flagged by the detection, correlating with other sign-in events from the same user to identify potential false positives or confirm malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to mitigate the risk of compromised credentials and unauthorized sign-ins.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access based on location, device, and other risk factors.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-azuread-threatintel/","summary":"This brief focuses on detecting unusual user activity and sign-in patterns flagged by Azure AD Threat Intelligence, which may indicate stealthy attacks, persistence attempts, privilege escalation, or initial access.","title":"Azure AD Threat Intelligence Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-azuread-threatintel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","anonymous-proxy","identity-protection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on identifying malicious activity within Azure Active Directory environments where users are observed originating traffic from anonymous IP addresses. These IP addresses are typically associated with VPNs, Tor exit nodes, or proxy services, often used by threat actors to obfuscate their true location and evade detection. The activity is flagged within Azure AD Identity Protection as a \u0026lsquo;riskyIPAddress\u0026rsquo;. Detecting and investigating these events is crucial, as they often precede or accompany other malicious behaviors such as account compromise, privilege escalation, and data exfiltration. It allows defenders to proactively identify and respond to potential security incidents before significant damage occurs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure AD user account through various means, such as credential theft, phishing, or brute-force attacks.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages an anonymous proxy service (e.g., VPN, Tor) to mask their true IP address and location.\u003c/li\u003e\n\u003cli\u003eThe compromised user account is used to sign in to Azure AD from the anonymous IP address.\u003c/li\u003e\n\u003cli\u003eAzure AD Identity Protection flags the sign-in attempt as \u0026lsquo;riskyIPAddress\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges within the Azure AD environment, potentially targeting sensitive roles or resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to establish persistence by creating new user accounts or modifying existing ones.\u003c/li\u003e\n\u003cli\u003eThe attacker may then try to access sensitive data or resources within the Azure AD environment.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker exfiltrates sensitive data or launches further attacks against other systems within the organization\u0026rsquo;s network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging anonymous IP addresses can lead to significant damage, including unauthorized access to sensitive data, compromise of critical systems, and financial losses. The use of anonymous proxies makes attribution and incident response more difficult, potentially prolonging the duration of the attack. Organizations may experience data breaches, reputational damage, and regulatory fines as a result of such attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026lsquo;riskyIPAddress\u0026rsquo; events in Azure AD logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any sign-in events flagged as \u0026lsquo;riskyIPAddress\u0026rsquo; in the context of other sign-ins from the same user to identify potential account compromise.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to reduce the risk of account compromise.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access from untrusted locations or devices.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for suspicious activity, such as changes to user accounts, group memberships, or application permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-09-azure-anonymous-ip/","summary":"Detection of user activity originating from an IP address identified as an anonymous proxy, potentially indicating unauthorized access, privilege escalation, or persistence within an Azure Active Directory environment.","title":"Azure AD Activity From Anonymous IP Address","url":"https://feed.craftedsignal.io/briefs/2024-01-09-azure-anonymous-ip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","role-assignment","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often target identity and access management systems like Azure Active Directory (Azure AD) to gain control over an organization\u0026rsquo;s resources. By adding users to highly privileged roles such as Global Administrator or Device Administrator, adversaries can achieve persistence, allowing them to regain access even after initial compromises are remediated. This activity often occurs after an initial foothold has been established, enabling privilege escalation and stealthy movement within the cloud environment. Monitoring role assignments in Azure AD is crucial for detecting and preventing unauthorized access and maintaining the integrity of the organization\u0026rsquo;s cloud infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure AD account, possibly through credential theft or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses PowerShell with compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Azure AD roles and identifies potential targets like Global Administrator or Device Administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAdd-AzureADGroupMember\u003c/code\u003e or similar cmdlets to add a compromised or newly created user account to the target role.\u003c/li\u003e\n\u003cli\u003eThe Azure AD audit logs record the \u0026ldquo;Add member to role\u0026rdquo; operation with the specific role GUIDs (e.g., \u0026lsquo;7698a772-787b-4ac8-901f-60d6b08affd2\u0026rsquo; or \u0026lsquo;62e90394-69f5-4237-9190-012177145e10\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003eThe newly added user account inherits the privileges associated with the Global Administrator or Device Administrator role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to access sensitive data, modify configurations, or deploy malicious applications.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistent access by creating new administrative accounts or modifying existing ones to maintain control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful addition of a user to a Global Administrator or Device Administrator role grants the attacker unrestricted access to the Azure AD tenant, potentially impacting all resources connected to it. This can lead to data breaches, service disruptions, financial losses, and reputational damage. The scope of the impact depends on the extent to which the attacker leverages the compromised privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious additions of users to Global or Device Admin roles in Azure AD Audit Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the context of the user account being added and the source of the role assignment operation.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential theft (T1078.004).\u003c/li\u003e\n\u003cli\u003eRegularly review Azure AD role assignments to identify and remove any unauthorized or unnecessary privileges.\u003c/li\u003e\n\u003cli\u003eMonitor for other suspicious Azure AD activity, such as unusual sign-in patterns, application registrations, and resource deployments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:27:00Z","date_published":"2024-01-03T18:27:00Z","id":"/briefs/2024-01-03-azuread-role-assignment/","summary":"An attacker may attempt to add a user to a high-privilege Azure AD role, such as Global Administrator or Device Administrator, to establish persistence, gain initial access, escalate privileges, or operate stealthily within the compromised environment.","title":"Azure AD User Added to Global or Device Admin Role","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azuread-role-assignment/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","temporary-access-pass","privilege-escalation","initial-access","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies when a temporary access pass (TAP) is added to an Azure Active Directory (Azure AD) account. TAPs are intended for temporary use, allowing users to access resources or perform actions without needing a password. While legitimate use cases exist, adversaries can leverage TAPs to gain unauthorized access, escalate privileges, establish persistence, or move laterally within an Azure environment. This activity warrants investigation, especially if the TAP is added to a privileged account. The source material does not indicate a specific campaign or threat actor, but the technique aligns with common cloud-based attack vectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise (Optional):\u003c/strong\u003e An attacker gains initial access to an Azure AD account through compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker escalates privileges to an account with sufficient permissions to manage TAPs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTAP Generation:\u003c/strong\u003e The attacker, using an account with appropriate permissions, generates a temporary access pass (TAP) for a target account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTAP Activation:\u003c/strong\u003e The attacker uses the TAP to authenticate to the target account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Access:\u003c/strong\u003e Once authenticated, the attacker gains access to resources and applications associated with the target account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker uses the compromised account to access other resources or accounts within the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker establishes persistence by creating new credentials or modifying existing ones, if permissions allow.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, systems, and applications within the Azure environment. Compromised privileged accounts can grant attackers control over critical infrastructure, leading to data breaches, service disruptions, and reputational damage. The impact depends on the permissions associated with the compromised account and the resources accessible through the TAP.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect TAP additions in Azure AD audit logs (see rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where TAPs are added to privileged accounts in Azure AD, as highlighted in the rule description and references.\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for suspicious activity surrounding the TAP generation event, including the source IP address and user agent (see rules).\u003c/li\u003e\n\u003cli\u003eMonitor for anomalous sign-in activity using TAPs, specifically focusing on unusual locations or devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-azure-tap-added/","summary":"Detection of a temporary access pass (TAP) being added to an Azure AD account, which could indicate potential privilege escalation, initial access, persistence, or stealth activity.","title":"Azure AD Temporary Access Pass Added to Account","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-tap-added/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azuread","brute-force","credential-stuffing","authentication"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on detecting abnormal increases in failed authentication attempts within Azure Active Directory (Azure AD). An adversary attempting to gain unauthorized access to user accounts or systems often performs brute-force or credential stuffing attacks. These attacks result in a higher-than-normal number of failed sign-in attempts. Monitoring and detecting such increases can provide early warning of potential breaches or compromised accounts. Defenders should investigate any significant spikes in failed authentications as they might indicate malicious activity targeting user accounts or application access. The detection is based on analysis of Azure AD sign-in logs to identify when the number of failed sign-ins increases by 10% or greater, warranting further investigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker attempts to gain initial access through various methods, such as phishing, compromised credentials, or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Stuffing/Brute-Force:\u003c/strong\u003e The attacker uses lists of known usernames and passwords (credential stuffing) or systematically tries different password combinations (brute-force) against Azure AD accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Attempts:\u003c/strong\u003e Each failed authentication attempt is logged within Azure AD sign-in logs, recording details such as username, IP address, and failure reason.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThreshold Exceeded:\u003c/strong\u003e The number of failed sign-in attempts reaches a threshold, triggering the detection rule based on a 10% or greater increase.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Lockout (Potential):\u003c/strong\u003e Multiple failed authentication attempts may lead to account lockouts, disrupting legitimate user access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication (Potential):\u003c/strong\u003e If the attacker guesses the correct credentials, they gain unauthorized access to the target account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e After gaining access, the attacker attempts to escalate privileges or move laterally within the network to access sensitive data or systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker exfiltrates sensitive data or causes disruption to services depending on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful brute-force or credential stuffing attack can lead to unauthorized access to user accounts, data breaches, and service disruptions. Depending on the compromised account\u0026rsquo;s privileges, the attacker may gain access to sensitive information, escalate privileges, or move laterally within the organization\u0026rsquo;s network. The impact could range from minor data leaks to significant financial losses and reputational damage. Early detection and mitigation are crucial to minimize the impact of such attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect increases in failed Azure AD sign-in attempts and tune the threshold (10%) based on your environment (\u003ccode\u003eCount: \u0026quot;\u0026lt;10%\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule to determine the source and scope of the increased failed authentications.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users to mitigate the risk of credential-based attacks.\u003c/li\u003e\n\u003cli\u003eImplement account lockout policies to prevent attackers from repeatedly attempting to guess passwords.\u003c/li\u003e\n\u003cli\u003eMonitor sign-in logs for unusual patterns, such as sign-ins from unfamiliar locations or devices, to identify potential compromised accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-02-azure-ad-failed-auth-increase/","summary":"Detects a significant increase (10% or greater) in failed Azure AD sign-in attempts, potentially indicating brute-force attacks, credential stuffing, or other unauthorized access attempts.","title":"Azure AD Failed Authentication Increase","url":"https://feed.craftedsignal.io/briefs/2024-01-02-azure-ad-failed-auth-increase/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["azure"],"_cs_severities":["medium"],"_cs_tags":["azuread","guest-user","privilege-escalation","persistence","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert focuses on detecting the invitation of guest users to an Azure Active Directory (AD) tenant by accounts that are not pre-approved to perform this action. Unauthorized guest user invitations can be an indicator of various malicious activities. An attacker could be attempting to escalate privileges by adding an account they control, establish persistence by creating a backdoor account, or gain initial access to the environment. This activity might be part of a broader attack aimed at gaining unauthorized access to sensitive resources or data within the organization\u0026rsquo;s Azure environment. It is important to ensure that only authorized personnel can invite external users to maintain security and prevent potential abuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a low-privilege user account within the Azure AD tenant or uses existing compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to invite an external guest user to the tenant using the compromised account.\u003c/li\u003e\n\u003cli\u003eThe Azure AD audit logs record the \u0026ldquo;Invite external user\u0026rdquo; operation under the UserManagement category.\u003c/li\u003e\n\u003cli\u003eThe audit log event is generated, capturing details such as the user who initiated the invitation (InitiatedBy) and the target guest user\u0026rsquo;s information.\u003c/li\u003e\n\u003cli\u003eThe detection logic evaluates if the InitiatedBy user is within the list of approved guest inviters.\u003c/li\u003e\n\u003cli\u003eIf the inviting user is not on the approved list, the detection rule triggers, indicating a potentially unauthorized guest invitation.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to leverage the newly invited guest account for lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the guest account to access resources and data within the Azure AD environment, potentially leading to data breaches or other security incidents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this vulnerability can lead to unauthorized access to sensitive data and resources within the Azure AD tenant. While the precise number of potential victims is unknown, the impact could range from a limited breach affecting a small set of resources to a widespread compromise impacting the entire organization. The addition of unauthorized guest accounts can facilitate lateral movement, data exfiltration, and other malicious activities, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect unauthorized guest user invitations in Azure AD audit logs and tune the \u003ccode\u003efilter\u003c/code\u003e with a list of approved inviters.\u003c/li\u003e\n\u003cli\u003eReview and restrict the number of users authorized to invite guest users to the Azure AD tenant based on business needs.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, including guest accounts, to prevent unauthorized access (related to audit logs).\u003c/li\u003e\n\u003cli\u003eRegularly audit Azure AD logs for any suspicious activity related to user management (related to audit logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-azuread-guest-invite/","summary":"Detection of unauthorized guest user invitations within an Azure Active Directory tenant, indicating potential privilege escalation, persistence, or initial access attempts.","title":"Unauthorized Guest User Invitations in Azure AD","url":"https://feed.craftedsignal.io/briefs/2024-01-02-azuread-guest-invite/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","identity-protection","impossible-travel","account-compromise","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule detects \u0026ldquo;impossible travel\u0026rdquo; events within Azure Active Directory (Azure AD), a common indicator of account compromise. The scenario involves a user account exhibiting login activity from two geographically distant locations in a timeframe that makes physical travel between them impossible. This anomalous behavior often signifies that an attacker has gained unauthorized access to the account and is operating from a different location than the legitimate user. The rule leverages Azure AD Identity Protection\u0026rsquo;s risk detection capabilities to identify such instances. This detection is crucial for defenders as it highlights potential breaches and enables swift remediation actions to prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user\u0026rsquo;s credentials, potentially through phishing (T1566), credential stuffing, or malware.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to Azure AD from a geographic location different from the legitimate user\u0026rsquo;s typical location.\u003c/li\u003e\n\u003cli\u003eShortly after the initial authentication, the legitimate user authenticates to Azure AD from their usual location.\u003c/li\u003e\n\u003cli\u003eAzure AD Identity Protection flags the activity as \u0026ldquo;impossible travel\u0026rdquo; due to the conflicting geographic locations and the short timeframe between the authentications.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;impossibleTravel\u0026rdquo; risk event is logged within Azure AD\u0026rsquo;s risk detection logs.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges within the compromised account (T1068) to gain broader access to resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may move laterally within the organization (T1021) to access sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s ultimate goal could be data exfiltration, financial theft, or disruption of services, depending on the organization\u0026rsquo;s profile.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful \u0026ldquo;impossible travel\u0026rdquo; attack can lead to a full compromise of the user\u0026rsquo;s account, granting the attacker access to sensitive data, internal systems, and other resources accessible to the user. Depending on the user\u0026rsquo;s role and permissions, the impact could range from data breaches to financial losses and significant reputational damage. Organizations in all sectors are vulnerable, with a higher risk for those handling sensitive data or operating critical infrastructure. The number of affected users depends on the attacker\u0026rsquo;s ability to move laterally and escalate privileges after compromising the initial account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026ldquo;impossible travel\u0026rdquo; events flagged by Azure AD Identity Protection, focusing on the \u003ccode\u003eriskEventType: 'impossibleTravel'\u003c/code\u003e (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts promptly, focusing on the user account involved and the geographic locations of the login attempts (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eReview and enhance user training programs to educate employees on the risks of phishing and credential compromise (T1566).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to mitigate the risk of unauthorized access even if credentials are compromised (T1110).\u003c/li\u003e\n\u003cli\u003eReview and adjust the sensitivity of Azure AD Identity Protection\u0026rsquo;s risk detection policies to align with your organization\u0026rsquo;s risk tolerance.\u003c/li\u003e\n\u003cli\u003eConsider implementing conditional access policies that restrict access based on geographic location or require MFA for logins from unfamiliar locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-impossible-travel/","summary":"This brief describes the detection of 'impossible travel' events in Azure AD, where a user appears to log in from geographically distant locations within an implausibly short time frame, potentially indicating account compromise.","title":"Impossible Travel Detection in Azure AD","url":"https://feed.craftedsignal.io/briefs/2024-01-impossible-travel/"}],"language":"en","title":"CraftedSignal Threat Feed — Azuread","version":"https://jsonfeed.org/version/1.1"}