<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Byoidp - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/byoidp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 18:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/byoidp/feed.xml" rel="self" type="application/rss+xml"/><item><title>Entra ID Service Principal Federated Credential Authentication by Unusual Client</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-entra-id-federated-login/</link><pubDate>Tue, 09 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-entra-id-federated-login/</guid><description>Detection of initial Entra ID service principal authentication using a federated identity credential, potentially indicating a rogue identity provider abusing compromised applications.</description><content:encoded><![CDATA[<p>This detection identifies when a service principal authenticates using a federated identity credential for the first time within a defined historical window. This event indicates that Entra ID has validated a JWT token, potentially against an external OIDC identity provider, and subsequently issued an access token. While this process is standard for CI/CD workflows like GitHub Actions and Azure DevOps, adversaries may exploit it by configuring rogue identity providers (BYOIDP) to authenticate as compromised applications. Detecting the first-time usage of a federated credential for a service principal is critical for identifying potential BYOIDP attacks. The rule examines Azure Sign-In Logs for service principals using federated identity credentials, excluding known good tenant IDs, to surface potentially malicious activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The adversary compromises an application or service principal within the target Entra ID environment.</li>
<li>The attacker configures a rogue identity provider (BYOIDP) that they control.</li>
<li>The adversary creates a federated identity credential on the compromised application, linking it to their rogue identity provider.</li>
<li>The compromised application requests authentication, triggering Entra ID to validate a JWT token against the attacker's rogue identity provider.</li>
<li>Entra ID issues an access token to the compromised application based on the validation from the rogue identity provider.</li>
<li>The adversary uses the access token to access resources and data within the Entra ID environment, masquerading as the legitimate application.</li>
<li>The adversary escalates privileges or moves laterally within the environment using the compromised application's permissions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful BYOIDP attack can grant an adversary unauthorized access to sensitive data and resources within an Entra ID environment. This can lead to data breaches, service disruptions, and significant reputational damage. The impact depends on the permissions and access rights of the compromised service principal. Undetected, this attack can persist, allowing continued unauthorized access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable collection of Microsoft Entra ID Sign-In Logs and stream them into your SIEM (per the rule's setup instructions) to gain visibility into federated credential usage.</li>
<li>Deploy the provided Sigma rule <code>Entra ID Service Principal Federated Credential Authentication by Unusual Client</code> to detect initial federated credential usage by service principals. Tune the rule based on your environment and known CI/CD deployments.</li>
<li>When the rule triggers, investigate the federated credential configuration in Entra ID, focusing on the issuer URL, creation time, and the user who added the credential as described in the rule's <code>note</code> section.</li>
<li>Review audit logs for recent changes to application federated credentials, correlating with sign-in logs to identify unauthorized modifications.</li>
<li>Baseline applications expected to use federated credentials and maintain a list of approved identity providers, as suggested in the rule's <code>false_positives</code> section.</li>
<li>Prioritize investigation of alerts where the <code>azure.signinlogs.caller_ip_address</code> originates from an unexpected location or infrastructure, as described in the rule's <code>note</code> section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>entra-id</category><category>federated-credentials</category><category>byoidp</category><category>initial-access</category></item></channel></rss>