{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/compromised_account/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID"],"_cs_severities":["critical"],"_cs_tags":["azure","entra_id","identity_protection","compromised_account"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies when an administrator has manually confirmed a user or sign-in as compromised within Microsoft Entra ID Protection. This action signifies that the administrator has investigated and validated the risk detection, confirming a definitive account compromise. The event is a high-confidence indicator and requires immediate investigation. The compromise could have originated from various initial access vectors and may lead to lateral movement and data exfiltration. The detection relies on the presence of specific events in the Azure Identity Protection logs. The scope of targeting is all organizations utilizing Entra ID Protection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an unknown method (e.g., phishing, credential stuffing, or malware).\u003c/li\u003e\n\u003cli\u003eThe attacker successfully authenticates to a user account within the Entra ID environment.\u003c/li\u003e\n\u003cli\u003eEntra ID Protection detects suspicious activity based on configured risk detections.\u003c/li\u003e\n\u003cli\u003eAn administrator reviews the risk detection within the Entra ID Protection portal.\u003c/li\u003e\n\u003cli\u003eThe administrator confirms the user or sign-in as compromised based on the evidence.\u003c/li\u003e\n\u003cli\u003eThe compromised account may be used for lateral movement within the organization's cloud resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective may be data exfiltration, disruption of services, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful compromise of an Entra ID account can lead to significant damage, including unauthorized access to sensitive data, lateral movement within the organization's cloud infrastructure, privilege escalation, and potential data exfiltration. The impact depends on the privileges and access rights of the compromised account, potentially affecting all resources and applications accessible to that user. If successful, an attacker can gain a foothold in the cloud environment, leading to data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Microsoft Entra ID Protection logs to detect confirmed compromised accounts (Required Microsoft Entra ID Protection Logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Entra ID Protection Admin Confirmed Compromise\u0026quot; to your SIEM to detect confirmed compromised accounts and sign-ins. Tune the rule based on your environment's specific configurations (Sigma rule).\u003c/li\u003e\n\u003cli\u003eUpon detection, immediately reset the password and revoke active sessions for the compromised user account as part of your incident response plan (note).\u003c/li\u003e\n\u003cli\u003eInvestigate the Azure logs for the affected user account to determine the initial access method and any subsequent malicious activity (azure.identityprotection.properties.*).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-entra-id-compromise/","summary":"An administrator's confirmation of a compromised user or sign-in in Microsoft Entra ID Protection signals a high-confidence account compromise requiring immediate investigation and remediation.","title":"Entra ID Protection Admin Confirmed Compromise","url":"https://feed.craftedsignal.io/briefs/2024-01-entra-id-compromise/"}],"language":"en","title":"CraftedSignal Threat Feed - Compromised_account","version":"https://jsonfeed.org/version/1.1"}