<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Compromised_account - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/compromised_account/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/compromised_account/feed.xml" rel="self" type="application/rss+xml"/><item><title>Entra ID Protection Admin Confirmed Compromise</title><link>https://feed.craftedsignal.io/briefs/2024-01-entra-id-compromise/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-entra-id-compromise/</guid><description>An administrator's confirmation of a compromised user or sign-in in Microsoft Entra ID Protection signals a high-confidence account compromise requiring immediate investigation and remediation.</description><content:encoded><![CDATA[<p>This alert identifies when an administrator has manually confirmed a user or sign-in as compromised within Microsoft Entra ID Protection. This action signifies that the administrator has investigated and validated the risk detection, confirming a definitive account compromise. The event is a high-confidence indicator and requires immediate investigation. The compromise could have originated from various initial access vectors and may lead to lateral movement and data exfiltration. The detection relies on the presence of specific events in the Azure Identity Protection logs. The scope of targeting is all organizations utilizing Entra ID Protection.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access is achieved through an unknown method (e.g., phishing, credential stuffing, or malware).</li>
<li>The attacker successfully authenticates to a user account within the Entra ID environment.</li>
<li>Entra ID Protection detects suspicious activity based on configured risk detections.</li>
<li>An administrator reviews the risk detection within the Entra ID Protection portal.</li>
<li>The administrator confirms the user or sign-in as compromised based on the evidence.</li>
<li>The compromised account may be used for lateral movement within the organization's cloud resources.</li>
<li>The attacker may attempt to escalate privileges or access sensitive data.</li>
<li>The ultimate objective may be data exfiltration, disruption of services, or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful compromise of an Entra ID account can lead to significant damage, including unauthorized access to sensitive data, lateral movement within the organization's cloud infrastructure, privilege escalation, and potential data exfiltration. The impact depends on the privileges and access rights of the compromised account, potentially affecting all resources and applications accessible to that user. If successful, an attacker can gain a foothold in the cloud environment, leading to data breaches, financial loss, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and monitor Microsoft Entra ID Protection logs to detect confirmed compromised accounts (Required Microsoft Entra ID Protection Logs).</li>
<li>Deploy the Sigma rule &quot;Entra ID Protection Admin Confirmed Compromise&quot; to your SIEM to detect confirmed compromised accounts and sign-ins. Tune the rule based on your environment's specific configurations (Sigma rule).</li>
<li>Upon detection, immediately reset the password and revoke active sessions for the compromised user account as part of your incident response plan (note).</li>
<li>Investigate the Azure logs for the affected user account to determine the initial access method and any subsequent malicious activity (azure.identityprotection.properties.*).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>azure</category><category>entra_id</category><category>identity_protection</category><category>compromised_account</category></item></channel></rss>