{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/entra-id/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure CLI","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["azure","entra-id","user-management","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies the use of the Azure CLI on Windows systems to manage Entra ID user accounts. Threat actors may leverage the Azure CLI to create or manipulate user accounts for persistence, privilege escalation, or to maintain a covert presence within a compromised environment. This activity may be part of a larger attack chain targeting cloud resources and sensitive data. While legitimate administrative use of the Azure CLI is expected, anomalous execution patterns, unexpected users, or unusual parent processes should be carefully scrutinized. The detection focuses on the \u003ccode\u003eaz.cmd\u003c/code\u003e and \u003ccode\u003eazure.cli\u003c/code\u003e processes, filtering for command-line arguments related to Active Directory (\u003ccode\u003ead\u003c/code\u003e) and user management (\u003ccode\u003euser\u003c/code\u003e). Successful exploitation can lead to unauthorized access, data breaches, and long-term compromise of cloud resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised Windows system, potentially through phishing or exploitation of a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker installs or leverages an existing installation of the Azure CLI.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to Azure using compromised credentials or a service principal.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eaz ad user create\u003c/code\u003e command to create a new user account in Entra ID.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns the newly created user account elevated privileges, such as Global Administrator, using \u003ccode\u003eaz ad role assignment create\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created account to access sensitive cloud resources, such as Azure VMs, storage accounts, or databases.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify existing user accounts using \u003ccode\u003eaz ad user update\u003c/code\u003e to add backdoors or modify authentication methods.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these accounts for lateral movement and further exploitation within the Azure environment, bypassing MFA if possible.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to create rogue accounts within the Entra ID environment, granting them persistent access even if the original compromised account is disabled. This can lead to unauthorized access to sensitive data, disruption of services, and long-term compromise of the organization\u0026rsquo;s cloud infrastructure. The impact can range from data breaches and financial loss to reputational damage and legal liabilities. Depending on the permissions granted to the attacker-created users, the blast radius can encompass the entire Entra ID tenant and connected resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging with command-line auditing to capture the execution of Azure CLI commands (Sysmon EventID 1).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Entra User Management via Azure CLI\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Event Log Security events with ID 4688 for process creation events related to Azure CLI.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on unusual parent processes, unexpected users, and anomalous execution patterns.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, including administrative accounts, to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and restrict Azure AD role assignments to follow the principle of least privilege.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-entra-user-management-cli/","summary":"This analytic detects the usage of the Azure CLI to interact with user accounts, such as creating or deleting a user, potentially indicating malicious activity aimed at maintaining persistence and evading detection within an Entra ID environment.","title":"Detect Windows Entra User Management Via Azure CLI","url":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-user-management-cli/"}],"language":"en","title":"CraftedSignal Threat Feed — Entra-Id","version":"https://jsonfeed.org/version/1.1"}