{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/federated-credentials/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Entra ID"],"_cs_severities":["medium"],"_cs_tags":["entra-id","federated-credentials","byoidp","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies when a service principal authenticates using a federated identity credential for the first time within a defined historical window. This event indicates that Entra ID has validated a JWT token, potentially against an external OIDC identity provider, and subsequently issued an access token. While this process is standard for CI/CD workflows like GitHub Actions and Azure DevOps, adversaries may exploit it by configuring rogue identity providers (BYOIDP) to authenticate as compromised applications. Detecting the first-time usage of a federated credential for a service principal is critical for identifying potential BYOIDP attacks. The rule examines Azure Sign-In Logs for service principals using federated identity credentials, excluding known good tenant IDs, to surface potentially malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adversary compromises an application or service principal within the target Entra ID environment.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a rogue identity provider (BYOIDP) that they control.\u003c/li\u003e\n\u003cli\u003eThe adversary creates a federated identity credential on the compromised application, linking it to their rogue identity provider.\u003c/li\u003e\n\u003cli\u003eThe compromised application requests authentication, triggering Entra ID to validate a JWT token against the attacker's rogue identity provider.\u003c/li\u003e\n\u003cli\u003eEntra ID issues an access token to the compromised application based on the validation from the rogue identity provider.\u003c/li\u003e\n\u003cli\u003eThe adversary uses the access token to access resources and data within the Entra ID environment, masquerading as the legitimate application.\u003c/li\u003e\n\u003cli\u003eThe adversary escalates privileges or moves laterally within the environment using the compromised application's permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful BYOIDP attack can grant an adversary unauthorized access to sensitive data and resources within an Entra ID environment. This can lead to data breaches, service disruptions, and significant reputational damage. The impact depends on the permissions and access rights of the compromised service principal. Undetected, this attack can persist, allowing continued unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable collection of Microsoft Entra ID Sign-In Logs and stream them into your SIEM (per the rule's setup instructions) to gain visibility into federated credential usage.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eEntra ID Service Principal Federated Credential Authentication by Unusual Client\u003c/code\u003e to detect initial federated credential usage by service principals. Tune the rule based on your environment and known CI/CD deployments.\u003c/li\u003e\n\u003cli\u003eWhen the rule triggers, investigate the federated credential configuration in Entra ID, focusing on the issuer URL, creation time, and the user who added the credential as described in the rule's \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview audit logs for recent changes to application federated credentials, correlating with sign-in logs to identify unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eBaseline applications expected to use federated credentials and maintain a list of approved identity providers, as suggested in the rule's \u003ccode\u003efalse_positives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003ePrioritize investigation of alerts where the \u003ccode\u003eazure.signinlogs.caller_ip_address\u003c/code\u003e originates from an unexpected location or infrastructure, as described in the rule's \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:00:00Z","date_published":"2024-01-09T18:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-entra-id-federated-login/","summary":"Detection of initial Entra ID service principal authentication using a federated identity credential, potentially indicating a rogue identity provider abusing compromised applications.","title":"Entra ID Service Principal Federated Credential Authentication by Unusual Client","url":"https://feed.craftedsignal.io/briefs/2024-01-09-entra-id-federated-login/"}],"language":"en","title":"CraftedSignal Threat Feed - Federated-Credentials","version":"https://jsonfeed.org/version/1.1"}