{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/federation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","federation","privilege-escalation","persistence","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can modify federation settings on Azure domains to gain unauthorized access and establish persistence. This involves manipulating the trust relationships between the Azure Active Directory and external identity providers. By altering these settings, an attacker can potentially bypass normal authentication mechanisms, assume identities, and maintain a foothold within the environment. This activity is typically carried out by users or applications with administrative privileges, making it crucial to monitor and validate any changes made to the federation settings. Detecting such modifications can be challenging due to the legitimate use of these settings by system administrators. 
This activity maps to the privilege escalation, persistence, initial access and defense evasion tactics.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an account with sufficient privileges to manage domains in Azure Active Directory, such as a Global Administrator, or to a role such as Privileged Role Administrator that can grant itself that access.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses PowerShell/CLI to interact with the tenant.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates the existing domain federation settings (issuer URI, logon endpoints and token-signing certificates) to understand the current configuration and identify targets for modification.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the federation settings on the domain with a cmdlet such as \u003ccode\u003eSet-MsolDomainFederationSettings\u003c/code\u003e (legacy MSOnline module) or \u003ccode\u003eUpdate-MgDomainFederationConfiguration\u003c/code\u003e (Microsoft Graph PowerShell), or through the portal. This may involve replacing or adding a token-signing certificate, changing the issuer URI, or redirecting the logon URLs; each such change is recorded in the audit log as \u0026ldquo;Set federation settings on domain\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker tests the modified configuration by signing in with a token issued under the new trust settings.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the modified trust to impersonate users or applications in the federated domain, gaining unauthorized access to protected resources and services.\u003c/li\u003e\n\u003cli\u003eThe attacker retains persistence: because the tenant now trusts an attacker-held signing certificate, tokens can be minted for any user in the domain without that user's password or MFA, and the access survives remediation of the originally compromised administrator account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Azure domain federation settings can lead to significant consequences, including unauthorized access to sensitive data, privilege escalation, and long-term persistence within the Azure environment. 
Attackers could compromise an entire federated domain, affecting every user and application that relies on the affected Azure Active Directory tenant. This can result in data breaches, service disruptions, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Azure Domain Federation Settings Modified\u0026rdquo;, which matches the \u0026ldquo;Set federation settings on domain\u0026rdquo; activity in Azure audit logs, to detect modifications to federation settings.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate changes to Azure domain federation settings, focusing on unfamiliar users, service principals and unexpected modifications. Keep a baseline of each federated domain\u0026rsquo;s configuration (for example from \u003ccode\u003eGet-MgDomainFederationConfiguration\u003c/code\u003e) and compare the issuer URI and the signing-certificate thumbprints against what the identity provider actually publishes; a second signing certificate that the identity provider does not know about is a strong indicator of tampering.\u003c/li\u003e\n\u003cli\u003eMonitor Azure audit logs for the \u0026ldquo;Set federation settings on domain\u0026rdquo; event, and also for \u0026ldquo;Set domain authentication\u0026rdquo;, which records a managed domain being converted to federated.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all accounts with administrative privileges to reduce the risk of unauthorized access.\u003c/li\u003e\n\u003cli\u003eImplement the principle of least privilege, granting users only the necessary permissions to perform their tasks, and keep the set of roles that can manage domains small and time-bound.\u003c/li\u003e\n\u003cli\u003eTreat any federation change that was not raised through change management as an incident: restore the known-good configuration, rotate the identity provider\u0026rsquo;s signing certificate, and revoke refresh tokens for the affected domain, since the compromised admin account is not the only path the attacker retains.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-azure-federation-modification/","summary":"An attacker may modify Azure domain federation settings to establish persistence, escalate privileges, or gain unauthorized access to resources.","title":"Azure Domain Federation Settings Modified","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-federation-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Federation","version":"https://jsonfeed.org/version/1.1"}
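Worked detection example for the brief above, added here and not part of the CraftedSignal feed entry or of the Sigma rule it cites. It runs the recommendation's logic over newline-delimited Azure audit records: match the "Set federation settings on domain" and "Set domain authentication" activities, extract who made the change and which properties moved, and raise the severity when the actor is not an approved federation administrator, when a trust-defining property (signing certificate, issuer URI, authentication type) changed, or when the change falls outside an approved window. The field names follow the Entra AuditLogs schema; the modifiedProperties display names in TRUST_PROPERTIES, the sample records, the UPNs, the domain contoso.example, the certificate values and the maintenance window are all assumptions constructed for the example.

```python
"""Triage Microsoft Entra ID (Azure AD) audit records for domain federation changes.

Added example, not part of the CraftedSignal brief or of the Sigma rule it cites.
Field names follow the Entra AuditLogs schema (activityDisplayName, activityDateTime,
initiatedBy, targetResources[].modifiedProperties); the records, UPNs, domain name
and certificate values below are constructed for the example.
"""
import json
from datetime import datetime, timezone

# Audit activity names that alter a domain's trust relationship.
FEDERATION_ACTIVITIES = {
    "Set federation settings on domain",  # edit an already federated domain
    "Set domain authentication",          # switch a domain between Managed and Federated
}

# Properties treated as trust-defining. ASSUMPTION: these display names mirror the
# federation configuration attributes; confirm them against modifiedProperties in
# your own tenant's logs before relying on them.
TRUST_PROPERTIES = {"SigningCertificate", "NextSigningCertificate", "IssuerUri", "AuthenticationType"}

# Constructed sample: one unrelated record followed by three federation changes.
SAMPLE_AUDIT_LINES = [json.dumps(r) for r in [
    {"activityDateTime": "2024-01-02T08:05:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "ida.admin@contoso.example"}},
     "targetResources": [{"displayName": "bob@contoso.example", "modifiedProperties": []}]},
    {"activityDateTime": "2024-01-02T08:30:00Z", "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "ida.admin@contoso.example"}},
     "targetResources": [{"displayName": "contoso.example", "modifiedProperties": [
         {"displayName": "PassiveLogOnUri", "oldValue": "https://adfs.contoso.example/adfs/ls/",
          "newValue": "https://sso.contoso.example/adfs/ls/"}]}]},
    {"activityDateTime": "2024-01-02T03:12:00Z", "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "svc-backup@contoso.example"}},
     "targetResources": [{"displayName": "contoso.example", "modifiedProperties": [
         {"displayName": "SigningCertificate", "oldValue": "thumb-2f9e1c", "newValue": "thumb-c0ffee"},
         {"displayName": "IssuerUri", "oldValue": "http://adfs.contoso.example/adfs/services/trust",
          "newValue": "http://adfs.contoso.example/adfs/services/trust/"}]}]},
    {"activityDateTime": "2024-01-02T09:00:00Z", "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"app": {"displayName": "Provisioning Automation"}},
     "targetResources": [{"displayName": "contoso.example", "modifiedProperties": [
         {"displayName": "AuthenticationType", "oldValue": "Managed", "newValue": "Federated"}]}]},
]]

EXPECTED_ADMINS = {"ida.admin@contoso.example"}  # who may touch federation (assumed)
CHANGE_WINDOW = (datetime(2024, 1, 2, 8, tzinfo=timezone.utc),  # approved window (assumed)
                 datetime(2024, 1, 2, 10, tzinfo=timezone.utc))


def actor_of(record):
    """Return the UPN of the user, or the display name of the app, that made the change."""
    by = record.get("initiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName", "<unknown user>")
    if by.get("app"):
        return by["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def changed_properties(record):
    """Collect {property: (old, new)} across all target resources, ignoring no-op entries."""
    changes = {}
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            name = prop.get("displayName")
            old, new = prop.get("oldValue"), prop.get("newValue")
            if name and old != new:
                changes[name] = (old, new)
    return changes


def evaluate(record, expected_admins, change_window=None):
    """Return a finding for a federation change, or None for any other activity."""
    activity = record.get("activityDisplayName")
    if activity not in FEDERATION_ACTIVITIES:
        return None
    actor = actor_of(record)
    changes = changed_properties(record)
    when = datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))
    reasons = []
    if actor.lower() not in {a.lower() for a in expected_admins}:
        reasons.append(f"actor {actor} is not an approved federation administrator")
    trust_hits = sorted(TRUST_PROPERTIES.intersection(changes))
    if trust_hits:
        reasons.append("trust-defining properties changed: " + ", ".join(trust_hits))
    if change_window and not (change_window[0] <= when <= change_window[1]):
        reasons.append("change made outside the approved maintenance window")
    targets = [t.get("displayName") for t in record.get("targetResources", [])]
    return {
        "time": when.isoformat(),
        "activity": activity,
        "actor": actor,
        "domain": targets[0] if targets else "<unknown>",
        "changes": changes,
        # Every federation change deserves review; any reason above makes it high.
        "severity": "high" if reasons else "medium",
        "reasons": reasons,
    }


def scan(audit_lines, expected_admins, change_window=None):
    """Run evaluate() over newline-delimited JSON audit records and keep the findings."""
    findings = []
    for line in audit_lines:
        if line.strip():
            finding = evaluate(json.loads(line), expected_admins, change_window)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LINES, EXPECTED_ADMINS, CHANGE_WINDOW):
        print(f["severity"].upper(), f["time"], f["actor"], f["domain"], "; ".join(f["reasons"]) or "review")
```

On the constructed sample the legitimate endpoint change by the approved admin inside the window comes out as medium (still worth a ticket, since the page's point is that every federation change needs validation), the off-hours signing-certificate and issuer change by a service account comes out high with three reasons, and the app-initiated conversion from Managed to Federated comes out high because it was not made by an approved administrator and flips the authentication type. In production the expected-admin set and window would come from your change-management system rather than constants, and the finding's changes dictionary is what you would compare against the identity provider's published signing certificates.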