<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Graphapi - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/graphapi/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/graphapi/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure AD Privileged Graph API Permission Assignment</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-ad-graph-permissions/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-ad-graph-permissions/</guid><description>Detection of high-risk Graph API permission assignments (Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory) in Azure AD, potentially leading to unauthorized modifications and security breaches.</description><content:encoded><![CDATA[<p>This threat brief focuses on the assignment of privileged Graph API permissions within Azure Active Directory (Azure AD). Attackers, including groups like NOBELIUM, may attempt to assign themselves or compromised applications excessive permissions to maintain persistence, escalate privileges, or achieve other malicious objectives within the cloud environment. The permissions of concern are Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory, as these grant broad control over applications, role assignments, and directory settings. The detection leverages Azure AD audit logs specifically monitoring 'Update application' operations. Successful exploitation can lead to unauthorized modifications and potential security breaches, compromising the integrity and security of the Azure AD environment. This activity became particularly relevant after the Midnight Blizzard attack, highlighting the need for robust monitoring of Azure AD permission changes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an Azure AD account, possibly through credential theft or phishing.</li>
<li>The attacker authenticates to the Azure portal or uses the Azure CLI with the compromised account.</li>
<li>The attacker identifies an existing application registration within Azure AD that they can modify.</li>
<li>Using the compromised account, the attacker attempts to update the application registration.</li>
<li>The attacker assigns one or more of the following high-risk Graph API permissions to the application: Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, or RoleManagement.ReadWrite.Directory. This involves modifying the <code>requiredAppPermissions</code> property of the application object.</li>
<li>The Azure AD audit log records an &quot;Update application&quot; event with the modified <code>requiredAppPermissions</code>.</li>
<li>The attacker uses the application's newly acquired permissions to perform malicious actions, such as reading or modifying application configurations, role assignments, or directory settings.</li>
<li>The attacker maintains persistence by leveraging the application's elevated privileges for ongoing unauthorized access and control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful assignment of these permissions can lead to a complete compromise of the Azure AD environment. An attacker can modify application configurations, create or delete users, assign roles, and potentially gain access to other connected resources and services. The impact can range from data breaches and service disruption to complete control over the organization's cloud identity infrastructure. This is a critical issue, especially in light of recent nation-state attacks targeting Azure AD, as highlighted by Microsoft's guidance on the Midnight Blizzard attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule <code>Azure AD Privileged Graph API Permission Assigned</code> to your SIEM, ensuring it is tuned to your environment, and enable the data source: <code>azure_monitor_aad</code> with category <code>AuditLogs</code>.</li>
<li>Investigate any alerts triggered by the Sigma rule <code>Azure AD Privileged Graph API Permission Assigned</code> immediately to determine if the permission assignment was authorized.</li>
<li>Review application registrations in Azure AD and identify any applications with excessive or unnecessary permissions.</li>
<li>Monitor Azure AD audit logs for any modifications to application registrations, focusing on changes to the <code>requiredAppPermissions</code> property.</li>
<li>Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential theft.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>azuread</category><category>cloud</category><category>graphapi</category><category>privilegeescalation</category><category>persistence</category></item><item><title>Microsoft Graph API Email Access by Unusual Client and User</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-graph-email-access/</link><pubDate>Tue, 09 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-graph-email-access/</guid><description>Detects anomalous access to email resources via Microsoft Graph API, potentially indicating a compromised OAuth refresh token or Primary Refresh Token (PRT) being used by an attacker.</description><content:encoded><![CDATA[<p>This rule identifies access to email resources via Microsoft Graph API using a first-party application on behalf of a user principal, which may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. This behavior can lead to unauthorized email access, data exfiltration, and business email compromise. The detection focuses on requests to Microsoft Graph API endpoints related to email, such as <code>/me/mailFolders/inbox/messages</code> or <code>/users/{user_id}/messages</code>, using a public client application ID and a user principal object ID. The rule uses a new_terms aggregation, only signaling if the application ID and user principal object ID combination have not been seen doing this activity in the last 14 days, reducing false positives from common or expected application usage. The detection logic incorporates activity from Microsoft Graph Activity Logs to identify anomalous email access patterns.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to a user's credentials, either through phishing, credential stuffing, or by compromising a Primary Refresh Token (PRT). (T1566, T1110)</li>
<li><strong>Token Exploitation:</strong> The attacker uses the compromised OAuth refresh token or PRT to authenticate to the Microsoft Graph API.</li>
<li><strong>Application Registration (Optional):</strong> The attacker might register a malicious application within Azure AD to facilitate access. (Not explicitly covered but a possibility.)</li>
<li><strong>Graph API Interaction:</strong> The attacker makes requests to the Microsoft Graph API, specifically targeting email resources using email-related scopes such as <code>Mail.Read</code>, <code>Mail.ReadWrite</code>, or <code>Mail.Send</code>.</li>
<li><strong>Email Access:</strong> The attacker accesses sensitive email data, potentially reading inbox contents, sending emails, or enumerating mail folders via the <code>/me/mailFolders/inbox/messages</code> or <code>/users/{user_id}/messages</code> endpoints. (T1114)</li>
<li><strong>Data Exfiltration/Manipulation:</strong> The attacker exfiltrates sensitive information or manipulates email content for malicious purposes.</li>
<li><strong>Persistence:</strong> The attacker maintains access by continuously using the compromised token or by establishing new persistence mechanisms.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to significant data breaches, financial losses, and reputational damage. Attackers can gain unauthorized access to sensitive email communications, intellectual property, and customer data. Business email compromise (BEC) is a likely outcome, enabling attackers to conduct fraudulent activities. The number of potential victims is vast, encompassing any organization using Microsoft 365 and relying on Azure Active Directory (Entra ID) for authentication.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Unusual Graph API Email Access by Client and User</code> to your SIEM to detect anomalous access patterns. Tune the rule by allowlisting known good <code>app_id</code> and <code>user_principal_object_id</code> combinations to reduce false positives.</li>
<li>Investigate any alerts generated by the Sigma rule by examining the <code>azure.graphactivitylogs.properties.app_id</code>, <code>user.id</code>, <code>source.ip</code>, and <code>azure.graphactivitylogs.properties.scopes</code> fields in the logs.</li>
<li>Implement Conditional Access policies to restrict OAuth consent and risky sign-ins, mitigating the initial access vector. Refer to the references for guidance.</li>
<li>Regularly audit and review application permissions within Azure AD to identify and remove any suspicious or overly permissive applications.</li>
<li>Monitor <code>azure.auditlogs</code> and <code>azure.signinlogs</code> for recent application grants and risky sign-ins occurring before or after email access.</li>
<li>Block known malicious applications by <code>azure.graphactivitylogs.properties.app_id</code> in your Azure AD tenant based on threat intelligence feeds.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>graphapi</category><category>email</category><category>oauth</category><category>credentialtheft</category></item><item><title>Unusual Microsoft Graph Email Access via OAuth Application</title><link>https://feed.craftedsignal.io/briefs/2024-01-graph-email-access/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-graph-email-access/</guid><description>An adversary might use a phished OAuth refresh token or Primary Refresh Token (PRT) with a first-party application to access email resources via Microsoft Graph API, particularly focusing on unusual application and user combinations.</description><content:encoded><![CDATA[<p>This detection identifies potentially malicious access to email resources through the Microsoft Graph API. Attackers may leverage compromised OAuth refresh tokens or Primary Refresh Tokens (PRTs) to access sensitive email data. The activity is characterized by requests to Microsoft Graph API endpoints such as <code>/me/mailFolders/inbox/messages</code> or <code>/users/{user_id}/messages</code>, using a public client application ID on behalf of a user. The rule focuses on identifying novel combinations of application ID and user principal object ID accessing email resources within a 14-day timeframe, as this may indicate a compromised or newly deployed malicious application. This behavior could be related to campaigns similar to those observed by Volexity targeting Microsoft 365 OAuth workflows.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises a user's credentials or obtains a valid OAuth refresh token or PRT through phishing or other means (T1566).</li>
<li>The attacker uses the compromised token to authenticate to the Microsoft Graph API via a custom or existing application.</li>
<li>The application requests access to email-related scopes such as <code>Mail.Read</code>, <code>Mail.ReadWrite</code>, or <code>Mail.Send</code> (T1550.001).</li>
<li>The application makes API calls to enumerate mail folders, read messages, or send emails on behalf of the compromised user (T1114.002).</li>
<li>The attacker may exfiltrate sensitive email content or use the compromised account to send phishing emails to other users (TA0009).</li>
<li>The unusual combination of application ID and user principal triggers a detection due to the novel access pattern.</li>
<li>The attacker persists by continuing to use the stolen token for ongoing access to email resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive email data, potentially resulting in data breaches, financial loss, and reputational damage. The compromise of user accounts can also enable attackers to send phishing emails or conduct further malicious activities within the organization. If undetected, the attacker can maintain persistent access to email resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Microsoft Graph Unusual App Email Access</code> to detect novel app/user combinations accessing email data via Graph API, using <code>logs-azure.graphactivitylogs-*</code> as the index.</li>
<li>Investigate applications flagged by the rule by pivoting to Azure Portal -&gt; Enterprise Applications and searching by the <code>azure.graphactivitylogs.properties.app_id</code> to determine app details, publisher, and consent status.</li>
<li>Review and restrict risky OAuth permissions in Conditional Access and App Governance policies, as mentioned in the triage steps within the rule's description.</li>
<li>Monitor for suspicious automation tools in the <code>user_agent.original</code> field within the <code>logs-azure.graphactivitylogs-*</code> index to identify potential scripted access.</li>
<li>Revoke the application's consent in Azure AD and revoke user refresh tokens via Microsoft Entra or PowerShell if unauthorized access is suspected.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>graphapi</category><category>oauth</category><category>email</category></item><item><title>Microsoft Graph API Request User Impersonation by Unusual Client</title><link>https://feed.craftedsignal.io/briefs/2024-01-graph-api-user-impersonation/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-graph-api-user-impersonation/</guid><description>Detection of the first-time use of a Microsoft Graph API request by a specific client application ID, user principal object ID, and tenant ID, potentially indicating unauthorized access via phishing, token theft, or OAuth abuse.</description><content:encoded><![CDATA[<p>This detection identifies the initial use of a Microsoft Graph API request originating from a specific client application ID (<code>azure.graphactivitylogs.properties.app_id</code>) tied to a user principal object ID (<code>azure.graphactivitylogs.properties.user_principal_object_id</code>) and a tenant ID (<code>azure.tenant_id</code>). This activity may signify unauthorized access achieved through methods like phishing, stolen tokens, or exploitation of OAuth workflows. Threat actors may leverage legitimate Microsoft or third-party application IDs to evade suspicion while performing actions on behalf of compromised users. The rule focuses on identifying unusual combinations of these three identifiers within a defined timeframe to highlight potentially malicious activity that bypasses standard authentication alerts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises user credentials through phishing or other means (T1566).</li>
<li>The attacker obtains or steals a legitimate application access token (T1528).</li>
<li>The attacker uses the stolen access token to make authenticated requests to the Microsoft Graph API, impersonating the compromised user.</li>
<li>The attacker queries the Graph API for sensitive information such as user details, email, or files.</li>
<li>The attacker accesses and potentially downloads sensitive data through the Graph API.</li>
<li>The attacker leverages the compromised account to perform actions such as sending emails or creating resources.</li>
<li>The attacker maintains persistence by creating new OAuth applications or modifying existing ones.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data, including emails, files, and user information, within a Microsoft 365 environment. Attackers can leverage compromised accounts to perform malicious actions, such as sending phishing emails or creating new resources. The scope of impact depends on the permissions granted to the compromised application and the data accessible through the Graph API. Detecting the initial unusual use of a client ID helps in early identification before significant damage occurs.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Microsoft Graph Request User Impersonation by Unusual Client&quot; to your SIEM and tune the <code>history_window_start</code> parameter to your environment needs.</li>
<li>Review <code>azure.graphactivitylogs.properties.user_principal_object_id</code> and correlate with recent sign-in logs for the associated user as mentioned in the rule's note section.</li>
<li>Inspect <code>azure.graphactivitylogs.properties.scopes</code> to understand the level of access being requested by the app, as suggested in the rule's note section.</li>
<li>Implement Conditional Access policies to restrict Graph API access based on app type, IP address, or device state as described in the rule's note section.</li>
<li>Monitor usage of new or uncommon <code>app_id</code> values across your tenant.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>azure</category><category>graphapi</category><category>initial_access</category></item></channel></rss>