{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/guest-account/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","azure","entra","guest-account"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe conversion of a user account from \u0026ldquo;Guest\u0026rdquo; to \u0026ldquo;Member\u0026rdquo; within Azure Active Directory (Azure AD) can represent a significant privilege escalation. While legitimate use cases exist for such conversions, malicious actors can abuse this functionality to gain unauthorized access and persistence. By elevating a guest account, which typically has limited permissions, to a member account, attackers can inherit the broader access rights associated with the latter, potentially compromising sensitive data and systems. Monitoring this activity is crucial as it can be indicative of insider threats or compromised administrative accounts used to manipulate user roles.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCompromise Initial Account:\u003c/strong\u003e An attacker gains initial access, possibly through phishing or credential stuffing, to an account with sufficient privileges to modify user attributes in Azure AD.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Target Guest Account:\u003c/strong\u003e The attacker identifies a guest account within the Azure AD environment that could provide valuable access if converted to a member account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModify UserType Attribute:\u003c/strong\u003e Using the compromised account, the attacker modifies the \u003ccode\u003eUserType\u003c/code\u003e attribute of the target guest account from \u0026ldquo;Guest\u0026rdquo; to \u0026ldquo;Member\u0026rdquo; via the Azure AD portal, PowerShell, or the Microsoft Graph API. This action generates an \u0026ldquo;Update user\u0026rdquo; event in the Azure AD audit logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInherit Member Privileges:\u003c/strong\u003e Once the \u003ccode\u003eUserType\u003c/code\u003e is changed to \u0026ldquo;Member\u0026rdquo;, the account inherits the privileges and group memberships associated with member accounts within the organization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Leveraging the newly acquired member privileges, the attacker moves laterally within the Azure AD environment, accessing resources and services that were previously inaccessible.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or System Compromise:\u003c/strong\u003e The attacker uses the elevated privileges to exfiltrate sensitive data, compromise critical systems, or establish persistent backdoors for future access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful conversion of a guest account to a member account can lead to significant privilege escalation, potentially granting attackers access to sensitive data, critical systems, and confidential resources. This can lead to data breaches, financial losses, reputational damage, and disruption of business operations. The impact depends on the permissions assigned to member accounts and the sensitivity of the resources they can access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;User State Changed From Guest To Member\u0026rdquo; Sigma rule to your SIEM to detect unauthorized user type conversions in Azure AD audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of user type changes from \u0026ldquo;Guest\u0026rdquo; to \u0026ldquo;Member\u0026rdquo; to verify their legitimacy, focusing on the user performing the action and the reason for the change (as captured by the Azure AD audit logs).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of account compromise and unauthorized access.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for all user accounts to minimize the potential impact of a successful privilege escalation attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-azure-guest-member/","summary":"An adversary may convert a guest user account to a member account in Azure Active Directory to elevate privileges and gain persistent access to resources.","title":"Azure AD Guest to Member User Type Conversion","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-guest-member/"}],"language":"en","title":"CraftedSignal Threat Feed — Guest-Account","version":"https://jsonfeed.org/version/1.1"}