{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/guest-user/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["azure"],"_cs_severities":["medium"],"_cs_tags":["azuread","guest-user","privilege-escalation","persistence","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert detects the invitation of guest users to an Azure Active Directory (AD) tenant, now Microsoft Entra ID, by accounts that are not pre-approved to perform this action. Unauthorized guest invitations can indicate several malicious activities: an attacker may be escalating privileges by adding an account they control, establishing persistence through a backdoor account that survives a password reset of the compromised user, or gaining initial access to the environment. The activity may be part of a broader attack aimed at reaching sensitive resources or data within the organization\u0026rsquo;s Azure environment. Restricting who can invite external users, and alerting when anyone else does, is the control this detection supports.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a low-privilege user account within the Azure AD tenant or uses existing compromised credentials.\u003c/li\u003e\n\u003cli\u003eUsing the compromised account, the attacker invites an external identity they control as a guest user. Unless the tenant has restricted its guest invite settings, no administrative role is required for this step.\u003c/li\u003e\n\u003cli\u003eThe Azure AD audit logs record the invitation as an \u0026ldquo;Invite external user\u0026rdquo; operation in the UserManagement category, including the account that initiated it (InitiatedBy) and the invited guest\u0026rsquo;s details.\u003c/li\u003e\n\u003cli\u003eThe detection logic compares the InitiatedBy user against the list of approved guest inviters and raises an alert when the inviter is not on that list.\u003c/li\u003e\n\u003cli\u003eThe attacker redeems the invitation and uses the guest account for persistence, lateral movement into resources shared with it, or data exfiltration, potentially leading to a data breach or other security incident.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful abuse of guest invitations gives the attacker a second identity in the tenant that is independent of the compromised user account. The impact ranges from limited access to a small set of shared resources to a broad compromise of the organization, depending on what the guest account is subsequently granted. Unauthorized guest accounts facilitate persistence, lateral movement, and data exfiltration, with the financial and reputational damage that follows.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect unauthorized guest user invitations in Azure AD audit logs and tune its \u003ccode\u003efilter\u003c/code\u003e with the list of approved inviters. Treat invitations initiated by an application or service principal, which carry no user principal name to match against the list, as a separate case to review rather than silently dropping them.\u003c/li\u003e\n\u003cli\u003eRestrict who can invite guests to the minimum the business needs: in the tenant\u0026rsquo;s external collaboration settings, limit guest invitations to specific admin roles (or the Guest Inviter role) and use the collaboration restrictions allow list to limit the external domains that can be invited.\u003c/li\u003e\n\u003cli\u003eRequire multi-factor authentication for all accounts, including guests, through Conditional Access, so that a redeemed invitation alone is not enough to reach resources.\u003c/li\u003e\n\u003cli\u003eRegularly review Azure AD audit and sign-in logs for suspicious user management activity, including guest invitations and the first sign-ins of newly created guest accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-azuread-guest-invite/","summary":"Detection of unauthorized guest user invitations within an Azure Active Directory tenant, indicating potential privilege escalation, persistence, or initial access attempts.","title":"Unauthorized Guest User Invitations in Azure AD","url":"https://feed.craftedsignal.io/briefs/2024-01-02-azuread-guest-invite/"}],"language":"en","title":"CraftedSignal Threat Feed — Guest-User","version":"https://jsonfeed.org/version/1.1"}
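As an added example, not code from the feed or from the Sigma rule it refers to, the following Python script applies the detection logic described in the brief's attack chain to constructed Azure AD audit log entries. Field names follow the Microsoft Graph directoryAudit schema (category, activityDisplayName, initiatedBy, targetResources); the approved-inviter list, the tenant domain and every event below are assumptions invented for the example. It goes a little beyond the plain allowlist check by handling two cases that come up in practice: UPN case differences, and invitations initiated by an application rather than a user, which have no UPN to match.

```python
"""Flag 'Invite external user' audit events whose initiator is not an approved inviter.

Added example; not the feed's Sigma rule. Field names follow the Microsoft Graph
directoryAudit schema. All events and identities below are constructed.
"""
import json

# Hypothetical allowlist of accounts permitted to invite guests (assumption).
APPROVED_INVITERS = {"helpdesk@contoso.example", "partner-ops@contoso.example"}

# Constructed sample audit log, shaped like Graph directoryAudit records.
SAMPLE_AUDIT_LOG = [
    {   # approved inviter: should not alert
        "activityDateTime": "2024-01-02T09:14:03Z", "category": "UserManagement",
        "activityDisplayName": "Invite external user", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
        "targetResources": [{"type": "User",
                             "userPrincipalName": "vendor_supplier.example#EXT#@contoso.onmicrosoft.com"}],
    },
    {   # compromised low-privilege user inviting an attacker-controlled identity: alert
        "activityDateTime": "2024-01-02T09:31:47Z", "category": "UserManagement",
        "activityDisplayName": "Invite external user", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
        "targetResources": [{"type": "User",
                             "userPrincipalName": "attacker_evil.example#EXT#@contoso.onmicrosoft.com"}],
    },
    {   # unrelated user-management operation by the same user: ignored
        "activityDateTime": "2024-01-02T09:32:10Z", "category": "UserManagement",
        "activityDisplayName": "Update user", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
        "targetResources": [{"type": "User", "userPrincipalName": "jdoe@contoso.example"}],
    },
    {   # invitation made by an application, so there is no UPN to match: alert for review
        "activityDateTime": "2024-01-02T10:02:55Z", "category": "UserManagement",
        "activityDisplayName": "Invite external user", "result": "success",
        "initiatedBy": {"app": {"displayName": "Partner Sync App",
                                "servicePrincipalId": "00000000-0000-0000-0000-000000000001"}},
        "targetResources": [{"type": "User",
                             "userPrincipalName": "sync_partner.example#EXT#@contoso.onmicrosoft.com"}],
    },
    {   # approved inviter with different letter case: should not alert
        "activityDateTime": "2024-01-02T10:20:00Z", "category": "UserManagement",
        "activityDisplayName": "Invite external user", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "HelpDesk@Contoso.example"}},
        "targetResources": [{"type": "User",
                             "userPrincipalName": "auditor_firm.example#EXT#@contoso.onmicrosoft.com"}],
    },
]


def _initiator(event):
    """Return (kind, identifier) for whoever performed the action: a user UPN or an app."""
    by = event.get("initiatedBy") or {}
    user = by.get("user") or {}
    if user.get("userPrincipalName"):
        return "user", user["userPrincipalName"]
    app = by.get("app")
    if app:
        return "app", app.get("displayName") or app.get("servicePrincipalId") or "<unknown app>"
    return "unknown", "<missing initiatedBy>"


def _invited_users(event):
    """Collect the UPNs (or display names) of the invited guest accounts."""
    return [t.get("userPrincipalName") or t.get("displayName") or "<unknown>"
            for t in event.get("targetResources", []) if t.get("type") == "User"]


def evaluate(events, approved_inviters):
    """Return one finding per 'Invite external user' event not initiated by an approved user.

    Matching is case-insensitive on the UPN. Invitations initiated by an app or with no
    initiator are always reported, since the allowlist cannot vouch for them.
    """
    approved = {u.lower() for u in approved_inviters}
    findings = []
    for ev in events:
        if ev.get("category") != "UserManagement":
            continue
        if ev.get("activityDisplayName") != "Invite external user":
            continue
        kind, who = _initiator(ev)
        if kind == "user" and who.lower() in approved:
            continue
        reason = ("inviter not on approved list" if kind == "user"
                  else f"invitation initiated by {kind}, not a user")
        findings.append({"time": ev.get("activityDateTime"), "inviter": who,
                         "invited": _invited_users(ev), "result": ev.get("result"),
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_AUDIT_LOG, APPROVED_INVITERS):
        print(json.dumps(finding))
```

Run against the constructed log, the script reports the invitation by jdoe@contoso.example and the app-initiated invitation, and stays quiet on both approved-inviter events and the unrelated update. Failed invitation attempts (result other than success) are still reported, since the attempt itself shows intent; the `result` field is carried into the finding so an analyst can tell the two apart.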