<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Guest-User — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/guest-user/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/guest-user/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unauthorized Guest User Invitations in Azure AD</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-azuread-guest-invite/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-azuread-guest-invite/</guid><description>Detection of unauthorized guest user invitations within an Azure Active Directory tenant, indicating potential privilege escalation, persistence, or initial access attempts.</description><content:encoded><![CDATA[<p>This alert focuses on detecting the invitation of guest users to an Azure Active Directory (AD) tenant by accounts that are not pre-approved to perform this action. Unauthorized guest user invitations can be an indicator of various malicious activities. An attacker could be attempting to escalate privileges by adding an account they control, establish persistence by creating a backdoor account, or gain initial access to the environment. This activity might be part of a broader attack aimed at gaining unauthorized access to sensitive resources or data within the organization&rsquo;s Azure environment. 
It is important to ensure that only authorized personnel can invite external users to maintain security and prevent potential abuse.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises a low-privilege user account within the Azure AD tenant or uses existing compromised credentials.</li>
<li>The attacker attempts to invite an external guest user to the tenant using the compromised account.</li>
<li>The Azure AD audit logs record the &ldquo;Invite external user&rdquo; operation under the UserManagement category.</li>
<li>The audit log event is generated, capturing details such as the user who initiated the invitation (InitiatedBy) and the target guest user&rsquo;s information.</li>
<li>The detection logic evaluates if the InitiatedBy user is within the list of approved guest inviters.</li>
<li>If the inviting user is not on the approved list, the detection rule triggers, indicating a potentially unauthorized guest invitation.</li>
<li>The attacker may then attempt to leverage the newly invited guest account for lateral movement or data exfiltration.</li>
<li>The attacker uses the guest account to access resources and data within the Azure AD environment, potentially leading to data breaches or other security incidents.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful abuse of the guest invitation capability can lead to unauthorized access to sensitive data and resources within the Azure AD tenant. While the precise number of potential victims is unknown, the impact could range from a limited breach affecting a small set of resources to a widespread compromise impacting the entire organization. The addition of unauthorized guest accounts can facilitate lateral movement, data exfiltration, and other malicious activities, leading to significant financial and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the provided Sigma rule to detect unauthorized guest user invitations in Azure AD audit logs and tune the <code>filter</code> with a list of approved inviters.</li>
<li>Review and restrict the number of users authorized to invite guest users to the Azure AD tenant based on business needs.</li>
<li>Enforce multi-factor authentication (MFA) for all user accounts, including guest accounts, to prevent unauthorized access.</li>
<li>Regularly review Azure AD audit logs for suspicious activity in the UserManagement category, such as unexpected &ldquo;Invite external user&rdquo; operations.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azuread</category><category>guest-user</category><category>privilege-escalation</category><category>persistence</category><category>initial-access</category></item></channel></rss>