{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/immutabilid/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory"],"_cs_severities":["critical"],"_cs_tags":["azuread","persistence","federation","immutabilid"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are targeting Azure Active Directory (Azure AD) environments to establish persistent backdoors. This involves manipulating the \u003ccode\u003eSourceAnchor\u003c/code\u003e attribute, also known as \u003ccode\u003eImmutableId\u003c/code\u003e, of a user object within Azure AD. This manipulation allows an attacker to forge authentication and bypass Multi-Factor Authentication (MFA) for the targeted user. Successful exploitation allows the attacker to impersonate any user. Defenders should monitor changes to the \u003ccode\u003eSourceAnchor\u003c/code\u003e attribute for unusual activity. This activity is a common step in setting up an Azure AD identity federation backdoor, allowing an adversary to establish persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an account with sufficient privileges to modify Azure AD user attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user account within the Azure AD tenant.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eSourceAnchor\u003c/code\u003e (ImmutableId) attribute of the target user's account using Azure AD PowerShell or the Azure portal.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a malicious Security Assertion Markup Language (SAML) identity provider.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a SAML assertion with the target user's \u003ccode\u003eImmutableId\u003c/code\u003e and signs it with the malicious identity provider.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the crafted SAML assertion to authenticate to Azure AD as the target user, bypassing password and MFA requirements.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to resources and data within the Azure AD environment.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the compromised user account, even if the user's password is changed or MFA is enabled.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the ImmutableId attribute allows attackers to bypass password and MFA protections, leading to full account compromise. An attacker with the ability to impersonate a privileged user can escalate privileges, access sensitive data, and disrupt critical business operations. This can lead to data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure AD User ImmutableId Attribute Updated\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Azure AD audit logging and monitor for \u0026quot;Update user\u0026quot; operations targeting the \u003ccode\u003eSourceAnchor\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eInvestigate any modifications to the \u003ccode\u003eSourceAnchor\u003c/code\u003e attribute, especially those performed by unfamiliar or unauthorized accounts.\u003c/li\u003e\n\u003cli\u003eReview and harden Azure AD federation settings to prevent the use of malicious SAML identity providers.\u003c/li\u003e\n\u003cli\u003eMonitor and investigate user accounts identified in the \u003ccode\u003eRBA message\u003c/code\u003e in the alert description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azuread-immutableid-modification/","summary":"Attackers modify the ImmutableID attribute of an Azure AD user to establish a federation backdoor, bypassing MFA and enabling persistent access.","title":"Azure AD User ImmutableId Attribute Modification for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-azuread-immutableid-modification/"}],"language":"en","title":"CraftedSignal Threat Feed - Immutabilid","version":"https://jsonfeed.org/version/1.1"}