<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Immutabilid - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/immutabilid/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/immutabilid/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure AD User ImmutableId Attribute Modification for Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-01-azuread-immutableid-modification/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azuread-immutableid-modification/</guid><description>Attackers modify the ImmutableID attribute of an Azure AD user to establish a federation backdoor, bypassing MFA and enabling persistent access.</description><content:encoded><![CDATA[<p>Attackers are targeting Azure Active Directory (Azure AD) environments to establish persistent backdoors. This involves manipulating the <code>SourceAnchor</code> attribute, also known as <code>ImmutableId</code>, of a user object within Azure AD. This manipulation allows an attacker to forge authentication and bypass Multi-Factor Authentication (MFA) for the targeted user. Successful exploitation allows the attacker to impersonate any user. Defenders should monitor changes to the <code>SourceAnchor</code> attribute for unusual activity. This activity is a common step in setting up an Azure AD identity federation backdoor, allowing an adversary to establish persistence.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to an account with sufficient privileges to modify Azure AD user attributes.</li>
<li>The attacker identifies a target user account within the Azure AD tenant.</li>
<li>The attacker modifies the <code>SourceAnchor</code> (ImmutableId) attribute of the target user's account using Azure AD PowerShell or the Azure portal.</li>
<li>The attacker configures a malicious Security Assertion Markup Language (SAML) identity provider.</li>
<li>The attacker crafts a SAML assertion with the target user's <code>ImmutableId</code> and signs it with the malicious identity provider.</li>
<li>The attacker uses the crafted SAML assertion to authenticate to Azure AD as the target user, bypassing password and MFA requirements.</li>
<li>The attacker gains unauthorized access to resources and data within the Azure AD environment.</li>
<li>The attacker maintains persistent access to the compromised user account, even if the user's password is changed or MFA is enabled.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of the ImmutableId attribute allows attackers to bypass password and MFA protections, leading to full account compromise. An attacker with the ability to impersonate a privileged user can escalate privileges, access sensitive data, and disrupt critical business operations. This can lead to data breaches, financial loss, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure AD User ImmutableId Attribute Updated</code> to your SIEM and tune for your environment.</li>
<li>Enable Azure AD audit logging and monitor for &quot;Update user&quot; operations targeting the <code>SourceAnchor</code> attribute.</li>
<li>Investigate any modifications to the <code>SourceAnchor</code> attribute, especially those performed by unfamiliar or unauthorized accounts.</li>
<li>Review and harden Azure AD federation settings to prevent the use of malicious SAML identity providers.</li>
<li>Monitor and investigate user accounts identified in the <code>RBA message</code> in the alert description.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>azuread</category><category>persistence</category><category>federation</category><category>immutabilid</category></item></channel></rss>