<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Nobelium - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/nobelium/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/nobelium/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure AD FullAccessAsApp Permission Assignment</title><link>https://feed.craftedsignal.io/briefs/2024-01-azuread-fullaccess/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azuread-fullaccess/</guid><description>Detection of 'full_access_as_app' permission assignment to an application in Office 365 Exchange Online, potentially leading to unauthorized access and data exfiltration.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of the 'full_access_as_app' permission being assigned to an application within Office 365 Exchange Online. This activity is identified by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40' and the ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the ability to send emails as any user. The observed activity leverages the &quot;Update application&quot; operation in Azure Active Directory AuditLogs. The threat is significant because successful exploitation grants the attacker the ability to impersonate any user within the targeted organization, leading to potential data breaches, financial fraud, or further compromise of the environment. References to Microsoft's response to the Midnight Blizzard campaign indicate that this type of permission abuse has been seen in nation-state attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises an Azure AD account with sufficient privileges.</li>
<li>The attacker uses the compromised account to access the Azure portal or uses PowerShell/Graph API.</li>
<li>The attacker registers a malicious application within the Azure AD tenant, or modifies an existing one.</li>
<li>The attacker assigns the 'full_access_as_app' permission (dc890d15-9560-4a4c-9b7f-a736ec74ec40) to the application. This is achieved through the &quot;Update application&quot; operation.</li>
<li>The application gains full access to all mailboxes in the Exchange Online environment (ResourceAppId: 00000002-0000-0ff1-ce00-000000000000).</li>
<li>The attacker leverages the granted permissions to access sensitive emails, contacts, and calendar data from targeted mailboxes.</li>
<li>The attacker may send emails on behalf of other users, potentially leading to phishing attacks or business email compromise (BEC).</li>
<li>The attacker exfiltrates sensitive data or maintains persistence within the environment by creating new rogue applications.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful assignment of the 'full_access_as_app' permission allows an attacker to access and control all mailboxes within the targeted Office 365 Exchange Online environment. This can lead to significant data breaches, financial losses through BEC attacks, and reputational damage. Organizations in any sector are vulnerable, but those handling sensitive data or operating in regulated industries face the highest risk. Nation-state actors like NOBELIUM have been known to exploit this type of permission abuse to gain long-term access to victim networks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Azure AD FullAccessAsApp Permission Assigned&quot; to your SIEM and tune for your environment to detect unauthorized assignments of the 'full_access_as_app' permission.</li>
<li>Review Azure AD audit logs for &quot;Update application&quot; events where the 'full_access_as_app' permission (dc890d15-9560-4a4c-9b7f-a736ec74ec40) is being assigned.</li>
<li>Implement the recommendations from Microsoft's blog post &quot;Midnight Blizzard Guidance for Responders on Nation State Attack&quot; to harden your Azure AD environment and prevent similar attacks.</li>
<li>Monitor for applications with excessive permissions, especially those with the 'full_access_as_app' permission, and investigate any anomalies.</li>
<li>Regularly audit application permissions in Azure AD to identify and remediate any overly permissive configurations.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>azure</category><category>azuread</category><category>office365</category><category>persistence</category><category>nobelium</category></item></channel></rss>