{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pim/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","privileged-identity-management","invalid-license"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies scenarios where an organization lacks the necessary Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses required for proper Privileged Identity Management (PIM) functionality. Attackers may attempt to exploit misconfigured or unlicensed PIM deployments to gain unauthorized privileged access to critical Azure resources. This detection is crucial as it indicates a compliance issue that can be leveraged to escalate privileges, bypass security controls, and potentially lead to data breaches or system compromise. The absence of appropriate licensing hinders the effectiveness of PIM controls, creating opportunities for malicious actors to operate undetected. 
Defenders need to ensure appropriate licenses are in place.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Azure environment lacking a valid Microsoft Entra Premium P2 or Microsoft Entra ID Governance license for Privileged Identity Management (PIM).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to activate a privileged role within the Azure environment through PIM.\u003c/li\u003e\n\u003cli\u003eDue to the invalid license, the PIM activation process may not enforce proper multi-factor authentication (MFA) or approval workflows.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the privileged role without proper authorization or auditing.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised privileged role to access sensitive Azure resources, such as virtual machines, databases, or storage accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as data exfiltration, modification of system configurations, or deployment of malware.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence within the Azure environment by creating rogue user accounts or modifying existing access controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of an invalid PIM license can be severe. Organizations may experience unauthorized access to critical Azure resources, leading to data breaches, system compromise, and compliance violations. The absence of proper PIM controls can enable attackers to escalate privileges, bypass security measures, and operate undetected within the Azure environment. 
Identifying invalid PIM licenses is crucial for maintaining the security and integrity of Azure deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003einvalidLicenseAlertIncident\u003c/code\u003e events in Azure PIM logs (logsource: azure, service: pim).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003einvalidLicenseAlertIncident\u003c/code\u003e to determine the scope of the issue and potential unauthorized access.\u003c/li\u003e\n\u003cli\u003eVerify that all Azure subscriptions utilizing PIM have valid Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses.\u003c/li\u003e\n\u003cli\u003eImplement automated monitoring to proactively identify and alert on invalid PIM licenses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-invalid-pim-license/","summary":"Detection of unauthorized access or privilege escalation attempts within Azure environments due to invalid or missing Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses for Privileged Identity Management (PIM).","title":"Azure Privileged Identity Management (PIM) Invalid License Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-invalid-pim-license/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Privileged Identity Management"],"_cs_severities":["high"],"_cs_tags":["azure","pim","stale_account"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u0026ldquo;staleSignInAlertIncident\u0026rdquo; event in Azure Privileged Identity Management (PIM) signifies that an account assigned a privileged role has not signed in for a prolonged period. 
This alert is crucial for defenders because inactive privileged accounts can become attractive targets for attackers. If an account is compromised and not actively used, the breach can go unnoticed for an extended time, increasing the attacker\u0026rsquo;s dwell time and potential for lateral movement or data exfiltration. Monitoring for this event allows organizations to identify potentially compromised accounts and enforce stricter security measures like password resets, MFA enforcement, or temporary role revocation. The alert helps maintain a secure privileged access environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an organization using Azure PIM.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises a user account that is assigned a privileged role, but is currently inactive, using techniques such as password spraying or phishing.\u003c/li\u003e\n\u003cli\u003eDue to the account\u0026rsquo;s inactivity, the compromise remains unnoticed by the legitimate owner or security monitoring tools.\u003c/li\u003e\n\u003cli\u003eThe attacker activates the privileged role assignment in Azure PIM, granting them elevated permissions within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to perform reconnaissance, identify valuable assets, and potentially create new administrative accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the Azure environment, accessing sensitive data and resources that are normally restricted.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys malicious code to disrupt services.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by creating backdoors or modifying access controls to ensure continued access even after the initial compromise is detected.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised stale accounts in Azure PIM can lead to significant data breaches, service disruptions, and reputational damage. Attackers can leverage the elevated privileges associated with these accounts to gain unauthorized access to critical resources, exfiltrate sensitive data, or deploy ransomware. The impact can range from data loss to complete system compromise, depending on the scope of the privileged roles assigned to the stale account. The financial implications can be substantial, including regulatory fines, incident response costs, and lost revenue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect \u003ccode\u003estaleSignInAlertIncident\u003c/code\u003e events in your Azure PIM logs, enabling rapid identification of potentially compromised stale accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts to determine the legitimacy of the account\u0026rsquo;s inactivity and potential compromise scenarios.\u003c/li\u003e\n\u003cli\u003eImplement automated workflows to disable or remove privileged role assignments for accounts that trigger the \u003ccode\u003estaleSignInAlertIncident\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies and multi-factor authentication (MFA) for all accounts with privileged roles in Azure PIM.\u003c/li\u003e\n\u003cli\u003eImplement regular access reviews to identify and remove unnecessary privileged role assignments, minimizing the attack surface.\u003c/li\u003e\n\u003cli\u003eConsult Microsoft\u0026rsquo;s documentation on configuring security alerts for potential stale accounts in privileged roles to understand the context and recommended 
actions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:42:00Z","date_published":"2024-01-03T18:42:00Z","id":"/briefs/2024-01-azure-pim-stale-account/","summary":"Detection of stale accounts in Azure Privileged Identity Management (PIM) through the 'staleSignInAlertIncident' event, indicating potential compromised or unused privileged accounts.","title":"Azure PIM Account Stale Sign-in Alert","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-stale-account/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe compromise of privileged accounts within cloud environments is a significant risk. Azure Privileged Identity Management (PIM) is designed to mitigate this risk by enforcing time-bound and approval-based role activation. This brief focuses on the detection of PIM elevation requests that are either approved or denied. While legitimate administrator actions will trigger these events, unexpected or unauthorized approvals/denials, especially those occurring outside of normal business hours or originating from unusual locations, warrant immediate investigation. This activity can indicate attempts at unauthorized privilege escalation, lateral movement, or data exfiltration within the Azure environment. 
Monitoring these events provides an opportunity to identify and respond to potential breaches before significant damage can occur.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a low-privileged Azure account, possibly through credential phishing or password reuse.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to activate a privileged role (e.g., Global Administrator, Security Administrator) through Azure PIM.\u003c/li\u003e\n\u003cli\u003eThe PIM request triggers an approval workflow, requiring authorization from designated approvers.\u003c/li\u003e\n\u003cli\u003eAn attacker compromises an approver account, enabling them to approve their own malicious PIM request or deny a legitimate one.\u003c/li\u003e\n\u003cli\u003eAlternatively, an unwitting approver approves a malicious request, potentially due to social engineering.\u003c/li\u003e\n\u003cli\u003eUpon approval, the attacker\u0026rsquo;s account is temporarily elevated to the requested privileged role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to perform malicious actions, such as creating new accounts, modifying security policies, or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by creating backdoor accounts or modifying access controls, potentially circumventing PIM restrictions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to full control over the Azure environment, potentially impacting hundreds or thousands of users and services. A compromised Global Administrator role grants the attacker the ability to access and modify all resources within the Azure tenant, leading to data breaches, service disruptions, and financial losses. 
The targeted sectors include any organization leveraging Azure PIM for privileged access management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure PIM Elevation Approved or Denied\u003c/code\u003e to your SIEM to detect unusual PIM activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any PIM approval or denial events occurring outside of normal business hours or originating from unexpected locations, focusing on the \u003ccode\u003eproperties.message\u003c/code\u003e field in the logs.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts, especially those with approval permissions for PIM requests.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit PIM role assignments and approval workflows to ensure they align with the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eEnable alerting on changes to PIM policies and configurations to detect any unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Audit Logs for suspicious activity following PIM role activation, looking for actions associated with common attack techniques (e.g., account creation, policy modification).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:27:00Z","date_published":"2024-01-03T18:27:00Z","id":"/briefs/2024-01-azure-pim-elevation/","summary":"Detection of Azure Privileged Identity Management (PIM) elevation approvals or denials, which, if unexpected, may indicate unauthorized privilege escalation or malicious activity within an Azure environment.","title":"Azure PIM Elevation Approved or 
Denied","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-elevation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","mfa","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe absence of multi-factor authentication (MFA) during the activation of privileged roles in Azure Privileged Identity Management (PIM) poses a significant security risk. When roles can be activated without MFA, attackers who have already compromised a user account can escalate their privileges without needing to bypass an MFA challenge. This scenario circumvents a critical security control, making the environment vulnerable to lateral movement, data exfiltration, and other malicious activities. This brief is based on Sigma rule 94a66f46-5b64-46ce-80b2-75dcbe627cc0, published on 2023-09-14. Defenders need to monitor PIM configurations to ensure that MFA is enforced for all privileged role activations, mitigating the risk of unauthorized access and privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user account, potentially through phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a privileged role within Azure PIM that the compromised user is eligible to activate.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to activate the privileged role using the compromised user\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eDue to misconfiguration, MFA is not required for the role activation process.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully activates the privileged role without providing a second factor of authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly acquired privileges to access sensitive resources and data within the Azure 
environment.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions such as creating new accounts, modifying configurations, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating backdoors or modifying access control policies.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe absence of MFA during PIM role activation can lead to significant damage, potentially affecting all resources within the Azure environment accessible to the compromised privileged role. Successful exploitation allows attackers to bypass a critical security control, leading to privilege escalation, data breaches, and system compromise. The impact spans data confidentiality, integrity, and availability, and could result in regulatory fines, reputational damage, and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Roles Activation Doesn\u0026rsquo;t Require MFA\u0026rdquo; to your SIEM and tune for your environment to detect instances where privileged roles are activated without MFA based on \u003ccode\u003eriskEventType: 'noMfaOnRoleActivationAlertIncident'\u003c/code\u003e in Azure PIM logs.\u003c/li\u003e\n\u003cli\u003eReview and enforce MFA policies for all privileged role activations within Azure PIM, as recommended in the Microsoft documentation (\u003ca 
href=\"https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation\"\u003ehttps://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-azure-pim-no-mfa/","summary":"Detection of Azure Privileged Identity Management (PIM) roles being activated without requiring multi-factor authentication, potentially leading to unauthorized privilege escalation and persistence.","title":"Azure PIM Role Activation Without MFA","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-no-mfa/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","global_admin","privilege_escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe presence of an excessive number of Global Administrator accounts in an Azure tenant poses a significant security risk. While the source does not attribute this activity to a specific threat actor, the risk event indicates a potential compromise of existing accounts, internal privilege abuse, or misconfiguration within the Azure environment. The alert triggers when the number of Global Administrator assignments exceeds a predefined threshold within Privileged Identity Management (PIM). 
Attackers may abuse highly privileged accounts to gain broad control over the Azure environment, deploy malicious workloads, exfiltrate data, or establish persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker compromises a low-privilege user account through phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to elevate privileges by exploiting misconfigured permissions or vulnerabilities within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGlobal Admin Role Assignment:\u003c/strong\u003e The attacker assigns the Global Administrator role to multiple accounts, including the compromised account, either directly or through PIM bypass.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With Global Administrator privileges, the attacker moves laterally within the Azure environment, accessing sensitive resources and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker exfiltrates sensitive data from cloud storage, databases, or virtual machines.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistent access by creating backdoors, modifying access controls, or deploying rogue applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCovering Tracks:\u003c/strong\u003e The attacker attempts to remove audit logs or disable security features to hide their activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of Global Administrator accounts can lead to significant damage, including data breaches, financial loss, and reputational damage. 
Excessive admin accounts significantly widen the attack surface and increase the likelihood of successful attacks. The impact includes unauthorized access to sensitive data, disruption of business operations, and potential regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Too Many Global Admins\u0026rdquo; to your SIEM and tune the threshold for your environment to detect excessive Global Administrator assignments in Azure PIM.\u003c/li\u003e\n\u003cli\u003eReview and reduce the number of Global Administrator accounts to the minimum necessary.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all privileged accounts.\u003c/li\u003e\n\u003cli\u003eMonitor Azure audit logs for suspicious activity related to role assignments and privilege elevation.\u003c/li\u003e\n\u003cli\u003eRegularly review and update PIM policies to ensure appropriate access controls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-too-many-global-admins/","summary":"Detection of an excessive number of Global Administrator accounts assigned within an Azure tenant, indicating potential privilege escalation or compromised accounts.","title":"Excessive Global Administrator Accounts in Azure PIM","url":"https://feed.craftedsignal.io/briefs/2024-01-too-many-global-admins/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","pim","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003ePrivileged Identity Management (PIM) is a critical component of Azure Active Directory, enabling organizations to manage, control, and monitor access to important resources. 
Attackers often target PIM configurations to escalate privileges, establish persistence, or move laterally within a compromised environment. This activity focuses on detecting changes to PIM role settings, which could indicate malicious activity aimed at weakening security controls. Defenders must monitor these changes to prevent unauthorized access and maintain the integrity of their Azure environment. This includes understanding who is making these changes, the scope of the modifications, and whether the changes align with established security policies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attacker gains initial access to an account with sufficient privileges to view PIM settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates existing PIM role settings within the Azure Active Directory environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModification:\u003c/strong\u003e The attacker modifies existing PIM role settings, such as extending the maximum activation time or removing approval requirements, using the Azure portal, PowerShell, or the Azure CLI.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e By modifying PIM settings, the attacker escalates their privileges, granting themselves elevated access to sensitive resources or administrative functions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating new or modifying existing role assignments to maintain access even if their initial account is compromised.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With escalated privileges, the attacker moves laterally to access other resources or accounts within the Azure 
environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker leverages their escalated privileges to exfiltrate sensitive data, disrupt services, or cause other damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of PIM settings can have severe consequences, including unauthorized access to sensitive data, disruption of critical services, and privilege escalation leading to complete compromise of the Azure environment. A single compromised PIM setting can affect multiple users and resources, amplifying the impact of the attack. Early detection of PIM setting modifications can prevent attackers from gaining a foothold and causing significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect changes to PIM settings based on the \u003ccode\u003eproperties.message\u003c/code\u003e field within Azure audit logs.\u003c/li\u003e\n\u003cli\u003eRegularly review Azure audit logs for events related to PIM configuration changes, paying close attention to the user accounts making the changes and the scope of the modifications.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all accounts with privileges to manage PIM settings.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by granting users only the minimum permissions required to perform their job functions.\u003c/li\u003e\n\u003cli\u003eEstablish a baseline of normal PIM settings and alert on any deviations from this baseline.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule by correlating them with other security events and user activity.\u003c/li\u003e\n\u003cli\u003eImplement automated responses to detected PIM setting modifications, such as disabling the affected user account or 
reverting the changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-03-azure-pim-settings-change/","summary":"Detects unauthorized or malicious modifications to Privileged Identity Management (PIM) settings within Azure environments, potentially leading to privilege escalation, persistence, and stealthy access by attackers.","title":"Detection of Privileged Identity Management (PIM) Settings Modifications","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-pim-settings-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","pim","privileged-identity-management","role-based-access-control","initial-access","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies a condition where users have been assigned privileged roles within Azure\u0026rsquo;s Privileged Identity Management (PIM) but are not actively utilizing those roles. This situation can arise from various factors, including misconfiguration of PIM settings, over-allocation of privileged roles due to process gaps or lack of oversight, or the presence of dormant accounts with elevated privileges. Such unused roles represent a potential security risk, as they can be exploited by malicious actors or misused inadvertently, especially if MFA or conditional access policies are not enforced. 
Regularly auditing and addressing unused PIM roles is crucial for maintaining a strong security posture and optimizing license utilization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator assigns a privileged role to a user within Azure PIM.\u003c/li\u003e\n\u003cli\u003eThe user is granted the role but does not activate or use it to perform any privileged actions.\u003c/li\u003e\n\u003cli\u003eAzure PIM monitors role usage and detects the lack of activity for the assigned role.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;redundantAssignmentAlertIncident\u0026rdquo; event is triggered within the Azure PIM logs.\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to the user\u0026rsquo;s account through credential compromise or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker activates the unused privileged role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the now-active privileged role to perform unauthorized actions, such as modifying system configurations, accessing sensitive data, or escalating privileges further.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise, without being detected due to the pre-existing role assignment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe presence of unused privileged roles can lead to significant security breaches and compliance violations. An attacker exploiting an unused role can gain immediate access to sensitive resources and perform unauthorized actions, potentially leading to data breaches, system outages, or financial losses. The number of affected users and resources depends on the scope of the unused role and the attacker\u0026rsquo;s objectives. 
Failure to identify and address these unused roles can also result in unnecessary license costs and increased attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003eredundantAssignmentAlertIncident\u003c/code\u003e events indicating unused PIM roles in Azure (see \u0026ldquo;Roles Are Not Being Used\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eInvestigate all detected instances of unused PIM roles to determine the reason for inactivity and potential risks.\u003c/li\u003e\n\u003cli\u003eRevoke the assigned role if the user no longer requires it, or provide training and guidance to ensure proper role utilization.\u003c/li\u003e\n\u003cli\u003eReview and refine PIM role assignment policies to minimize the allocation of unnecessary privileges.\u003c/li\u003e\n\u003cli\u003eImplement regular audits of PIM role assignments to identify and address unused roles promptly.\u003c/li\u003e\n\u003cli\u003eConfigure security alerts within Azure PIM to receive notifications about unused roles and other potential security incidents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-pim-role-not-used/","summary":"Detection of assigned but unused privileged roles in Azure's Privileged Identity Management (PIM) service, indicating potential misconfiguration, license overuse, or dormant privileged access that could be exploited.","title":"Unused Privileged Identity Management (PIM) Roles in Azure","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-not-used/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","alerts","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may disable 
PIM alerts within Azure environments to weaken security monitoring and maintain a low profile while escalating privileges. This involves modifying alert settings within the Azure Privileged Identity Management service to prevent notifications of suspicious or unauthorized activity. This technique enables attackers to operate with reduced scrutiny, making it easier to establish persistence and move laterally within the compromised environment. Successful disabling of PIM alerts allows malicious actors to abuse privileged roles without triggering immediate alarms. This allows for potentially long-term access and control over critical resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to escalate privileges within the Azure Active Directory, potentially by exploiting misconfigured roles or vulnerabilities.\u003c/li\u003e\n\u003cli\u003ePIM Access: The attacker accesses the Azure Privileged Identity Management (PIM) service.\u003c/li\u003e\n\u003cli\u003eAlert Configuration Discovery: The attacker enumerates existing PIM alert configurations to identify the alerts to be disabled.\u003c/li\u003e\n\u003cli\u003eAlert Modification: The attacker modifies the alert settings, setting them to disabled. 
This can be done through the Azure portal or through the same PIM API the portal uses.\u003c/li\u003e\n\u003cli\u003ePersistence: With alerts disabled, the attacker can assign themselves privileged roles without PIM notifying anyone; the role changes are still written to the directory audit log, but nobody is prompted to look at them.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker leverages the newly acquired privileged roles to move laterally within the Azure environment, accessing sensitive resources and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling PIM alerts significantly reduces an organization\u0026rsquo;s visibility into privileged access activities. Detection of malicious activity is delayed, allowing the attacker to maintain a persistent presence, escalate privileges, and exfiltrate sensitive data without triggering alarms. The impact includes potential data breaches, financial losses, and reputational damage. The lack of alerts hinders incident response and prolongs the attack, compounding the damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect instances where PIM alerts are disabled by monitoring \u003ccode\u003eauditlogs\u003c/code\u003e for \u003ccode\u003eproperties.message: Disable PIM Alert\u003c/code\u003e. The directory audit log is written regardless of PIM\u0026rsquo;s own alert settings, so this detection keeps working after the attacker has switched the alerts off; treat any hit that does not match an approved change as an incident rather than a tuning candidate.\u003c/li\u003e\n\u003cli\u003eRegularly review PIM alert configurations to ensure critical alerts are enabled and properly configured.\u003c/li\u003e\n\u003cli\u003eRequire multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate initial access through valid accounts (T1078).\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege, in particular for the Privileged Role Administrator and Global Administrator roles that can change PIM settings, to limit the scope of potential damage from compromised accounts.\u003c/li\u003e\n\u003cli\u003eMonitor Azure audit logs for unusual activity related to PIM configuration 
changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-pim-alerts-disabled/","summary":"An adversary disables Privileged Identity Management (PIM) alerts in Azure to evade detection and maintain persistent access with escalated privileges.","title":"Privileged Identity Management (PIM) Alerting Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-pim-alerts-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","role-activation","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses suspicious activity within Azure Privileged Identity Management (PIM), specifically the repeated activation of the same privileged role by the same user within a short period. PIM raises its \u0026ldquo;Roles are being activated too frequently\u0026rdquo; security alert for this pattern, and the detection keys on the resulting \u003ccode\u003esequentialActivationRenewalsAlertIncident\u003c/code\u003e events. Back-to-back activations and renewals suggest that someone is trying to hold elevated privileges beyond a single activation window, which can indicate compromised credentials or malicious insider activity. The detection is based on Azure PIM logs and aims to identify deviations from normal user behavior related to role activation. 
Defenders should investigate these alerts promptly to determine whether the activations are legitimate and to mitigate potential risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to an Azure account, possibly through compromised credentials (T1078).\u003c/li\u003e\n\u003cli\u003ePrivilege Discovery: The attacker identifies which privileged roles the compromised account is eligible to activate in Azure PIM.\u003c/li\u003e\n\u003cli\u003eRole Activation Request: The attacker initiates a request to activate a privileged role and satisfies whatever the role\u0026rsquo;s activation policy demands (MFA, justification, approval if configured).\u003c/li\u003e\n\u003cli\u003eRole Activation: The attacker successfully activates the privileged role.\u003c/li\u003e\n\u003cli\u003eResource Access: With the activated role, the attacker accesses sensitive resources or performs privileged actions.\u003c/li\u003e\n\u003cli\u003eRepeated Activation: As each activation expires, or after deactivating it, the attacker immediately activates or renews the same role again, holding the privilege continuously while each individual activation still looks routine.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker uses the elevated privileges to move laterally within the Azure environment.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or System Damage (Impact): The attacker achieves their ultimate objective, such as exfiltrating sensitive data or causing damage to systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to critical resources, data breaches, and significant damage to the organization\u0026rsquo;s Azure environment. Chaining activations turns PIM\u0026rsquo;s time-bound access back into standing access: the attacker keeps the role without ever needing the permanent assignment that an access review would catch, which makes the activity hard to spot unless activation frequency itself is monitored. 
A single compromised account with PIM access can lead to widespread impact across the entire Azure infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Roles Activated Too Frequently\u0026rdquo; to your SIEM and tune it based on your environment to reduce false positives (logsource: azure, service: pim).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026ldquo;Roles Activated Too Frequently\u0026rdquo;, focusing on which role was activated and by whom, and correlate the activation times with the sign-in logs: activations from a new device, IP range or country, or outside the user\u0026rsquo;s working hours, separate an attacker from an administrator who is simply re-activating a short-lived role.\u003c/li\u003e\n\u003cli\u003eReview the maximum activation duration configured for each role in PIM. A very short duration forces legitimate users to re-activate repeatedly and is the main source of false positives, as the rule\u0026rsquo;s \u003ccode\u003efalsepositives\u003c/code\u003e section notes; lengthen it where that matches real workflows rather than suppressing the alert.\u003c/li\u003e\n\u003cli\u003eRequire multi-factor authentication (MFA) for all users, especially those with privileged roles, to mitigate the risk of credential compromise (T1078).\u003c/li\u003e\n\u003cli\u003eMonitor Azure Active Directory sign-in logs for suspicious activity, such as logins from unusual locations or devices.\u003c/li\u003e\n\u003cli\u003eImplement least privilege principles and regularly review role assignments to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-pim-role-activation/","summary":"Detection of frequent role activation in Azure Privileged Identity Management (PIM) by the same user may indicate potential privilege escalation or account compromise.","title":"Frequent Azure PIM Role Activation Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-activation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active 
Directory"],"_cs_severities":["high"],"_cs_tags":["azure","pim","role-assignment","attack.initial-access","attack.stealth","attack.t1078","attack.persistence","attack.privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAssigning a privileged directory role directly, outside of Azure Privileged Identity Management (PIM), sidesteps every control PIM adds to privileged access: just-in-time activation, approval, MFA on activation and an expiry on the assignment. An attacker who already controls an identity that can manage role assignments can use a direct assignment to give an account they control standing privileged access that outlives their current session, which is why the technique is associated with persistence and privilege escalation. The assignment is not invisible: it is written to the directory audit log, and PIM raises its \u0026ldquo;Roles are being assigned outside of Privileged Identity Management\u0026rdquo; security alert for it, so detecting these assignments is a reliable way to surface compromised privileged accounts, malicious insiders, or administrators working around process. Acting on the detection quickly limits how long the attacker keeps the standing access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains control of a user account or service principal in the Azure environment that is allowed to manage directory role assignments, for example a Global Administrator or Privileged Role Administrator, or an application granted the \u003ccode\u003eRoleManagement.ReadWrite.Directory\u003c/code\u003e permission.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates the existing privileged roles and their current assignments.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns a privileged role (e.g., Global Administrator, Security Administrator) directly as a permanent active assignment, using PowerShell, the Microsoft Graph API (directly or via Azure CLI), or the Azure portal, instead of creating an eligible assignment that would have to be activated through PIM.\u003c/li\u003e\n\u003cli\u003eThe assignment takes effect immediately, with no activation step, approval, or expiry. PIM records it as an assignment made outside PIM, which is the event the Sigma rule in the Recommendation section keys on.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly assigned privileged role to access sensitive data, modify configurations, or create new resources.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating new accounts or modifying existing 
ones with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other Azure resources or subscriptions using their increased access.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, service disruption, or deployment of malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising privileged roles within Azure can have severe consequences, potentially affecting every resource in the Azure Active Directory tenant. Successful attacks can lead to unauthorized data access, service disruption, financial loss, and reputational damage. The scope of the impact depends on the level of privilege gained and the sensitivity of the targeted resources. Without detection and response, the direct assignment stays in place indefinitely, since nothing expires it, and the attacker keeps persistent access for as long as nobody reviews the tenant\u0026rsquo;s role members.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eRoles Assigned Outside PIM\u003c/code\u003e to your SIEM to detect role assignments made without PIM within your Azure environment.\u003c/li\u003e\n\u003cli\u003eInvestigate every instance flagged by the Sigma rule \u003ccode\u003eRoles Assigned Outside PIM\u003c/code\u003e: identify who made the assignment and which identity received it, and confirm against change records that it was intended; if it was not, remove the assignment and treat the assigning account as compromised.\u003c/li\u003e\n\u003cli\u003eKeep the PIM security alert \u0026ldquo;Roles are being assigned outside of Privileged Identity Management\u0026rdquo; enabled, and convert legitimate permanent active assignments it reports into eligible assignments so that future use requires PIM activation, as described in the Microsoft documentation reference.\u003c/li\u003e\n\u003cli\u003eLimit the number of identities that can create role assignments at all (Global Administrator, Privileged Role Administrator, and applications with role-management permissions), since only those can perform this technique.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to minimize the potential impact of compromised 
accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-azure-pim-role-assigned-outside/","summary":"Detection of privileged role assignments outside of Azure Privileged Identity Management (PIM) can indicate potential attacker activity related to initial access, stealth, persistence, or privilege escalation within the Azure environment.","title":"Azure PIM - Role Assignment Outside of Privileged Identity Management","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-assigned-outside/"}],"language":"en","title":"CraftedSignal Threat Feed — Pim","version":"https://jsonfeed.org/version/1.1"}
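Worked example for the four detections in the briefs above. Each brief points at a Sigma rule over Entra audit logs but shows none of the matching logic; the Python below is an added example written for this page, not code from the CraftedSignal feed or from the Sigma rules it cites. It re-implements the four checks (PIM alert disabled, role assigned outside PIM, roles activated too frequently, eligible role not used) over a handful of constructed audit records. The record shape and the activityDisplayName strings are assumptions modelled on the Microsoft Graph directoryAudits schema and on PIM's audit activity names; the user names, roles and timestamps are made up. Check the strings against what your tenant actually emits before relying on them.

```python
"""Toy versions of the four PIM detections referenced in this feed, run over
constructed Entra audit-log records (added example, not feed or Sigma code).
Record shape and activityDisplayName strings are assumptions modelled on the
Graph directoryAudits schema and PIM's audit activity names."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    """Graph timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def actor_of(e):
    return e.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")


def role_of(e):
    """PIM audit events list the directory role among targetResources."""
    for t in e.get("targetResources", []):
        if t.get("type") == "Role":
            return t.get("displayName", "?")
    return "?"


def pim_alert_disabled(events):
    """Brief 2: same idea as the Sigma selection `properties.message: Disable PIM Alert`."""
    return [e for e in events
            if e.get("activityDisplayName", "").lower() == "disable pim alert"]


def roles_assigned_outside_pim(events):
    """Brief 4: a permanent or time-bound assignment created without PIM activation."""
    return [e for e in events
            if e.get("activityDisplayName", "").startswith("Add member to role outside of PIM")]


def roles_activated_too_frequently(events, window=timedelta(hours=1), threshold=3):
    """Brief 3: the same user activating the same role `threshold` times within `window`.
    Sliding window over sorted activation times; reports one hit per (user, role)."""
    acts = defaultdict(list)
    for e in events:
        if e.get("activityDisplayName") == "Add member to role completed (PIM activation)":
            acts[(actor_of(e), role_of(e))].append(parse_ts(e["activityDateTime"]))
    hits = []
    for (user, role), times in acts.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # drop activations that fell out of the window
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.append({"user": user, "role": role, "count": hi - lo + 1, "at": t})
                break
    return hits


def unused_eligible_roles(eligible, events, now, lookback=timedelta(days=30)):
    """Brief 1: eligible assignments with no PIM activation inside the look-back window.
    `eligible` is a list of (userPrincipalName, roleDisplayName) pairs, e.g. from a
    PIM eligibility export; PIM's own alert does this comparison server-side."""
    last_used = {}
    for e in events:
        if e.get("activityDisplayName") == "Add member to role completed (PIM activation)":
            key, t = (actor_of(e), role_of(e)), parse_ts(e["activityDateTime"])
            last_used[key] = max(last_used.get(key, t), t)
    return [(u, r) for u, r in eligible
            if last_used.get((u, r)) is None or now - last_used[(u, r)] > lookback]


def make_event(name, when, upn, role=None):
    """Build a minimal directoryAudits-style record (constructed, not captured)."""
    return {"activityDisplayName": name, "loggedByService": "PIM", "activityDateTime": when,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"type": "Role", "displayName": role}] if role else []}


ACT = "Add member to role completed (PIM activation)"
SAMPLE_EVENTS = [  # constructed sample data
    make_event(ACT, "2024-01-03T08:00:00Z", "alice@contoso.example", "Global Administrator"),
    make_event(ACT, "2024-01-03T08:20:00Z", "alice@contoso.example", "Global Administrator"),
    make_event(ACT, "2024-01-03T08:45:00Z", "alice@contoso.example", "Global Administrator"),
    make_event(ACT, "2023-11-20T09:00:00Z", "bob@contoso.example", "Security Administrator"),
    make_event("Add member to role outside of PIM (permanent)", "2024-01-03T09:10:00Z",
               "alice@contoso.example", "Global Administrator"),
    make_event("Disable PIM alert", "2024-01-03T09:12:00Z", "alice@contoso.example"),
]
ELIGIBLE = [("alice@contoso.example", "Global Administrator"),
            ("bob@contoso.example", "Security Administrator"),
            ("carol@contoso.example", "Exchange Administrator")]
NOW = datetime(2024, 1, 3, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("alerts disabled:", [actor_of(e) for e in pim_alert_disabled(SAMPLE_EVENTS)])
    print("outside PIM:", [(actor_of(e), role_of(e)) for e in roles_assigned_outside_pim(SAMPLE_EVENTS)])
    print("too frequent:", roles_activated_too_frequently(SAMPLE_EVENTS))
    print("unused eligible:", unused_eligible_roles(ELIGIBLE, SAMPLE_EVENTS, NOW))
```

Running the module on the constructed sample reports one disabled-alert event, one direct assignment, one user who activated Global Administrator three times inside an hour, and two eligible assignments with no activation in the last 30 days. The frequency check reports a single hit per (user, role) pair rather than one per activation so that the SIEM sees one incident to triage; the window and threshold are the knobs to tune against the activation durations configured in your tenant.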