<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pim — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/pim/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 22 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/pim/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure Privileged Identity Management (PIM) Invalid License Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-invalid-pim-license/</link><pubDate>Mon, 22 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-invalid-pim-license/</guid><description>Detection of unauthorized access or privilege escalation attempts within Azure environments due to invalid or missing Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses for Privileged Identity Management (PIM).</description><content:encoded><![CDATA[<p>This alert identifies scenarios where an organization lacks the necessary Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses required for proper Privileged Identity Management (PIM) functionality. Attackers may attempt to exploit misconfigured or unlicensed PIM deployments to gain unauthorized privileged access to critical Azure resources. This detection is crucial as it indicates a compliance issue that can be leveraged to escalate privileges, bypass security controls, and potentially lead to data breaches or system compromise. 
The absence of appropriate licensing hinders the effectiveness of PIM controls, creating opportunities for malicious actors to operate undetected. Defenders need to ensure appropriate licenses are in place.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an Azure environment lacking a valid Microsoft Entra Premium P2 or Microsoft Entra ID Governance license for Privileged Identity Management (PIM).</li>
<li>The attacker attempts to activate a privileged role within the Azure environment through PIM.</li>
<li>Due to the invalid license, the PIM activation process may not enforce proper multi-factor authentication (MFA) or approval workflows.</li>
<li>The attacker gains unauthorized access to the privileged role without proper authorization or auditing.</li>
<li>The attacker leverages the compromised privileged role to access sensitive Azure resources, such as virtual machines, databases, or storage accounts.</li>
<li>The attacker performs malicious actions, such as data exfiltration, modification of system configurations, or deployment of malware.</li>
<li>The attacker attempts to establish persistence within the Azure environment by creating rogue user accounts or modifying existing access controls.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of an invalid PIM license can be severe. Organizations may experience unauthorized access to critical Azure resources, leading to data breaches, system compromise, and compliance violations. The absence of proper PIM controls can enable attackers to escalate privileges, bypass security measures, and operate undetected within the Azure environment. Identifying invalid PIM licenses is crucial for maintaining the security and integrity of Azure deployments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect <code>invalidLicenseAlertIncident</code> events in Azure PIM logs (logsource: azure, service: pim).</li>
<li>Investigate any detected instances of <code>invalidLicenseAlertIncident</code> to determine the scope of the issue and potential unauthorized access.</li>
<li>Verify that all Azure subscriptions utilizing PIM have valid Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses.</li>
<li>Implement automated monitoring to proactively identify and alert on invalid PIM licenses.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>pim</category><category>privileged-identity-management</category><category>invalid-license</category></item><item><title>Azure PIM Account Stale Sign-in Alert</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-pim-stale-account/</link><pubDate>Wed, 03 Jan 2024 18:42:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-pim-stale-account/</guid><description>Detection of stale accounts in Azure Privileged Identity Management (PIM) through the 'staleSignInAlertIncident' event, indicating potential compromised or unused privileged accounts.</description><content:encoded><![CDATA[<p>The &ldquo;staleSignInAlertIncident&rdquo; event in Azure Privileged Identity Management (PIM) signifies that an account assigned a privileged role has not signed in for a prolonged period. This alert is crucial for defenders because inactive privileged accounts can become attractive targets for attackers. If an account is compromised and not actively used, the breach can go unnoticed for an extended time, increasing the attacker&rsquo;s dwell time and potential for lateral movement or data exfiltration. Monitoring for this event allows organizations to identify potentially compromised accounts and enforce stricter security measures like password resets, MFA enforcement, or temporary role revocation. The alert helps maintain a secure privileged access environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an organization using Azure PIM.</li>
<li>The attacker compromises an inactive user account that holds a privileged role assignment, using techniques such as password spraying or phishing.</li>
<li>Due to the account&rsquo;s inactivity, the compromise remains unnoticed by the legitimate owner or security monitoring tools.</li>
<li>The attacker activates the privileged role assignment in Azure PIM, granting them elevated permissions within the Azure environment.</li>
<li>The attacker leverages the elevated privileges to perform reconnaissance, identify valuable assets, and potentially create new administrative accounts.</li>
<li>The attacker moves laterally within the Azure environment, accessing sensitive data and resources that are normally restricted.</li>
<li>The attacker exfiltrates sensitive data or deploys malicious code to disrupt services.</li>
<li>The attacker maintains persistence by creating backdoors or modifying access controls to ensure continued access even after the initial compromise is detected.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised stale accounts in Azure PIM can lead to significant data breaches, service disruptions, and reputational damage. Attackers can leverage the elevated privileges associated with these accounts to gain unauthorized access to critical resources, exfiltrate sensitive data, or deploy ransomware. The impact can range from data loss to complete system compromise, depending on the scope of the privileged roles assigned to the stale account. The financial implications can be substantial, including regulatory fines, incident response costs, and lost revenue.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule to detect <code>staleSignInAlertIncident</code> events in your Azure PIM logs, enabling rapid identification of potentially compromised stale accounts.</li>
<li>Investigate any triggered alerts to determine the legitimacy of the account&rsquo;s inactivity and potential compromise scenarios.</li>
<li>Implement automated workflows to disable or remove privileged role assignments for accounts that trigger the <code>staleSignInAlertIncident</code> event.</li>
<li>Review and enforce strong password policies and multi-factor authentication (MFA) for all accounts with privileged roles in Azure PIM.</li>
<li>Implement regular access reviews to identify and remove unnecessary privileged role assignments, minimizing the attack surface.</li>
<li>Consult Microsoft&rsquo;s documentation on configuring security alerts for potential stale accounts in privileged roles to understand the context and recommended actions.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>pim</category><category>stale_account</category></item><item><title>Azure PIM Elevation Approved or Denied</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-pim-elevation/</link><pubDate>Wed, 03 Jan 2024 18:27:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-pim-elevation/</guid><description>Detection of Azure Privileged Identity Management (PIM) elevation approvals or denials, which, if unexpected, may indicate unauthorized privilege escalation or malicious activity within an Azure environment.</description><content:encoded><![CDATA[<p>The compromise of privileged accounts within cloud environments is a significant risk. Azure Privileged Identity Management (PIM) is designed to mitigate this risk by enforcing time-bound and approval-based role activation. This brief focuses on the detection of PIM elevation requests that are either approved or denied. While legitimate administrator actions will trigger these events, unexpected or unauthorized approvals/denials, especially those occurring outside of normal business hours or originating from unusual locations, warrant immediate investigation. This activity can indicate attempts at unauthorized privilege escalation, lateral movement, or data exfiltration within the Azure environment. Monitoring these events provides an opportunity to identify and respond to potential breaches before significant damage can occur.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a low-privileged Azure account, possibly through credential phishing or password reuse.</li>
<li>The attacker attempts to activate a privileged role (e.g., Global Administrator, Security Administrator) through Azure PIM.</li>
<li>The PIM request triggers an approval workflow, requiring authorization from designated approvers.</li>
<li>An attacker compromises an approver account, enabling them to approve their own malicious PIM request or deny a legitimate one.</li>
<li>Alternatively, an unwitting approver approves a malicious request, potentially due to social engineering.</li>
<li>Upon approval, the attacker&rsquo;s account is temporarily elevated to the requested privileged role.</li>
<li>The attacker leverages the elevated privileges to perform malicious actions, such as creating new accounts, modifying security policies, or accessing sensitive data.</li>
<li>The attacker attempts to maintain persistence by creating backdoor accounts or modifying access controls, potentially circumventing PIM restrictions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to full control over the Azure environment, potentially impacting hundreds or thousands of users and services. A compromised Global Administrator role grants the attacker the ability to access and modify all resources within the Azure tenant, leading to data breaches, service disruptions, and financial losses. Any organization that relies on Azure PIM for privileged access management is exposed to this scenario.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure PIM Elevation Approved or Denied</code> to your SIEM to detect unusual PIM activity.</li>
<li>Investigate any PIM approval or denial events occurring outside of normal business hours or originating from unexpected locations, focusing on the <code>properties.message</code> field in the logs.</li>
<li>Implement multi-factor authentication (MFA) for all Azure accounts, especially those with approval permissions for PIM requests.</li>
<li>Regularly review and audit PIM role assignments and approval workflows to ensure they align with the principle of least privilege.</li>
<li>Enable alerting on changes to PIM policies and configurations to detect any unauthorized modifications.</li>
<li>Monitor Azure Audit Logs for suspicious activity following PIM role activation, looking for actions associated with common attack techniques (e.g., account creation, policy modification).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>pim</category><category>privilege-escalation</category><category>persistence</category></item><item><title>Azure PIM Role Activation Without MFA</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-pim-no-mfa/</link><pubDate>Wed, 03 Jan 2024 18:23:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-pim-no-mfa/</guid><description>Detection of Azure Privileged Identity Management (PIM) roles being activated without requiring multi-factor authentication, potentially leading to unauthorized privilege escalation and persistence.</description><content:encoded><![CDATA[<p>The absence of multi-factor authentication (MFA) during the activation of privileged roles in Azure Privileged Identity Management (PIM) poses a significant security risk. When roles can be activated without MFA, attackers who have already compromised a user account can escalate their privileges without needing to bypass an MFA challenge. This scenario circumvents a critical security control, making the environment vulnerable to lateral movement, data exfiltration, and other malicious activities. This brief is based on Sigma rule 94a66f46-5b64-46ce-80b2-75dcbe627cc0, published on 2023-09-14. Defenders need to monitor PIM configurations to ensure that MFA is enforced for all privileged role activations, mitigating the risk of unauthorized access and privilege escalation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a user account, potentially through phishing or credential stuffing.</li>
<li>The attacker identifies a privileged role within Azure PIM that the compromised user is eligible to activate.</li>
<li>The attacker attempts to activate the privileged role using the compromised user&rsquo;s credentials.</li>
<li>Due to misconfiguration, MFA is not required for the role activation process.</li>
<li>The attacker successfully activates the privileged role without providing a second factor of authentication.</li>
<li>The attacker leverages the newly acquired privileges to access sensitive resources and data within the Azure environment.</li>
<li>The attacker performs malicious actions such as creating new accounts, modifying configurations, or exfiltrating data.</li>
<li>The attacker establishes persistence by creating backdoors or modifying access control policies.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The absence of MFA during PIM role activation can lead to significant damage, potentially affecting all resources within the Azure environment accessible to the compromised privileged role. Successful exploitation allows attackers to bypass a critical security control, leading to privilege escalation, data breaches, and system compromise. The impact spans data confidentiality, integrity, and availability, and could result in regulatory fines, reputational damage, and financial losses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Roles Activation Doesn&rsquo;t Require MFA&rdquo; to your SIEM and tune for your environment to detect instances where privileged roles are activated without MFA based on <code>riskEventType: 'noMfaOnRoleActivationAlertIncident'</code> in Azure PIM logs.</li>
<li>Review and enforce MFA policies for all privileged role activations within Azure PIM, as recommended in the Microsoft documentation (<a href="https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation">https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation</a>).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>pim</category><category>mfa</category><category>privilege-escalation</category></item><item><title>Excessive Global Administrator Accounts in Azure PIM</title><link>https://feed.craftedsignal.io/briefs/2024-01-too-many-global-admins/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-too-many-global-admins/</guid><description>Detection of an excessive number of Global Administrator accounts assigned within an Azure tenant, indicating potential privilege escalation or compromised accounts.</description><content:encoded><![CDATA[<p>The presence of an excessive number of Global Administrator accounts in an Azure tenant poses a significant security risk. While the source does not attribute this activity to a specific threat actor, the risk event indicates a potential compromise of existing accounts, internal privilege abuse, or misconfiguration within the Azure environment. The alert triggers when the number of Global Administrator assignments exceeds a predefined threshold within Privileged Identity Management (PIM). Attackers may abuse highly privileged accounts to gain broad control over the Azure environment, deploy malicious workloads, exfiltrate data, or establish persistence.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> An attacker compromises a low-privilege user account through phishing or credential stuffing.</li>
<li><strong>Privilege Escalation:</strong> The attacker attempts to elevate privileges by exploiting misconfigured permissions or vulnerabilities within the Azure environment.</li>
<li><strong>Global Admin Role Assignment:</strong> The attacker assigns the Global Administrator role to multiple accounts, including the compromised account, either directly or through PIM bypass.</li>
<li><strong>Lateral Movement:</strong> With Global Administrator privileges, the attacker moves laterally within the Azure environment, accessing sensitive resources and data.</li>
<li><strong>Data Exfiltration:</strong> The attacker exfiltrates sensitive data from cloud storage, databases, or virtual machines.</li>
<li><strong>Persistence:</strong> The attacker establishes persistent access by creating backdoors, modifying access controls, or deploying rogue applications.</li>
<li><strong>Covering Tracks:</strong> The attacker attempts to remove audit logs or disable security features to hide their activity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The compromise of Global Administrator accounts can lead to significant damage, including data breaches, financial loss, and reputational damage. Excessive admin accounts significantly widen the attack surface and increase the likelihood of successful attacks. The impact includes unauthorized access to sensitive data, disruption of business operations, and potential regulatory fines.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Too Many Global Admins&rdquo; to your SIEM and tune the threshold for your environment to detect excessive Global Administrator assignments in Azure PIM.</li>
<li>Review and reduce the number of Global Administrator accounts to the minimum necessary.</li>
<li>Implement multi-factor authentication (MFA) for all privileged accounts.</li>
<li>Monitor Azure audit logs for suspicious activity related to role assignments and privilege elevation.</li>
<li>Regularly review and update PIM policies to ensure appropriate access controls.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>pim</category><category>global_admin</category><category>privilege_escalation</category></item><item><title>Detection of Privileged Identity Management (PIM) Settings Modifications</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-azure-pim-settings-change/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-azure-pim-settings-change/</guid><description>Detects unauthorized or malicious modifications to Privileged Identity Management (PIM) settings within Azure environments, potentially leading to privilege escalation, persistence, and stealthy access by attackers.</description><content:encoded><![CDATA[<p>Privileged Identity Management (PIM) is a critical component of Azure Active Directory, enabling organizations to manage, control, and monitor access to important resources. Attackers often target PIM configurations to escalate privileges, establish persistence, or move laterally within a compromised environment. This activity focuses on detecting changes to PIM role settings, which could indicate malicious activity aimed at weakening security controls. Defenders must monitor these changes to prevent unauthorized access and maintain the integrity of their Azure environment. This includes understanding who is making these changes, the scope of the modifications, and whether the changes align with established security policies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> The attacker gains initial access to an account with sufficient privileges to view PIM settings.</li>
<li><strong>Discovery:</strong> The attacker enumerates existing PIM role settings within the Azure Active Directory environment.</li>
<li><strong>Modification:</strong> The attacker modifies existing PIM role settings, such as extending the maximum activation time or removing approval requirements, using the Azure portal, PowerShell, or the Azure CLI.</li>
<li><strong>Privilege Escalation:</strong> By modifying PIM settings, the attacker escalates their privileges, granting themselves elevated access to sensitive resources or administrative functions.</li>
<li><strong>Persistence:</strong> The attacker establishes persistence by creating new role assignments or modifying existing ones, so that access survives even if the initially compromised account is detected and disabled.</li>
<li><strong>Lateral Movement:</strong> With escalated privileges, the attacker moves laterally to access other resources or accounts within the Azure environment.</li>
<li><strong>Data Exfiltration/Impact:</strong> The attacker leverages their escalated privileges to exfiltrate sensitive data, disrupt services, or cause other damage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of PIM settings can have severe consequences, including unauthorized access to sensitive data, disruption of critical services, and privilege escalation leading to complete compromise of the Azure environment. A single compromised PIM setting can affect multiple users and resources, amplifying the impact of the attack. Early detection of PIM setting modifications can prevent attackers from gaining a foothold and causing significant damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect changes to PIM settings based on the <code>properties.message</code> field within Azure audit logs.</li>
<li>Regularly review Azure audit logs for events related to PIM configuration changes, paying close attention to the user accounts making the changes and the scope of the modifications.</li>
<li>Implement multi-factor authentication (MFA) for all accounts with privileges to manage PIM settings.</li>
<li>Enforce the principle of least privilege by granting users only the minimum permissions required to perform their job functions.</li>
<li>Establish a baseline of normal PIM settings and alert on any deviations from this baseline.</li>
<li>Investigate any alerts triggered by the Sigma rule by correlating them with other security events and user activity.</li>
<li>Implement automated responses to detected PIM setting modifications, such as disabling the affected user account or reverting the changes.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>pim</category><category>privilege-escalation</category><category>persistence</category></item><item><title>Unused Privileged Identity Management (PIM) Roles in Azure</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-not-used/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-not-used/</guid><description>Detection of assigned but unused privileged roles in Azure's Privileged Identity Management (PIM) service, indicating potential misconfiguration, license overuse, or dormant privileged access that could be exploited.</description><content:encoded><![CDATA[<p>This alert identifies a condition where users have been assigned privileged roles within Azure&rsquo;s Privileged Identity Management (PIM) but are not actively utilizing those roles. This situation can arise from various factors, including misconfiguration of PIM settings, over-allocation of privileged roles due to process gaps or lack of oversight, or the presence of dormant accounts with elevated privileges. Such unused roles represent a potential security risk, as they can be exploited by malicious actors or misused inadvertently, especially if MFA or conditional access policies are not enforced. Regularly auditing and addressing unused PIM roles is crucial for maintaining a strong security posture and optimizing license utilization.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An administrator assigns a privileged role to a user within Azure PIM.</li>
<li>The user is granted the role but does not activate or use it to perform any privileged actions.</li>
<li>Azure PIM monitors role usage and detects the lack of activity for the assigned role.</li>
<li>The &ldquo;redundantAssignmentAlertIncident&rdquo; event is triggered within the Azure PIM logs.</li>
<li>An attacker gains access to the user&rsquo;s account through credential compromise or other means.</li>
<li>The attacker activates the unused privileged role.</li>
<li>The attacker leverages the now-active privileged role to perform unauthorized actions, such as modifying system configurations, accessing sensitive data, or escalating privileges further.</li>
<li>The attacker achieves their objective, such as data exfiltration or system compromise, without being detected due to the pre-existing role assignment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The presence of unused privileged roles can lead to significant security breaches and compliance violations. An attacker exploiting an unused role can gain immediate access to sensitive resources and perform unauthorized actions, potentially leading to data breaches, system outages, or financial losses. The number of affected users and resources depends on the scope of the unused role and the attacker&rsquo;s objectives. Failure to identify and address these unused roles can also result in unnecessary license costs and increased attack surface.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect <code>redundantAssignmentAlertIncident</code> events indicating unused PIM roles in Azure (see &ldquo;Roles Are Not Being Used&rdquo; rule).</li>
<li>Investigate all detected instances of unused PIM roles to determine the reason for inactivity and potential risks.</li>
<li>Revoke the assigned role if the user no longer requires it, or provide training and guidance to ensure proper role utilization.</li>
<li>Review and refine PIM role assignment policies to minimize the allocation of unnecessary privileges.</li>
<li>Implement regular audits of PIM role assignments to identify and address unused roles promptly.</li>
<li>Configure security alerts within Azure PIM to receive notifications about unused roles and other potential security incidents.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>pim</category><category>privileged-identity-management</category><category>role-based-access-control</category><category>initial-access</category><category>privilege-escalation</category></item><item><title>Privileged Identity Management (PIM) Alerting Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-pim-alerts-disabled/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-pim-alerts-disabled/</guid><description>An adversary disables Privileged Identity Management (PIM) alerts in Azure to evade detection and maintain persistent access with escalated privileges.</description><content:encoded><![CDATA[<p>Attackers may disable PIM alerts within Azure environments to weaken security monitoring and maintain a low profile while escalating privileges. This involves modifying alert settings within the Azure Privileged Identity Management service to prevent notifications of suspicious or unauthorized activity. This technique enables attackers to operate with reduced scrutiny, making it easier to establish persistence and move laterally within the compromised environment. Successful disabling of PIM alerts allows malicious actors to abuse privileged roles without triggering immediate alarms. This allows for potentially long-term access and control over critical resources.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>Privilege Escalation: The attacker attempts to escalate privileges within the Azure Active Directory, potentially by exploiting misconfigured roles or vulnerabilities.</li>
<li>PIM Access: The attacker accesses the Azure Privileged Identity Management (PIM) service.</li>
<li>Alert Configuration Discovery: The attacker enumerates existing PIM alert configurations to identify the alerts to be disabled.</li>
<li>Alert Modification: The attacker disables the identified alerts, typically through the Azure portal or via API calls.</li>
<li>Persistence: With alerts disabled, the attacker can maintain persistence by assigning themselves privileged roles without generating notifications.</li>
<li>Lateral Movement: The attacker leverages the newly acquired privileged roles to move laterally within the Azure environment, accessing sensitive resources and data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling PIM alerts significantly reduces an organization&rsquo;s visibility into privileged access activities. This can lead to delayed detection of malicious activities, enabling attackers to maintain a persistent presence, escalate privileges, and exfiltrate sensitive data without triggering alarms. The impact includes potential data breaches, financial losses, and reputational damage. The lack of alerts hinders incident response efforts and prolongs the duration of the attack, compounding the damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to detect instances where PIM alerts are disabled by monitoring <code>auditlogs</code> for <code>properties.message: Disable PIM Alert</code>.</li>
<li>Regularly review PIM alert configurations to ensure critical alerts are enabled and properly configured.</li>
<li>Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate initial access (T1078).</li>
<li>Enforce the principle of least privilege to limit the scope of potential damage from compromised accounts.</li>
<li>Monitor Azure audit logs for unusual activity related to PIM configuration changes.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>pim</category><category>alerts</category><category>privilege-escalation</category><category>persistence</category></item><item><title>Frequent Azure PIM Role Activation Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-activation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-activation/</guid><description>Detection of frequent role activation in Azure Privileged Identity Management (PIM) by the same user may indicate potential privilege escalation or account compromise.</description><content:encoded><![CDATA[<p>This threat brief addresses suspicious activity within Azure Privileged Identity Management (PIM), specifically the repeated activation of privileged roles by the same user. The alert, triggered by &lsquo;sequentialActivationRenewalsAlertIncident&rsquo; events, suggests that an attacker may be attempting to escalate privileges or maintain persistent access to sensitive resources. This activity can be indicative of compromised credentials or malicious insider activity. The detection is based on Azure PIM logs and aims to identify deviations from normal user behavior related to role activation. Defenders should investigate these alerts promptly to determine the legitimacy of the role activations and mitigate potential risks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to an Azure account, possibly through compromised credentials (T1078).</li>
<li>Privilege Discovery: The attacker identifies available privileged roles within Azure PIM.</li>
<li>Role Activation Request: The attacker initiates a request to activate a privileged role.</li>
<li>Role Activation: The attacker successfully activates the privileged role.</li>
<li>Resource Access: With the activated role, the attacker accesses sensitive resources or performs privileged actions.</li>
<li>Repeated Activation: The attacker deactivates and reactivates the same role shortly after, potentially to bypass monitoring or maintain persistent access.</li>
<li>Lateral Movement (Optional): The attacker uses the elevated privileges to move laterally within the Azure environment.</li>
<li>Data Exfiltration or System Damage (Impact): The attacker achieves their ultimate objective, such as exfiltrating sensitive data or causing damage to systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to unauthorized access to critical resources, data breaches, and significant damage to the organization&rsquo;s Azure environment. The repeated activation of privileged roles can be used to bypass security controls and maintain persistent access, making it difficult to detect malicious activity. A single compromised account with PIM access can lead to widespread impact across the entire Azure infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Roles Activated Too Frequently&rdquo; to your SIEM and tune it based on your environment to reduce false positives (logsource: azure, service: pim).</li>
<li>Investigate any alerts generated by the Sigma rule &ldquo;Roles Activated Too Frequently&rdquo;, focusing on the context of the role activated and the user involved.</li>
<li>Review the active time period for roles in PIM to ensure they are not set too short, which can lead to frequent legitimate activations and false positives, as noted in the <code>falsepositives</code> section.</li>
<li>Implement multi-factor authentication (MFA) for all users, especially those with privileged roles, to mitigate the risk of credential compromise (T1078).</li>
<li>Monitor Azure Active Directory sign-in logs for suspicious activity, such as logins from unusual locations or devices.</li>
<li>Implement least privilege principles and regularly review role assignments to minimize the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>pim</category><category>role-activation</category><category>privilege-escalation</category></item><item><title>Azure PIM - Role Assignment Outside of Privileged Identity Management</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-assigned-outside/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-assigned-outside/</guid><description>Detection of privilege role assignments outside of Azure Privileged Identity Management (PIM) can indicate potential attacker activity related to initial access, stealth, persistence, or privilege escalation within the Azure environment.</description><content:encoded><![CDATA[<p>The unauthorized assignment of privileged roles outside of Azure Privileged Identity Management (PIM) represents a significant security risk. Attackers may attempt to bypass PIM controls to gain persistent access, escalate privileges, or move laterally within the Azure environment. Detecting these anomalous role assignments is crucial for identifying potentially compromised accounts or malicious insiders. This activity is a common tactic used by attackers to establish persistence and maintain control over cloud resources. Monitoring for this behavior can help security teams quickly identify and respond to potential breaches, limiting the impact of successful attacks. This activity can be associated with lateral movement, privilege escalation, and persistence within the cloud environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a compromised user account or service principal within the Azure environment.</li>
<li>The attacker attempts to identify existing privileged roles and permissions.</li>
<li>The attacker bypasses PIM to directly assign themselves a privileged role (e.g., Global Administrator, Security Administrator) using Azure CLI, PowerShell, or the Azure portal.</li>
<li>The attacker elevates their permissions without triggering PIM alerts or requiring approval.</li>
<li>The attacker uses the newly assigned privileged role to access sensitive data, modify configurations, or create new resources.</li>
<li>The attacker establishes persistence by creating new accounts or modifying existing ones with elevated privileges.</li>
<li>The attacker moves laterally to other Azure resources or subscriptions using their increased access.</li>
<li>The attacker achieves their final objective, such as data exfiltration, service disruption, or deployment of malicious code.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromising privileged roles within Azure can have severe consequences, potentially impacting all resources within the affected Azure Active Directory tenant. Successful attacks can lead to unauthorized data access, service disruption, financial loss, and reputational damage. The scope of the impact depends on the level of privilege gained by the attacker and the sensitivity of the targeted resources. Without proper detection and response, organizations may remain unaware of the breach, allowing attackers to maintain persistent access and continue their malicious activities undetected.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule <code>Roles Assigned Outside PIM</code> to your SIEM to detect unauthorized role assignments within your Azure environment.</li>
<li>Investigate all instances flagged by the Sigma rule <code>Roles Assigned Outside PIM</code> to determine the legitimacy of the role assignment and the identity of the assigner.</li>
<li>Implement controls to restrict the ability to assign privileged roles outside of PIM, as described in the Microsoft documentation reference.</li>
<li>Review and enforce the principle of least privilege to minimize the potential impact of compromised accounts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>pim</category><category>role-assignment</category><category>attack.initial-access</category><category>attack.stealth</category><category>attack.t1078</category><category>attack.persistence</category><category>attack.privilege-escalation</category></item></channel></rss>