{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/policy-change/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","device-registration","policy-change"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe device registration policy in Azure Active Directory controls which devices can be registered or joined to the Azure AD tenant. Modification of this policy can weaken security controls, allowing unauthorized devices to access corporate resources. This activity is often associated with threat actors attempting to escalate privileges or impair existing defenses. This brief focuses on detecting changes to the Azure AD device registration policies using Azure Audit Logs, providing detection engineers with the ability to monitor and alert on potentially malicious modifications to this critical security control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises an account with sufficient privileges to modify Azure AD policies, such as a Global Administrator or Privileged Role Administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses Azure PowerShell/CLI to interact with Azure AD.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the device registration policy, potentially allowing non-compliant devices to register or join the domain. This may involve changing settings related to multi-factor authentication, device compliance, or allowed operating systems.\u003c/li\u003e\n\u003cli\u003eThe Azure AD Audit Logs record an event with ActivityDisplayName equal to \u0026lsquo;Set device registration policies\u0026rsquo; under the \u0026lsquo;Policy\u0026rsquo; Category.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a rogue device that does not meet the organization\u0026rsquo;s security standards.\u003c/li\u003e\n\u003cli\u003eThe rogue device gains access to sensitive corporate resources, bypassing intended security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the rogue device to perform further malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the device registration policy can lead to unauthorized devices accessing sensitive corporate resources, bypassing multi-factor authentication or device compliance requirements. This can result in data breaches, privilege escalation, and further compromise of the Azure AD environment. The impact can be severe if the attacker leverages the policy change to register multiple rogue devices, creating a persistent backdoor into the organization\u0026rsquo;s resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Changes to Device Registration Policy\u0026rdquo; to your SIEM and tune for your environment to detect unauthorized modifications to device registration policies (rule).\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for any unexpected \u0026ldquo;Set device registration policies\u0026rdquo; events (logsource).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all administrative accounts to prevent unauthorized policy changes (TTP).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-device-registration-policy-change/","summary":"Monitoring changes to the device registration policy can detect potential privilege escalation or defense impairment attempts by malicious actors aiming to weaken security controls related to device management in Azure Active Directory.","title":"Azure AD Device Registration Policy Changes Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-device-registration-policy-change/"}],"language":"en","title":"CraftedSignal Threat Feed — Policy-Change","version":"https://jsonfeed.org/version/1.1"}