{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/privileged-account/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","privileged-account","initial-access","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of new privileged account creation within Azure environments. Attackers often create new admin accounts to establish persistence, escalate privileges, or move laterally within a compromised environment. Monitoring for such activity is crucial, especially given that compromised accounts are a common entry point for various attacks. This activity, if malicious, can lead to significant data breaches, service disruptions, and reputational damage. This detection focuses on identifying \u0026ldquo;Add user\u0026rdquo; and \u0026ldquo;Add member to role\u0026rdquo; events within Azure audit logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure environment, possibly through compromised credentials (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their access to enumerate existing accounts and roles within the Azure Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new user account with elevated privileges, such as Global Administrator or other custom administrative roles.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns the newly created user account to one or more privileged roles, granting it administrative access to the Azure environment. This action is logged as \u0026ldquo;Add member to role\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created privileged account to perform reconnaissance, identify sensitive data, or deploy malicious applications.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by maintaining access through the newly created account, even if the initial entry point is detected and remediated.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain control over critical resources and services within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the privileged account to exfiltrate sensitive data, deploy ransomware, or disrupt critical business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful creation of a privileged account can provide an attacker with persistent access and the ability to escalate privileges, leading to widespread damage. The attacker can gain control over critical resources, exfiltrate sensitive data, deploy ransomware, or disrupt business operations. This can lead to significant financial losses, reputational damage, and legal liabilities. While the scope and number of victims are unknown, all organizations using Azure Active Directory are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect privileged account creation events within Azure Audit Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of privileged account creation to determine whether the activity is legitimate.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with privileged roles, to mitigate the risk of credential compromise (T1110).\u003c/li\u003e\n\u003cli\u003eRegularly review and audit user account privileges to identify and remove unnecessary or excessive permissions.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Audit Logs for suspicious activities, such as unusual sign-in attempts, changes to security settings, and modifications to privileged roles.\u003c/li\u003e\n\u003cli\u003eImplement alerting for changes to privileged roles and groups within Azure AD.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-privileged-account-creation/","summary":"Detects the creation of new privileged accounts in Azure environments, potentially indicating initial access, persistence, privilege escalation, or stealth activities by malicious actors.","title":"Detection of Privileged Account Creation in Azure","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-privileged-account-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Privileged-Account","version":"https://jsonfeed.org/version/1.1"}