{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/privileged-identity-management/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","pim","privileged-identity-management","invalid-license"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies scenarios where an organization lacks the necessary Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses required for proper Privileged Identity Management (PIM) functionality. Attackers may attempt to exploit misconfigured or unlicensed PIM deployments to gain unauthorized privileged access to critical Azure resources. This detection is crucial as it indicates a compliance issue that can be leveraged to escalate privileges, bypass security controls, and potentially lead to data breaches or system compromise. The absence of appropriate licensing hinders the effectiveness of PIM controls, creating opportunities for malicious actors to operate undetected. Defenders need to ensure appropriate licenses are in place.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Azure environment lacking a valid Microsoft Entra Premium P2 or Microsoft Entra ID Governance license for Privileged Identity Management (PIM).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to activate a privileged role within the Azure environment through PIM.\u003c/li\u003e\n\u003cli\u003eDue to the invalid license, the PIM activation process may not enforce proper multi-factor authentication (MFA) or approval workflows.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the privileged role without proper authorization or auditing.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised privileged role to access sensitive Azure resources, such as virtual machines, databases, or storage accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as data exfiltration, modification of system configurations, or deployment of malware.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence within the Azure environment by creating rogue user accounts or modifying existing access controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of an invalid PIM license can be severe. Organizations may experience unauthorized access to critical Azure resources, leading to data breaches, system compromise, and compliance violations. The absence of proper PIM controls can enable attackers to escalate privileges, bypass security measures, and operate undetected within the Azure environment. Identifying invalid PIM licenses is crucial for maintaining the security and integrity of Azure deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003einvalidLicenseAlertIncident\u003c/code\u003e events in Azure PIM logs (logsource: azure, service: pim).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003einvalidLicenseAlertIncident\u003c/code\u003e to determine the scope of the issue and potential unauthorized access.\u003c/li\u003e\n\u003cli\u003eVerify that all Azure subscriptions utilizing PIM have valid Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses.\u003c/li\u003e\n\u003cli\u003eImplement automated monitoring to proactively identify and alert on invalid PIM licenses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-invalid-pim-license/","summary":"Detection of unauthorized access or privilege escalation attempts within Azure environments due to invalid or missing Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses for Privileged Identity Management (PIM).","title":"Azure Privileged Identity Management (PIM) Invalid License Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-invalid-pim-license/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","pim","privileged-identity-management","role-based-access-control","initial-access","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies a condition where users have been assigned privileged roles within Azure\u0026rsquo;s Privileged Identity Management (PIM) but are not actively utilizing those roles. This situation can arise from various factors, including misconfiguration of PIM settings, over-allocation of privileged roles due to process gaps or lack of oversight, or the presence of dormant accounts with elevated privileges. Such unused roles represent a potential security risk, as they can be exploited by malicious actors or misused inadvertently, especially if MFA or conditional access policies are not enforced. Regularly auditing and addressing unused PIM roles is crucial for maintaining a strong security posture and optimizing license utilization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator assigns a privileged role to a user within Azure PIM.\u003c/li\u003e\n\u003cli\u003eThe user is granted the role but does not activate or use it to perform any privileged actions.\u003c/li\u003e\n\u003cli\u003eAzure PIM monitors role usage and detects the lack of activity for the assigned role.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;redundantAssignmentAlertIncident\u0026rdquo; event is triggered within the Azure PIM logs.\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to the user\u0026rsquo;s account through credential compromise or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker activates the unused privileged role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the now-active privileged role to perform unauthorized actions, such as modifying system configurations, accessing sensitive data, or escalating privileges further.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise, without being detected due to the pre-existing role assignment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe presence of unused privileged roles can lead to significant security breaches and compliance violations. An attacker exploiting an unused role can gain immediate access to sensitive resources and perform unauthorized actions, potentially leading to data breaches, system outages, or financial losses. The number of affected users and resources depends on the scope of the unused role and the attacker\u0026rsquo;s objectives. Failure to identify and address these unused roles can also result in unnecessary license costs and increased attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003eredundantAssignmentAlertIncident\u003c/code\u003e events indicating unused PIM roles in Azure (see \u0026ldquo;Roles Are Not Being Used\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eInvestigate all detected instances of unused PIM roles to determine the reason for inactivity and potential risks.\u003c/li\u003e\n\u003cli\u003eRevoke the assigned role if the user no longer requires it, or provide training and guidance to ensure proper role utilization.\u003c/li\u003e\n\u003cli\u003eReview and refine PIM role assignment policies to minimize the allocation of unnecessary privileges.\u003c/li\u003e\n\u003cli\u003eImplement regular audits of PIM role assignments to identify and address unused roles promptly.\u003c/li\u003e\n\u003cli\u003eConfigure security alerts within Azure PIM to receive notifications about unused roles and other potential security incidents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azure-pim-role-not-used/","summary":"Detection of assigned but unused privileged roles in Azure's Privileged Identity Management (PIM) service, indicating potential misconfiguration, license overuse, or dormant privileged access that could be exploited.","title":"Unused Privileged Identity Management (PIM) Roles in Azure","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-not-used/"}],"language":"en","title":"CraftedSignal Threat Feed — Privileged-Identity-Management","version":"https://jsonfeed.org/version/1.1"}