<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Privilegeescalation - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/privilegeescalation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/privilegeescalation/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure AD Privileged Graph API Permission Assignment</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-ad-graph-permissions/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-ad-graph-permissions/</guid><description>Detection of high-risk Graph API permission assignments (Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory) in Azure AD, potentially leading to unauthorized modifications and security breaches.</description><content:encoded><![CDATA[<p>This threat brief focuses on the assignment of privileged Graph API permissions within Azure Active Directory (Azure AD). Attackers, including groups like NOBELIUM, may attempt to assign themselves or compromised applications excessive permissions to maintain persistence, escalate privileges, or achieve other malicious objectives within the cloud environment. The permissions of concern are Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory, as these grant broad control over applications, role assignments, and directory settings. The detection leverages Azure AD audit logs specifically monitoring 'Update application' operations. Successful exploitation can lead to unauthorized modifications and potential security breaches, compromising the integrity and security of the Azure AD environment. This activity became particularly relevant after the Midnight Blizzard attack, highlighting the need for robust monitoring of Azure AD permission changes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an Azure AD account, possibly through credential theft or phishing.</li>
<li>The attacker authenticates to the Azure portal or uses the Azure CLI with the compromised account.</li>
<li>The attacker identifies an existing application registration within Azure AD that they can modify.</li>
<li>Using the compromised account, the attacker attempts to update the application registration.</li>
<li>The attacker assigns one or more of the following high-risk Graph API permissions to the application: Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, or RoleManagement.ReadWrite.Directory. This involves modifying the <code>requiredAppPermissions</code> property of the application object.</li>
<li>The Azure AD audit log records an &quot;Update application&quot; event with the modified <code>requiredAppPermissions</code>.</li>
<li>The attacker uses the application's newly acquired permissions to perform malicious actions, such as reading or modifying application configurations, role assignments, or directory settings.</li>
<li>The attacker maintains persistence by leveraging the application's elevated privileges for ongoing unauthorized access and control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful assignment of these permissions can lead to a complete compromise of the Azure AD environment. An attacker can modify application configurations, create or delete users, assign roles, and potentially gain access to other connected resources and services. The impact can range from data breaches and service disruption to complete control over the organization's cloud identity infrastructure. This is a critical issue, especially in light of recent nation-state attacks targeting Azure AD, as highlighted by Microsoft's guidance on the Midnight Blizzard attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule <code>Azure AD Privileged Graph API Permission Assigned</code> to your SIEM, ensuring it is tuned to your environment, and enable the data source: <code>azure_monitor_aad</code> with category <code>AuditLogs</code>.</li>
<li>Investigate any alerts triggered by the Sigma rule <code>Azure AD Privileged Graph API Permission Assigned</code> immediately to determine if the permission assignment was authorized.</li>
<li>Review application registrations in Azure AD and identify any applications with excessive or unnecessary permissions.</li>
<li>Monitor Azure AD audit logs for any modifications to application registrations, focusing on changes to the <code>requiredAppPermissions</code> property.</li>
<li>Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential theft.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>azuread</category><category>cloud</category><category>graphapi</category><category>privilegeescalation</category><category>persistence</category></item><item><title>Kubernetes Pod with Host Network Attachment Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-kubernetes-host-network/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-kubernetes-host-network/</guid><description>Detection of Kubernetes pods configured to use the host network namespace via audit logs, potentially allowing attackers to monitor all node network traffic for sensitive data and privilege escalation.</description><content:encoded><![CDATA[<p>This alert identifies the creation or update of a Kubernetes pod configured to use the host network namespace. Kubernetes audit logs are analyzed to detect pods with the <code>hostNetwork: true</code> setting. This configuration allows a pod to share the network stack of the host node, effectively granting it access to all network interfaces and traffic. This presents a significant security risk, especially if the pod is compromised. An attacker can then monitor all network traffic on the node, potentially capturing sensitive information such as credentials or API keys, and potentially escalating privileges to gain control over the node and the entire cluster. This detection is critical for SOC teams to identify and investigate potentially malicious activity within their Kubernetes environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the Kubernetes cluster, potentially through compromised credentials, a vulnerable application, or a misconfigured service.</li>
<li>The attacker crafts a malicious pod specification that includes the <code>hostNetwork: true</code> setting. This setting is included within the <code>requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration</code> field.</li>
<li>The attacker attempts to create or update a pod using the crafted specification, submitting the request to the Kubernetes API server.</li>
<li>The Kubernetes API server logs the pod creation or update request in the audit logs, including details about the pod's configuration and the user who initiated the request.</li>
<li>The detection logic identifies the <code>hostNetwork: true</code> setting in the audit logs, triggering the alert.</li>
<li>An attacker leverages access to the host network to sniff network traffic, intercepting sensitive data.</li>
<li>The attacker uses captured credentials or other sensitive information to escalate privileges within the cluster.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack leveraging a pod with host network attachment can have severe consequences. An attacker could gain complete control over the compromised node, potentially leading to data breaches, service disruptions, and unauthorized access to sensitive resources. Furthermore, the attacker could use the compromised node as a launchpad for further attacks within the cluster, compromising other pods and services. This can lead to a full cluster compromise with significant damage and data loss.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Kubernetes audit logging and configure the audit policy to capture pod creation and update events. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs as described in the documentation <a href="https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md">https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md</a>.</li>
<li>Deploy the Sigma rule <code>Kubernetes Pod with Host Network Attachment</code> to your SIEM to detect the creation or update of pods with the <code>hostNetwork: true</code> setting.</li>
<li>Investigate any alerts generated by this rule to determine the legitimacy of the pod creation/update and the user who initiated the request.</li>
<li>Monitor the users and source IPs identified in the detection (<code>user</code>, <code>src_ip</code>) for other suspicious activities within the cluster.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>kubernetes</category><category>hostnetwork</category><category>privilegeescalation</category></item></channel></rss>