{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/role-assignment/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","role-assignment","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often target identity and access management systems like Azure Active Directory (Azure AD) to gain control over an organization\u0026rsquo;s resources. By adding users to highly privileged roles such as Global Administrator or Device Administrator, adversaries can achieve persistence, allowing them to regain access even after initial compromises are remediated. This activity often occurs after an initial foothold has been established, enabling privilege escalation and stealthy movement within the cloud environment. 
Monitoring role assignments in Azure AD is crucial for detecting and preventing unauthorized access and maintaining the integrity of the organization\u0026rsquo;s cloud infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure AD account, possibly through credential theft or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses PowerShell with compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Azure AD roles and identifies potential targets like Global Administrator or Device Administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAdd-AzureADGroupMember\u003c/code\u003e or similar cmdlets to add a compromised or newly created user account to the target role.\u003c/li\u003e\n\u003cli\u003eThe Azure AD audit logs record the \u0026ldquo;Add member to role\u0026rdquo; operation with the specific role GUIDs (e.g., \u0026lsquo;7698a772-787b-4ac8-901f-60d6b08affd2\u0026rsquo; or \u0026lsquo;62e90394-69f5-4237-9190-012177145e10\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003eThe newly added user account inherits the privileges associated with the Global Administrator or Device Administrator role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to access sensitive data, modify configurations, or deploy malicious applications.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistent access by creating new administrative accounts or modifying existing ones to maintain control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful addition of a user to a Global Administrator or Device Administrator role grants the attacker unrestricted access to the Azure AD tenant, potentially impacting all resources connected to it. 
This can lead to data breaches, service disruptions, financial losses, and reputational damage. The scope of the impact depends on the extent to which the attacker leverages the compromised privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious additions of users to Global or Device Admin roles in Azure AD Audit Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the context of the user account being added and the source of the role assignment operation.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential theft (T1078.004).\u003c/li\u003e\n\u003cli\u003eRegularly review Azure AD role assignments to identify and remove any unauthorized or unnecessary privileges.\u003c/li\u003e\n\u003cli\u003eMonitor for other suspicious Azure AD activity, such as unusual sign-in patterns, application registrations, and resource deployments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:27:00Z","date_published":"2024-01-03T18:27:00Z","id":"/briefs/2024-01-03-azuread-role-assignment/","summary":"An attacker may attempt to add a user to a high-privilege Azure AD role, such as Global Administrator or Device Administrator, to establish persistence, gain initial access, escalate privileges, or operate stealthily within the compromised environment.","title":"Azure AD User Added to Global or Device Admin Role","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azuread-role-assignment/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","privileged-access","role-assignment"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert focuses on 
the addition of users to privileged roles within Azure Active Directory (Azure AD). An attacker who gains initial access to an account may attempt to escalate privileges to gain broader control over the Azure environment. This can be achieved by adding the compromised account or a new attacker-controlled account to a highly privileged role. This activity often occurs after an initial compromise and is a critical step in establishing persistence and expanding access within the target environment. Successful role assignment allows the attacker to perform actions normally restricted to administrators, potentially leading to data exfiltration, service disruption, or further lateral movement. This activity is visible in the Azure Audit Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure AD account through credential phishing or password spraying (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies potential target roles with high privileges within the Azure AD environment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to add the compromised account, or a new account under their control, to one of these privileged roles.\u003c/li\u003e\n\u003cli\u003eThe attacker executes an \u0026ldquo;Add eligible member\u0026rdquo; action, either permanent or eligible, within Azure AD, which is logged in the audit logs.\u003c/li\u003e\n\u003cli\u003eAzure AD processes the request and, if successful, grants the new role assignment to the target account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly acquired privileges to access sensitive resources, modify configurations, or deploy malicious applications.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating new administrative accounts or modifying existing configurations to maintain access even if the initial compromised account is 
remediated.\u003c/li\u003e\n\u003cli\u003eThe attacker performs data exfiltration or causes disruption to the Azure environment based on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful addition of a user to a privileged role can grant the attacker complete control over the Azure AD environment. This may allow them to access sensitive data, disrupt critical services, and deploy malicious applications. The impact can range from data breaches and financial loss to complete compromise of the organization\u0026rsquo;s cloud infrastructure. The scope depends on the role assigned, but global administrator roles can cause catastrophic damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;User Added To Privilege Role\u0026rdquo; to your SIEM to detect suspicious role assignments in Azure AD Audit Logs.\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for any \u0026ldquo;Add eligible member\u0026rdquo; events (permanent or eligible) to identify potentially malicious role assignments.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users, especially those with administrative privileges, to mitigate the risk of initial access compromise (T1110).\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege to limit the scope of access for each user and role (T1068).\u003c/li\u003e\n\u003cli\u003eRegularly audit and review user role assignments to identify and remove unnecessary privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:30:00Z","date_published":"2024-01-02T15:30:00Z","id":"/briefs/2024-01-azure-role-assignment/","summary":"Detection of a user being added to a privileged role in Azure AD, potentially indicating privilege escalation or persistence by an attacker.","title":"Azure AD Privileged Role 
Assignment","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-role-assignment/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","pim","role-assignment","attack.initial-access","attack.stealth","attack.t1078","attack.persistence","attack.privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe unauthorized assignment of privileged roles outside of Azure Privileged Identity Management (PIM) represents a significant security risk. Attackers may attempt to bypass PIM controls to gain persistent access, escalate privileges, or move laterally within the Azure environment. Detecting these anomalous role assignments is crucial for identifying potentially compromised accounts or malicious insiders. This activity is a common tactic used by attackers to establish persistence and maintain control over cloud resources. Monitoring for this behavior can help security teams quickly identify and respond to potential breaches, limiting the impact of successful attacks. 
This activity can be associated with lateral movement, privilege escalation, and persistence within the cloud environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised user account or service principal within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to identify existing privileged roles and permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses PIM to directly assign themselves a privileged role (e.g., Global Administrator, Security Administrator) using Azure CLI, PowerShell, or the Azure portal.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates their permissions without triggering PIM alerts or requiring approval.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly assigned privileged role to access sensitive data, modify configurations, or create new resources.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating new accounts or modifying existing ones with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other Azure resources or subscriptions using their increased access.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, service disruption, or deployment of malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising privileged roles within Azure can have severe consequences, potentially impacting all resources within the affected Azure Active Directory tenant. Successful attacks can lead to unauthorized data access, service disruption, financial loss, and reputational damage. The scope of the impact depends on the level of privilege gained by the attacker and the sensitivity of the targeted resources. 
Without proper detection and response, organizations may remain unaware of the breach, allowing attackers to maintain persistent access and continue their malicious activities undetected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eRoles Assigned Outside PIM\u003c/code\u003e to your SIEM to detect unauthorized role assignments within your Azure environment.\u003c/li\u003e\n\u003cli\u003eInvestigate all instances flagged by the Sigma rule \u003ccode\u003eRoles Assigned Outside PIM\u003c/code\u003e to determine the legitimacy of the role assignment and the identity of the assigner.\u003c/li\u003e\n\u003cli\u003eImplement controls to restrict the ability to assign privileged roles outside of PIM, as described in the Microsoft documentation reference.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to minimize the potential impact of compromised accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-azure-pim-role-assigned-outside/","summary":"Detection of privileged role assignments outside of Azure Privileged Identity Management (PIM) can indicate potential attacker activity related to initial access, stealth, persistence, or privilege escalation within the Azure environment.","title":"Azure PIM - Role Assignment Outside of Privileged Identity Management","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-assigned-outside/"}],"language":"en","title":"CraftedSignal Threat Feed — Role-Assignment","version":"https://jsonfeed.org/version/1.1"}