https://feed.craftedsignal.io/tags/role-assignment/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 18:27:00 +0000https://feed.craftedsignal.io/briefs/2024-01-03-azuread-role-assignment/Wed, 03 Jan 2024 18:27:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-azuread-role-assignment/An attacker may attempt to add a user to a high-privilege Azure AD role, such as Global Administrator or Device Administrator, to establish persistence, gain initial access, escalate privileges, or operate stealthily within the compromised environment.Attackers often target identity and access management systems like Azure Active Directory (Azure AD) to gain control over an organization’s resources. By adding users to highly privileged roles such as Global Administrator or Device Administrator, adversaries can achieve persistence, allowing them to regain access even after initial compromises are remediated. This activity often occurs after an initial foothold has been established, enabling privilege escalation and stealthy movement within the cloud environment. Monitoring role assignments in Azure AD is crucial for detecting and preventing unauthorized access and maintaining the integrity of the organization’s cloud infrastructure.

Attack Chain

1. An attacker gains initial access to an Azure AD account, possibly through credential theft or phishing.
2. The attacker authenticates to the Azure portal or uses PowerShell with compromised credentials.
3. The attacker enumerates existing Azure AD roles and identifies potential targets like Global Administrator or Device Administrator.
4. The attacker uses the Add-AzureADGroupMember or similar cmdlets to add a compromised or newly created user account to the target role.
5. The Azure AD audit logs record the “Add member to role” operation with the specific role GUIDs (e.g., ‘7698a772-787b-4ac8-901f-60d6b08affd2’ or ‘62e90394-69f5-4237-9190-012177145e10’).
6. The newly added user account inherits the privileges associated with the Global Administrator or Device Administrator role.
7. The attacker leverages the elevated privileges to access sensitive data, modify configurations, or deploy malicious applications.
8. The attacker establishes persistent access by creating new administrative accounts or modifying existing ones to maintain control.

Impact

Successful addition of a user to a Global Administrator or Device Administrator role grants the attacker unrestricted access to the Azure AD tenant, potentially impacting all resources connected to it. This can lead to data breaches, service disruptions, financial losses, and reputational damage. The scope of the impact depends on the extent to which the attacker leverages the compromised privileges.

Recommendation

• Deploy the provided Sigma rule to your SIEM to detect suspicious additions of users to Global or Device Admin roles in Azure AD Audit Logs.
• Investigate any alerts generated by the Sigma rule, focusing on the context of the user account being added and the source of the role assignment operation.
• Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential theft (T1078.004).
• Regularly review Azure AD role assignments to identify and remove any unauthorized or unnecessary privileges.
• Monitor for other suspicious Azure AD activity, such as unusual sign-in patterns, application registrations, and resource deployments.

]]>highadvisoryazureadrole-assignmentprivilege-escalationpersistencehttps://feed.craftedsignal.io/briefs/2024-01-azure-role-assignment/Tue, 02 Jan 2024 15:30:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-azure-role-assignment/Detection of a user being added to a privileged role in Azure AD, potentially indicating privilege escalation or persistence by an attacker.This alert focuses on the addition of users to privileged roles within Azure Active Directory (Azure AD). An attacker who gains initial access to an account may attempt to escalate privileges to gain broader control over the Azure environment. This can be achieved by adding the compromised account or a new attacker-controlled account to a highly privileged role. This activity often occurs after an initial compromise and is a critical step in establishing persistence and expanding access within the target environment. Successful role assignment allows the attacker to perform actions normally restricted to administrators, potentially leading to data exfiltration, service disruption, or further lateral movement. This activity is visible in the Azure Audit Logs.

Attack Chain

1. An attacker gains initial access to an Azure AD account through credential phishing or password spraying (T1078.004).
2. The attacker identifies potential target roles with high privileges within the Azure AD environment.
3. The attacker attempts to add the compromised account, or a new account under their control, to one of these privileged roles.
4. The attacker executes an “Add eligible member” action, either permanent or eligible, within Azure AD, which is logged in the audit logs.
5. Azure AD processes the request and, if successful, grants the new role assignment to the target account.
6. The attacker uses the newly acquired privileges to access sensitive resources, modify configurations, or deploy malicious applications.
7. The attacker establishes persistence by creating new administrative accounts or modifying existing configurations to maintain access even if the initial compromised account is remediated.
8. The attacker performs data exfiltration or causes disruption to the Azure environment based on their objectives.

Impact

Successful addition of a user to a privileged role can grant the attacker complete control over the Azure AD environment. This may allow them to access sensitive data, disrupt critical services, and deploy malicious applications. The impact can range from data breaches and financial loss to complete compromise of the organization’s cloud infrastructure. The scope depends on the role assigned, but global administrator roles can cause catastrophic damage.

Recommendation

• Deploy the Sigma rule “User Added To Privilege Role” to your SIEM to detect suspicious role assignments in Azure AD Audit Logs.
• Review Azure AD audit logs for any “Add eligible member” events (permanent or eligible) to identify potentially malicious role assignments.
• Implement multi-factor authentication (MFA) for all users, especially those with administrative privileges, to mitigate the risk of initial access compromise (T1110).
• Enforce the principle of least privilege to limit the scope of access for each user and role (T1068).
• Regularly audit and review user role assignments to identify and remove unnecessary privileges.

]]>highadvisoryazureprivileged-accessrole-assignmenthttps://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-assigned-outside/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-azure-pim-role-assigned-outside/Detection of privilege role assignments outside of Azure Privileged Identity Management (PIM) can indicate potential attacker activity related to initial access, stealth, persistence, or privilege escalation within the Azure environment.The unauthorized assignment of privileged roles outside of Azure Privileged Identity Management (PIM) represents a significant security risk. Attackers may attempt to bypass PIM controls to gain persistent access, escalate privileges, or move laterally within the Azure environment. Detecting these anomalous role assignments is crucial for identifying potentially compromised accounts or malicious insiders. This activity is a common tactic used by attackers to establish persistence and maintain control over cloud resources. Monitoring for this behavior can help security teams quickly identify and respond to potential breaches, limiting the impact of successful attacks. This activity can be associated with lateral movement, privilege escalation, and persistence within the cloud environment.

Attack Chain

1. An attacker gains initial access to a compromised user account or service principal within the Azure environment.
2. The attacker attempts to identify existing privileged roles and permissions.
3. The attacker bypasses PIM to directly assign themselves a privileged role (e.g., Global Administrator, Security Administrator) using Azure CLI, PowerShell, or the Azure portal.
4. The attacker elevates their permissions without triggering PIM alerts or requiring approval.
5. The attacker uses the newly assigned privileged role to access sensitive data, modify configurations, or create new resources.
6. The attacker establishes persistence by creating new accounts or modifying existing ones with elevated privileges.
7. The attacker moves laterally to other Azure resources or subscriptions using their increased access.
8. The attacker achieves their final objective, such as data exfiltration, service disruption, or deployment of malicious code.

Impact

Compromising privileged roles within Azure can have severe consequences, potentially impacting all resources within the affected Azure Active Directory tenant. Successful attacks can lead to unauthorized data access, service disruption, financial loss, and reputational damage. The scope of the impact depends on the level of privilege gained by the attacker and the sensitivity of the targeted resources. Without proper detection and response, organizations may remain unaware of the breach, allowing attackers to maintain persistent access and continue their malicious activities undetected.

Recommendation

• Deploy the provided Sigma rule Roles Assigned Outside PIM to your SIEM to detect unauthorized role assignments within your Azure environment.
• Investigate all instances flagged by the Sigma rule Roles Assigned Outside PIM to determine the legitimacy of the role assignment and the identity of the assigner.
• Implement controls to restrict the ability to assign privileged roles outside of PIM, as described in the Microsoft documentation reference.
• Review and enforce the principle of least privilege to minimize the potential impact of compromised accounts.

]]>highadvisoryazurepimrole-assignmentattack.initial-accessattack.stealthattack.t1078attack.persistenceattack.privilege-escalation