{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/temporary-access-pass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","temporary-access-pass","privilege-escalation","initial-access","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies when a temporary access pass (TAP) is added to an Azure Active Directory (Azure AD) account. A TAP is a time-limited passcode issued by an administrator that lets a user sign in without a password and that satisfies strong-authentication (MFA) requirements; its intended uses are onboarding passwordless methods and recovering accounts whose other authentication methods are unavailable. Because a TAP stands in for both the password and the second factor, an adversary who controls an account able to issue TAPs can mint one for any target user, sign in as that user, and from there gain unauthorized access, escalate privileges, establish persistence, or move laterally within the Azure environment. This activity warrants investigation, especially if the TAP is added to a privileged account. 
The source material does not indicate a specific campaign or threat actor, but the technique aligns with common cloud identity attack patterns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise (Optional):\u003c/strong\u003e An attacker gains initial access to an Azure AD account through compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker escalates privileges to an account holding a directory role that can manage other users' authentication methods, which is what issuing a TAP requires.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTAP Generation:\u003c/strong\u003e Using that account, the attacker generates a TAP for a target account. This is the step the alert fires on: the Azure AD audit log records the issuing account as the initiator and the victim as the target resource.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTAP Activation:\u003c/strong\u003e The attacker signs in to the target account with the TAP. No password or additional MFA prompt is needed, since the TAP itself counts as strong authentication, so the victim's existing credentials need not be known or changed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Access:\u003c/strong\u003e Once authenticated, the attacker gains access to resources and applications associated with the target account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker uses the compromised account to access other resources or accounts within the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker establishes persistence, for example by using the TAP-authenticated session to register a new authentication method (an Authenticator app or FIDO2 key) on the target account, or by creating or modifying other credentials if permissions allow.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, systems, and applications within the Azure environment. Compromised privileged accounts can grant attackers control over critical infrastructure, leading to data breaches, service disruptions, and reputational damage. 
The impact depends on the permissions associated with the compromised account and the resources accessible through the TAP.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect TAP additions in Azure AD audit logs (see rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where TAPs are added to privileged accounts in Azure AD, as highlighted in the rule description and references; treat a TAP issued to a privileged account by an account that has never performed that action before as high priority.\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for suspicious activity surrounding the TAP generation event, including the initiating account, its source IP address and user agent, and whether the request came through a sanctioned admin workflow (see rules).\u003c/li\u003e\n\u003cli\u003eMonitor for anomalous sign-in activity using TAPs, specifically focusing on unusual locations or devices, and correlate each TAP sign-in back to the audit event that issued the pass; a sign-in from an IP address that differs from the issuing administrator's, or a TAP sign-in followed by the registration of a new authentication method, deserves particular scrutiny.\u003c/li\u003e\n\u003cli\u003eTighten the Temporary Access Pass authentication method policy: enable it only for the users or groups that need it, prefer one-time-use passes, and keep the maximum lifetime short so that an issued pass cannot be reused after the legitimate onboarding or recovery task is complete.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-azure-tap-added/","summary":"Detection of a temporary access pass (TAP) being added to an Azure AD account, which could indicate initial access, privilege escalation, persistence, or lateral movement.","title":"Azure AD Temporary Access Pass Added to Account","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-tap-added/"}],"language":"en","title":"CraftedSignal Threat Feed — Temporary-Access-Pass","version":"https://jsonfeed.org/version/1.1"}
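The detection and correlation the brief describes, written out as an added example appended after the feed entry. This is editor-supplied code, not the CraftedSignal Sigma rule or any Microsoft tooling. It flags the audit event written when an administrator issues a TAP, marks findings whose target is a privileged account, and then looks for a later sign-in by that target whose authentication method was a TAP, recording the sign-in IP so it can be compared with the issuer's. The field names (`activityDisplayName`, `resultReason`, `initiatedBy.user`, `targetResources`, `authenticationDetails[].authenticationMethod`), the marker strings for the TAP audit event and TAP sign-in method, the privileged-account list and all sample events are assumptions or constructed data; check the markers against your own tenant's audit and sign-in export before deploying.

```python
"""Detect TAP registrations in Azure AD audit events and correlate them with
TAP sign-ins. Constructed example; schema and marker strings are assumptions."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumed audit-log markers for a TAP being issued (verify in your tenant).
TAP_ACTIVITY = "Admin registered security info"
TAP_RESULT_REASON = "Admin registered temporary access pass method for user"
# Assumed value of authenticationDetails[].authenticationMethod for a TAP sign-in.
TAP_SIGNIN_METHOD = "Temporary Access Pass"
# Hypothetical privileged accounts; in practice feed this from a role/PIM export.
PRIVILEGED_UPNS: Set[str] = {"ga-admin@contoso.example"}


@dataclass
class TapFinding:
    issued_at: str
    actor: str
    actor_ip: Optional[str]
    target: str
    privileged_target: bool
    used_in_signin: bool = False
    signin_ip: Optional[str] = None

    def severity(self) -> str:
        # High if the target is privileged or the pass was used from an IP
        # other than the issuer's; medium otherwise (still worth a ticket).
        if self.privileged_target or (self.used_in_signin and self.signin_ip != self.actor_ip):
            return "high"
        return "medium"


def is_tap_registration(event: dict) -> bool:
    """True for the audit event written when an admin creates a TAP."""
    reason = (event.get("resultReason") or "").strip().lower()
    return event.get("activityDisplayName") == TAP_ACTIVITY and reason == TAP_RESULT_REASON.lower()


def detect_tap_added(audit_events: Iterable[dict], privileged: Set[str]) -> List[TapFinding]:
    """Turn every TAP registration audit event into a finding (UPN match is case-insensitive)."""
    priv = {u.lower() for u in privileged}
    findings: List[TapFinding] = []
    for ev in audit_events:
        if not is_tap_registration(ev):
            continue
        actor = (ev.get("initiatedBy") or {}).get("user") or {}
        targets = ev.get("targetResources") or []
        target = (targets[0].get("userPrincipalName") if targets else None) or "unknown"
        findings.append(TapFinding(
            issued_at=ev.get("activityDateTime", ""),
            actor=actor.get("userPrincipalName", "unknown"),
            actor_ip=actor.get("ipAddress"),
            target=target,
            privileged_target=target.lower() in priv,
        ))
    return findings


def correlate_tap_signins(findings: List[TapFinding], signins: Iterable[dict]) -> List[TapFinding]:
    """Mark findings whose target signed in with a TAP at or after issuance; record the IP."""
    signins = list(signins)
    for f in findings:
        for s in signins:
            if (s.get("userPrincipalName") or "").lower() != f.target.lower():
                continue
            methods = {d.get("authenticationMethod") for d in s.get("authenticationDetails") or []}
            # ISO-8601 UTC timestamps of equal format compare correctly as strings.
            if TAP_SIGNIN_METHOD in methods and s.get("createdDateTime", "") >= f.issued_at:
                f.used_in_signin, f.signin_ip = True, s.get("ipAddress")
                break
    return findings


# Constructed sample events (not real tenant data): one TAP for a normal user,
# one non-TAP method registration, one TAP for a privileged account.
SAMPLE_AUDIT = [
    {"activityDateTime": "2024-01-03T14:02:11Z", "activityDisplayName": TAP_ACTIVITY,
     "resultReason": TAP_RESULT_REASON,
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example", "ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    {"activityDateTime": "2024-01-03T14:05:40Z", "activityDisplayName": TAP_ACTIVITY,
     "resultReason": "Admin registered phone method for user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example", "ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "bob@contoso.example"}]},
    {"activityDateTime": "2024-01-03T14:09:02Z", "activityDisplayName": TAP_ACTIVITY,
     "resultReason": TAP_RESULT_REASON,
     "initiatedBy": {"user": {"userPrincipalName": "authadmin@contoso.example", "ipAddress": "198.51.100.7"}},
     "targetResources": [{"userPrincipalName": "GA-Admin@contoso.example"}]},
]
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-01-03T14:12:30Z", "userPrincipalName": "ga-admin@contoso.example",
     "ipAddress": "198.51.100.44",
     "authenticationDetails": [{"authenticationMethod": TAP_SIGNIN_METHOD, "succeeded": True}]},
    {"createdDateTime": "2024-01-03T13:50:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10",
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
]


def run_example() -> List[TapFinding]:
    return correlate_tap_signins(detect_tap_added(SAMPLE_AUDIT, PRIVILEGED_UPNS), SAMPLE_SIGNINS)


if __name__ == "__main__":
    for f in run_example():
        print(json.dumps({"severity": f.severity(), **f.__dict__}))
```

On the sample data the non-TAP registration is ignored, the pass issued to alice is reported at medium severity with no matching TAP sign-in, and the pass issued to the privileged account is reported at high severity with a TAP sign-in from 198.51.100.44, a different address from the issuing administrator's 198.51.100.7, which is exactly the combination the recommendations above single out for investigation. The severity logic is deliberately simple; in a real pipeline you would also pull in the sign-in's location and device fields and the issuer's prior history of TAP creation.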