https://feed.craftedsignal.io/tags/uri/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 17:24:00 +0000https://feed.craftedsignal.io/briefs/2024-01-azure-appid-uri-change/Wed, 03 Jan 2024 17:24:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-azure-appid-uri-change/Detection of configuration changes to an application's AppID URI in Azure, potentially indicating malicious activity related to initial access, persistence, credential access, privilege escalation, or stealth.Attackers may modify the AppID URI of an application in Azure to facilitate various malicious activities, including gaining unauthorized access, establishing persistence, accessing credentials, escalating privileges, or maintaining stealth within the environment. The AppID URI serves as a unique identifier for an application within the Azure Active Directory (Azure AD) ecosystem. Changes to this URI could indicate that an attacker is attempting to impersonate a legitimate application or service, potentially bypassing security controls and gaining elevated access. Monitoring for these changes is crucial for defenders to identify and respond to potentially malicious activity.

Attack Chain

1. An attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability (T1078.004).
2. The attacker enumerates available applications and service principals within the Azure environment.
3. The attacker identifies a target application with a high-value AppID URI.
4. The attacker modifies the AppID URI of the target application, potentially to impersonate another service or application (T1552).
5. This change might be done to allow the attacker to request tokens for that application.
6. The attacker leverages the modified AppID URI to request access tokens, potentially gaining unauthorized access to resources (T1078.004).
7. The attacker uses the acquired access tokens to move laterally within the Azure environment and access sensitive data or systems.
8. The attacker maintains persistence by using the modified application for continued unauthorized access.

Impact

Successful modification of an AppID URI can lead to significant security breaches, including unauthorized access to sensitive data, privilege escalation, and persistent compromise of the Azure environment. An attacker can impersonate legitimate applications, bypassing security controls and potentially affecting numerous resources and users. The scope of the impact depends on the permissions and access levels associated with the compromised application.

Recommendation

• Deploy the Sigma rule “Application AppID Uri Configuration Changes” to your SIEM to detect unauthorized modifications to AppID URIs (rule provided below).
• Investigate any alerts generated by the Sigma rule to determine the legitimacy of the AppID URI changes.
• Implement multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise.
• Regularly review and audit application permissions and configurations to identify and remediate any misconfigurations.
• Monitor Azure audit logs for other suspicious activities related to application and service principal management.

]]>highadvisoryazureappiduriapplicationserviceprincipalcredential-accessprivilege-escalationhttps://feed.craftedsignal.io/briefs/2024-01-03-azure-app-uri-modification/Wed, 03 Jan 2024 14:21:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-azure-app-uri-modification/Detection of Azure application URI modifications that can be indicative of malicious activity, such as using dangling URIs, non-HTTPS URIs, wildcard domains, or URIs pointing to uncontrolled domains, potentially leading to initial access, stealth, persistence, credential access, and privilege escalation.Attackers may modify application URIs within Azure Active Directory to redirect users or applications to malicious resources, obtain unauthorized access, or establish persistence. The modification of an application’s URI can be a subtle but effective technique for gaining a foothold in an environment. By manipulating the URI settings, attackers can redirect traffic to attacker-controlled servers, intercept credentials, or perform other malicious actions. This activity is often difficult to detect because it can blend in with legitimate administrative tasks. Investigation is merited if URIs for domain names no longer exist, are not using HTTPS, have wildcards at the end of the domain, are not unique to that app, or point to domains that the organization does not control.

Attack Chain

1. The attacker gains initial access to an Azure account with sufficient privileges to modify application registrations.
2. The attacker navigates to the Azure Active Directory portal.
3. The attacker locates a target application registration.
4. The attacker modifies the application’s URI settings, such as the reply URLs or identifier URIs.
5. The attacker configures the URI to point to a malicious server or a phishing page.
6. Users or applications are redirected to the malicious URI when attempting to authenticate or access the application.
7. The attacker intercepts credentials or performs other malicious actions.
8. The attacker establishes persistence by maintaining control over the application’s URI settings.

Impact

A successful attack could lead to credential theft, data breaches, or unauthorized access to sensitive resources. By compromising application URIs, attackers can redirect users to phishing pages, intercept credentials, or gain a foothold in the environment for further exploitation. This activity can be difficult to detect and can have a significant impact on the organization’s security posture.

Recommendation

• Deploy the Sigma rule Application URI Configuration Changes to your SIEM to detect suspicious modifications to application URIs in Azure Audit Logs.
• Investigate any alerts generated by the Sigma rule Application URI Configuration Changes to determine if the URI modification is legitimate or malicious.
• Monitor Azure Audit Logs for any changes to application URI settings (as indicated by properties.message: Update Application Sucess- Property Name AppAddress) and validate the legitimacy of the changes.

]]>highadvisorycloudazureapplicationurimodificationpersistencecredential-accessprivilege-escalation