{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/user_impersonation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Entra ID"],"_cs_severities":["medium"],"_cs_tags":["azure","oauth","user_impersonation","initial_access","defense_evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies rare occurrences of OAuth workflows in Entra ID where a user principal utilizes single-factor authentication with the 'user_impersonation' OAuth scope. Attackers can exploit this scope to access user accounts without proper authorization, particularly when the sign-in session is unbound, meaning it lacks association with a specific device. The rule focuses on sign-in events where the sign-in session status is unbound, the user type is 'Member', and the sign-in outcome is a success. The rule flags when this pattern is detected for a user principal that has not been seen in the last 10 days, indicating potential abuse or unusual activity. This activity is tracked via Azure Sign-in logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a user account or obtains credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker registers or compromises an application within Entra ID, or uses a FOCI application.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an OAuth workflow requesting the \u003ccode\u003euser_impersonation\u003c/code\u003e scope.\u003c/li\u003e\n\u003cli\u003eThe user authenticates using single-factor authentication.\u003c/li\u003e\n\u003cli\u003eThe Entra ID issues an access token with the requested scope for a session marked as 'unbound'.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the access token to impersonate the user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to resources and data normally accessible by the user.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions such as reading email, accessing files, or modifying configurations within the Entra ID environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive user data, privilege escalation, and lateral movement within the Entra ID environment. This can result in data breaches, financial loss, and reputational damage. The scope of impact depends on the permissions granted to the compromised user account and the resources accessible with the 'user_impersonation' scope. Organizations may experience significant disruptions to their cloud services and productivity if user accounts are compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Entra ID OAuth User Impersonation Scope for Unusual User and Client\u0026quot; to your SIEM and tune for your environment to detect potential account compromise (rules section).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on unusual user principals and application combinations.\u003c/li\u003e\n\u003cli\u003eReview Azure Sign-in logs for authentication events matching the criteria described in the overview.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users to mitigate the risk of single-factor authentication abuse.\u003c/li\u003e\n\u003cli\u003eMonitor the app_id values in the query section and add your own exclusions as false positives are discovered (rules section).\u003c/li\u003e\n\u003cli\u003eImplement conditional access policies to restrict access based on device compliance, location, and other factors.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks associated with OAuth user impersonation and the importance of strong authentication practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-oauth-user-impersonation/","summary":"Adversaries may abuse the user_impersonation OAuth scope in Entra ID to gain unauthorized access to user accounts, especially when combined with single-factor authentication and unbound sign-in sessions, potentially indicating account compromise for users not seen in the last 10 days.","title":"Entra ID OAuth User Impersonation Scope for Unusual User and Client","url":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-oauth-user-impersonation/"}],"language":"en","title":"CraftedSignal Threat Feed - User_impersonation","version":"https://jsonfeed.org/version/1.1"}