
seen from Italy

seen from Netherlands

seen from Austria
seen from United States
seen from Italy
seen from Japan

seen from Maldives
seen from China

seen from Switzerland
seen from United States
seen from China
seen from United States
seen from Türkiye
seen from United States
seen from China
seen from China

seen from United States
seen from United States
seen from Poland

seen from Türkiye

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
Free to watch ⢠No registration required ⢠HD streaming
Entra ID Lateral Movement And Expanding Permission Usage
Abusing Intimate Permissions for Lateral Movement and Privilege Escalation inĀ Entra IDĀ Native Environments: (In)tune to Takeovers
Recently, a client received assistance fromĀ the MandiantĀ Red Team in visualizing the potential consequences of an advanced threat actor breach. In order to compromise the tenantās installed Entra ID service principals, Mandiant migrated laterally from the customerās on-premises environment to their MicrosoftĀ Entra IDĀ tenant during the evaluation.
Using a popular security architecture that involves Intune-managed Privileged Access Workstations (PAWs), we will discuss in this blog post a new method by which adversaries can move laterally and elevate privileges within Microsoft Entra ID by abusing Intune permissions (DeviceManagementConfiguration.ReadWrite.All) granted to Entra ID service principals. We also offer suggestions and corrective actions to stop and identify this kind of attack.
A pretext
The client had a well-developed security architecture that adhered to the Enterprise Access model suggested by Microsoft, which included:
An Active Directory-based on-premises setting that adheres to the Tiered Model.
A Microsoft Entra Connect Sync-synchronized Entra ID environment that synchronizes on-premises identities and groups with Entra ID. PAWs, which were completely cloud-native and controlled by Intune Mobile Device Management (MDM), were used to administrate this environment. They were not connected to the on-premises Active Directory system. To access these systems, IT managers used a specific, cloud-native (non-synced) administrative account. These cloud-native administrative accounts were the only ones allocated Entra ID roles (Global Administrator, Privileged Role Administrator, etc.).
A robust security barrier was created by separating administrative accounts, devices, and privileges between the Entra ID environment and the on-premises environment:
Because Entra ID privileged roles are associated with unique, cloud-native identities, a compromise of the on-premises Active Directory cannot be utilized to compromise the Entra ID environment. This is an excellent practice for Microsoft.
An āair gapā between the administration planes of the two environments is successfully created by using distinct physical workstations for administrative access to cloud and on-premises resources. Attackers find it very challenging to get through air gaps.
Strong Conditional Access regulations imposed by Privileged Identity Management assigned roles to the administrative accounts inĀ Entra ID, necessitating multi-factor authentication and a managed, compliant device. Additionally, Microsoft recommends these best practices.
Attack Path
One of the objectives of the evaluation was to assign the Mandiant Red Team the task of obtaining Global Administrator access to the Entra ID tenant.Ā MandiantĀ was able to add credentials toĀ Entra IDĀ service principals (microsoft.directory/servicePrincipals/credentials/update) by using a variety of methods that are outside the purview of this blog post. This gave the Red Team the ability to compromise any preloaded service principal.
There are a number well-known methods for abusing service principal rights to get higher permissions, most notably through the usage of RoleManagement.See AppRoleAssignment and ReadWrite.Directory.Application and ReadWrite.All.ReadWrite.All rights for Microsoft Graph.
However, the MandiantĀ Red TeamĀ had to reconsider their approach because none of these rights were being used in the customerās environment.
Mandiant found a service principle that was given the DeviceManagementConfiguration after using the superb ROADTools framework to learn more about the customerās Entra ID system.Go ahead and write.Permission is granted.Image credit to Google Cloud
The service principal is able to āread and write Microsoft Intune device configuration and policiesā with this authorization.
Clients runningĀ Windows 10Ā and later can execute the unique PowerShell scripts used by Intune for device management. Administrators have an alternative to configuring devices with settings not accessible through the configuration policies or the apps section of Intune by using the ability to run scripts on local devices. When the device boots up, management scripts with administrator rights (NT AUTHORITY\SYSTEM) are run.
The configuration of Device Management.Go ahead and write.To list, read, create, and update management scripts via the Microsoft Graph API, all permissions are required.
The MicrosoftĀ Graph API makes it simple to write or edit the management script. An example HTTP request to alter an existing script is displayed in the accompanying figure.PATCH https://graph.microsoft.com/beta/deviceManagement/ deviceManagementScripts/<script id> { "@odata.type": "#microsoft.graph.deviceManagementScript", "displayName": "<display name>", "description": "<description>", "scriptContent": "<PowerShell script in base64 encoding>", "runAsAccount": "system", "enforceSignatureCheck": false, "fileName": "<filename>", "roleScopeTagIds": [ "<existing role scope tags>" ], "runAs32Bit": false }
The caller can provide a display name, file name, and description in addition to the Base64-encoded value of the PowerShell script content using the Graph API. Depending on which principle the script should be run as, the runAsAccount parameter can be set to either user or system. RoleScopeTagIds references Intuneās Scope Tags, which associate people and devices. The DeviceManagementConfiguration can likewise be used to construct and manage them.Go ahead and write. Permission is granted.
The configuration of Device Management.Go ahead and write.By changing an existing device management script to run a PowerShell script under Mandiantās control, Mandiant was able to go laterally to the PAWs used forĀ Entra IDĀ administration with full authorization. The malicious script is run by the Intune management script when the device reboots as part of the userās regular workday.
By implanting a command-and-control device, Mandiant could give the PAWs any instructions. The Red Team obtained privileged access to Entra ID by waiting for the victim to activate their privileged role through Azure Privileged Identity Management and then impersonating the privileged account (for example, by stealing cookies or tokens). By taking these actions, Mandiant was able to fulfill the assessmentās goal and gain Global Administrator rights inĀ Entra ID.
Remediation and Recommendations
To avoid the attack scenario, Mandiant suggests the following hardening measures:
Review your organizationās security principals for theĀ DeviceManagementConfiguration.ReadWrite.AllĀ permission:Ā DeviceManagementConfiguration should be handled by organizations that use Microsoft Intune for device management.Go ahead and write.Since it grants the trustee authority over the Intune-managed devices and, consequently, any identities connected to the devices, all permissions are considered sensitive.
Mandiant advises businesses to routinely check the authorizations given toĀ Azure serviceĀ principals, with a focus on the DeviceManagementConfiguration.Along with other sensitive permissions (like RoleManagement), there is the ReadWrite.All permission.See AppRoleAssignment and ReadWrite.Directory.Application and ReadWrite.All.ReadWrite.All.
Businesses that manage PAWs with Intune should exercise extra caution when assigning Intune privileges (either via DeviceManagementConfiguration).Use Entra roles like Intune Role Administrator or ReadWrite.All.
Enable Intuneās multiple admin approval: Intune allows you to use Access Policies to demand a second administratorās approval before applying any changes. By doing this, an attacker would be unable to use a single compromised account to create or alter management scripts.
Think about turning on activity logs for the Microsoft Graph API: Graph API Activity logs, which provide comprehensive details about Graph API HTTP requests made to Microsoft Graph resources, can be enabled to aid in detection and response efforts.
Make use of the features that Workload ID Premium licenses offer: With a Workload-ID Premium license, Mandiant suggests using these features to:
Limit the use of privileged service principals to known, reliable places only. By guaranteeing that only trustworthy places are used, this reduces the possibility of unwanted access and improves security.
Enable risk detections in Microsoft Identity Protection to improve service principal security. When risk factors or questionable activity are found, this can proactively prohibit access.
Keep an eye on service principal sign-ins proactively: Monitoring service principal sign-ins proactively can aid in identifying irregularities and possible dangers. Incorporate this information into security procedures to set off notifications and facilitate quick action in the event of unwanted access attempts.
Mandiant has a thorough grasp of the various ways attackers may compromise their targetās cloud estate with some hostile emulation engagements, Red Team Assessments, and Purple Team Assessments.
Read more on Govindhtech.com
Detecting OAuth Threats with Entra ID Logs
In today's digital landscape, securing applications against unauthorized access is paramount. One common vector for such attacks is through OAuth, a protocol that allows third-party services to exchange web resources on behalf of a user. This month, we've seen an uptick in three specific OAuth Threat Patterns (TTPs) that organizations should be aware of. Firstly, there has been a rise in "Token Theft via Authorization Code Interception." Attackers intercept the authorization code sent from the authorization server to the client application, enabling them to request access tokens without proper authentication. To detect this, monitor Entra ID logs for unusual patterns in token requests or unauthorized access attempts. Secondly, "Phishing Attacks Targeting OAuth Flows" have become more sophisticated. These attacks trick users into granting permissions to malicious applications, which can then exploit these permissions to access sensitive data. Keep an eye on user consent grants in Entra ID logs for anomalies, such as multiple consents granted in a short period or consents for unexpected scopes. Lastly, "Malicious Third-Party Applications" pose a significant threat. These applications may appear legitimate but are designed to steal user data or perform unauthorized actions. Regularly review the applications registered in your Entra ID tenant and check their permissions and activities against Entra ID logs. By staying vigilant and leveraging the detailed insights provided by Entra ID logs, you can effectively detect and mitigate these OAuth threats. For more comprehensive security strategies and tools, visit IAMDevBox.com. Read more: Detecting OAuth Threats with Entra ID Logs
Understanding Entra ID Federation with External IDPs
Entra ID, Microsoft's cloud-based identity and access management service, offers robust federation capabilities that allow organizations to integrate external identity providers (IDPs). This integration, known as Entra ID Federation, enables users to authenticate using their existing credentials from other systems, enhancing security and user experience. External IDPs can include social media platforms, on-premises Active Directory, or other third-party identity solutions. By federating these IDPs with Entra ID, organizations can streamline their authentication processes, reduce administrative overhead, and comply with various security standards more effectively. This setup not only simplifies user access but also ensures that authentication requests are securely handled across different environments. To set up Entra ID Federation with an external IDP, administrators need to configure trust relationships between Entra ID and the external provider. This involves creating a relying party trust in the external IDP that points to Entra ID and setting up claims mapping to ensure that the necessary user information is correctly passed during authentication. IAMDevBox.com provides comprehensive guides and resources to help navigate this process smoothly. Read more: Understanding Entra ID Federation with External IDPs
iT4iNT SERVER Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover http://dlvr.it/TSG8Pc VDS VPS Cloud

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
Free to watch ⢠No registration required ⢠HD streaming
How To Discover Unauthorized Apps via SSO Logs (Entra ID)
Discover unauthorized apps using Entra SSO logs and CloudFuze Manageās deep discovery to detect Shadow IT and strengthen SaaS governance.
How RaccoonO365 Weaponized Cloudflare and Telegram to Industrialize Microsoft 365 Credential Theft
Read the full report on -
CyberDudeBivash offers real-time cybersecurity news, threat intelligence, zero-day vulnerabilities, malware reports, and security tools.