Forum Discussion
johnkimu4
Jan 31, 2024 | Copper Contributor
Questioning Azure PIM Security: Can MFA Requirements Be Bypassed?
Hi everybody, I recently came up with a scenario to test a use case in which a threat actor could potentially steal your Azure access token. With this token, the actor attempts to elevate privile...
Joe Stocker
Feb 13, 2024 | Bronze Contributor
This isn't so much a problem with PIM as much as it is making sure you have configured strong authentication methods. Protect the token from adversary-in-the-middle with a FIDO2 key, Passkey, Certificate, or WH4B. There are two primary types of token theft: network based or device based. Evilginx2 is one of a handful of known methods of bypassing MFA, which in turn would bypass PIM if you have not yet set up strong authentication methods for your administrators.
If you are defending against malware lifting the token off the device itself, such as Mimikatz, then we recommend application control policies like AppLocker, WDAC, ASR, and Credential Guard, with a healthy dose of EDR.
Another recommendation is to require trusted devices for your administrators. In my lab, I found this prevents a stolen token from being replayed from unmanaged devices (which is what the attacker's device would be).
Resources: Token Theft Playbook Guidance: https://aka.ms/tokentheftplaybook
Configure Credential Guard:
https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune
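Applying the two recommendations from the reply above (trusted devices plus phishing-resistant authentication for administrators) as a Conditional Access policy, added here as an example and not code from the thread or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed, uses a placeholder for the break-glass account, and targets only the Global Administrator role template, which you would extend with the other privileged roles you use.

```powershell
# Added example (not from the thread): a report-only Conditional Access policy that
# requires BOTH a compliant (Intune-managed) device AND the built-in
# "Phishing-resistant MFA" authentication strength for privileged roles.
# A stolen token replayed from an unmanaged attacker device fails the device control;
# an adversary-in-the-middle proxy fails the phishing-resistant strength.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Directory role template ID for Global Administrator; add the other admin roles you use.
$globalAdminRole = "62e90394-69f5-4237-9190-012177145e10"

# Object ID of the emergency access (break-glass) account to exclude. Placeholder: replace.
$breakGlassUser = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

# Built-in "Phishing-resistant MFA" strength (FIDO2 / passkey, Windows Hello for Business,
# certificate-based auth). Confirm the ID in your tenant before relying on it:
#   Get-MgPolicyAuthenticationStrengthPolicy | Format-Table Id, DisplayName
$phishingResistant = "00000000-0000-0000-0000-000000000004"

$params = @{
    displayName = "Admins: compliant device + phishing-resistant MFA (report-only)"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminRole)
            excludeUsers = @($breakGlassUser)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "AND"                 # both controls must be satisfied
        builtInControls        = @("compliantDevice")  # the "trusted device" requirement
        authenticationStrength = @{ id = $phishingResistant }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

While the policy is in report-only mode, the Conditional Access tab of each admin sign-in in the Entra sign-in logs shows whether it would have been blocked, so you can confirm the break-glass exclusion and device compliance before enforcing it.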