Authentication Methods Modified for PIM-Eligible User [RULE-1149]
This rule detects when authentication methods are modified for a user who is eligible to activate a highly privileged role through Privileged Identity Management (PIM). This includes adding, removing, or changing multi-factor authentication methods such as phone numbers, authenticator apps, or security keys. Because PIM-eligible users can escalate to powerful administrative roles on demand, any unexpected modification to their authentication methods represents an elevated security risk that requires immediate verification.
Rationale
Privileged Identity Management (PIM) provides just-in-time privileged access by allowing users to activate administrative roles only when needed. Users who are PIM-eligible for high-privilege roles such as Global Administrator, Security Administrator, or Exchange Administrator can temporarily escalate their permissions. This makes them high-value targets for attackers.
If an attacker compromises a PIM-eligible account and registers their own MFA method (MITRE ATT&CK T1098.005 - Account Manipulation: Device Registration), they can then activate the privileged role, passing the MFA challenge with their own registered method. This gives the attacker full administrative control over the tenant, potentially allowing them to modify security configurations, access all data, create additional backdoor accounts, and disable security monitoring.
The combination of PIM eligibility and authentication method modification is particularly dangerous because it represents a clear path to privilege escalation. Even if the account does not currently hold administrative privileges, the attacker can activate them at will. This rule provides early detection of this attack chain before the attacker escalates to full administrative access. Rapid investigation is essential to prevent complete tenant compromise.
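As an added illustration of the correlation this rule performs (example code written here, not the rule's actual query or any vendor code), the following joins authentication-method audit events against the users who are PIM-eligible for the high-privilege roles named above. The audit field names, the activity names and the sample data are assumptions constructed for the example.

```python
# Roles the rule treats as highly privileged (named in the rationale above).
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Security Administrator", "Exchange Administrator"}

# Audit activity names that indicate an MFA/authentication-method change.
# Assumption: modelled on Entra ID "security info" audit activities.
AUTH_METHOD_ACTIVITIES = {
    "User registered security info", "User deleted security info",
    "User changed default security info", "Admin registered security info",
    "Admin deleted security info", "Admin updated security info",
}

def pim_eligible_users(eligibility):
    """Map user -> sorted tuple of high-privilege roles they are PIM-eligible for."""
    eligible = {}
    for entry in eligibility:
        if entry["role"] in HIGH_PRIVILEGE_ROLES:
            eligible.setdefault(entry["user"], set()).add(entry["role"])
    return {user: tuple(sorted(roles)) for user, roles in eligible.items()}

def detect(audit_events, eligibility):
    """Return one alert dict per auth-method change on a PIM-eligible privileged user."""
    eligible = pim_eligible_users(eligibility)
    alerts = []
    for ev in audit_events:
        if ev["activityDisplayName"] not in AUTH_METHOD_ACTIVITIES:
            continue  # unrelated audit activity
        user = ev["targetUser"]
        if user not in eligible:
            continue  # no PIM eligibility for a high-privilege role
        # self_service=False means an admin changed it; verify both parties (see Follow-up)
        alerts.append({"user": user, "activity": ev["activityDisplayName"],
                       "method": ev["method"], "initiated_by": ev["initiatedBy"],
                       "self_service": ev["initiatedBy"] == user,
                       "eligible_roles": eligible[user]})
    return alerts

# Constructed sample input (hypothetical tenant data, not from the page).
SAMPLE_ELIGIBILITY = [
    {"user": "alice@example.com", "role": "Global Administrator"},
    {"user": "bob@example.com", "role": "Exchange Administrator"},
    {"user": "carol@example.com", "role": "User Administrator"},  # not in HIGH_PRIVILEGE_ROLES
]
SAMPLE_EVENTS = [
    {"targetUser": "alice@example.com", "activityDisplayName": "User registered security info",
     "method": "Microsoft Authenticator", "initiatedBy": "alice@example.com"},
    {"targetUser": "bob@example.com", "activityDisplayName": "Admin registered security info",
     "method": "Phone", "initiatedBy": "helpdesk@example.com"},
    {"targetUser": "carol@example.com", "activityDisplayName": "User registered security info",
     "method": "FIDO2 security key", "initiatedBy": "carol@example.com"},
    {"targetUser": "alice@example.com", "activityDisplayName": "Update user",
     "method": "", "initiatedBy": "alice@example.com"},
]
```

Running `detect(SAMPLE_EVENTS, SAMPLE_ELIGIBILITY)` yields two alerts (alice, self-registered; bob, admin-registered) and ignores carol, whose eligible role is not in the high-privilege set, and the unrelated "Update user" event.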
Follow-up
Follow these steps to adequately address this detection:
- Verify whether the authentication method change was intentional: Contact the account owner and the initiating user (if different) to confirm whether the modification was planned and authorized. Check what specific authentication method was added or changed, and whether the user recently activated any PIM roles.
- If no: The modification was unauthorized and the account may be compromised:
  - Immediately disable the affected account in Microsoft Entra ID to prevent the attacker from activating any PIM roles.
  - Revoke all active sessions and remove any PIM role activations that are currently active for this user.
  - Remove any authentication methods that were added by the attacker, then reset the user's password and require re-registration of MFA methods through a secure, verified process.
  - Review the PIM activation history in Microsoft Entra ID to determine whether any privileged roles were activated after the authentication method change.
  - Review the account's recent activity in the Unified Audit Log (https://security.microsoft.com/auditlogsearch) for signs of administrative actions, data exfiltration, mail forwarding rules, OAuth app consents, or security configuration changes.
  - Consider engaging Attic's IR team for a comprehensive investigation, especially if privileged roles were activated by the attacker. An IR Credit Pack is required for this service.
- If yes: The modification was intentional and authorized:
  - Verify that the change complies with your organization's security policy for privileged account management and PIM procedures.
  - If acceptable: close the incident and document the approved change.