Azure RBAC Built-In Administrator Roles Assigned

  1[metadata]
  2creation_date = "2025/09/15"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2025/09/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when a user is assigned a built-in administrator role in Azure RBAC (Role-Based Access Control). These roles provide significant privileges and can be abused by attackers for lateral movement, persistence, or privilege escalation. The privileged built-in administrator roles include Owner, Contributor, User Access Administrator, Azure File Sync Administrator, Reservations Administrator, and Role Based Access Control Administrator.
 11"""
 12from = "now-9m"
 13index = ["filebeat-*", "logs-azure.activitylogs-*"]
 14language = "kuery"
 15license = "Elastic License v2"
 16name = "Azure RBAC Built-In Administrator Roles Assigned"
 17note = """## Triage and Analysis
 18
 19### Investigating Azure RBAC Built-In Administrator Roles Assigned
 20
 21This rule identifies when a user is assigned a built-in administrator role in Azure RBAC (Role-Based Access Control). These roles provide significant privileges and can be abused by attackers for lateral movement, persistence, or privilege escalation. The privileged built-in administrator roles include Owner, Contributor, User Access Administrator, Azure File Sync Administrator, Reservations Administrator, and Role Based Access Control Administrator. Assignment can be done via the Azure portal, Azure CLI, PowerShell, or through API calls. Monitoring these assignments helps detect potential unauthorized privilege escalations.
 22
 23#### Privileged Built-In Administrator Roles
 24- Contributor: b24988ac-6180-42a0-ab88-20f7382dd24c
 25- Owner: 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
 26- Azure File Sync Administrator: 92b92042-07d9-4307-87f7-36a593fc5850
 27- Reservations Administrator: a8889054-8d42-49c9-bc1c-52486c10e7cd
 28- Role Based Access Control Administrator: f58310d9-a9f6-439a-9e8d-f62e7b41a168
 29- User Access Administrator: 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9
 30
 31### Possible investigation steps
 32
 33- Identify the user who assigned the role and examine their recent activity for any suspicious actions.
 34- Review the source IP address and location associated with the role assignment event to assess if it aligns with expected user behavior or if it indicates potential unauthorized access.
 35- Check the history of role assignments for the user who was assigned the role to determine if this is a recurring pattern or a one-time event.
 36    - Additionally, identify the lifetime of the targeted user account to determine if it is a newly created account or an existing one.
 37- Determine if the user assigning the role historically has the necessary permissions to assign such roles and has done so in the past.
 38- Investigate any recent changes or activities performed by the newly assigned administrator to identify any suspicious actions or configurations that may have been altered.
 39- Correlate with other logs, such as Microsoft Entra ID sign-in logs, to identify any unusual access patterns or behaviors for the user.
 40
 41### False positive analysis
 42
 43- Legitimate administrators may assign built-in administrator roles during routine operations, maintenance or as required for onboarding new staff.
 44- Review internal tickets, change logs, or admin activity dashboards for approved operations.
 45
 46### Response and remediation
 47
 48- If administrative assignment was not authorized:
 49  - Immediately remove the built-in administrator role from the account.
 50  - Disable or lock the account and begin credential rotation.
 51  - Audit activity performed by the account after elevation, especially changes to role assignments and resource access.
 52- If suspicious:
 53  - Notify the user and confirm whether they performed the action.
 54  - Check for any automation or scripts that could be exploiting unused elevated access paths.
 55  - Review conditional access and PIM (Privileged Identity Management) configurations to limit elevation without approval.
 56- Strengthen posture:
 57  - Require MFA and approval for all privilege escalation actions.
 58  - Consider enabling JIT (Just-in-Time) access with expiration.
 59"""
 60references = [
 61    "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles",
 62    "https://orca.security/resources/research-pod/azure-identity-access-management-iam-active-directory-ad/",
 63    "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/"
 64]
 65risk_score = 73
 66rule_id = "1a1046f4-9257-11f0-9a42-f661ea17fbce"
 67severity = "high"
 68tags = [
 69    "Domain: Cloud",
 70    "Data Source: Azure",
 71    "Data Source: Azure Activity Logs",
 72    "Use Case: Identity and Access Audit",
 73    "Tactic: Privilege Escalation",
 74    "Resources: Investigation Guide",
 75]
 76timestamp_override = "event.ingested"
 77type = "query"
 78
 79query = '''
 80event.dataset: azure.activitylogs and
 81    event.action: "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" and
 82    azure.activitylogs.properties.requestbody.properties.roleDefinitionId:
 83    (
 84      *18d7d88d-d35e-4fb5-a5c3-7773c20a72d9* or
 85      *f58310d9-a9f6-439a-9e8d-f62e7b41a168* or
 86      *b24988ac-6180-42a0-ab88-20f7382dd24c* or
 87      *8e3af657-a8ff-443c-a75c-2fe8c4bcb635* or
 88      *92b92042-07d9-4307-87f7-36a593fc5850* or
 89      *a8889054-8d42-49c9-bc1c-52486c10e7cd*
 90  )
 91'''
 92
 93
 94[[rule.threat]]
 95framework = "MITRE ATT&CK"
 96[[rule.threat.technique]]
 97id = "T1098"
 98name = "Account Manipulation"
 99reference = "https://attack.mitre.org/techniques/T1098/"
100[[rule.threat.technique.subtechnique]]
101id = "T1098.003"
102name = "Additional Cloud Roles"
103reference = "https://attack.mitre.org/techniques/T1098/003/"
104
105
106
107[rule.threat.tactic]
108id = "TA0004"
109name = "Privilege Escalation"
110reference = "https://attack.mitre.org/tactics/TA0004/"