User Added to an Administrator's Azure AD Role
Sigma rule
```yaml
title: User Added to an Administrator's Azure AD Role
id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
status: test
description: User Added to an Administrator's Azure AD Role
references:
    - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
author: Raphaël CALVET, @MetallicHack
date: 2021-10-04
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098.003
    - attack.t1078
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        Operation: 'Add member to role.'
        Workload: 'AzureActiveDirectory'
        ModifiedProperties{}.NewValue|endswith:
            - 'Admins'
            - 'Administrator'
    condition: selection
falsepositives:
    - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
level: medium
```
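To make the matching semantics of the `selection` block concrete, here is an added example (not part of the Sigma rule or the Sigma project) that evaluates the rule over constructed Azure AD audit events. The event shape is assumed from the field names the rule uses (`Operation`, `Workload`, and a `ModifiedProperties` list of `{Name, NewValue}` objects); the sample events are invented.

```python
# Added example (not part of the Sigma rule or project): evaluate the rule's
# `selection` over constructed Azure AD audit events. The event shape assumed
# here follows the field names the rule uses (Operation, Workload and a
# ModifiedProperties list of {Name, NewValue} objects); samples are invented.
from typing import Any, Dict, List

NEW_VALUE_SUFFIXES = ("Admins", "Administrator")


def matches_rule(event: Dict[str, Any]) -> bool:
    """True when the event satisfies the selection block.

    Sigma's `ModifiedProperties{}.NewValue|endswith` means: ANY element of the
    ModifiedProperties list whose NewValue ends with ANY listed suffix matches.
    """
    if event.get("Operation") != "Add member to role.":
        return False
    if event.get("Workload") != "AzureActiveDirectory":
        return False
    props = event.get("ModifiedProperties") or []
    return any(str(p.get("NewValue", "")).endswith(NEW_VALUE_SUFFIXES) for p in props)


def alerting_event_ids(events: List[Dict[str, Any]]) -> List[str]:
    """IDs of events the rule would raise; PIM activations must be triaged by hand."""
    return [e["Id"] for e in events if matches_rule(e)]


# Constructed sample events, not real telemetry.
EVENTS = [
    {  # Assignment into Global Administrator: alerts (NewValue ends with 'Administrator').
        "Id": "evt-1", "Operation": "Add member to role.", "Workload": "AzureActiveDirectory",
        "ModifiedProperties": [
            {"Name": "Role.DisplayName", "NewValue": "Global Administrator"},
            {"Name": "Role.ObjectID", "NewValue": "00000000-0000-0000-0000-000000000001"},
        ],
    },
    {  # Same operation into a non-privileged role: no suffix match, no alert.
        "Id": "evt-2", "Operation": "Add member to role.", "Workload": "AzureActiveDirectory",
        "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Directory Readers"}],
    },
    {  # Privileged-looking name but a different workload: the Workload clause filters it.
        "Id": "evt-3", "Operation": "Add member to role.", "Workload": "Exchange",
        "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Organization Management Admins"}],
    },
]

if __name__ == "__main__":
    print(alerting_event_ids(EVENTS))  # ['evt-1']
```

When tuning, a PIM activation of an eligible role produces an event that also matches here, so correlate the raising actor with PIM activation records before treating the alert as a persistence attempt.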
Related rules
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- App Granted Privileged Delegated Or App Permissions
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow