User Added to an Administrator's Azure AD Role
Sigma rule (View on GitHub)
```yaml
title: User Added to an Administrator's Azure AD Role
id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
status: test
description: User Added to an Administrator's Azure AD Role
references:
    - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
author: Raphaël CALVET, @MetallicHack
date: 2021-10-04
modified: 2022-10-09
tags:
    - attack.initial-access
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098.003
    - attack.t1078
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        Operation: 'Add member to role.'
        Workload: 'AzureActiveDirectory'
        ModifiedProperties{}.NewValue|endswith:
            - 'Admins'
            - 'Administrator'
    condition: selection
falsepositives:
    - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
level: medium
```
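To show what the selection above actually matches, here is an added example (not part of the Sigma rule or the SigmaHQ project) that applies the same logic in Python to a handful of constructed audit records shaped like Azure AD / Microsoft 365 activity log entries; the field names and role values are assumptions for illustration, and the `endswith` comparison is done case-insensitively, as Sigma does by default.

```python
# Constructed sample records (not real log data) shaped like Azure AD
# activity log entries: Operation, Workload and a list of ModifiedProperties,
# which is what the Sigma field "ModifiedProperties{}.NewValue" iterates over.
SAMPLE_EVENTS = [
    {"Id": "evt-1", "Operation": "Add member to role.", "Workload": "AzureActiveDirectory",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"},
                            {"Name": "Role.TemplateId", "NewValue": "<role-template-id>"}]},
    {"Id": "evt-2", "Operation": "Add member to role.", "Workload": "AzureActiveDirectory",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Directory Readers"}]},
    {"Id": "evt-3", "Operation": "Add member to role.", "Workload": "AzureActiveDirectory",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Helpdesk Administrator"}]},
    # Ends with "Administrators", so the rule's 'Administrator' suffix does NOT match it:
    # a gap to keep in mind when tuning the rule.
    {"Id": "evt-4", "Operation": "Add member to role.", "Workload": "AzureActiveDirectory",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Device Administrators"}]},
    # Same role, but a removal: the Operation filter excludes it.
    {"Id": "evt-5", "Operation": "Remove member from role.", "Workload": "AzureActiveDirectory",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]},
]

ADMIN_SUFFIXES = ("admins", "administrator")  # the rule's endswith list, lower-cased


def matches_admin_role_add(event):
    """Return True when the record satisfies the rule's 'selection' block."""
    if event.get("Operation") != "Add member to role.":
        return False
    if event.get("Workload") != "AzureActiveDirectory":
        return False
    # Sigma's "endswith" is case-insensitive unless the "cased" modifier is used,
    # so normalise each NewValue before comparing suffixes.
    for prop in event.get("ModifiedProperties", []):
        new_value = str(prop.get("NewValue", "")).lower()
        if new_value.endswith(ADMIN_SUFFIXES):
            return True
    return False


def find_admin_role_additions(events):
    """Return the Ids of all events the rule would alert on, in input order."""
    return [e["Id"] for e in events if matches_admin_role_add(e)]


if __name__ == "__main__":
    print(find_admin_role_additions(SAMPLE_EVENTS))
```

A hit such as evt-1 should then be checked against PIM activations, since the rule's false-positive note says enabling an eligible role produces the same event.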
References
Related rules
- AWS Key Pair Import Activity
- AWS Suspicious SAML Activity
- Account Created And Deleted Within A Close Time Frame
- Authentications To Important Apps Using Single Factor Authentication
- Azure Domain Federation Settings Modified