Azure Subscription Permission Elevation Via ActivityLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Sigma rule
title: Azure Subscription Permission Elevation Via ActivityLogs
id: 09438caa-07b1-4870-8405-1dbafe3dad95
status: test
description: |
    Detects when a user has been elevated to manage all Azure Subscriptions.
    This change should be investigated immediately if it isn't planned.
    This setting could allow an attacker access to Azure subscriptions in your environment.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-08-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.initial-access
    - attack.t1078.004
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: high
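To show what the rule's selection block actually does when run over activity-log data, here is an added Python example (not part of the rule or the Sigma project). It applies the single `operationName` condition to a few constructed Azure Activity Log records in newline-delimited JSON, using the case-insensitive comparison that Sigma string matching applies by default, so the rule's upper-case value also matches the mixed-case `Microsoft.Authorization/elevateAccess/action` form that Azure emits. The field names (`time`, `operationName`, `resultType`, `caller`, `callerIpAddress`) follow the activity-log export schema; the values are made up.

```python
import json
from typing import Iterable

# Constructed sample Azure Activity Log records (newline-delimited JSON).
# Field layout follows the activity-log export schema; every value is made up.
SAMPLE_ACTIVITY_LOG = """
{"time": "2024-01-15T10:02:11Z", "operationName": "Microsoft.Authorization/elevateAccess/action", "resultType": "Success", "caller": "alice@example.test", "callerIpAddress": "198.51.100.7", "category": "Administrative"}
{"time": "2024-01-15T10:03:40Z", "operationName": "Microsoft.Compute/virtualMachines/start/action", "resultType": "Success", "caller": "bob@example.test", "callerIpAddress": "198.51.100.8", "category": "Administrative"}
{"time": "2024-01-15T10:05:02Z", "operationName": "MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION", "resultType": "Failure", "caller": "eve@example.test", "callerIpAddress": "203.0.113.9", "category": "Administrative"}
"""

# The value from the rule's selection block, lower-cased once so that the
# comparison below is case-insensitive, as Sigma string matching is by default.
ELEVATE_ACCESS_OPERATION = "microsoft.authorization/elevateaccess/action"


def parse_activity_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_rule(record: dict) -> bool:
    """Return True when the record satisfies the rule's selection block."""
    return record.get("operationName", "").lower() == ELEVATE_ACCESS_OPERATION


def detect_elevate_access(records: Iterable[dict]) -> list[dict]:
    """Apply the rule and return one alert per matching record.

    The alert carries the fields an analyst needs first during triage:
    who performed the elevation, from where, when, and whether it succeeded.
    """
    alerts = []
    for rec in records:
        if matches_rule(rec):
            alerts.append({
                "title": "Azure Subscription Permission Elevation Via ActivityLogs",
                "level": "high",
                "time": rec.get("time"),
                "caller": rec.get("caller"),
                "callerIpAddress": rec.get("callerIpAddress"),
                "resultType": rec.get("resultType"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_elevate_access(parse_activity_log(SAMPLE_ACTIVITY_LOG)):
        print(json.dumps(alert))
```

Run against the sample input, this produces two alerts: the successful elevation by `alice@example.test` and the failed attempt by `eve@example.test`. The rule has no `resultType` condition, so failed elevation attempts fire as well; keeping `resultType` in the alert lets the analyst tell the two apart without going back to the raw log.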
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- AWS Root Credentials
- AWS SAML Provider Deletion Activity