Azure Subscription Permission Elevation Via ActivityLogs

Oct 17, 2023 · attack.initial_access attack.t1078.004 ·

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Sigma rule (View on GitHub)

 1title: Azure Subscription Permission Elevation Via ActivityLogs
 2id: 09438caa-07b1-4870-8405-1dbafe3dad95
 3status: test
 4description: |
 5    Detects when a user has been elevated to manage all Azure Subscriptions.
 6    This change should be investigated immediately if it isn't planned.
 7    This setting could allow an attacker access to Azure subscriptions in your environment.    
 8references:
 9    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
10author: Austin Songer @austinsonger
11date: 2021/11/26
12modified: 2022/08/23
13tags:
14    - attack.initial_access
15    - attack.t1078.004
16logsource:
17    product: azure
18    service: activitylogs
19detection:
20    selection:
21        operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
22    condition: selection
23falsepositives:
24    - If this was approved by System Administrator.
25level: high

References

Azure permissions - Azure RBAC

Lists the permissions for Azure resource providers.

Read More

Azure Subscription Permission Elevation Via ActivityLogs

Sigma rule (View on GitHub)

References

Azure permissions - Azure RBAC

Related rules