App Granted Privileged Delegated Or App Permissions
Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
Sigma rule (View on GitHub)
1title: App Granted Privileged Delegated Or App Permissions
2id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f
3related:
4 - id: ba2a7c80-027b-460f-92e2-57d113897dbc
5 type: obsolete
6status: test
7description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
8references:
9 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
10author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
11date: 2022-07-28
12modified: 2023-03-29
13tags:
14 - attack.persistence
15 - attack.privilege-escalation
16 - attack.t1098.003
17logsource:
18 product: azure
19 service: auditlogs
20detection:
21 selection:
22 properties.message: Add app role assignment to service principal
23 condition: selection
24falsepositives:
25 - When the permission is legitimately needed for the app
26level: high
References
Related rules
- User Added to an Administrator's Azure AD Role
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address