App Granted Privileged Delegated Or App Permissions

Feb 1, 2024 · attack.persistence attack.privilege_escalation attack.t1098.003 ·

Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

Sigma rule (View on GitHub)

 1title: App Granted Privileged Delegated Or App Permissions
 2id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f
 3related:
 4    - id: ba2a7c80-027b-460f-92e2-57d113897dbc
 5      type: obsoletes
 6status: test
 7description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
 8references:
 9    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions
10author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
11date: 2022/07/28
12modified: 2023/03/29
13tags:
14    - attack.persistence
15    - attack.privilege_escalation
16    - attack.t1098.003
17logsource:
18    product: azure
19    service: auditlogs
20detection:
21    selection:
22        properties.message: Add app role assignment to service principal
23    condition: selection
24falsepositives:
25    - When the permission is legitimately needed for the app
26level: high

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

App Granted Privileged Delegated Or App Permissions

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules