App Assigned To Azure RBAC/Microsoft Entra Role
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
Sigma rule (View on GitHub)
1title: App Assigned To Azure RBAC/Microsoft Entra Role
2id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
3status: test
4description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
8date: 2022-07-19
9modified: 2024-11-04
10tags:
11 - attack.persistence
12 - attack.privilege-escalation
13 - attack.t1098.003
14logsource:
15 product: azure
16 service: auditlogs
17detection:
18 selection:
19 targetResources.type: 'Service Principal'
20 properties.message:
21 - Add member to role
22 - Add eligible member to role
23 - Add scoped member to role
24 condition: selection
25falsepositives:
26 - When the permission is legitimately needed for the app
27level: medium
References
Related rules
- App Granted Privileged Delegated Or App Permissions
- User Added to an Administrator's Azure AD Role
- Potential PrintNightmare Exploitation Attempt
- Windows Spooler Service Suspicious Binary Load
- Diamond Sleet APT Scheduled Task Creation