Privileged Account Creation

Oct 23, 2025 · attack.initial-access attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1078.004 ·

Share on:

Detects when a new admin is created.

Sigma rule (View on GitHub)

 1title: Privileged Account Creation
 2id: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947
 3status: test
 4description: Detects when a new admin is created.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton
 8date: 2022-08-11
 9modified: 2022-08-16
10tags:
11    - attack.initial-access
12    - attack.defense-evasion
13    - attack.persistence
14    - attack.privilege-escalation
15    - attack.t1078.004
16logsource:
17    product: azure
18    service: auditlogs
19detection:
20    selection:
21        properties.message|contains|all:
22            - Add user
23            - Add member to role
24        Status: Success
25    condition: selection
26falsepositives:
27    - A legitimate new admin account being created
28level: medium

References

Security operations for privileged accounts in Microsoft Entra ID - Microsoft Entra

Learn about baselines, and how to monitor and alert on potential security issues with privileged accounts in Microsoft Entra ID.

Read More

Privileged Account Creation

Sigma rule (View on GitHub)

References

Security operations for privileged accounts in Microsoft Entra ID - Microsoft Entra

Related rules