Azure Subscription Permission Elevation Via AuditLogs

Detects when a user elevates their access to manage all Azure subscriptions. In Azure this is the "Elevate access" action available to a Global Administrator: it assigns the caller the User Access Administrator role at root scope ("/"), which grants the right to manage RBAC assignments in every subscription and management group of the tenant. The elevation is recorded in the Entra ID audit logs with OperationName "Assigns the caller to user access admin". If it was not planned, investigate immediately: an attacker holding a Global Administrator account can use it to grant themselves access to any Azure subscription in your environment.

Sigma rule (View on GitHub)

title: Azure Subscription Permission Elevation Via AuditLogs
id: ca9bf243-465e-494a-9e54-bf9fc239057d
status: test
description: |
    Detects when a user has been elevated to manage all Azure Subscriptions.
    This change should be investigated immediately if it isn't planned.
    This setting could allow an attacker access to Azure subscriptions in your environment.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-12-25
tags:
    - attack.initial-access
    - attack.t1078
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'Administrative'
        OperationName: 'Assigns the caller to user access admin'
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: high
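The following is an added example, not part of the SigmaHQ rule or its page: it applies the rule's `selection` to a handful of constructed Entra ID audit log records so the matching behaviour can be checked offline. The selection map is copied from the rule; the sample records, their timestamps, principals and the extra fields (`TimeGenerated`, `Result`, `InitiatedBy`) are constructed for illustration and are not taken from Microsoft documentation. Sigma treats a selection map as a logical AND and compares string values case-insensitively by default, so the matcher below does the same; a record missing either field never fires.

```python
"""Run the Sigma selection from the rule above over constructed audit records.

Added example, not code from the SigmaHQ rule page. Only the selection map is
taken from the rule; every sample record below is constructed.
"""
import fnmatch
import json

# Selection copied from the rule. Sigma maps are AND: both fields must match.
SELECTION = {
    "Category": "Administrative",
    "OperationName": "Assigns the caller to user access admin",
}

# Constructed sample AuditLogs rows as JSON lines. Rows 1 and 4 are true
# elevation events (row 4 differs only in letter case); rows 2 and 3 each
# satisfy just one of the two fields and must not fire.
SAMPLE_LOG = r"""
{"TimeGenerated": "2024-05-01T10:02:11Z", "Category": "Administrative", "OperationName": "Assigns the caller to user access admin", "Result": "success", "InitiatedBy": {"user": {"userPrincipalName": "ga@example.com"}}}
{"TimeGenerated": "2024-05-01T10:03:40Z", "Category": "Administrative", "OperationName": "Add member to role", "Result": "success", "InitiatedBy": {"user": {"userPrincipalName": "admin@example.com"}}}
{"TimeGenerated": "2024-05-01T10:05:02Z", "Category": "RoleManagement", "OperationName": "Assigns the caller to user access admin", "Result": "success", "InitiatedBy": {"user": {"userPrincipalName": "ga@example.com"}}}
{"TimeGenerated": "2024-05-01T10:07:19Z", "Category": "administrative", "OperationName": "ASSIGNS THE CALLER TO USER ACCESS ADMIN", "Result": "success", "InitiatedBy": {"user": {"userPrincipalName": "contractor@example.com"}}}
"""


def matches_selection(record, selection=SELECTION):
    """Return True when every field of the selection matches the record.

    Mirrors Sigma defaults: values compare case-insensitively, '*' and '?'
    act as wildcards, and an absent field is a non-match.
    """
    for field, wanted in selection.items():
        value = record.get(field)
        if value is None:
            return False
        if not fnmatch.fnmatchcase(str(value).lower(), str(wanted).lower()):
            return False
    return True


def run_rule(log_text):
    """Parse JSON-lines audit records and return those the rule fires on."""
    hits = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if matches_selection(record):
            hits.append(record)
    return hits


def summarize(hits):
    """Reduce hits to (time, actor) pairs, the first things an analyst triages."""
    return [
        (
            h.get("TimeGenerated"),
            h.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName"),
        )
        for h in hits
    ]


if __name__ == "__main__":
    for when, who in summarize(run_rule(SAMPLE_LOG)):
        print(f"ALERT (level high): root-scope elevation by {who} at {when}")
```

Running the block prints two alerts, one for `ga@example.com` and one for `contractor@example.com`; the second row (a different OperationName) and the third (a different Category) are dropped, which is the point of the AND between the two selection fields. In a real pipeline the actor in `InitiatedBy` is what you compare against the change record before closing the alert as the "approved by System Administrator" false positive the rule lists.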
