Azure AD PIM Role Assignment Detected
Detection of an Azure AD Privileged Identity Management (PIM) role assignment, specifically identifying when a user is added as an eligible member, which could lead to unauthorized access and privilege escalation.
This analytic detects the assignment of an Azure AD Privileged Identity Management (PIM) role. PIM roles provide users with elevated privileges for specific tasks. Monitoring these assignments is crucial because attackers can exploit these roles to gain unauthorized access. The detection leverages Azure Active Directory events to identify when a user is added as an eligible member to a PIM role. The Splunk detection rule azure_ad_pim_role_assigned focuses on events with the operationName "Add eligible member to role in PIM completed*". Successful exploitation could allow unauthorized actions, data breaches, or further compromise. This activity is relevant to any organization using Azure AD PIM.
Attack Chain
- Compromise User Account: An attacker gains initial access by compromising a user account through phishing, credential stuffing, or other means.
- Identify Target Role: The attacker identifies a PIM role that would grant them the necessary privileges to achieve their objectives.
- Request Role Assignment: The attacker attempts to assign themselves as an eligible member to the targeted PIM role.
- "Add eligible member to role in PIM completed" event is generated in Azure AD audit logs.
- Activate Role: If the role requires activation, the attacker activates the assigned role.
- Escalate Privileges: The attacker uses the newly acquired privileges to perform unauthorized actions, such as accessing sensitive data or modifying system configurations.
- Maintain Persistence: The attacker ensures continued access by creating backdoors or other persistence mechanisms, like adding rogue applications or service principals.
- Achieve Objective: The attacker achieves their ultimate objective, such as data exfiltration, system disruption, or financial gain.
Impact
A successful attack can lead to significant damage, including unauthorized access to sensitive data, modification of critical system configurations, and potential data breaches. The impact can range from compromised user accounts to complete control over the Azure AD environment. If an attacker successfully escalates privileges and maintains persistence, they can cause long-term damage.
Recommendation
- Deploy the provided Sigma rule
Azure AD PIM Role Assignedto your SIEM and tune for your environment. - Enable and monitor Azure Active Directory audit logs, specifically the
azure:monitor:aadsourcetype, as recommended in the "How To Implement" section. - Review and filter known false positives as documented in the brief.
- Investigate any alerts generated by the Sigma rule, focusing on the
userfield anddestwhich indicates the assigned role, as mentioned in the rule definition.
Detection coverage 2
Azure AD PIM Role Assigned
highDetects the assignment of an Azure AD Privileged Identity Management (PIM) role by monitoring Azure AD audit logs for the 'Add eligible member to role in PIM completed*' operation.
Azure AD PIM Role Assigned (Audit Log)
highDetects the assignment of an Azure AD Privileged Identity Management (PIM) role by monitoring Azure AD audit logs for the 'Add eligible member to role in PIM completed*' operation using audit log source.
Detection queries are available on the platform. Get full rules →