Skip to content
Threat Feed
high advisory

Azure AD PIM Role Assignment Detected

Detection of an Azure AD Privileged Identity Management (PIM) role assignment, specifically identifying when a user is added as an eligible member, which could lead to unauthorized access and privilege escalation.

This analytic detects the assignment of an Azure AD Privileged Identity Management (PIM) role. PIM roles provide users with elevated privileges for specific tasks. Monitoring these assignments is crucial because attackers can exploit these roles to gain unauthorized access. The detection leverages Azure Active Directory events to identify when a user is added as an eligible member to a PIM role. The Splunk detection rule azure_ad_pim_role_assigned focuses on events with the operationName "Add eligible member to role in PIM completed*". Successful exploitation could allow unauthorized actions, data breaches, or further compromise. This activity is relevant to any organization using Azure AD PIM.

Attack Chain

  1. Compromise User Account: An attacker gains initial access by compromising a user account through phishing, credential stuffing, or other means.
  2. Identify Target Role: The attacker identifies a PIM role that would grant them the necessary privileges to achieve their objectives.
  3. Request Role Assignment: The attacker attempts to assign themselves as an eligible member to the targeted PIM role.
  4. "Add eligible member to role in PIM completed" event is generated in Azure AD audit logs.
  5. Activate Role: If the role requires activation, the attacker activates the assigned role.
  6. Escalate Privileges: The attacker uses the newly acquired privileges to perform unauthorized actions, such as accessing sensitive data or modifying system configurations.
  7. Maintain Persistence: The attacker ensures continued access by creating backdoors or other persistence mechanisms, like adding rogue applications or service principals.
  8. Achieve Objective: The attacker achieves their ultimate objective, such as data exfiltration, system disruption, or financial gain.

Impact

A successful attack can lead to significant damage, including unauthorized access to sensitive data, modification of critical system configurations, and potential data breaches. The impact can range from compromised user accounts to complete control over the Azure AD environment. If an attacker successfully escalates privileges and maintains persistence, they can cause long-term damage.

Recommendation

  • Deploy the provided Sigma rule Azure AD PIM Role Assigned to your SIEM and tune for your environment.
  • Enable and monitor Azure Active Directory audit logs, specifically the azure:monitor:aad sourcetype, as recommended in the "How To Implement" section.
  • Review and filter known false positives as documented in the brief.
  • Investigate any alerts generated by the Sigma rule, focusing on the user field and dest which indicates the assigned role, as mentioned in the rule definition.

Detection coverage 2

Azure AD PIM Role Assigned

high

Detects the assignment of an Azure AD Privileged Identity Management (PIM) role by monitoring Azure AD audit logs for the 'Add eligible member to role in PIM completed*' operation.

sigma tactics: persistence, privilege_escalation techniques: T1098.003 sources: webserver, linux

Azure AD PIM Role Assigned (Audit Log)

high

Detects the assignment of an Azure AD Privileged Identity Management (PIM) role by monitoring Azure AD audit logs for the 'Add eligible member to role in PIM completed*' operation using audit log source.

sigma tactics: persistence, privilege_escalation techniques: T1098.003 sources: dns_query, windows

Detection queries are available on the platform. Get full rules →