Detection of Azure Subscription Permission Elevation
Detection of a user being assigned the 'User Access Administrator' role, which grants the ability to manage all Azure Subscriptions, potentially leading to privilege escalation and unauthorized access.
This threat brief focuses on detecting unauthorized elevation of privileges within Azure environments. Specifically, it addresses the assignment of the ‘User Access Administrator’ role to a user, which allows managing access to all Azure subscriptions. This activity can be indicative of malicious actors attempting to gain control over an Azure environment or an insider threat escalating their privileges without proper authorization. The detection is based on Azure Audit Logs and can help identify potentially compromised accounts or misconfigurations. A successful elevation can lead to unauthorized access, data breaches, and service disruptions. Defenders should closely monitor these events and investigate any unexpected privilege escalations.
Attack Chain
- An attacker gains initial access to an Azure account, possibly through compromised credentials or exploiting a vulnerability.
- The attacker attempts to assign the ‘User Access Administrator’ role to themselves or another account they control.
- This assignment generates an ‘Administrative’ audit log event with the OperationName ‘Assigns the caller to user access admin’.
- The attacker now has the ability to manage user access to all Azure subscriptions within the tenant.
- The attacker creates new user accounts with elevated privileges within the subscriptions.
- The attacker leverages the newly created accounts to access sensitive resources and data.
- The attacker performs reconnaissance activities to identify critical assets and data stores.
- The attacker exfiltrates sensitive data or deploys malicious workloads within the compromised subscriptions.
Impact
A successful privilege escalation to the ‘User Access Administrator’ role can have severe consequences. It grants the attacker complete control over the Azure subscriptions, allowing them to access sensitive data, disrupt services, and potentially compromise the entire cloud environment. The number of affected subscriptions depends on the scope of the compromised account. This attack targets any organization utilizing Azure subscriptions and is particularly impactful for those storing sensitive data or running critical applications in the cloud.
Recommendation
- Deploy the provided Sigma rule “Azure Subscription Permission Elevation Via AuditLogs” to your SIEM and tune it for your environment to detect the ‘Assigns the caller to user access admin’ event in the Azure Audit Logs.
- Investigate any detected instances of this event to determine if the privilege elevation was authorized and legitimate.
- Review and enforce the principle of least privilege for all Azure accounts to minimize the impact of potential compromises; reference the Microsoft Entra documentation for guidance.
- Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to prevent unauthorized access via compromised credentials.
Detection coverage (2 rules)
Azure Subscription Permission Elevation Via AuditLogs
Severity: high. Detects when a user has been elevated to manage all Azure Subscriptions via the 'Assigns the caller to user access admin' event. This change should be investigated immediately if it isn't planned.
Azure Subscription Permission Elevation Via AuditLogs - Alternative Operation Name
Severity: high. Detects when a user has been elevated to manage all Azure Subscriptions using an alternative OperationName value, indicative of similar privilege escalation actions.
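The selection described in the recommendation and in the first coverage entry (an 'Administrative' audit event whose OperationName is 'Assigns the caller to user access admin') can be run locally over exported audit-log lines before it is tuned in a SIEM. The following Python is an added example written for this brief, not the Sigma rule itself or platform code. It assumes newline-delimited JSON with the field names Category, OperationName, Caller, TimeGenerated and ResultType (check these against your own export schema), compares strings case-insensitively as Sigma does by default, and skips malformed lines instead of aborting the sweep. The alternative OperationName used by the second rule is not given on this page, so the operation-name set below carries only the value the brief names; add the second value there once you have the full rule. The log lines are constructed for the example.

```python
import json
from typing import Iterable

# Operation names that indicate elevation to 'User Access Administrator'.
# Stored lower-case because the match below is case-insensitive.
# Only the value named in the brief is included; the second rule's
# alternative OperationName is not on this page and must be added by you.
ELEVATION_OPERATION_NAMES = {
    "assigns the caller to user access admin",
}

# Field names are assumptions about the audit-log export format.
CATEGORY_FIELD = "Category"
OPERATION_FIELD = "OperationName"
CALLER_FIELD = "Caller"
TIME_FIELD = "TimeGenerated"
RESULT_FIELD = "ResultType"


def is_subscription_elevation(event: dict) -> bool:
    """True when the event matches the rule's selection:
    Category == 'Administrative' AND OperationName is an elevation operation.
    Both comparisons are case-insensitive, mirroring Sigma's default matching."""
    category = str(event.get(CATEGORY_FIELD, "")).strip().lower()
    operation = str(event.get(OPERATION_FIELD, "")).strip().lower()
    return category == "administrative" and operation in ELEVATION_OPERATION_NAMES


def find_elevations(lines: Iterable[str]) -> list[dict]:
    """Scan newline-delimited JSON audit events and return one finding per match.
    Lines that are empty or not valid JSON are skipped, not fatal."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed export line: skip and keep scanning
        if not isinstance(event, dict):
            continue
        if is_subscription_elevation(event):
            findings.append({
                "line": line_no,
                "caller": event.get(CALLER_FIELD),
                "time": event.get(TIME_FIELD),
                "result": event.get(RESULT_FIELD),
                "operation": event.get(OPERATION_FIELD),
            })
    return findings


# Constructed sample export (not real log data). Line 2 and line 5 should
# match; line 3 has the right OperationName but the wrong Category, and
# line 4 is deliberately malformed to exercise the skip path.
SAMPLE_LOG = """
{"TimeGenerated": "2024-05-01T10:02:11Z", "Category": "Administrative", "OperationName": "Microsoft.Compute/virtualMachines/write", "Caller": "dev-ops@example.com", "ResultType": "Success"}
{"TimeGenerated": "2024-05-01T10:05:43Z", "Category": "Administrative", "OperationName": "Assigns the caller to user access admin", "Caller": "j.doe@example.com", "ResultType": "Success"}
{"TimeGenerated": "2024-05-01T10:06:00Z", "Category": "Policy", "OperationName": "Assigns the caller to user access admin", "Caller": "j.doe@example.com", "ResultType": "Success"}
this line is not JSON and should be skipped
{"TimeGenerated": "2024-05-01T10:09:27Z", "Category": "administrative", "OperationName": "ASSIGNS THE CALLER TO USER ACCESS ADMIN", "Caller": "svc-automation@example.com", "ResultType": "Success"}
""".strip()


def run_sample() -> list[dict]:
    """Run the detection over the constructed sample; used by the demo and tests."""
    return find_elevations(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(f"line {finding['line']}: {finding['time']} caller={finding['caller']} "
              f"result={finding['result']} op={finding['operation']}")
```

Each finding carries the caller and timestamp so the triage step in the recommendation (was this elevation planned?) can start from the alert itself; the 'Policy'-category line not matching is the point to keep in mind when tuning, since the rule keys on both fields, not on the operation name alone.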