Detection of Okta Administrator Role Assignment to User or Group
Detects the assignment of an Okta administrator role to a user or group, potentially indicating privilege escalation or persistence attempts by malicious actors.
The assignment of administrator roles within Okta to users or groups is a sensitive action that requires careful monitoring. While legitimate administrator actions can account for these events, malicious actors may attempt to escalate privileges or establish persistence by assigning themselves or their controlled groups administrative rights. This activity could lead to unauthorized access, data breaches, or disruption of services within the Okta environment. Defenders should prioritize monitoring these role assignments to identify and respond to potential threats promptly.
Attack Chain
- Compromise an Okta user account through phishing or credential stuffing.
- Leverage the compromised account to authenticate to the Okta environment.
- Identify an existing administrator account within the Okta organization.
- Impersonate the targeted admin user to assign admin roles.
- Assign the Okta Administrator role to either a compromised user account or a newly created rogue group.
- The user or members of the rogue group now possess elevated privileges within the Okta environment.
- The attacker leverages these elevated privileges to access sensitive applications, data, or configurations.
Impact
Successful assignment of administrator roles to unauthorized users can lead to severe consequences, including data breaches, unauthorized access to critical applications, and disruption of business operations. The impact can range from compromised user accounts to full control over the Okta tenant, affecting all integrated applications and services.
Recommendation
- Deploy the provided Sigma rule to detect anomalous Okta admin role assignments to users or groups, focusing on eventType: group.privilege.grant and eventType: user.account.privilege.grant.
- Investigate any alerts generated by the Sigma rule to determine the legitimacy of the role assignment and the user or group involved.
- Implement multi-factor authentication (MFA) for all Okta user accounts, especially those with administrative privileges, to mitigate the risk of account compromise.
- Regularly review Okta administrator role assignments and revoke any unnecessary privileges to minimize the attack surface.
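The recommendations above name the two Okta System Log event types the Sigma rule keys on. The following is an added example, not code from the original page or from the detection platform, that applies the same selection to a batch of newline-delimited System Log events and enriches each hit with the actor, the granted-to principal (user or group), the role name and whether the actor granted the role to their own account. The sample events are constructed for this example; the field layout (eventType, actor, target, outcome, debugContext.debugData.privilegeGranted) is assumed to follow the general Okta System Log shape, and the role name location in particular is an assumption.

```python
import json

# The two Okta System Log eventTypes named in the Recommendation section.
ADMIN_GRANT_EVENT_TYPES = {
    "group.privilege.grant",
    "user.account.privilege.grant",
}

# Constructed sample events (NDJSON), not real tenant data. The shape is an
# assumption modelled on Okta's System Log; adjust field paths to your export.
SAMPLE_LOG = """
{"eventType": "user.session.start", "actor": {"type": "User", "alternateId": "alice@example.test"}, "target": [], "outcome": {"result": "SUCCESS"}, "published": "2024-01-01T10:00:00Z"}
{"eventType": "user.account.privilege.grant", "actor": {"type": "User", "alternateId": "alice@example.test"}, "target": [{"type": "User", "alternateId": "alice@example.test"}], "outcome": {"result": "SUCCESS"}, "debugContext": {"debugData": {"privilegeGranted": "Super administrator"}}, "published": "2024-01-01T10:05:00Z"}
{"eventType": "group.privilege.grant", "actor": {"type": "User", "alternateId": "admin@example.test"}, "target": [{"type": "UserGroup", "displayName": "helpdesk-ops"}], "outcome": {"result": "SUCCESS"}, "debugContext": {"debugData": {"privilegeGranted": "Help Desk administrator"}}, "published": "2024-01-01T11:00:00Z"}
{"eventType": "user.account.privilege.grant", "actor": {"type": "User", "alternateId": "bob@example.test"}, "target": [{"type": "User", "alternateId": "carol@example.test"}], "outcome": {"result": "FAILURE"}, "published": "2024-01-01T12:00:00Z"}
"""


def parse_events(raw: str) -> list:
    """Parse NDJSON into event dicts, skipping blank or malformed lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line should not abort the whole batch
    return events


def matches_rule(event: dict) -> bool:
    """Sigma-style selection: eventType is one of the privilege-grant types."""
    return event.get("eventType") in ADMIN_GRANT_EVENT_TYPES


def build_alert(event: dict) -> dict:
    """Enrich a matching event with the fields an analyst needs for triage."""
    actor = event.get("actor") or {}
    targets = event.get("target") or []
    # The principal receiving the role is the User or UserGroup target entry.
    principal = next(
        (t for t in targets if t.get("type") in ("User", "UserGroup")), {}
    )
    principal_name = (
        principal.get("alternateId") or principal.get("displayName") or "<unknown>"
    )
    actor_name = actor.get("alternateId") or "<unknown>"
    debug_data = (event.get("debugContext") or {}).get("debugData") or {}
    role = debug_data.get("privilegeGranted", "<unknown>")
    return {
        "published": event.get("published"),
        "eventType": event["eventType"],
        "actor": actor_name,
        "principal": principal_name,
        "principal_type": principal.get("type", "<unknown>"),
        "role": role,
        "result": (event.get("outcome") or {}).get("result", "<unknown>"),
        # An actor granting a role to their own account matches the
        # self-escalation step in the attack chain; flag it for priority triage.
        "self_grant": actor_name == principal_name,
    }


def detect(raw: str) -> list:
    """Run the rule over an NDJSON batch and return one alert per match."""
    return [build_alert(e) for e in parse_events(raw) if matches_rule(e)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Failed grants are deliberately kept as alerts rather than filtered out: a FAILURE outcome on a privilege-grant attempt is still evidence that someone tried, and the result field lets the triage queue sort them. The self_grant flag is the enrichment most worth keeping when porting this into a SIEM, since a user granting an admin role to their own account is the pattern the attack chain describes.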
Detection coverage (2 rules)
Okta Admin Role Assigned to User or Group
Severity: medium. Detects when the Administrator role is assigned to a user or group in Okta.
Okta Group Privilege Grant Activity
Severity: medium. Detects granting of privileges to a group in Okta, which can be used for privilege escalation.