Azure AD Privileged Graph API Permission Assignment
Detection of high-risk Graph API permission assignments (Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory) in Azure AD, potentially leading to unauthorized modifications and security breaches.
This threat brief focuses on the assignment of privileged Graph API permissions within Azure Active Directory (Azure AD). Attackers, including groups like NOBELIUM, may attempt to assign themselves or compromised applications excessive permissions to maintain persistence, escalate privileges, or achieve other malicious objectives within the cloud environment. The permissions of concern are Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory, as these grant broad control over applications, role assignments, and directory settings. The detection leverages Azure AD audit logs specifically monitoring 'Update application' operations. Successful exploitation can lead to unauthorized modifications and potential security breaches, compromising the integrity and security of the Azure AD environment. This activity became particularly relevant after the Midnight Blizzard attack, highlighting the need for robust monitoring of Azure AD permission changes.
Attack Chain
- An attacker gains initial access to an Azure AD account, possibly through credential theft or phishing.
- The attacker authenticates to the Azure portal or uses the Azure CLI with the compromised account.
- The attacker identifies an existing application registration within Azure AD that they can modify.
- Using the compromised account, the attacker attempts to update the application registration.
- The attacker assigns one or more of the following high-risk Graph API permissions to the application: Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, or RoleManagement.ReadWrite.Directory. This involves modifying the
requiredAppPermissionsproperty of the application object. - The Azure AD audit log records an "Update application" event with the modified
requiredAppPermissions. - The attacker uses the application's newly acquired permissions to perform malicious actions, such as reading or modifying application configurations, role assignments, or directory settings.
- The attacker maintains persistence by leveraging the application's elevated privileges for ongoing unauthorized access and control.
Impact
Successful assignment of these permissions can lead to a complete compromise of the Azure AD environment. An attacker can modify application configurations, create or delete users, assign roles, and potentially gain access to other connected resources and services. The impact can range from data breaches and service disruption to complete control over the organization's cloud identity infrastructure. This is a critical issue, especially in light of recent nation-state attacks targeting Azure AD, as highlighted by Microsoft's guidance on the Midnight Blizzard attack.
Recommendation
- Deploy the provided Sigma rule
Azure AD Privileged Graph API Permission Assignedto your SIEM, ensuring it is tuned to your environment, and enable the data source:azure_monitor_aadwith categoryAuditLogs. - Investigate any alerts triggered by the Sigma rule
Azure AD Privileged Graph API Permission Assignedimmediately to determine if the permission assignment was authorized. - Review application registrations in Azure AD and identify any applications with excessive or unnecessary permissions.
- Monitor Azure AD audit logs for any modifications to application registrations, focusing on changes to the
requiredAppPermissionsproperty. - Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential theft.
Detection coverage 2
Azure AD Privileged Graph API Permission Assigned
criticalDetects the assignment of high-risk Graph API permissions in Azure AD audit logs.
Azure AD Application Update - Non Privileged Permission Change
lowDetects any update to Azure AD application permissions excluding high risk API permissions.
Detection queries are available on the platform. Get full rules →