Detection of Privileged Azure AD Role Assignment
Detection of privileged Azure AD role assignments to users, which can indicate persistence and privilege escalation by threat actors.
This brief addresses the threat of unauthorized or malicious assignment of privileged roles in Azure Active Directory (Azure AD). Threat actors may compromise user accounts and subsequently assign them privileged roles to maintain persistence, escalate privileges, and gain long-term control over the Azure AD environment. The technique involves manipulating user roles to gain administrative access, potentially leading to data breaches, service disruption, or further lateral movement within the cloud environment. This activity can be detected by monitoring Azure AD audit logs for "Add member to role" operations. Successful exploitation can enable the adversary to establish backdoors, exfiltrate sensitive data, or disrupt critical business processes.
Attack Chain
- An attacker gains initial access to a low-privilege user account through credential theft or phishing.
- The attacker attempts to assign a privileged role, such as Global Administrator or Security Administrator, to the compromised account. This is done by calling the Azure AD API or using the Azure portal.
- The "Add member to role" operation is logged in the Azure AD audit logs.
- The system checks if the user attempting the role assignment has the necessary permissions to perform this action. If not, the attempt fails (detection opportunity).
- If the attacker has sufficient permissions (e.g., they compromised an account that can assign roles), the privileged role is successfully assigned to the compromised account.
- The attacker leverages the newly assigned privileged role to access sensitive data, modify configurations, or create new administrative accounts.
- The attacker establishes persistence by creating backdoors, such as adding new service principals with elevated permissions.
- The attacker exfiltrates sensitive data or performs other malicious activities using the compromised account with the newly acquired privileges.
Impact
Successful assignment of privileged roles in Azure AD can have severe consequences. Attackers can gain complete control over the Azure AD tenant, potentially impacting thousands of users and applications. Data breaches, service disruptions, and financial losses are all possible outcomes. The compromised account can be used to create new administrative accounts, further solidifying the attacker's foothold. The impact extends to all services integrated with Azure AD, including Microsoft 365, Azure resources, and other cloud applications.
Recommendation
- Deploy the Sigma rule
Azure AD Privileged Role Assignedto your SIEM to detect unauthorized role assignments based on theazure:monitor:aadsourcetype. - Investigate any detected instances of privileged role assignments, focusing on the
userandinitiatedByfields to identify potentially compromised accounts. - Review and harden Azure AD role assignment policies to minimize the risk of unauthorized privilege escalation, referencing the Microsoft documentation links in the references section.
- Enable multi-factor authentication (MFA) for all users, especially those with administrative privileges, to mitigate the risk of credential theft.
- Regularly audit Azure AD role assignments to identify and remove any unnecessary privileges, referencing the MITRE ATT&CK technique T1098.003.
Detection coverage 2
Azure AD Privileged Role Assigned
highDetects the assignment of privileged Azure AD roles to a user based on Azure AD audit logs.
Azure AD Role Assignment by Unfamiliar User
mediumDetects role assignments by users that are not typically seen assigning roles.
Detection queries are available on the platform. Get full rules →