Threat Feed
high advisory

Azure Subscription Permission Elevation via Activity Logs

An attacker elevates their Azure subscription permissions to manage all subscriptions, potentially leading to unauthorized access and control over the environment.

This threat involves the elevation of user permissions within an Azure environment to manage all Azure subscriptions. While legitimate administrators may perform this action, unauthorized elevation of permissions can grant an attacker significant control over the entire Azure environment. This could be an insider threat or a compromised account being used to broaden access. The activity is logged within Azure Activity Logs, providing an opportunity for detection. Defenders should be aware of this potential escalation path and monitor for unexpected or unauthorized permission changes.

Attack Chain

  1. The attacker gains initial access to an Azure account, potentially through compromised credentials (T1078.004).
  2. The attacker authenticates to the Azure portal or uses Azure CLI/PowerShell with the compromised account.
  3. The attacker attempts to elevate their permissions using the MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION operation.
  4. Azure Activity Logs record the attempt to elevate permissions.
  5. If successful, the attacker gains management access to all Azure subscriptions within the tenant.
  6. The attacker can then provision resources, modify configurations, and access data within those subscriptions.
  7. The attacker might establish persistence by creating new user accounts with elevated privileges or modifying existing roles.
  8. The attacker can then exfiltrate sensitive data or disrupt services within the Azure environment.

Impact

Successful elevation of permissions to manage all Azure subscriptions allows an attacker to control all resources, data, and configurations within the Azure environment. This can lead to data breaches, service disruptions, financial loss, and reputational damage. The scope of impact depends on the sensitivity of the data stored within Azure and the criticality of the services hosted there.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect unauthorized MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION operations in Azure Activity Logs.
  • Investigate any detected instances of MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION immediately, as outlined in the rule description.
  • Implement multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise.
  • Review and enforce the principle of least privilege for Azure role assignments.
  • Monitor Azure Activity Logs for other suspicious activities, such as unusual resource creation or modification.

Detection coverage (2 rules)

Azure Subscription Permission Elevation Via ActivityLogs

high

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned.

Format: sigma
Tactics: initial-access, persistence, privilege-escalation, stealth
Techniques: T1078.004
Sources: azure, activitylogs

Azure Subscription Role Assignment - Potential Privilege Escalation

medium

Detects creation of new role assignments at the subscription level, which can be used for privilege escalation.

Format: sigma
Tactics: privilege-escalation
Techniques: T1068
Sources: azure, activitylogs
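The detection logic of both rules above, applied to a constructed Activity Log export, as an added example (not the platform's rule queries or the Sigma authors' code): it flags any ELEVATEACCESS operation and any role assignment written directly at subscription scope. The JSON field names (operationName, caller, resourceId, resultType) follow the Activity Log export schema, the sample values are placeholders, and deciding "subscription-level" from the resourceId path is this example's own interpretation.

```python
import json
from typing import Iterable, List, Optional, Tuple

# Rule operation names, compared case-insensitively (rule text is upper case, log records mixed case).
ELEVATE_ACCESS_OP = "microsoft.authorization/elevateaccess/action"
ROLE_ASSIGNMENT_WRITE_OP = "microsoft.authorization/roleassignments/write"

# Constructed sample records (not real tenant data); subscription and assignment ids are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_LOG_LINES = [
    '{"operationName": "Microsoft.Authorization/elevateAccess/action", "caller": "admin@example.test",'
    ' "resourceId": "/providers/Microsoft.Authorization", "resultType": "Success"}',
    '{"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "admin@example.test",'
    f' "resourceId": "{SUB}/providers/Microsoft.Authorization/roleAssignments/aaaa", "resultType": "Success"}}',
    '{"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "dev@example.test",'
    f' "resourceId": "{SUB}/resourceGroups/rg-app/providers/Microsoft.Authorization/roleAssignments/bbbb", "resultType": "Success"}}',
    '{"operationName": "Microsoft.Compute/virtualMachines/start/action", "caller": "dev@example.test",'
    f' "resourceId": "{SUB}/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1", "resultType": "Success"}}',
]

def is_subscription_scope(resource_id: str) -> bool:
    """True when a role assignment sits directly under a subscription (no resource group / resource segment)."""
    parts = [p for p in resource_id.lower().split("/") if p]
    return (len(parts) >= 5 and parts[0] == "subscriptions"
            and parts[2:5] == ["providers", "microsoft.authorization", "roleassignments"])

def classify(record: dict) -> Optional[str]:
    """Return the name of the rule a record matches, or None when it matches neither."""
    op = str(record.get("operationName", "")).lower()
    if op == ELEVATE_ACCESS_OP:
        return "Azure Subscription Permission Elevation Via ActivityLogs"
    if op == ROLE_ASSIGNMENT_WRITE_OP and is_subscription_scope(str(record.get("resourceId", ""))):
        return "Azure Subscription Role Assignment - Potential Privilege Escalation"
    return None

def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse one JSON record per line and return (rule name, caller) hits in input order."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        rule = classify(record)
        if rule:
            hits.append((rule, str(record.get("caller", "<unknown>"))))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG_LINES))  # two hits, both by admin@example.test; the resource-group assignment is not flagged
```

Each hit is a record to investigate immediately if the change was not planned, as the rule description says; the resource-group-scoped assignment is deliberately ignored because the second rule is scoped to subscription-level assignments.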

Detection queries are kept inside the platform.