Azure AD escalation from Global Administrator to User Access Administrator

azure

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1098-account-manipulation

Set up the azure integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detect when a Global Administrator elevates their Azure Active Directory permissions to User Access Administrator in Azure RBAC. This may indicate an attacker with Azure Active Directory privileges is seeking to gain control over Azure resources.

Strategy

Monitor Azure Active Directory audit logs for the following events:

  • User has elevated their access to User Access Administrator for their Azure Resources

Triage and Response

  1. Verify if this activity is associated with expected administrator activities.
  2. If not, investigate activity by the account associated with this alert ({{@usr.id}}) around the time of this event, including any permissions modifications made to Azure RBAC assignments.