Azure resource lock deleted

Goal

Detect when an Azure resource lock is deleted.

Strategy

Monitor Azure authorization logs for events where @evt.name is MICROSOFT.AUTHORIZATION/LOCKS/DELETE and @evt.outcome is Success. Resource locks prevent accidental deletion or modification of critical Azure resources. Removing a resource lock may be a precursor to unauthorized modification or deletion of protected resources.

Triage and response

  • Determine if {{@usr.id}} had a legitimate reason to delete the resource lock.
  • Identify which resource was unlocked and assess its criticality.
  • Review subsequent actions taken on the unlocked resource to determine if unauthorized modifications or deletions occurred.
  • Check for other suspicious activity from the same user or IP address around the same time.
  • Re-enable the resource lock if the change was unauthorized and verify no data loss has occurred.
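
The triage steps above can be scripted against exported log records. The following is an added example, not part of the original rule: it applies the rule's match condition, derives the unlocked scope from the lock's resource ID, and lists later successful DELETE/WRITE operations on that scope. The record layout (flat keys `name`, `outcome`, `user` standing in for @evt.name, @evt.outcome and @usr.id, plus `ts` and `resource_id`), the one-hour window and all sample values are assumptions made for the example.

```python
from datetime import datetime, timedelta

LOCK_DELETE = "MICROSOFT.AUTHORIZATION/LOCKS/DELETE"
LOCK_SEGMENT = "/providers/microsoft.authorization/locks/"

def locked_scope(lock_id):
    """Scope a lock protected: its resource ID up to the lock segment."""
    rid = lock_id.lower()
    idx = rid.rfind(LOCK_SEGMENT)
    return rid[:idx] if idx != -1 else None

def triage_lock_deletions(events, window=timedelta(hours=1)):
    """Pair each successful lock deletion with later successful DELETE/WRITE
    operations on the unlocked scope that fall inside the window."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if ev["name"].upper() != LOCK_DELETE or ev["outcome"] != "Success":
            continue
        scope = locked_scope(ev["resource_id"])
        if scope is None:
            continue
        follow_ups = []
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            name, rid = later["name"].upper(), later["resource_id"].lower()
            if name.startswith("MICROSOFT.AUTHORIZATION/LOCKS/") or later["outcome"] != "Success":
                continue
            # Exact match or child resource; "stprod2" must not match "stprod".
            if (rid == scope or rid.startswith(scope + "/")) and name.endswith(("/DELETE", "/WRITE")):
                follow_ups.append((name, later["user"], later["user"] == ev["user"]))
        findings.append({"user": ev["user"], "scope": scope, "follow_ups": follow_ups})
    return findings

def sample_events():
    """Constructed records; name/outcome/user stand in for @evt.name, @evt.outcome, @usr.id."""
    t0 = datetime(2024, 1, 1, 12, 0)
    rg = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
    st = rg + "/providers/Microsoft.Storage/storageAccounts/stprod"
    lock = st + "/providers/Microsoft.Authorization/locks/do-not-delete"
    ev = lambda m, n, o, u, r: {"ts": t0 + timedelta(minutes=m), "name": n, "outcome": o, "user": u, "resource_id": r}
    return [
        ev(0, LOCK_DELETE, "Success", "alice@example.com", lock),
        ev(5, "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE", "Success", "alice@example.com", st),
        ev(10, "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Success", "bob@example.com", st + "2"),
        ev(20, LOCK_DELETE, "Failure", "carol@example.com", lock),
        ev(180, "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Success", "alice@example.com", st),
    ]
```

Each follow-up tuple holds the operation name, the acting user, and whether that user is the one who deleted the lock; an empty list means no change to the unlocked scope was seen inside the window.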