<  Back to rules search

Azure AD member assigned built-in Administrator role

azure

Classification:

attack

Tactic:

Technique:

Set up the azure integration.

Goal

Detect an Azure Active Directory (Azure AD) member being added to a built-in Administrative role.

Strategy

Monitor Azure AD Audit logs for the following operations:

  • @evt.name:"Add member to role"
  • @properties.targetResources.modifiedProperties.newValue:*Administrator*

Azure AD uses roles to assign privileges to users. There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:

This whitepaper from Mandiant describes the abuse of Azure AD privileged roles.

Triage and response

  1. Determine if {{@usr.id}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Begin your organization’s incident response (IR) process and investigate.
  1. If the API call was made legitimately by the user:
  • Determine if {{@usr.id}} was authorized to make the change.
  • Follow Microsoft’s best practices where possible to ensure the user was assigned the correct level of privileges for their function.