Merge pull request #2321 from austinsonger/Azure-Subscription-Permission-Elevation

Azure subscription permission elevation
frack113
2021-11-27 07:47:54 +01:00
committed by GitHub
2 changed files with 44 additions and 0 deletions
@@ -0,0 +1,22 @@
title: Azure Subscription Permission Elevation Via ActivityLogs
id: 09438caa-07b1-4870-8405-1dbafe3dad95
status: experimental
author: Austin Songer @austinsonger
date: 2021/11/26
description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
logsource:
product: azure
service: azure.activitylogs
detection:
selection1:
properties.message:
- MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
condition: selection1
level: high
falsepositives:
- If this was approved by System Administrator.
tags:
- attack.initial_access
- attack.t1078
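Review bot: `properties.message` is the wrong field for this match; in the Azure Activity Log schema the operation is carried in `operationName`, so the selection on `MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION` under `properties.message` will not match events shaped like the documented schema. Suggest `operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION` (a scalar is enough; the single-item list under `selection1` adds nothing). Two smaller points: the description says the user is elevated to manage all subscriptions, which is privilege escalation rather than initial access, so `attack.privilege_escalation` fits better alongside `attack.t1078` (T1078 is valid under both tactics); and the falsepositives entry "If this was approved by System Administrator." is a sentence fragment, where Sigma rules use a noun phrase such as "Legitimate elevation approved by a system administrator".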
@@ -0,0 +1,22 @@
title: Azure Subscription Permission Elevation Via AuditLogs
id: ca9bf243-465e-494a-9e54-bf9fc239057d
status: experimental
author: Austin Songer @austinsonger
date: 2021/11/26
description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation
logsource:
product: azure
service: azure.auditlogs
detection:
selection:
Category: 'Administrative'
OperationName: 'Assigns the caller to user access admin'
condition: selection
level: high
falsepositives:
- If this was approved by System Administrator.
tags:
- attack.initial_access
- attack.t1078
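Review bot: the `Category: 'Administrative'` term is not backed by the cited reference, whose anchor documents the activity name "Assigns the caller to user access admin" only; if the real audit event carries a different category value, the AND with `OperationName` silently suppresses the match. Either verify the value against a live event before keeping it, or drop the Category term and match on `OperationName` alone. The same two remarks as for the ActivityLogs rule apply here: the behaviour described is privilege escalation, so `attack.privilege_escalation` belongs in the tags next to `attack.t1078`, and the falsepositives entry should be a noun phrase rather than a sentence fragment. Since this rule and the ActivityLogs rule cover the same elevation from two log sources with identical descriptions, cross-referencing the two rule ids via `related:` would help maintainers keep them in sync.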