From 26ae440bd035923f5ee01f1e94a008219100ffad Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 26 Nov 2021 11:32:57 -0600
Subject: [PATCH 1/8] auditlogs_azure_subscription_permissions_elevation.yml
---
 ...ure_subscription_permissions_elevation.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/cloud/azure/auditlogs_azure_subscription_permissions_elevation.yml
diff --git a/rules/cloud/azure/auditlogs_azure_subscription_permissions_elevation.yml b/rules/cloud/azure/auditlogs_azure_subscription_permissions_elevation.yml
new file mode 100644
index 000000000..2be150efc
--- /dev/null
+++ b/rules/cloud/azure/auditlogs_azure_subscription_permissions_elevation.yml
@@ -0,0 +1,22 @@
+title: Azure Subscription Permission Elevation Via AuditLogs
+id: ca9bf243-465e-494a-9e54-bf9fc239057d
+status: experimental
+author: Austin Songer @austinsonger
+date: 2021/11/26
+description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation
+logsource:
+ product: azure
+ service: azure.auditlogs
+detection:
+ selection:
+ Category: 'Administrative'
+ OperationName: 'Assigns the caller to user access admin'
+ condition: selection
+level: High
+falsepositives:
+ - If this was approved by System Administrator.
+tags:
+ - attack.initial_access
+ - attack.t1078
From 5e42b73a92da8cf780d7198093ee9a4024392b18 Mon Sep 17 00:00:00 2001
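Review bot: The `tags` block at the end of the new rule maps the detection to `attack.initial_access`, but the selected operation (`Assigns the caller to user access admin`) records an already-authenticated tenant administrator elevating themselves to User Access Administrator over all subscriptions, which is a privilege-escalation step rather than an initial-access one; the activitylogs rule added in the next patch carries the same tags. Suggest `- attack.privilege_escalation` in place of `- attack.initial_access`, and `- attack.t1078.004` (cloud accounts) is the more specific sub-technique if the T1078 mapping is kept. The `falsepositives` entry would also be more actionable if it pointed analysts at where an approved elevation is expected to be recorded, e.g. `- Approved elevation documented in a change ticket or break-glass procedure`.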
From: Austin Songer
Date: Fri, 26 Nov 2021 11:33:37 -0600
Subject: [PATCH 2/8] activitylogs_azure_subscription_permissions_elevation.yml
---
 ...ure_subscription_permissions_elevation.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml
diff --git a/rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml b/rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml
new file mode 100644
index 000000000..88c444c19
--- /dev/null
+++ b/rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml
@@ -0,0 +1,22 @@
+title: Azure Subscription Permission Elevation Via ActivityLogs
+id: 09438caa-07b1-4870-8405-1dbafe3dad95
+status: experimental
+author: Austin Songer @austinsonger
+date: 2021/11/26
+description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
+logsource:
+ product: azure
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
+ condition: selection
+level: High
+falsepositives:
+ - If this was approved by System Administrator.
+tags:
+ - attack.initial_access
+ - attack.t1078
From d78bbb9333145c36aee74e2ace05b58302e4d92d Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 26 Nov 2021 11:42:32 -0600
Subject: [PATCH 3/8] Update activitylogs_azure_subscription_permissions_elevation.yml
---
 .../activitylogs_azure_subscription_permissions_elevation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
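Review bot: The selection in the new activitylogs rule constrains only `properties.message`, so it presumably fires on every activity-log record for the elevate-access operation, including the separate Started and Succeeded records Azure emits for one operation and any failed attempts; if one alert per elevation is intended, the description should say so or the selection should also constrain the record's status field, with the exact field name checked against the ingested schema. Matching the operation through `properties.message` follows sibling `azure.activitylogs` rules, but the operation identifier is normally carried in `operationName`, so confirm the target pipeline actually populates `properties.message` with `MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION` before relying on it. The one-element list under `properties.message` can be written as a scalar, `properties.message: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION`, which matches the style of the auditlogs rule in the previous patch.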
diff --git a/rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml b/rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml
index 88c444c19..d03e4fc0d 100644
--- a/rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml
+++ b/rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml
@@ -13,7 +13,7 @@ detection:
 selection:
 properties.message:
 - MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
- condition: selection
+ condition: selection
 level: High
 falsepositives:
 - If this was approved by System Administrator.
From 8e78578892745d17c1efdef92a25dea15f96480d Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 26 Nov 2021 12:07:21 -0600
Subject: [PATCH 4/8] Update activitylogs_azure_subscription_permissions_elevation.yml
---
 .../activitylogs_azure_subscription_permissions_elevation.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml b/rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml
index d03e4fc0d..a2c337934 100644
--- a/rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml
+++ b/rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml
@@ -10,10 +10,10 @@ logsource:
 product: azure
 service: azure.activitylogs
 detection:
- selection:
+ selection1:
 properties.message:
 - MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
- condition: selection
+ condition: selection1
 level: High
 falsepositives:
 - If this was approved by System Administrator.
From 550846202907d48e9c3192125c3cb8c5e6473cc8 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 26 Nov 2021 12:08:13 -0600
Subject: [PATCH 5/8] Rename auditlogs_azure_subscription_permissions_elevation.yml to azure_subscription_permissions_elevation_via_auditlogs.yml
---
 ...=> azure_subscription_permissions_elevation_via_auditlogs.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/cloud/azure/{auditlogs_azure_subscription_permissions_elevation.yml => azure_subscription_permissions_elevation_via_auditlogs.yml} (100%)
diff --git a/rules/cloud/azure/auditlogs_azure_subscription_permissions_elevation.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml
similarity index 100%
rename from rules/cloud/azure/auditlogs_azure_subscription_permissions_elevation.yml
rename to rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml
From 92f3705bd96d19939897562473e6d1090af5e048 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 26 Nov 2021 12:08:43 -0600
Subject: [PATCH 6/8] Update and rename activitylogs_azure_subscription_permissions_elevation.yml to azure_subscription_permissions_elevation_via_activitylogs.yml
---
 ...azure_subscription_permissions_elevation_via_activitylogs.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/cloud/azure/{activitylogs_azure_subscription_permissions_elevation.yml => azure_subscription_permissions_elevation_via_activitylogs.yml} (100%)
diff --git a/rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml
similarity index 100%
rename from rules/cloud/azure/activitylogs_azure_subscription_permissions_elevation.yml
rename to rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml
From 7e0634e43cf804b07ced6ac1cf5891a2f6041ec6 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 26 Nov 2021 13:42:39 -0600
Subject: [PATCH 7/8] Update azure_subscription_permissions_elevation_via_activitylogs.yml
---
 ...zure_subscription_permissions_elevation_via_activitylogs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml
index a2c337934..712a9aaaa 100644
--- a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml
+++ b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml
@@ -14,7 +14,7 @@ detection:
 properties.message:
 - MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
 condition: selection1
-level: High
+level: high
 falsepositives:
 - If this was approved by System Administrator.
 tags:
From 98084e857c72fb547b0af7fc1343b36ef4ea49aa Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 26 Nov 2021 13:42:48 -0600
Subject: [PATCH 8/8] Update azure_subscription_permissions_elevation_via_auditlogs.yml
---
 .../azure_subscription_permissions_elevation_via_auditlogs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml
index 2be150efc..798468f2d 100644
--- a/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml
+++ b/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml
@@ -14,7 +14,7 @@ detection:
 Category: 'Administrative'
 OperationName: 'Assigns the caller to user access admin'
 condition: selection
-level: High
+level: high
 falsepositives:
 - If this was approved by System Administrator.
 tags: