Detectionmediumtest

User Added to an Administrator's Azure AD Role

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Raphaël CALVETCreated Mon Oct 04Updated Sun Oct 09ebbeb024-5b1d-4e16-9c0c-917f86c708a7cloud

Log Source

Azureactivitylogs

ProductAzure← raw: azure

Serviceactivitylogs← raw: activitylogs

Detection Logic

detection:
    selection:
        Operation: 'Add member to role.'
        Workload: 'AzureActiveDirectory'
        ModifiedProperties{}.NewValue|endswith:
            - 'Admins'
            - 'Administrator'
    condition: selection

False Positives

PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.

References

Resolving title…

m365internals.com

MITRE ATT&CK

Tactics

TA0001 · Initial Access TA0005 · Defense Evasion TA0003 · Persistence TA0004 · Privilege Escalation

Techniques

T1078 · Valid Accounts

Sub-techniques

T1098.003 · Additional Cloud Roles

Rule Metadata

Rule ID

ebbeb024-5b1d-4e16-9c0c-917f86c708a7

Status

test

Level

medium

Type

Detection

Created

Mon Oct 04

Modified

Sun Oct 09

Author

Raphaël CALVET

Path

rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml

Raw Tags

attack.initial-accessattack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1098.003attack.t1078

View on GitHub