Detectionmediumtest
Privileged Account Creation
Detects when a new admin is created.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Mark Morowczynski, Yochana Henderson, Tim SheltonCreated Thu Aug 11Updated Tue Aug 16f7b5b004-dece-46e4-a4a5-f6fd0e1c6947cloud
Log Source
Azureauditlogs
ProductAzure← raw: azure
Serviceauditlogs← raw: auditlogs
Detection Logic
Detection Logic1 selector
detection:
selection:
properties.message|contains|all:
- Add user
- Add member to role
Status: Success
condition: selectionFalse Positives
A legitimate new admin account being created
References
MITRE ATT&CK
Rule Metadata
Rule ID
f7b5b004-dece-46e4-a4a5-f6fd0e1c6947
Status
test
Level
medium
Type
Detection
Created
Thu Aug 11
Modified
Tue Aug 16
Path
rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
Raw Tags
attack.initial-accessattack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1078.004