Azure Privilege Anomaly: Root Scope
Detection overview
Triggers
- Unusual use of a highly permissive role observed within a Root Scope.
Possible Root Causes
- Unauthorized Access: An attacker is leveraging elevated permissions to gain additional or persistent access to the environment.
- Administrative Use: An administrator is using a highly permissive role to facilitate complete access to the environment.
Business Impact
- Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.
Steps to Verify
- Investigate the Principal: Review the identity that performed the actions for other signs of malicious activity.
- Review Privileges: Assess whether this account should have the assigned level of privilege based on their normal duties.
- If Malicious Actions or High-Risk Configurations Are Suspected:
- Revert any unauthorized configuration changes.
- Disable credentials associated with the alert to prevent further misuse.
- Conduct a comprehensive investigation to determine the initial compromise and scope of impacted resources.
Azure Privilege Anomaly: Root Scope
Possible root causes
Malicious Detection
Benign Detection
Azure Privilege Anomaly: Root Scope
Example scenarios
Azure Privilege Anomaly: Root Scope
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Privilege Anomaly: Root Scope
Steps to investigate
Azure Privilege Anomaly: Root Scope
MITRE ATT&CK techniques covered
Azure Privilege Anomaly: Root Scope
Related detections
No items found.