Azure Subscription Admin Privilege Granting
Detection overview
Triggers
- Assignment of a highly permissive role to an entity at the Subscription scope level.
Possible Root Causes
- Unauthorized Privilege Escalation: An attacker is modifying permissions to gain additional or persistent access to the environment.
- Administrative Change: An administrator has been granted a highly permissive role to facilitate complete access to the environment.
Business Impact
- Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.
Steps to Verify
- Investigate the Principal: Review the identity that performed the role assignment for other signs of malicious activity.
- Validate Privilege Justification: Assess whether the entity should have the assigned level of privilege based on their normal duties.
- If Malicious Actions or High-Risk Configurations Are Suspected:
- Revert any unauthorized configuration changes.
- Disable credentials associated with this alert to prevent further misuse.
- Conduct a comprehensive investigation to determine the initial compromise and scope of impacted resources.
Azure Subscription Admin Privilege Granting
Possible root causes
Malicious Detection
Benign Detection
Azure Subscription Admin Privilege Granting
Example scenarios
Azure Subscription Admin Privilege Granting
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Subscription Admin Privilege Granting
Steps to investigate
Azure Subscription Admin Privilege Granting
MITRE ATT&CK techniques covered
Azure Subscription Admin Privilege Granting
Related detections
No items found.