Azure Subscription Admin Privilege Granting

Detection overview

Triggers

  • Assignment of a highly permissive role to an entity at the Subscription scope level.

Possible Root Causes

  • Unauthorized Privilege Escalation: An attacker is modifying permissions to gain additional or persistent access to the environment.
  • Administrative Change: An administrator has been granted a highly permissive role to facilitate complete access to the environment.

Business Impact

  • Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.

Steps to Verify

  • Investigate the Principal: Review the identity that performed the role assignment for other signs of malicious activity.
  • Validate Privilege Justification: Assess whether the entity should have the assigned level of privilege based on their normal duties.
  • If Malicious Actions or High-Risk Configurations Are Suspected:
    • Revert any unauthorized configuration changes.
    • Disable credentials associated with this alert to prevent further misuse.
    • Conduct a comprehensive investigation to determine the initial compromise and scope of impacted resources.
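The trigger above (a highly permissive role assigned at subscription scope) and the first verification step (review the identity that performed the assignment) can both be worked through on Azure Activity Log data. The following is an added example, not code from the original page or from any vendor; it assumes the flattened Activity Log record shape (`operationName`, `status`, `caller`, `properties.requestbody`) and uses the Microsoft-published GUIDs for the Owner, Contributor and User Access Administrator built-in roles. The subscription ID, caller names and principal IDs are constructed sample data.

```python
import json
import re

# Built-in Azure role definition GUIDs (Microsoft-published values) whose
# assignment at subscription scope grants effectively complete control.
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
USER_ACCESS_ADMIN = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
HIGH_PRIVILEGE_ROLES = {
    OWNER: "Owner",
    CONTRIBUTOR: "Contributor",
    USER_ACCESS_ADMIN: "User Access Administrator",
}

# Exactly the subscription scope. Resource-group or resource scopes carry
# further path segments and deliberately do not match.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]{36}/?$", re.IGNORECASE)
ROLE_ASSIGNMENT_WRITE = "microsoft.authorization/roleassignments/write"


def _lower_keys(obj):
    """Recursively lowercase dict keys; the request body uses mixed casing."""
    if isinstance(obj, dict):
        return {k.lower(): _lower_keys(v) for k, v in obj.items()}
    return obj


def classify_event(event):
    """Return a finding dict if the event is a successful high-privilege role
    assignment at subscription scope, otherwise None."""
    if event.get("operationName", "").lower() != ROLE_ASSIGNMENT_WRITE:
        return None
    if event.get("status", "").lower() != "succeeded":
        return None
    body = event.get("properties", {}).get("requestbody")
    if not body:
        return None
    if isinstance(body, str):
        body = json.loads(body)
    assignment = _lower_keys(body).get("properties", {})
    scope = assignment.get("scope", "")
    # RoleDefinitionId is a full resource path; the role GUID is its last segment.
    role_id = assignment.get("roledefinitionid", "").rsplit("/", 1)[-1].lower()
    role_name = HIGH_PRIVILEGE_ROLES.get(role_id)
    if role_name is None or not SUBSCRIPTION_SCOPE.match(scope):
        return None
    return {
        "caller": event.get("caller"),
        "principal": assignment.get("principalid"),
        "principal_type": assignment.get("principaltype"),
        "role": role_name,
        "scope": scope,
        "time": event.get("eventTimestamp"),
    }


def findings_by_caller(events):
    """Group matching events by the identity that performed the assignment,
    which is the first thing the verification steps ask an analyst to review."""
    by_caller = {}
    for ev in events:
        finding = classify_event(ev)
        if finding:
            by_caller.setdefault(finding["caller"], []).append(finding)
    return by_caller


# ---- constructed sample data (assumed record shape, not real log output) ----
SUB = "11111111-2222-3333-4444-555555555555"
NON_ADMIN_ROLE = "00000000-0000-0000-0000-000000000000"  # placeholder, not in the set


def _sample_event(caller, role_guid, scope, status="Succeeded", principal_type="User"):
    body = {
        "Id": "cccccccc-0000-0000-0000-000000000001",
        "Properties": {
            "PrincipalId": "bbbbbbbb-0000-0000-0000-000000000001",
            "PrincipalType": principal_type,
            "RoleDefinitionId": f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_guid}",
            "Scope": scope,
        },
    }
    return {
        "operationName": "Microsoft.Authorization/roleAssignments/write",
        "status": status,
        "caller": caller,
        "eventTimestamp": "2024-01-01T00:00:00Z",
        "properties": {"requestbody": json.dumps(body)},
    }


SAMPLE_EVENTS = [
    _sample_event("alice@example.com", OWNER, f"/subscriptions/{SUB}"),                  # fires
    _sample_event("bob@example.com", CONTRIBUTOR, f"/subscriptions/{SUB}/resourceGroups/rg-prod"),  # RG scope: no
    _sample_event("bob@example.com", NON_ADMIN_ROLE, f"/subscriptions/{SUB}"),           # low-priv role: no
    _sample_event("carol@example.com", OWNER, f"/subscriptions/{SUB}", status="Failed"), # not succeeded: no
    _sample_event("ci-pipeline@example.com", USER_ACCESS_ADMIN, f"/subscriptions/{SUB}",
                  principal_type="ServicePrincipal"),                                    # fires
]

if __name__ == "__main__":
    for caller, hits in findings_by_caller(SAMPLE_EVENTS).items():
        print(caller, [(h["role"], h["principal_type"]) for h in hits])
```

Matching on the assignment's `Scope` rather than the event's resource ID is what keeps resource-group grants of the same roles out of this detection; those are noisier and belong to a separate, lower-severity rule. The grouped output gives the analyst the per-caller view needed to decide between the "administrative change" and "unauthorized privilege escalation" root causes listed above.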