Azure Suspect Key Vault Privilege Granting

Detection overview

Triggers

  • Assignment of a privileged Key Vault role to an entity for a given Key Vault.

Possible Root Causes

  • Unauthorized Privilege Escalation: An attacker is assigning permissions to an entity to gain additional or persistent access to the environment.
  • Administrative Change: An administrator has been granted a highly permissive role to enable full access to the Key Vault.

Business Impact

  • Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing toward their objective, increasing the risk of material impact.

Steps to Verify

  • Investigate the Principal: Review the identity that performed the role assignment for other signs of malicious activity.
  • Validate Privilege Justification: Assess whether the entity should have the assigned level of privilege based on their normal duties.
  • If Malicious Actions or High-Risk Configurations Are Suspected:
    • Revert any unauthorized configuration changes.
    • Disable credentials associated with this alert to prevent further misuse.
    • Conduct a comprehensive investigation to determine the initial compromise and scope of impacted resources.
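
The trigger above (a privileged Key Vault role assigned on a vault scope) and the first two verification steps (investigate the principal, validate the privilege) can be reproduced as a small triage script. The following is an added example and is not part of the original detection page or any vendor's detection logic. It assumes a simplified, constructed event shape loosely modelled on Azure Activity Log records: the operation name `Microsoft.Authorization/roleAssignments/write` and the resource type `Microsoft.KeyVault/vaults` are real Azure identifiers, while the sample records, the field names (`caller`, `principal`, `roleName`, `scope`, `status`) and the list of roles treated as privileged are constructed for the example and would be tuned per environment. It goes slightly beyond the text by rolling findings up per caller, which is the pivot an analyst needs for the "investigate the principal" step.

```python
"""Triage of Key Vault role-assignment events (added example, not the page's own code).

The records below are constructed, with roleDefinitionId already resolved to a
role name; real Activity Log records carry the role definition id instead.
"""
import json
import re
from collections import defaultdict

# Real Azure identifiers for the control-plane operation and the vault resource type.
ROLE_ASSIGN_OP = "Microsoft.Authorization/roleAssignments/write"
VAULT_SCOPE_RE = re.compile(r"/providers/Microsoft\.KeyVault/vaults/([^/]+)", re.IGNORECASE)

# Roles considered privileged on a vault. This is an assumed, tunable list: the
# "Key Vault ..." entries are built-in data-plane officer/admin roles; Owner and
# User Access Administrator are included because they can grant further access.
PRIVILEGED_ROLES = {
    "Owner",
    "User Access Administrator",
    "Key Vault Administrator",
    "Key Vault Data Access Administrator",
    "Key Vault Secrets Officer",
    "Key Vault Crypto Officer",
    "Key Vault Certificates Officer",
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: caller grants a privileged role to themselves on a vault -> flagged, high
    json.dumps({"time": "2024-05-01T10:00:00Z", "operationName": ROLE_ASSIGN_OP,
                "status": "Succeeded", "caller": "alice@example.com",
                "principal": "alice@example.com", "roleName": "Key Vault Administrator",
                "scope": "/subscriptions/sub-0000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod-01"}),
    # 2: read-only data-plane role for an app -> not in the privileged list, not flagged
    json.dumps({"time": "2024-05-01T10:05:00Z", "operationName": ROLE_ASSIGN_OP,
                "status": "Succeeded", "caller": "svc-deploy@example.com",
                "principal": "app-prod-api", "roleName": "Key Vault Secrets User",
                "scope": "/subscriptions/sub-0000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod-01"}),
    # 3: privileged role granted to a third party on another vault -> flagged, medium
    json.dumps({"time": "2024-05-01T11:30:00Z", "operationName": ROLE_ASSIGN_OP,
                "status": "Succeeded", "caller": "bob@example.com",
                "principal": "contractor-ci", "roleName": "Key Vault Secrets Officer",
                "scope": "/subscriptions/sub-0000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod-02"}),
    # 4: Owner at resource-group scope; inherited by vaults but not a vault-scoped
    #    assignment, so outside this trigger (a separate rule should cover it)
    json.dumps({"time": "2024-05-01T11:31:00Z", "operationName": ROLE_ASSIGN_OP,
                "status": "Succeeded", "caller": "bob@example.com",
                "principal": "contractor-ci", "roleName": "Owner",
                "scope": "/subscriptions/sub-0000/resourceGroups/rg-prod"}),
    # 5: not a role assignment at all -> skipped
    json.dumps({"time": "2024-05-01T12:00:00Z", "operationName": "Microsoft.KeyVault/vaults/write",
                "status": "Succeeded", "caller": "alice@example.com", "principal": "",
                "roleName": "", "scope": "/subscriptions/sub-0000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod-03"}),
    # 6: failed assignment attempt -> not a successful grant, skipped here
    json.dumps({"time": "2024-05-01T12:10:00Z", "operationName": ROLE_ASSIGN_OP,
                "status": "Failed", "caller": "eve@example.com",
                "principal": "eve@example.com", "roleName": "Key Vault Administrator",
                "scope": "/subscriptions/sub-0000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod-01"}),
    "this line is not JSON",  # malformed input must not abort the batch
]


def parse_event(raw: str) -> dict:
    """Parse one JSON record; malformed or non-object records become {}."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    return event if isinstance(event, dict) else {}


def vault_from_scope(scope):
    """Return the vault name if the scope is a vault (or something under it), else None."""
    match = VAULT_SCOPE_RE.search(scope or "")
    return match.group(1) if match else None


def is_privileged_vault_grant(event: dict) -> bool:
    """The trigger: a successful assignment of a privileged role on a vault scope."""
    return (
        event.get("operationName") == ROLE_ASSIGN_OP
        and event.get("status") == "Succeeded"
        and vault_from_scope(event.get("scope")) is not None
        and event.get("roleName") in PRIVILEGED_ROLES
    )


def triage(raw_events):
    """Apply the trigger and attach a severity: a caller granting the role to
    themselves is the classic escalation/persistence pattern, so it ranks higher."""
    findings = []
    for raw in raw_events:
        event = parse_event(raw)
        if not is_privileged_vault_grant(event):
            continue
        caller = event.get("caller", "")
        principal = event.get("principal", "")
        self_grant = caller.lower() == principal.lower()
        findings.append({
            "time": event.get("time"),
            "caller": caller,
            "principal": principal,
            "role": event["roleName"],
            "vault": vault_from_scope(event["scope"]),
            "self_grant": self_grant,
            "severity": "high" if self_grant else "medium",
        })
    return findings


def summarize_by_caller(findings):
    """Per-caller rollup for the 'investigate the principal' step."""
    summary = defaultdict(lambda: {"vaults": set(), "principals": set(), "roles": set()})
    for f in findings:
        entry = summary[f["caller"]]
        entry["vaults"].add(f["vault"])
        entry["principals"].add(f["principal"])
        entry["roles"].add(f["role"])
    return dict(summary)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']}] {f['time']} {f['caller']} granted {f['role']} "
              f"to {f['principal']} on vault {f['vault']}")
    for caller, entry in summarize_by_caller(found).items():
        print(caller, "->", sorted(entry["vaults"]), sorted(entry["principals"]))
```

Event 4 is deliberately left unflagged: the trigger as written is scoped to a single Key Vault, and an Owner grant at resource-group or subscription scope is inherited by every vault beneath it, so it belongs to a broader role-assignment rule rather than this one. The failed attempt in event 6 is also excluded from findings, though a production rule might keep failed self-grant attempts as a lower-severity signal.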