Azure Suspect Key Vault Privilege Granting
Detection overview
Triggers
- Assignment of a privileged Key Vault role to an entity for a given Key Vault.
Possible Root Causes
- Unauthorized Privilege Escalation: An attacker is assigning permissions to an entity to gain additional or persistent access to the environment.
- Administrative Change: An administrator has been granted a highly permissive role to enable full access to the Key Vault.
Business Impact
- Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.
Steps to Verify
- Investigate the Principal: Review the identity that performed the role assignment for other signs of malicious activity.
- Validate Privilege Justification: Assess whether the entity should have the assigned level of privilege based on their normal duties.
- If Malicious Actions or High-Risk Configurations Are Suspected:
- Revert any unauthorized configuration changes.
- Disable credentials associated with this alert to prevent further misuse.
- Conduct a comprehensive investigation to determine the initial compromise and scope of impacted resources.
Azure Suspect Key Vault Privilege Granting
Possible root causes
Malicious Detection
Benign Detection
Azure Suspect Key Vault Privilege Granting
Example scenarios
Azure Suspect Key Vault Privilege Granting
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Suspect Key Vault Privilege Granting
Steps to investigate
Azure Suspect Key Vault Privilege Granting
MITRE ATT&CK techniques covered
Azure Suspect Key Vault Privilege Granting
Related detections
No items found.