EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Azure Subscription Permission Elevation Via ActivityLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

MITRE ATT&CK

T1078.004
privilege-escalationpersistencedefense-evasioninitial-access

Detection Query

selection:
  operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
condition: selection

Author

Austin Songer @austinsonger

Created

2021-11-26

Data Sources

azureactivitylogs

Platforms

azure

References

Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.initial-accessattack.t1078.004
Raw Content
title: Azure Subscription Permission Elevation Via ActivityLogs
id: 09438caa-07b1-4870-8405-1dbafe3dad95
status: test
description: |
    Detects when a user has been elevated to manage all Azure Subscriptions.
    This change should be investigated immediately if it isn't planned.
    This setting could allow an attacker access to Azure subscriptions in your environment.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-08-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.initial-access
    - attack.t1078.004
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: high