Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the azure integration.

Goal

Detect an Azure Active Directory (Azure AD) member being added to a built-in Administrative role.

Strategy

Monitor Azure AD Audit logs for the following operations:

• @evt.name:"Add member to role"
• @properties.targetResources.modifiedProperties.newValue:*Administrator*

Azure AD uses roles to assign privileges to identities. There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:

• Application Administrator
• Cloud Application Administrator
• Exchange Administrator
• Privileged Role Administrator
• User Administrator
• Sharepoint Administrator
• Hybrid Identity Administrator

This whitepaper from Mandiant describes the abuse of Azure AD privileged roles.

The field @usr.id is the identity that actioned the change, and the fields @properties.targetResources.userPrincipalName or @properties.targetResources.displaylName is the identity being assigned the administrative privileges.

Triage and response

1. Determine if {{@usr.id}} should have made a {{@evt.name}} API call.
2. If the API call was not made by the user:

• Rotate user credentials.
• Determine what other API calls were made by the user.
• Begin your organization’s incident response (IR) process and investigate.

3. If the API call was made legitimately by the user:

• Determine if {{@usr.id}} was authorized to make the change.
• Follow Microsoft’s best practices where possible to ensure the user was assigned the correct level of privileges for their function.

Changelog

• 19 December 2023 - Updated group by values to include @properties.targetResources.userPrincipalName
• 19 September 2024 - Updated with additional query to capture service principals being assigned administrative roles.