Query Details

Detect Privilege Escalation To Global Admin Role Via Compromised Service Principal

Query

// Detect privilege escalation to Global Admin role via compromised service principal
// https://www.linkedin.com/posts/activity-7223370832763351040-TieO/

// The Sentinel KQL analytics rule below detects potential privilege escalation to the Global Admin role via a compromised service principal, written in view of the recent blog from Emilien Socchi (Abusing PIM-related application permissions in Microsoft Graph - Part 1)
// Link: https://lnkd.in/gmFqY4Hm

// Hourly Sentinel Analytics Rule:

// Allow list of known, approved Global Administrators (placeholder UPNs; replace with the tenant's own)
let GA = dynamic(['[email protected]', '[email protected]', '[email protected]']);
AuditLogs
| where TimeGenerated > ago(1h)                                // look-back matches the hourly schedule
| where Category == "RoleManagement"
| where ActivityDisplayName == "Add member to role"
| where TargetResources contains "Global Administrator"        // role name appears in the target's modified properties
| extend UPN = tostring(TargetResources[0].userPrincipalName)  // principal that was added to the role
| where not(UPN has_any (GA))                                   // drop additions of already-approved GAs

Explanation

This query is designed to detect if a compromised service principal has been used to escalate privileges to the Global Admin role in the last hour. Here's a simple summary:

  1. Purpose: Identify unauthorized additions to the Global Admin role.
  2. Scope: Checks audit logs from the past hour.
  3. Filters:
    • Looks for role management activities.
    • Specifically targets activities where a member is added to the Global Admin role.
  4. Exclusions: Ignores known legitimate Global Admins (listed in the GA array).

In essence, it flags any new Global Administrator addition whose target is not on the pre-approved list of Global Admins. Note that the query does not itself check who initiated the change; the InitiatedBy column of AuditLogs (an app object for a service principal, a user object for an interactive admin) can be added to confirm that the actor was in fact a service principal.
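The same filters applied in Python to a few constructed AuditLogs-style rows, extended to report whether the addition was initiated by an app (service principal) or a user via the InitiatedBy column. This is an added example, not the author's query or Sentinel code; the approved UPNs and sample rows are assumed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Approved Global Administrators (assumed placeholder UPNs, like the GA array in the query)
GA = {"ga1@acme.com", "ga2@acme.com"}

def detect_ga_additions(records, now, lookback=timedelta(hours=1)):
    """Apply the query's filters and return one finding per non-approved principal added to Global Administrator."""
    approved = {g.lower() for g in GA}
    findings = []
    for r in records:
        if r["TimeGenerated"] <= now - lookback:            # TimeGenerated > ago(1h)
            continue
        if r["Category"] != "RoleManagement":                # Category == "RoleManagement"
            continue
        if r["ActivityDisplayName"] != "Add member to role":
            continue
        if "Global Administrator" not in str(r["TargetResources"]):
            continue
        upn = str(r["TargetResources"][0].get("userPrincipalName", ""))
        if upn.lower() in approved:                          # not(UPN has_any (GA))
            continue
        # Beyond the query: InitiatedBy holds either an "app" (service principal)
        # or a "user" object, which identifies who performed the role assignment.
        by = r.get("InitiatedBy", {})
        if by.get("app"):
            actor_type, actor = "app", by["app"].get("displayName", "unknown")
        else:
            actor_type, actor = "user", by.get("user", {}).get("userPrincipalName", "unknown")
        findings.append({"upn": upn, "actor_type": actor_type, "actor": actor})
    return findings

# Constructed sample rows in the shape of Sentinel AuditLogs records (not real data)
NOW = datetime(2024, 8, 2, 12, 0, tzinfo=timezone.utc)

def _row(minutes_ago, upn, role, initiated_by, activity="Add member to role"):
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "Category": "RoleManagement",
        "ActivityDisplayName": activity,
        "InitiatedBy": initiated_by,
        "TargetResources": [{"userPrincipalName": upn, "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": f'"{role}"'}]}],
    }

SAMPLE_RECORDS = [
    _row(10, "unexpected@acme.com", "Global Administrator", {"app": {"displayName": "Graph-Automation"}}),
    _row(20, "ga1@acme.com", "Global Administrator", {"user": {"userPrincipalName": "ga2@acme.com"}}),
    _row(90, "stale@acme.com", "Global Administrator", {"user": {"userPrincipalName": "ga2@acme.com"}}),
    _row(5, "help@acme.com", "Helpdesk Administrator", {"app": {"displayName": "Graph-Automation"}}),
    _row(3, "newadmin@acme.com", "Global Administrator", {"user": {"userPrincipalName": "ga1@acme.com"}}),
]
```

Running `detect_ga_additions(SAMPLE_RECORDS, NOW)` yields two findings: the app-initiated addition of unexpected@acme.com and the user-initiated addition of newadmin@acme.com; the approved, stale, and non-GA rows are dropped.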

Details

Steven Lim

Released: August 2, 2024

Tables

AuditLogs
