Query Details

Suspicious assignment of (classic) administrator roles

Write Classic Administrators Of Az Subscription

Query

let timeRange = 1d;
let szOperationNames = dynamic(["MICROSOFT.AUTHORIZATION/CLASSICADMINISTRATORS/WRITE", "MICROSOFT.AUTHORIZATION/CLASSICADMINISTRATORS/DELETE"]);
AzureActivity
| where OperationNameValue in~ (szOperationNames) and ActivityStatusValue == "Success"
| project timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress

Explanation

This query is designed to detect suspicious activity related to the assignment of Azure classic administrator roles. It looks for instances where authorization information is being written as part of these roles. The severity of this activity is considered medium. The query uses the AzureActivity data connector and is run once a day. It checks for specific operation names and activity status to identify relevant events. The tactics involved in this query are Persistence and Privilege Escalation. The relevant technique is T1098. The query also captures the timestamp, account, and IP address associated with the suspicious activity.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 23, 2023

Tables

AzureActivity

Keywords

AzureActivityOperationNameValueActivityStatusValueSuccessTimeGeneratedCallerCallerIpAddressIPAddress

Operators

letdynamicwherein~and==project

Severity

Medium

Tactics

PersistencePrivilegeEscalation

MITRE Techniques

Frequency: 1d

Period: 1d

Actions

GitHub