Forge
New repositoryImport repositoryNew issue
Your repositories Your dashboard Sign in

cloudflare/Azure-Sentinel

Public

mirrored fromhttps://github.com/cloudflare/Azure-Sentinel

Watch0Fork0Star0
CodeCommitsIssuesPull requestsActionsInsightsSecurity
ca6fcec7a8a8fbd3724107dc9de4af27eef17555

Branches

Tags

  • No tags available.
0Branches0Tags
Go to file
Add file
Code

Clone

HTTPS

Download ZIP

Azure-Sentinel/Detections/AuditLogs

Detections/AuditLogs/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml

76lines · modecode

RawDownload
Latest commit unavailable.
unknown
1id: f80d951a-eddc-4171-b9d0-d616bb83efdc
2name: Admin promotion after Role Management Application Permission Grant
3description: |
4 'This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).
5 This is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.
6 A service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.
7 Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http'
8severity: High
9requiredDataConnectors:
10 - connectorId: AzureActiveDirectory
11 dataTypes:
12 - AuditLogs
13queryFrequency: 2h
14queryPeriod: 2h
15triggerOperator: gt
16triggerThreshold: 0
17tactics:
18 - PrivilegeEscalation
19 - Persistence
20relevantTechniques:
21 - T1098.003
22 - T1078.004
23tags:
24 - SimuLand
25query: |
26 AuditLogs
27 | where LoggedByService =~ "Core Directory"
28 | where Category =~ "ApplicationManagement"
29 | where AADOperationType =~ "Assign"
30 | where ActivityDisplayName =~ "Add app role assignment to service principal"
31 | mv-expand TargetResources
32 | mv-expand TargetResources.modifiedProperties
33 | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)
34 | where displayName_ =~ "AppRole.Value"
35 | extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))
36 | where AppRole has "RoleManagement.ReadWrite.Directory"
37 | extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
38 | extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))
39 | extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))
40 | extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))
41 | project TimeGenerated, OperationName, Initiator, Target, TargetId, Result
42 | join kind=innerunique (
43 AuditLogs
44 | where LoggedByService =~ "Core Directory"
45 | where Category =~ "RoleManagement"
46 | where AADOperationType in ("Assign", "AssignEligibleRole")
47 | where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
48 | mv-expand TargetResources
49 | mv-expand TargetResources.modifiedProperties
50 | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)
51 | where displayName_ =~ "Role.DisplayName"
52 | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))
53 | where RoleName contains "Admin"
54 | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
55 | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)
56 | extend TargetUser = tostring(TargetResources.userPrincipalName)
57 | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))
58 | extend TargetType = tostring(TargetResources.type)
59 | extend TargetId = tostring(TargetResources.id)
60 | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result
61 ) on $left.TargetId == $right.InitiatorId
62 | extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,
63 TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType
64 | where TimeRoleMgGrant < TimeAdminPromo
65 | project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType
66entityMappings:
67 - entityType: Account
68 fieldMappings:
69 - identifier: FullName
70 columnName: ServicePrincipal
71 - entityType: Account
72 fieldMappings:
73 - identifier: FullName
74 columnName: TargetObject
75version: 1.0.2
76kind: Scheduled