administrators will legitimately assign the privileged roles users as part of administrative tasks. filter as needed.

Sample rules

Azure AD Privileged Role Assigned

source: splunk
technicques:
- T1098
- T1098.003

Description

The following analytic detects the assignment of privileged Azure Active Directory roles to a user. It leverages Azure AD audit logs, specifically monitoring the “Add member to role” operation. This activity is significant as adversaries may assign privileged roles to compromised accounts to maintain persistence within the Azure AD environment. If confirmed malicious, this could allow attackers to escalate privileges, access sensitive information, and maintain long-term control over the Azure AD infrastructure.

Detection logic

`azure_monitor_aad`  "operationName"="Add member to role" 
| rename properties.*  as * 
| rename initiatedBy.user.userPrincipalName as initiatedBy 
| rename targetResources{}.modifiedProperties{}.newValue  as roles 
| eval role=mvindex(roles,1) 
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role 
| lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description 
| search isprvilegedadrole = True 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_privileged_role_assigned_filter`

O365 Privileged Role Assigned

source: splunk
technicques:
- T1098
- T1098.003

Description

The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. This detection leverages the O365 Universal Audit Log data source.

Detection logic

`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.") 
| eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2) 
| stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature 
| lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole 
| search isprvilegedadrole="TRUE" category="User" 
| `security_content_ctime(firstTime)`  
| `security_content_ctime(lastTime)` 
| `o365_privileged_role_assigned_filter`