Detect Privilege Escalation To Global Admin Role Via Compromised Service Principal
Query
// Detect privilege escalation to Global Admin role via compromised service principal
// https://www.linkedin.com/posts/activity-7223370832763351040-TieO/
// The below Sentinel KQL analytics rule is able to detect potential privilege escalation to Global Admin role via compromised service principal in view of the recent blog from Emilien Socchi (Abusing PIM-related application permissions in Microsoft Graph - Part 1)
Link: https://lnkd.in/gmFqY4Hm
//Hourly Sentinel Analytics Rule:
let GA = dynamic(['[email protected]', '[email protected]', '[email protected]']);
AuditLogs
| where TimeGenerated > ago(1h)
| where Category == "RoleManagement"
| where ActivityDisplayName == "Add member to role"
| where TargetResources contains "Global Administrator"
| extend UPN = tostring(TargetResources[0].userPrincipalName)
| where not (UPN has_any(GA))
// MITRE ATT&CK Mapping
// Based on the operations and objectives of the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1078.004 - Valid Accounts: Cloud Accounts:
// This technique involves adversaries gaining access to cloud accounts to perform actions such as adding new members to privileged roles1.
// T1098 - Account Manipulation:
// This technique includes actions like adding users to privileged groups or roles, which is exactly what this query is designed to detect2.
// T1078 - Valid Accounts:
// More generally, this technique involves the use of valid accounts to maintain access to systems, which can include adding new accounts to privileged roles3.Explanation
This query is designed to detect potential unauthorized privilege escalation to the Global Administrator role in a Microsoft environment. It specifically looks for instances where a service principal, which may have been compromised, is used to add a member to the Global Administrator role. Here's a simple breakdown of what the query does:
-
Define Trusted Global Admins: It starts by defining a list of known, trusted Global Administrator accounts (e.g., [email protected], [email protected], [email protected]).
-
Filter Audit Logs: The query searches through audit logs from the past hour, focusing on entries related to role management activities.
-
Identify Role Additions: It looks for activities where a member is added to a role, specifically targeting the "Global Administrator" role.
-
Exclude Trusted Accounts: It checks if the user principal name (UPN) of the account being added is not in the list of trusted Global Admins. If the UPN is not in the list, it flags this as a potential issue.
-
Security Context: The query is part of a security monitoring strategy to detect unauthorized privilege escalations, which could indicate a compromised service principal being used maliciously.
-
MITRE ATT&CK Techniques: The query is associated with specific MITRE ATT&CK techniques that involve the misuse of valid accounts and account manipulation to gain unauthorized access or privileges in cloud environments.
In essence, this query helps security teams identify suspicious activities that could indicate a security breach involving the elevation of privileges to a highly sensitive role within an organization.
