HUNT 07 Lighthouse Delegation Changes
Query
// Hunt : Hunt - Azure Lighthouse Managed Services Delegation Changes (90d)
// Tactics : Persistence
// MITRE : T1098
// Purpose : Shows all Azure Lighthouse (ManagedServices) delegation events. Attackers who gain Owner rights may create Lighthouse delegations to grant a foreign tenant persistent cross-subscription access that survives password resets.
//==========================================================================================
AzureActivity
| where TimeGenerated > ago(90d)
| where OperationNameValue has "MICROSOFT.MANAGEDSERVICES"
| where ActivityStatusValue =~ "Success"
| extend OperationType = case(
OperationNameValue has "DELETE", "Delegation Removed",
OperationNameValue has "WRITE", "Delegation Added or Modified",
"Other")
| project TimeGenerated, OperationType, Caller, Operation = OperationNameValue, ResourceId, CallerIpAddress, SubscriptionId
| order by TimeGenerated descExplanation
This query is designed to track changes in Azure Lighthouse delegations over the past 90 days. Azure Lighthouse allows service providers to manage resources across different Azure tenants. The query focuses on identifying any successful delegation events, which could indicate potential security risks if an attacker gains access.
Here's a simplified breakdown of what the query does:
-
Data Source: It pulls data from the
AzureActivitylog, which records various activities within Azure. -
Time Frame: It filters the data to include only events from the last 90 days.
-
Operation Filter: It specifically looks for operations related to "MICROSOFT.MANAGEDSERVICES", which pertains to Azure Lighthouse delegations.
-
Success Filter: It only considers events where the activity status is marked as "Success".
-
Operation Type: It categorizes the operations into:
- "Delegation Removed" if the operation involves a "DELETE".
- "Delegation Added or Modified" if the operation involves a "WRITE".
- "Other" for any other types of operations.
-
Data Projection: It selects and displays specific details about each event, including:
- The time the event was generated.
- The type of operation.
- The caller (who initiated the operation).
- The operation name.
- The resource ID involved.
- The caller's IP address.
- The subscription ID.
-
Sorting: Finally, it orders the results by the time the event was generated, showing the most recent events first.
The purpose of this query is to help identify any unauthorized or suspicious delegation changes that could allow persistent access across subscriptions, even after password resets, which is a tactic used by attackers for persistence.
