Suspicious assignment of (classic) administrator roles
Write Classic Administrators Of Az Subscription
Query
let timeRange = 1d;
let szOperationNames = dynamic(["MICROSOFT.AUTHORIZATION/CLASSICADMINISTRATORS/WRITE", "MICROSOFT.AUTHORIZATION/CLASSICADMINISTRATORS/DELETE"]);
AzureActivity
| where OperationNameValue in~ (szOperationNames) and ActivityStatusValue == "Success"
| project timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddressExplanation
This query is designed to detect suspicious activity related to the assignment of Azure classic administrator roles. It looks for instances where authorization information is being written as part of these roles. The severity of this activity is considered medium. The query uses the AzureActivity data connector and is run once a day. It checks for specific operation names and activity status to identify relevant events. The tactics involved in this query are Persistence and Privilege Escalation. The relevant technique is T1098. The query also captures the timestamp, account, and IP address associated with the suspicious activity.
Details

Thomas Naunheim
Released: August 23, 2023
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 1d
Period: 1d