Detecting Azure API Permissions Abuse

  1. The two permissions that can be abused are RoleManagement.ReadWrite.Directory and AppRoleAssignment.ReadWrite.All, both Microsoft Graph application permissions. Detailed information can be found in Microsoft's documentation.
  2. Either permission lets the object that holds it (a Service Principal, an Application, or a user account acting through delegated consent) effectively take over the tenant by reaching Global Administrator.
  3. RoleManagement.ReadWrite.Directory lets the holder manage directory role membership, so it can add itself (or any principal it controls) to the Global Administrator role. AppRoleAssignment.ReadWrite.All lets the holder grant application permissions to service principals, including itself, so it can grant itself RoleManagement.ReadWrite.Directory and then take the same path to Global Admin. Consent to either permission should therefore be treated as a privileged event.

Detection

This assumes that:

  1. You're forwarding your M365/Azure AD audit logs to your SIEM
  2. Your SIEM is Splunk
  3. You know which index/sourcetype these audit logs reside in

Search for events where:

  • Workload=AzureActiveDirectory
  • Operation="Consent to application" OR "Add delegated permission grant"
  • ModifiedProperties{}.Name = "ConsentAction.Permissions" OR "DelegatedPermissionGrant.Scope"
  • ModifiedProperties{}.NewValue contains "RoleManagement.ReadWrite.Directory" OR "AppRoleAssignment.ReadWrite.All"

Two caveats. First, the NewValue of ConsentAction.Permissions is not a bare permission name: it is a longer string that lists the granted scopes next to client, resource and consent-type details, and DelegatedPermissionGrant.Scope is a space-separated list of scopes, so match with a wildcard (*RoleManagement.ReadWrite.Directory*) rather than an exact equality, or the search will return nothing. Second, when a service principal that already holds AppRoleAssignment.ReadWrite.All grants itself an application permission directly (the escalation path described above), the audit log records the operation "Add app role assignment to service principal" rather than a consent or delegated grant, with the permission name under the AppRole.* modified properties (AppRole.Value). Include that operation in the search so the second hop of the attack is covered as well.
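To show the search criteria above actually running, here is an added example written for this page; it is not the author's Splunk search and not Microsoft code. It applies the same Workload / Operation / ModifiedProperties logic, plus the "Add app role assignment to service principal" operation, to a handful of constructed audit records laid out in the shape of the Office 365 Management Activity API. The tenant names, GUIDs, app names and the exact text of the ConsentAction.Permissions value are placeholders, and the AppRole.Value property name is assumed to carry the permission name for app role assignments.

```python
"""Added example: run the Azure AD permission-abuse search over constructed audit records.

Illustrative code written for this page, not the author's Splunk search and not a
Microsoft sample. Record layout follows the Office 365 Management Activity API
shape (Workload / Operation / UserId / Target / ModifiedProperties[]); the records,
names and GUIDs below are constructed placeholders.
"""
from __future__ import annotations

import json
import re

# The two Graph application permissions that lead to Global Administrator.
DANGEROUS_PERMISSIONS = (
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
)

# Operation (trailing period stripped) -> ModifiedProperties names that carry
# the granted permission(s). The third entry covers a service principal that
# assigns an application permission directly via AppRoleAssignment.ReadWrite.All;
# the AppRole.Value property name is an assumption for this example.
WATCHED_OPERATIONS = {
    "Consent to application": ("ConsentAction.Permissions",),
    "Add delegated permission grant": ("DelegatedPermissionGrant.Scope",),
    "Add app role assignment to service principal": ("AppRole.Value",),
}

# Constructed sample log (one JSON record per line). Record 1: admin consent that
# includes AppRoleAssignment.ReadWrite.All inside the long ConsentAction string.
# Record 2: benign delegated grant. Record 3: the service principal assigning
# itself RoleManagement.ReadWrite.Directory. Record 4: a non-AAD workload whose
# NewValue happens to contain the permission name and must be ignored.
SAMPLE_AUDIT_LOG = r"""
{"Workload":"AzureActiveDirectory","Operation":"Consent to application.","UserId":"admin@contoso.example","Target":[{"Type":2,"ID":"Contoso Backup App"}],"ModifiedProperties":[{"Name":"ConsentContext.IsAdminConsent","NewValue":"True","OldValue":""},{"Name":"ConsentAction.Permissions","NewValue":"[[Id: 00000000-0000-0000-0000-000000000010, ClientId: 00000000-0000-0000-0000-000000000020, PrincipalId: , ResourceId: 00000000-0000-0000-0000-000000000030, ConsentType: AllPrincipals, Scope: User.Read Directory.Read.All AppRoleAssignment.ReadWrite.All, CreatedDateTime: , LastModifiedDateTime: ]]","OldValue":""}]}
{"Workload":"AzureActiveDirectory","Operation":"Add delegated permission grant.","UserId":"user@contoso.example","Target":[{"Type":2,"ID":"Contoso Backup App"}],"ModifiedProperties":[{"Name":"DelegatedPermissionGrant.Scope","NewValue":"openid profile User.Read","OldValue":""}]}
{"Workload":"AzureActiveDirectory","Operation":"Add app role assignment to service principal.","UserId":"ServicePrincipal_00000000-0000-0000-0000-000000000020","Target":[{"Type":2,"ID":"Contoso Backup App"}],"ModifiedProperties":[{"Name":"AppRole.Id","NewValue":"00000000-0000-0000-0000-000000000001","OldValue":""},{"Name":"AppRole.Value","NewValue":"RoleManagement.ReadWrite.Directory","OldValue":""}]}
{"Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@contoso.example","ModifiedProperties":[{"Name":"ForwardingSmtpAddress","NewValue":"RoleManagement.ReadWrite.Directory","OldValue":""}]}
"""


def load_records(text: str) -> list[dict]:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _mentions(value: str, perm: str) -> bool:
    """Boundary-aware substring match: finds the scope inside a space-separated
    scope list or the bracketed ConsentAction string, but does not match a
    longer dotted name that merely starts with the permission."""
    return re.search(rf"(?<![\w.]){re.escape(perm)}(?![\w.])", value) is not None


def dangerous_permissions_in(record: dict) -> list[str]:
    """Return the dangerous permissions this record grants (empty list if none)."""
    if record.get("Workload") != "AzureActiveDirectory":
        return []
    watched = WATCHED_OPERATIONS.get(record.get("Operation", "").rstrip("."))
    if not watched:
        return []
    found: list[str] = []
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") not in watched:
            continue
        new_value = str(prop.get("NewValue", ""))
        for perm in DANGEROUS_PERMISSIONS:
            if perm not in found and _mentions(new_value, perm):
                found.append(perm)
    return found


def detect(records: list[dict]) -> list[dict]:
    """Return one alert per record that grants a dangerous permission."""
    hits = []
    for rec in records:
        perms = dangerous_permissions_in(rec)
        if perms:
            hits.append({
                "actor": rec.get("UserId"),
                "operation": rec.get("Operation"),
                "target": (rec.get("Target") or [{}])[0].get("ID"),
                "permissions": perms,
            })
    return hits


if __name__ == "__main__":
    for hit in detect(load_records(SAMPLE_AUDIT_LOG)):
        print(json.dumps(hit))
```

Run as-is, the script flags records 1 and 3 and nothing else: the benign delegated grant and the Exchange event fall through even though the latter contains the permission string, which is the same filtering the Workload and Operation clauses do in the Splunk search.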

redhead0ntherun: Cyber Security enthusiast, detection developer and engineer, researcher, consultant.