Detecting Azure API Permissions Abuse

  1. The two permissions that can be abused are RoleManagement.ReadWrite.Directory and AppRoleAssignment.ReadWrite.All. Detailed information can be found in Microsoft's documentation.
  2. These permissions allow an object (whether it's a Service Principal, Application, or IAM user) to effectively take over a tenant by becoming a Global Admin.
  3. The AppRoleAssignment.ReadWrite.All permission lets the object grant itself the RoleManagement.ReadWrite.Directory permission, which in turn allows the object to become a Global Admin.

Detection

This detection assumes that:

  1. You're forwarding your M365/Azure logs to your SIEM
  2. Your SIEM is Splunk
  3. You know which index/sourcetype these audit logs reside in

Search for events where:

  • Workload=AzureActiveDirectory
  • Operation="Consent to Application" OR "Add delegated permission grant"
  • ModifiedProperties{}.Name = "DelegatedPermissionGrant.Scope" OR "ConsentAction.Permissions"
  • ModifiedProperties{}.NewValue = "RoleManagement.ReadWrite.Directory" OR "AppRoleAssignment.ReadWrite.All"

The two ModifiedProperties names whose NewValue carries the granted permissions are:

  • ConsentAction.Permissions
  • DelegatedPermissionGrant.Scope
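The same search criteria expressed outside Splunk, as an added example that is not part of the original post: Python that applies the Workload, Operation and ModifiedProperties conditions above to audit records and returns the high-risk grants. The sample records, the `granted_high_risk`/`scan`/`_record` helpers and the account and app names are constructed for illustration; the field names are the ones the post lists.

```python
import json

# Graph API permissions the post identifies as tenant-takeover paths.
HIGH_RISK_PERMISSIONS = {"RoleManagement.ReadWrite.Directory", "AppRoleAssignment.ReadWrite.All"}
# Grant operations, compared case-insensitively and without the trailing period the log adds.
CONSENT_OPERATIONS = {"consent to application", "add delegated permission grant"}
# ModifiedProperties entries whose NewValue carries the granted scopes.
SCOPE_PROPERTIES = {"DelegatedPermissionGrant.Scope", "ConsentAction.Permissions"}

def granted_high_risk(event: dict) -> set[str]:
    """Return the high-risk permissions granted by one audit record (empty set if none)."""
    if event.get("Workload") != "AzureActiveDirectory":
        return set()
    if event.get("Operation", "").strip().rstrip(".").lower() not in CONSENT_OPERATIONS:
        return set()
    found = set()
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") not in SCOPE_PROPERTIES:
            continue
        # NewValue is usually a long string ("... Scope: User.Read Mail.Read ...") rather than
        # a bare scope, so an equality match would miss it; search inside the string instead.
        new_value = str(prop.get("NewValue", ""))
        found.update(p for p in HIGH_RISK_PERMISSIONS if p in new_value)
    return found

def scan(json_lines) -> list[tuple]:
    """Return (Id, actor, target app, sorted permissions) for every alerting record."""
    hits = []
    for line in json_lines:
        event = json.loads(line)
        perms = granted_high_risk(event)
        if perms:
            hits.append((event["Id"], event.get("UserId"), event.get("ObjectId"), sorted(perms)))
    return hits

def _record(rid, op, user, app, prop_name, new_value, workload="AzureActiveDirectory"):
    return json.dumps({"Id": rid, "Workload": workload, "Operation": op, "UserId": user,
                       "ObjectId": app, "ModifiedProperties": [{"Name": prop_name, "NewValue": new_value}]})

SAMPLE_EVENTS = [  # constructed records in Unified Audit Log shape, not real tenant data
    _record("evt-1", "Consent to application.", "admin@contoso.example", "Payroll Sync",
            "ConsentAction.Permissions", "[] => [[Scope: AppRoleAssignment.ReadWrite.All Directory.Read.All]]"),
    _record("evt-2", "Add delegated permission grant.", "jdoe@contoso.example", "Mail Viewer",
            "DelegatedPermissionGrant.Scope", "User.Read Mail.Read"),  # benign scopes: no alert
    _record("evt-3", "Add delegated permission grant.", "svc-auto@contoso.example", "Helper App",
            "DelegatedPermissionGrant.Scope", "RoleManagement.ReadWrite.Directory"),
    _record("evt-4", "Consent to application.", "admin@contoso.example", "Other App",
            "ConsentAction.Permissions", "AppRoleAssignment.ReadWrite.All", workload="Exchange"),  # filtered out
]
```

Running `scan(SAMPLE_EVENTS)` flags evt-1 and evt-3 only; evt-2 carries benign scopes and evt-4 is outside the AzureActiveDirectory workload.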

Cyber Security enthusiast, detection developer and engineer, researcher, consultant.

redhead0ntherun