title: App Granted Privileged Delegated Or App Permissions
id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f
related:
    - id: ba2a7c80-027b-460f-92e2-57d113897dbc
      type: obsolete
status: test
description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-28
modified: 2023-03-29
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098.003
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Add app role assignment to service principal
    condition: selection
falsepositives:
    - When the permission is legitimately needed for the app
level: high

title: App Assigned To Azure RBAC/Microsoft Entra Role
id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
status: test
description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-19
modified: 2024-11-04
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098.003
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        targetResources.type: 'Service Principal'
        properties.message:
            - Add member to role
            - Add eligible member to role
            - Add scoped member to role
    condition: selection
falsepositives:
    - When the permission is legitimately needed for the app
level: medium

title: Github Outside Collaborator Detected
id: eaa9ac35-1730-441f-9587-25767bde99d7
status: test
description: |
    Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-20
references:
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.collection
    - attack.t1098.001
    - attack.t1098.003
    - attack.t1213.003
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'org.remove_outside_collaborator'
            - 'project.update_user_permission'
    condition: selection
falsepositives:
    - Validate the actor if permitted to access the repo.
    - Validate the Multifactor Authentication changes.
level: medium

title: Google Workspace Application Access Level Modified
id: 22f2fb54-5312-435d-852f-7c74f81684ca
status: test
description: |
    Detects when an access level is changed for a Google workspace application.
    An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model.
    An adversary would be able to remove access levels to gain easier access to Google workspace resources.
references:
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
    - https://support.google.com/a/answer/9261439
author: Bryan Lim
date: 2024-01-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098.003
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: 'admin.googleapis.com'
        eventName: 'CHANGE_APPLICATION_SETTING'
        setting_name|startswith: 'ContextAwareAccess'
    condition: selection
falsepositives:
    - Legitimate administrative activities changing the access levels for an application
level: medium

title: Granting Of Permissions To An Account
id: a622fcd2-4b5a-436a-b8a2-a4171161833c
status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098.003
logsource:
    product: azure
    service: activitylogs
detection:
    keywords:
        - Microsoft.Authorization/roleAssignments/write
    condition: keywords
falsepositives:
    - Valid change
level: medium

title: Okta Admin Role Assigned to an User or Group
id: 413d4a81-6c98-4479-9863-014785fd579c
status: test
description: Detects when an the Administrator role is assigned to an user or group.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098.003
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - group.privilege.grant
            - user.account.privilege.grant
    condition: selection
falsepositives:
    - Administrator roles could be assigned to users or group by other admin users.

level: medium

title: User Added to an Administrator's Azure AD Role
id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
status: test
description: User Added to an Administrator's Azure AD Role
references:
    - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
author: Raphaël CALVET, @MetallicHack
date: 2021-10-04
modified: 2022-10-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1098.003
    - attack.t1078
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        Operation: 'Add member to role.'
        Workload: 'AzureActiveDirectory'
        ModifiedProperties{}.NewValue|endswith:
            - 'Admins'
            - 'Administrator'
    condition: selection
falsepositives:
    - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
level: medium