General
This rule detects when a user is added as an Owner to an Azure subscription. The Owner role is the highest privilege role within Azure and provides full control over all resources within the subscription, including management of access rights, billing, and all underlying resources.
Rationale
The Azure subscription Owner role is one of the most powerful roles within the Azure environment. A user with this role can manage all resources within the subscription, including assigning and revoking rights to other users, creating and deleting resources, and modifying security settings. This makes the Owner role an attractive target for attackers.
When an attacker has access to an account with sufficient privileges, they can assign themselves or another compromised account the Owner role. This is also known as privilege escalation (see also: MITRE ATT&CK T1098 - Account Manipulation). With these elevated privileges, the attacker can then take over the entire Azure environment, exfiltrate data, create resources for cryptomining, or install backdoors for future access.
It is therefore crucial to monitor and validate new Owner assignments. Legitimate assignments of the Owner role are often rare and should always go through a controlled process. Unexpected assignments may indicate a security incident and require immediate action.
Follow-up
Follow these steps to adequately address this detection:
- Validate whether the Owner assignment is legitimate by contacting the user who granted the permissions.
-
If no: consider the account as compromised and perform immediate containment:
- Immediately remove the Owner assignment from the suspicious user
- Disable the account that granted the permissions (possibly compromised)
- Disable the account that received the Owner permissions
- Revoke all active sessions from both accounts
- Reset the passwords of both accounts
- Investigate all activities of both accounts since the Owner assignment to determine what actions were performed. Pay specific attention to:
- New users or service principals created
- New resources deployed (VMs, storage accounts, etc.)
- Changes to network rules or firewalls
- Data exfiltration to external storage
- Changes to logging or monitoring settings
-
If no: consider the account as compromised and perform immediate containment:
Azure Owner Role Details
The Owner role in Azure (RoleDefinitionId: 8e3af657-a8ff-443c-a75c-2fe8c4bcb635) provides the following permissions:
- Full access to all resources within the subscription
- Permissions management: can assign and revoke all Azure RBAC roles
- Resource management: create, modify and delete all resource types
- Network configuration: modify firewalls, NSGs, VNets, etc.
- Data access: read and write data in all storage accounts, databases, etc.
- Billing management: insight into costs and billing
- Policy management: modify Azure Policies and compliance settings
Due to these broad permissions, the Owner role must be assigned very restrictively and continuously monitored.
Comments
0 comments
Please sign in to leave a comment.