General
This rule detects when an external user (guest user) is added to a role with high administrative privileges, outside of Privileged Identity Management (PIM). This alert triggers specifically when your organization uses PIM, but someone assigns the admin role without going through the PIM process.
Rationale
Privileged Identity Management (PIM) is a security control mechanism that helps organizations manage, monitor, and audit administrative privileges. When PIM is deployed, the expectation is that all administrative privileges are granted through PIM - with approval processes, temporary assignments, and additional monitoring. Granting administrative privileges outside of PIM undermines these controls.
Granting administrative privileges to external users (guest users with email addresses like @hotmail.com, @gmail.com, or @live.com) is particularly risky. These accounts are not managed by your organization, may have weaker security settings, and can be used by attackers as a persistence mechanism. When an attacker has gained access to an admin account, they can create or use an external guest user and grant them high privileges - this allows the attacker to maintain access even if the original compromised account is cleaned up.
This detection is especially critical because it combines two red flags: (1) administrative privileges outside the PIM process, and (2) assignment to an external account. This pattern is strongly indicative of malicious behavior or at least a serious deviation from security policy that requires immediate attention.
Follow-up
Follow these steps to adequately address this detection:
- Immediately contact the administrator who granted the privileges to validate whether this was a deliberate and authorized action.
-
If no: consider the admin account as compromised and perform immediate containment:
- Immediately remove all administrative privileges from the external user
- Disable the external user in Entra ID
- Disable the admin account that granted the privileges (possibly compromised)
- Revoke all active sessions from both accounts
- Reset the password of the admin account
- Investigate all activities of both accounts since the privilege assignment:
- What other users or groups were created or modified?
- Were new application registrations or service principals created?
- Were there changes to Conditional Access policies or MFA settings?
- Was data exported or shared with external parties?
- Were new Azure resources created?
- Were there changes to audit logging or security monitoring settings?
- Check if there are other external users with admin privileges that were recently added
- Consider having Attic perform a Tier2 investigation to determine the full scope of the incident. This is highly recommended as this pattern is typical for advanced attacks where the attacker attempts to gain persistence.
-
If no: consider the admin account as compromised and perform immediate containment:
Attic FIX
A fix will be offered to remove the administrative privileges from the external user, after you have validated that this is malicious behavior or does not comply with policy. For further investigation you can contact us, Attic can support via our IR service.
Comments
0 comments
Please sign in to leave a comment.