Skip to content

Hide Navigation Hide TOC

Azure Subscription Permission Elevation Via ActivityLogs (09438caa-07b1-4870-8405-1dbafe3dad95)

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Cluster A Galaxy A Cluster B Galaxy B Level
Azure Subscription Permission Elevation Via ActivityLogs (09438caa-07b1-4870-8405-1dbafe3dad95) Sigma-Rules Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 1
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2