Mitigating Privilege Escalations with Managed Identities

  1. Audit and remove privileges held by Service Principals
    1. Find active and eligible assignments for admin roles:
      1. Global Administrator
      2. Privileged Role Administrator
      3. Privileged Authentication Administrator
    2. Find service principals that hold the MS Graph app roles:
      1. RoleManagement.ReadWrite.Directory
      2. AppRoleAssignment.ReadWrite.All
  2. Audit privileges held by other principals
    1. Find users, groups, and service principals with admin roles:
      1. Application Administrator
      2. Cloud Application Administrator
      3. Directory Synchronization Account
      4. Hybrid Identity Administrator
      5. Partner Tier1 Support
      6. Partner Tier2 Support
    2. Audit explicit owners of service principals from step 1
    3. Audit service principals with MS Graph app roles:
      1. Application.ReadWrite.All
      2. ServicePrincipalEndpoint.ReadWrite.All
  3. Audit privileges held on automation accounts:
    1. Owner
    2. Contributor
    3. Automation Contributor
    4. User Access Administrator
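Step 1 of the audit, worked through as an added example that is not part of the original checklist: an offline triage function over the Microsoft Graph response shapes (roleDefinitions, roleAssignments, roleEligibilityScheduleInstances, servicePrincipals, appRoleAssignments, and the Microsoft Graph service principal's appRoles list). The fetch itself is assumed to have been done separately with read-only Graph permissions; all ids in the sample data are constructed placeholders.

```python
# Offline triage for step 1: flag service principals holding the three admin
# roles (active or eligible) or the two MS Graph app roles. Assumes the caller
# already pulled the Graph collections named in the lead-in; the Microsoft
# Graph service principal's appRoles list maps app-role ids to permission names.
ADMIN_ROLES = {"Global Administrator", "Privileged Role Administrator",
               "Privileged Authentication Administrator"}
DANGEROUS_APP_ROLES = {"RoleManagement.ReadWrite.Directory",
                       "AppRoleAssignment.ReadWrite.All"}
def audit_service_principals(role_definitions, active, eligible,
                             service_principals, app_role_assignments, graph_sp):
    """Return {sp_id: {"displayName", "roles", "appRoles"}} for matching SPs."""
    role_name = {r["id"]: r["displayName"] for r in role_definitions}
    app_role_name = {a["id"]: a["value"] for a in graph_sp["appRoles"]}
    sp_name = {sp["id"]: sp["displayName"] for sp in service_principals}
    findings = {}
    def record(sp_id):
        return findings.setdefault(
            sp_id, {"displayName": sp_name[sp_id], "roles": [], "appRoles": []})
    # Active and eligible entries both carry principalId/roleDefinitionId, so one
    # loop covers both; users and groups are skipped (their ids are not in sp_name).
    for kind, items in (("active", active), ("eligible", eligible)):
        for a in items:
            name = role_name.get(a["roleDefinitionId"])
            if a["principalId"] in sp_name and name in ADMIN_ROLES:
                record(a["principalId"])["roles"].append(f"{name} ({kind})")
    # App-role ids are per resource: only grants on the Microsoft Graph SP count.
    for g in app_role_assignments:
        if g["resourceId"] != graph_sp["id"] or g["principalId"] not in sp_name:
            continue
        name = app_role_name.get(g["appRoleId"])
        if name in DANGEROUS_APP_ROLES:
            record(g["principalId"])["appRoles"].append(name)
    return findings

# Constructed sample responses; every id is a placeholder, not a real GUID.
SAMPLE_ROLE_DEFS = [{"id": "role-ga", "displayName": "Global Administrator"},
                    {"id": "role-pra", "displayName": "Privileged Role Administrator"}]
SAMPLE_SPS = [{"id": "sp-automation", "displayName": "automation-account-mi"},
              {"id": "sp-reporting", "displayName": "reporting-app"}]
SAMPLE_ACTIVE = [{"principalId": "sp-automation", "roleDefinitionId": "role-ga"},
                 {"principalId": "user-alice", "roleDefinitionId": "role-ga"}]
SAMPLE_ELIGIBLE = [{"principalId": "sp-reporting", "roleDefinitionId": "role-pra"}]
SAMPLE_GRAPH_SP = {"id": "sp-graph", "appRoles": [
    {"id": "ar-approle", "value": "AppRoleAssignment.ReadWrite.All"},
    {"id": "ar-userread", "value": "User.Read.All"}]}
SAMPLE_GRANTS = [
    {"principalId": "sp-reporting", "resourceId": "sp-graph", "appRoleId": "ar-approle"},
    {"principalId": "sp-reporting", "resourceId": "sp-graph", "appRoleId": "ar-userread"},
    {"principalId": "sp-automation", "resourceId": "sp-other", "appRoleId": "ar-approle"}]
```

Running `audit_service_principals` over the sample data flags `sp-automation` for an active Global Administrator assignment and `sp-reporting` for an eligible Privileged Role Administrator assignment plus AppRoleAssignment.ReadWrite.All; the user entry and the grant on a non-Graph resource are ignored.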

Detecting Automation Account RunBook Edits

  1. Produce logs when a service principal is granted elevated roles:
    1. Global Administrator
    2. Privileged Role Administrator
    3. Privileged Authentication Administrator
  2. Produce logs when RunBook edits happen:
    1. Creating a draft
    2. Publishing a draft
  3. Produce logs when a service principal is granted app roles:
    1. RoleManagement.ReadWrite.Directory
    2. AppRoleAssignment.ReadWrite.All