T1531.Entra.HighlyPrivilegedRoleRemoval.md

T1531.Entra.HighlyPrivilegedRoleRemoval

Detect bulk removal of highly privileged roles from Microsoft Entra that can lead to a loss of control over the cloud environment.

Hunt Tags

ID: T1531.Entra.HighlyPrivilegedRoleRemoval

Author: Nicola Suter

License: MIT License

References: Link to medium post

ATT&CK Tags

Tactic: Impact (TA0040)

Technique: Account Access Removal (T1531)

Technical description of the attack

Attackers can remove highly privileged roles from Microsoft Entra that can lead to a loss of control over the cloud environment. These roles are Global Administrator and Privileged Role Administrator. If the customer has not access to an admin account with these roles, the customer will lose control over the cloud environment.

Permission required to execute the technique

To remove the roles, the attacker needs to have the Global Administrator or Privileged Role Administrator role.

Detection description

Bulk removal of highly privileged roles can be detected by looking at the RoleAssignmentDeleted event in the Microsoft Entra Activity Logs.

Utilized Data Source

Event ID	Event Name	Log Provider	ATT&CK Data Source
-	AuditLogs	Entra ID	Cloud Service

Hunt details

KQL

FP Rate: Low

Source: Entra ID

Description: This detection looks at Entra admin role removal events.

Query:

let lookback = 2h;
let AdminRoleInfo = datatable (RoleId: guid, RoleDisplayName: string)[
    '62e90394-69f5-4237-9190-012177145e10', 'Global Administrator',
    'e8611ab8-c189-46e8-94e1-60213ab1f814', 'Privileged Role Administrator'
];
AuditLogs
| where ingestion_time() > ago(lookback)
| where AADOperationType in~ ('AdminRemovePermanentGrantedRole', 'AdminRemovePermanentEligibleRole')
| mv-apply details = AdditionalDetails on (
    where details.key == "RoleDefinitionOriginId"
    | extend RoleId = toguid(details.value)
    )
| mv-apply details = AdditionalDetails on (
    where details.key == "ipaddr"
    | extend IPAddress = tostring(details.value)
    )
| lookup AdminRoleInfo on RoleId
| mv-expand TargetResources
| where TargetResources.type == 'User'
| extend
    UserObjectId = TargetResources.id,
    UserPrincipalName = TargetResources.userPrincipalName
| extend Actor = iif(isnotempty(InitiatedBy.user), InitiatedBy.user.id, InitiatedBy.app.appId)
| project
    ActivityDateTime,
    ActivityDisplayName,
    RoleDisplayName,
    UserPrincipalName,
    UserObjectId,
    Actor,
    IPAddress

Considerations

• Only the Global Administrator and Privileged Role Administrator roles are covered by this detection.

False Positives

High amounts of role removals can lead to false positives, e.g. due to permission cleanup. During regular operations the amount of role removals should be low.

Detection Blind Spots

• The detection does not cover the removal of other roles than Global Administrator and Privileged Role Administrator.
• The detection does not cover permissions of service principals that might have similar permisions as the Global Administrator and Privileged Role Administrator roles.

References

• https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/