Detection rules › Panther
Admin Role Assigned
Assigning an admin role manually could be a sign of privilege escalation
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1078 Valid Accounts |
Rule body

```yaml
AnalysisType: rule
Filename: admin_assigned.py
RuleID: "Standard.AdminRoleAssigned"
DisplayName: "Admin Role Assigned"
Enabled: true
LogTypes:
  - Asana.Audit
  - Atlassian.Audit
  - GCP.AuditLog
  - GitHub.Audit
  - GSuite.ActivityEvent
  - OneLogin.Events
  - Zendesk.Audit
Tags:
  - DataModel
  - Privilege Escalation:Valid Accounts
Severity: Medium
Reports:
  MITRE ATT&CK:
    - TA0004:T1078
Description: Assigning an admin role manually could be a sign of privilege escalation
Runbook: Verify with the user who attached the role or add to an allowlist
Reference: https://medium.com/@gokulelango1040/privilege-escalation-attacks-28a9ef226abb
SummaryAttributes:
  - p_any_ip_addresses
Tests:
  - Name: GCP - Admin Assigned
    ExpectedResult: true
    Log:
      {
        "protoPayload":
          {
            "at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": { "principalEmail": "bob@example.com" },
            "requestMetadata": { "callerIP": "4.4.4.4" },
            "serviceData":
              {
                "@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
                "policyDelta":
                  {
                    "bindingDeltas":
                      [
                        {
                          "action": "ADD",
                          "member": "cat@example.com",
                          "role": "roles/resourcemanager.organizationAdmin",
                        },
                      ],
                  },
              },
          },
        "p_log_type": "GCP.AuditLog",
      }
  - Name: GCP - Multiple Admin Roles Assigned
    ExpectedResult: true
    Log:
      {
        "protoPayload":
          {
            "at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": { "principalEmail": "bob@example.com" },
            "requestMetadata": { "callerIP": "4.4.4.4" },
            "serviceData":
              {
                "@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
                "policyDelta":
                  {
                    "bindingDeltas":
                      [
                        {
                          "action": "ADD",
                          "member": "cat@example.com",
                          "role": "roles/resourcemanager.organizationAdmin",
                        },
                        {
                          "action": "ADD",
                          "member": "dog@example.com",
                          "role": "roles/owner",
                        },
                      ],
                  },
              },
          },
        "p_log_type": "GCP.AuditLog",
      }
  - Name: GSuite - Other Admin Action
    ExpectedResult: false
    Log:
      {
        "actor": { "email": "bobert@example.com" },
        "id": { "applicationName": "admin" },
        "type": "DELEGATED_ADMIN_SETTINGS",
        "name": "RENAME_ROLE",
        "p_log_type": "GSuite.ActivityEvent",
      }
  - Name: GSuite - Privileges Assigned
    ExpectedResult: true
    Log:
      {
        "actor": { "email": "bobert@example.com" },
        "id": { "applicationName": "admin" },
        "type": "DELEGATED_ADMIN_SETTINGS",
        "name": "ASSIGN_ROLE",
        "parameters":
          {
            "ROLE_NAME": "Some Admin Role",
            "USER_EMAIL": "bob@example.com",
          },
        "p_log_type": "GSuite.ActivityEvent",
      }
  - Name: OneLogin - Non permissions assigned event
    ExpectedResult: false
    Log: { "event_type_id": 8, "p_log_type": "OneLogin.Events" }
  - Name: OneLogin - Non super user permissions assigned
    ExpectedResult: false
    Log:
      {
        "event_type_id": 72,
        "privilege_name": "Manage users",
        "p_log_type": "OneLogin.Events",
      }
  - Name: OneLogin - Super user permissions assigned
    ExpectedResult: true
    Log:
      {
        "event_type_id": 72,
        "privilege_name": "Super user",
        "user_name": "Evil Bob",
        "actor_user_name": "Bobert O'Bobly",
        "p_log_type": "OneLogin.Events",
      }
  - Name: Github - User Promoted
    ExpectedResult: true
    Log:
      {
        "actor": "cat",
        "action": "team.promote_maintainer",
        "p_log_type": "GitHub.Audit",
        "user": "bob",
      }
  - Name: Github - Admin Added
    ExpectedResult: true
    Log:
      {
        "actor": "cat",
        "action": "business.add_admin",
        "p_log_type": "GitHub.Audit",
        "user": "bob",
      }
  - Name: Github - Admin Invited
    ExpectedResult: true
    Log:
      {
        "actor": "cat",
        "action": "business.invite_admin",
        "p_log_type": "GitHub.Audit",
        "user": "bob",
      }
  - Name: Github - Unknown Admin Role
    ExpectedResult: false
    Log:
      {
        "actor": "cat",
        "action": "unknown.admin_role",
        "p_log_type": "GitHub.Audit",
        "user": "bob",
      }
  - Name: Zendesk - Admin Role Downgraded
    ExpectedResult: false
    Log:
      {
        "url": "https://myzendek.zendesk.com/api/v2/audit_logs/111222333444.json",
        "id": 123456789123,
        "action_label": "Updated",
        "actor_id": 123,
        "source_id": 123,
        "source_type": "user",
        "source_label": "Bob Cat",
        "action": "update",
        "change_description": "Role changed from Administrator to End User",
        "ip_address": "127.0.0.1",
        "created_at": "2021-05-28T18:39:50Z",
        "p_log_type": "Zendesk.Audit",
      }
  - Name: Zendesk - Admin Role Assigned
    ExpectedResult: true
    Log:
      {
        "url": "https://myzendek.zendesk.com/api/v2/audit_logs/111222333444.json",
        "id": 123456789123,
        "action_label": "Updated",
        "actor_id": 123,
        "source_id": 123,
        "source_type": "user",
        "source_label": "Bob Cat",
        "action": "update",
        "change_description": "Role changed from End User to Administrator",
        "ip_address": "127.0.0.1",
        "created_at": "2021-05-28T18:39:50Z",
        "p_log_type": "Zendesk.Audit",
      }
  - Name: Zendesk - App Admin Role Assigned
    ExpectedResult: true
    Log:
      {
        "url": "https://myzendek.zendesk.com/api/v2/audit_logs/111222333444.json",
        "id": 123456789123,
        "action_label": "Updated",
        "actor_id": 123,
        "source_id": 123,
        "source_type": "user",
        "source_label": "Bob Cat",
        "action": "update",
        "change_description": "Explore role changed from not set to Admin\nGuide role changed from not set to Admin\nSupport role changed from not set to Admin\nTalk role changed from not set to Admin",
        "ip_address": "127.0.0.1",
        "created_at": "2021-05-28T18:39:50Z",
        "p_log_type": "Zendesk.Audit",
      }
  - Name: Asana - Normal Login
    ExpectedResult: false
    Log:
      {
        "actor":
          {
            "actor_type": "user",
            "email": "homer@springfield.com",
            "gid": "2222222",
            "name": "Homer",
          },
        "context": { "client_ip_address": "8.8.8.8", "context_type": "web" },
        "created_at": "2021-10-21T23:38:10.364Z",
        "details": { "method": ["ONE_TIME_KEY"] },
        "event_category": "logins",
        "event_type": "user_login_succeeded",
        "gid": "222222222",
        "resource":
          {
            "email": "homer@springfield.com",
            "gid": "2222222",
            "name": "homer",
            "resource_type": "user",
          },
        "p_log_type": "Asana.Audit",
        "p_parse_time": "2021-06-04 10:02:33.650807",
        "p_event_time": "2021-06-04 09:59:53.650807",
      }
  - Name: Asana - Admin Added
    ExpectedResult: true
    Log:
      {
        "actor": { "actor_type": "user", "name": "Homer" },
        "context": { "client_ip_address": "1.1.1.1", "context_type": "web" },
        "created_at": "2021-10-21T23:38:18.319Z",
        "details":
          {
            "group":
              {
                "gid": "11111",
                "name": "1183399881404774.2lgxga.asanatest1.us",
                "resource_type": "workspace",
              },
            "new_value": "member",
            "old_value": "super_admin",
          },
        "event_category": "roles",
        "event_type": "user_workspace_admin_role_changed",
        "gid": "22222",
        "resource":
          {
            "email": "marge@springfield.com",
            "gid": "222222",
            "name": "Marge Simpson",
            "resource_type": "user",
          },
        "p_log_type": "Asana.Audit",
      }
```
Detection logic
Condition
event_type eq "admin_role_assigned"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| event_type | eq | "admin_role_assigned" |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| ips | p_any_ip_addresses |
| actor | actor_user |
| user | |
| p_log_type | |
| assigned_admin_role | |
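As an added example (not the page's or Panther's own code), the Condition and the Output fields above re-implemented in plain Python and run over the page's own test events. Panther's real `event.udm()` data models are replaced here by simplified per-log-type mappings; those mappings, and the names `_hit`, `udm`, `MAPPINGS`, `TESTS` and `run_tests`, are assumptions introduced for this example and were chosen only to reproduce the ExpectedResult values shown in the Tests block, not to match how Panther's data models are written.

```python
"""Stand-alone model of the "Admin Role Assigned" logic above (added example, not Panther's code).
Panther resolves unified names such as event_type, actor_user, user and assigned_admin_role through
per-log-type data models (event.udm()). The mappings below are NOT those data models: they are
simplified stand-ins (assumption) written to reproduce the page's ExpectedResult values."""
from typing import Any, Callable, Dict, Optional

Event = Dict[str, Any]
GCP_ADMIN_ROLES = {"roles/owner", "roles/resourcemanager.organizationAdmin"}
GITHUB_ADMIN_ACTIONS = {"team.promote_maintainer", "business.add_admin", "business.invite_admin"}

def _hit(actor: Any, user: Any, role: Any) -> Dict[str, Any]:
    return {"event_type": "admin_role_assigned", "actor_user": actor, "user": user, "assigned_admin_role": role}

def _gcp(e: Event) -> Dict[str, Any]:
    p = e.get("protoPayload", {})
    deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    added = [d for d in deltas if d.get("action") == "ADD" and d.get("role") in GCP_ADMIN_ROLES]
    if p.get("methodName") != "SetIamPolicy" or not added:
        return {}
    return _hit(p.get("authenticationInfo", {}).get("principalEmail"),
                ", ".join(d.get("member", "") for d in added), ", ".join(d["role"] for d in added))

def _gsuite(e: Event) -> Dict[str, Any]:
    if e.get("type") != "DELEGATED_ADMIN_SETTINGS" or e.get("name") != "ASSIGN_ROLE":
        return {}
    params = e.get("parameters", {})
    return _hit(e.get("actor", {}).get("email"), params.get("USER_EMAIL"), params.get("ROLE_NAME"))

def _onelogin(e: Event) -> Dict[str, Any]:
    if e.get("event_type_id") != 72 or e.get("privilege_name") != "Super user":
        return {}
    return _hit(e.get("actor_user_name"), e.get("user_name"), e.get("privilege_name"))

def _github(e: Event) -> Dict[str, Any]:
    if e.get("action") not in GITHUB_ADMIN_ACTIONS:
        return {}
    return _hit(e.get("actor"), e.get("user"), e.get("action"))

def _zendesk(e: Event) -> Dict[str, Any]:
    # One "<product> role changed from X to Y" per line; only changes *to* an admin role count,
    # so "Role changed from Administrator to End User" is not a hit
    lines = e.get("change_description", "").split("\n")
    upgrades = [ln for ln in lines if ln.endswith((" to Administrator", " to Admin"))]
    if e.get("action") != "update" or not upgrades:
        return {}
    return _hit(e.get("actor_id"), e.get("source_label"), "; ".join(upgrades))

def _asana(e: Event) -> Dict[str, Any]:
    # Keyed on event_type only, which is what the page's Asana test exercises
    if e.get("event_type") != "user_workspace_admin_role_changed":
        return {}
    return _hit(e.get("actor", {}).get("name"), e.get("resource", {}).get("email"), e.get("details", {}).get("new_value"))

# Atlassian.Audit is in the rule's LogTypes but has no test on the page, so it stays unmapped
MAPPINGS: Dict[str, Callable[[Event], Dict[str, Any]]] = {
    "GCP.AuditLog": _gcp, "GSuite.ActivityEvent": _gsuite, "OneLogin.Events": _onelogin,
    "GitHub.Audit": _github, "Zendesk.Audit": _zendesk, "Asana.Audit": _asana,
}

def udm(e: Event, field: str) -> Optional[Any]:
    # Stand-in for event.udm(): resolve a unified field through the log type's mapping
    mapper = MAPPINGS.get(e.get("p_log_type", ""))
    return mapper(e).get(field) if mapper else None

def rule(e: Event) -> bool:
    # The page's Condition: event_type eq "admin_role_assigned"
    return udm(e, "event_type") == "admin_role_assigned"

def alert_context(e: Event) -> Dict[str, Any]:
    # The page's Output fields: ips from p_any_ip_addresses, the rest through the data model
    return {"ips": e.get("p_any_ip_addresses", []), "actor": udm(e, "actor_user"), "user": udm(e, "user"),
            "p_log_type": e.get("p_log_type"), "assigned_admin_role": udm(e, "assigned_admin_role")}

# (name, expected, event) condensed from the page's Tests block
TESTS = [
    ("GCP - Admin Assigned", True, {"p_log_type": "GCP.AuditLog", "p_any_ip_addresses": ["4.4.4.4"],
        "protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "bob@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "member": "cat@example.com",
        "role": "roles/resourcemanager.organizationAdmin"}]}}}}),
    ("GSuite - Other Admin Action", False, {"p_log_type": "GSuite.ActivityEvent", "type": "DELEGATED_ADMIN_SETTINGS",
        "name": "RENAME_ROLE"}),
    ("GSuite - Privileges Assigned", True, {"p_log_type": "GSuite.ActivityEvent", "type": "DELEGATED_ADMIN_SETTINGS",
        "name": "ASSIGN_ROLE", "actor": {"email": "bobert@example.com"},
        "parameters": {"ROLE_NAME": "Some Admin Role", "USER_EMAIL": "bob@example.com"}}),
    ("OneLogin - Super user permissions assigned", True, {"p_log_type": "OneLogin.Events", "event_type_id": 72,
        "privilege_name": "Super user", "user_name": "Evil Bob", "actor_user_name": "Bobert O'Bobly"}),
    ("Github - Admin Added", True, {"p_log_type": "GitHub.Audit", "actor": "cat", "action": "business.add_admin", "user": "bob"}),
    ("Github - Unknown Admin Role", False, {"p_log_type": "GitHub.Audit", "actor": "cat", "action": "unknown.admin_role", "user": "bob"}),
    ("Zendesk - Admin Role Downgraded", False, {"p_log_type": "Zendesk.Audit", "action": "update", "actor_id": 123,
        "source_label": "Bob Cat", "change_description": "Role changed from Administrator to End User"}),
    ("Zendesk - App Admin Role Assigned", True, {"p_log_type": "Zendesk.Audit", "action": "update", "actor_id": 123,
        "source_label": "Bob Cat", "change_description": "Explore role changed from not set to Admin\nGuide role changed from not set to Admin"}),
    ("Asana - Admin Added", True, {"p_log_type": "Asana.Audit", "event_type": "user_workspace_admin_role_changed",
        "actor": {"actor_type": "user", "name": "Homer"}, "details": {"new_value": "member", "old_value": "super_admin"},
        "resource": {"email": "marge@springfield.com"}}),
]

def run_tests() -> Dict[str, bool]:
    # {test name: passed}, comparing rule() against each test's ExpectedResult
    return {name: rule(event) == expected for name, expected, event in TESTS}
```

`run_tests()` returns one pass/fail entry per condensed test, and `alert_context()` builds the same five fields the Output fields table lists. The point worth noticing is that the rule body itself is a single comparison on a unified field: all of the per-product knowledge (which GCP roles count as admin, which GitHub actions, how a Zendesk change description is worded) lives in the data-model layer, so adding a log type means adding a mapping, not touching the rule.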