Triggers
- An account has been created with administrative privileges (TenantAdmins, PrivilegedRoleAdmins, ApplicationAdministrators) that provide broad access to the environment.
Possible Root Causes
- An attacker who has already gained administrative rights has added further administrative accounts as a backup access method, in case their existing access is disabled or otherwise removed at a future date.
- Existing legitimate administrators may add further administrative users unintentionally or as a result of social engineering.
- A new, legitimate, administrative account was added.
Business Impact
- Unauthorized administrative users have complete control within the environment, creating significant ongoing risk to a broad range of resources.
- Attackers with access to the identified administrative rights will be able to operate unfettered within the environment.
- Attackers using multiple administrative accounts are more resilient to incident response and can silo their operations, so that detection of one compromised admin account does not affect the access and actions undertaken from the other compromised admin accounts.
Steps to Verify
- Validate that the administrative account was created according to organizational change control policies and that the access granted is appropriate and necessary.
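As an added example, not part of the original playbook: a Python triage helper that applies the verification step above to constructed audit records and a constructed list of approved change tickets, and also flags the pattern from Possible Root Causes where one actor grants admin roles to several accounts in quick succession. The record fields, ticket ids and time window are assumptions, not a real product schema.

```python
"""Triage helper for a "new administrative account" alert.
Input: constructed audit records (simplified shape, not a real log schema) and the
change tickets that authorised admin grants. Output: privileged-role grants with no
approved change record, and actors who granted admin roles to several accounts quickly."""
from datetime import datetime, timedelta

# Roles the trigger treats as broadly privileged.
PRIVILEGED_ROLES = {"TenantAdmins", "PrivilegedRoleAdmins", "ApplicationAdministrators"}

# Constructed sample audit records (not real log data).
SAMPLE_AUDIT = [
    {"time": "2024-05-01T09:00:00Z", "activity": "Add member to role", "actor": "it-ops@example.com",
     "target": "svc-backup@example.com", "role": "ApplicationAdministrators"},
    {"time": "2024-05-01T09:03:00Z", "activity": "Add member to role", "actor": "it-ops@example.com",
     "target": "admin2@example.com", "role": "TenantAdmins"},
    {"time": "2024-05-01T09:04:00Z", "activity": "Add member to role", "actor": "it-ops@example.com",
     "target": "admin3@example.com", "role": "PrivilegedRoleAdmins"},
    {"time": "2024-05-01T10:00:00Z", "activity": "Add member to role", "actor": "it-ops@example.com",
     "target": "jdoe@example.com", "role": "HelpdeskAdmins"},  # not a privileged role here
]

# Constructed change tickets: (target, role) -> ticket id. Only the first grant is approved.
APPROVED_CHANGES = {("svc-backup@example.com", "ApplicationAdministrators"): "CHG-1042"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def privileged_grants(records):
    """Role additions whose role is in PRIVILEGED_ROLES, oldest first."""
    grants = [r for r in records
              if r["activity"] == "Add member to role" and r["role"] in PRIVILEGED_ROLES]
    return sorted(grants, key=lambda r: _ts(r["time"]))

def unapproved_grants(records, approved):
    """Privileged grants with no matching change ticket: the verification step above."""
    return [g for g in privileged_grants(records) if (g["target"], g["role"]) not in approved]

def burst_grants(records, window=timedelta(minutes=10), threshold=3):
    """Actors who granted privileged roles to >= threshold distinct accounts inside one window
    (the backup-admin pattern). Returns {actor: set of targets}."""
    grants, flagged = privileged_grants(records), {}
    for i, g in enumerate(grants):
        start = _ts(g["time"])
        targets = {h["target"] for h in grants[i:]
                   if h["actor"] == g["actor"] and _ts(h["time"]) - start <= window}
        if len(targets) >= threshold:
            flagged[g["actor"]] = max(flagged.get(g["actor"], set()), targets, key=len)
    return flagged
```

Run `unapproved_grants(SAMPLE_AUDIT, APPROVED_CHANGES)` and `burst_grants(SAMPLE_AUDIT)` against the sample: two grants lack a ticket, and the single actor is flagged for three admin grants within ten minutes.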