AZT507.1 - External Entity Access: Azure Lighthouse

Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant

Resource

AzureAD

Actions

• Microsoft.ManagedServices/registrationAssignments/Write

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

New-AzSubscriptionDeployment

az deployment sub create

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{networkSecurityGroupName}/securityRules/{securityRuleName}?api-version=2021-08-01

Detections

Detection Details

• The Az PowerShell cmdlets Get-AzManagedServicesDefinition and Get-AzManagedServicesAssignment, or az cli cmdlets az managedservices definition list and az managedservices assignment list can be used to list the onboarded customers to the tenant.

Additional Resources

https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer