AZT508 - Azure Policy
By configuring a policy with the 'DeployIfNotExists' definition, an adversary may establish persistence by creating a backdoor when the policy is triggered.
Resource
Azure Policy
Actions
- Microsoft.Authorization/policies/deployIfNotExists/action
- Microsoft.Authorization/policyAssignments/write
Examples
Detections
Logs
Data Source | Operation Name | Action | Log Provider
---|---|---|---
Resource | 'deployIfNotExists' Policy Action | Microsoft.Authorization/policies/deployIfNotExists/action | AzureActivity
Resource | N/A | Microsoft.Authorization/policyAssignments/write | AzureActivity
Queries
Platform | Query
---|---
Log Analytics | `AzureActivity \| where OperationNameValue=='MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/WRITE'`
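An added detection example (not from the AzTRM page or from Microsoft): it applies the operations in the Logs table above to constructed AzureActivity-style records and escalates a caller who writes a DeployIfNotExists definition and then assigns a policy within 24 hours. Column names follow the AzureActivity table; the assumption that a definition's request body is carried under Properties.requestbody is mine.

```python
"""Flag AzureActivity records tied to DeployIfNotExists policy persistence."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

DEFINITION_WRITE = "MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/WRITE"
ASSIGNMENT_WRITE = "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE"
DINE_ACTION = "MICROSOFT.AUTHORIZATION/POLICIES/DEPLOYIFNOTEXISTS/ACTION"


def definition_effect(record):
    """Effect declared in a policy definition write (assumes the request body
    is carried in Properties.requestbody, as AzureActivity does for writes)."""
    props = json.loads(record.get("Properties") or "{}")
    try:
        rule = json.loads(props.get("requestbody") or "{}")
        rule = rule.get("properties", {}).get("policyRule", {})
    except json.JSONDecodeError:
        return None
    return str(rule.get("then", {}).get("effect", "")).lower() or None


def detect(records, window=timedelta(hours=24)):
    """Return (severity, caller, reason, resource) tuples. A caller who writes a
    DeployIfNotExists definition and then an assignment within `window` is 'high'."""
    findings, dine_writes = [], defaultdict(list)  # caller -> definition write times
    for r in sorted(records, key=lambda x: x["TimeGenerated"]):
        op, who, ts = r["OperationNameValue"].upper(), r["Caller"], r["TimeGenerated"]
        if op == DEFINITION_WRITE and definition_effect(r) == "deployifnotexists":
            dine_writes[who].append(ts)
            findings.append(("medium", who, "DeployIfNotExists definition written", r["ResourceId"]))
        elif op == ASSIGNMENT_WRITE:
            linked = any(ts - t <= window for t in dine_writes[who])
            findings.append(("high" if linked else "medium", who, "policy assignment written", r["ResourceId"]))
        elif op == DINE_ACTION:
            findings.append(("medium", who, "deployIfNotExists remediation triggered", r["ResourceId"]))
    return findings


SAMPLE = [  # constructed records using AzureActivity column names
    {"TimeGenerated": datetime(2024, 1, 1, 10, 0), "Caller": "user@example.com",
     "OperationNameValue": DEFINITION_WRITE, "ResourceId": "/subscriptions/<sub>/providers/Microsoft.Authorization/policyDefinitions/ensure-agent",
     "Properties": json.dumps({"requestbody": json.dumps({"properties": {"policyRule": {
         "if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
         "then": {"effect": "DeployIfNotExists", "details": {}}}}})})},
    {"TimeGenerated": datetime(2024, 1, 1, 10, 5), "Caller": "user@example.com",
     "OperationNameValue": ASSIGNMENT_WRITE, "Properties": "{}",
     "ResourceId": "/subscriptions/<sub>/providers/Microsoft.Authorization/policyAssignments/ensure-agent"},
    {"TimeGenerated": datetime(2024, 1, 1, 10, 30), "Caller": "Azure Policy",
     "OperationNameValue": DINE_ACTION, "Properties": "{}", "ResourceId": "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1"},
]
```

Running `detect(SAMPLE)` yields three findings, with the assignment write escalated to 'high' because the same caller wrote a DeployIfNotExists definition five minutes earlier.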