
AZT508 - Azure Policy

By configuring a policy that uses the 'DeployIfNotExists' effect, an adversary may establish persistence: when the policy is triggered, the deployment it carries creates a backdoor.

Resource

Azure Policy

Actions

  • Microsoft.Authorization/policies/deployIfNotExists/action

  • Microsoft.Authorization/policyAssignments/write

Examples

portal

Detections

Logs

| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Resource | 'deployIfNotExists' Policy Action | Microsoft.Authorization/policies/deployIfNotExists/action | Activity Log |
| Resource | N/A | Microsoft.Authorization/policyAssignments/write | Activity Log |

Queries

```kql
AzureActivity
| where OperationNameValue == "Microsoft.Authorization/policies/deployIfNotExists/action" or OperationNameValue == "Microsoft.Authorization/policyAssignments/write"
```
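The same filter applied offline to exported Activity Log records, as an added example that is not part of the AzTRM page: it matches the two AZT508 operations from the Logs table and counts policy assignment writes per caller for triage. The records are constructed; column names follow the AzureActivity table, all values are made up.

```python
import json

# The two operations the Logs table above associates with AZT508.
WATCHED_OPERATIONS = {
    "Microsoft.Authorization/policies/deployIfNotExists/action",
    "Microsoft.Authorization/policyAssignments/write",
}

# Constructed sample records, shaped like AzureActivity rows exported as
# newline-delimited JSON. Column names are real AzureActivity columns;
# every value (callers, subscription id, resource names) is made up.
SAMPLE_ACTIVITY_LOG = """
{"TimeGenerated": "2024-03-01T09:00:00Z", "OperationNameValue": "Microsoft.Compute/virtualMachines/start/action", "Caller": "alice@example.com", "ResourceId": "/subscriptions/SUB-ID/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1", "ActivityStatusValue": "Success"}
{"TimeGenerated": "2024-03-01T09:05:00Z", "OperationNameValue": "Microsoft.Authorization/policyAssignments/write", "Caller": "bob@example.com", "ResourceId": "/subscriptions/SUB-ID/providers/Microsoft.Authorization/policyAssignments/audit-tags", "ActivityStatusValue": "Success"}
{"TimeGenerated": "2024-03-01T09:20:00Z", "OperationNameValue": "Microsoft.Authorization/policies/deployIfNotExists/action", "Caller": "00000000-0000-0000-0000-000000000000", "ResourceId": "/subscriptions/SUB-ID/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1", "ActivityStatusValue": "Started"}
{"TimeGenerated": "2024-03-01T09:30:00Z", "OperationNameValue": "Microsoft.Authorization/policyAssignments/delete", "Caller": "bob@example.com", "ResourceId": "/subscriptions/SUB-ID/providers/Microsoft.Authorization/policyAssignments/old-rule", "ActivityStatusValue": "Success"}
"""


def parse_activity_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_policy_persistence_events(records):
    """Return a slim view of every record whose operation is watched.

    Mirrors the KQL in the Queries section: an exact match of
    OperationNameValue against the two AZT508 operations.
    """
    hits = []
    for rec in records:
        if rec.get("OperationNameValue") in WATCHED_OPERATIONS:
            hits.append({
                "time": rec.get("TimeGenerated"),
                "operation": rec["OperationNameValue"],
                "caller": rec.get("Caller"),
                "resource": rec.get("ResourceId"),
                "status": rec.get("ActivityStatusValue"),
            })
    return hits


def assignments_by_caller(hits):
    """Count policyAssignments/write hits per caller: who created or changed
    an assignment before a deployIfNotExists action fired."""
    counts = {}
    for h in hits:
        if h["operation"] == "Microsoft.Authorization/policyAssignments/write":
            counts[h["caller"]] = counts.get(h["caller"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_policy_persistence_events(parse_activity_log(SAMPLE_ACTIVITY_LOG))
    for h in found:
        print(h["time"], h["operation"], h["caller"], h["resource"])
    print(assignments_by_caller(found))
```

The deployIfNotExists action is logged under the identity of the policy assignment rather than the user who created it, so the assignment write is the record that names the human or service principal to investigate.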