
AZT508 - Azure Policy

By configuring a policy with the 'DeployIfNotExists' definition, an adversary may establish persistence by creating a backdoor when the policy is triggered.

Resource

Azure Policy

Actions

  • Microsoft.Authorization/policies/deployIfNotExists/action

  • Microsoft.Authorization/policyAssignments/write

Examples

portal

Detections

Logs

| Data Source | Operation Name | Action | Log Provider |
|---|---|---|---|
| Resource | 'deployIfNotExists' Policy Action | Microsoft.Authorization/policies/deployIfNotExists/action | AzureActivity |
| Resource | N/A | Microsoft.Authorization/policyAssignments/write | AzureActivity |

Queries

| Platform | Query |
|---|---|
| Log Analytics | `AzureActivity \| where OperationNameValue=='MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/WRITE'` |
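The query above matches policy definition writes only, while the Logs table lists the assignment write and the deployIfNotExists action as the operations that produce activity. The following Log Analytics (KQL) query is an added example, not taken from the AZT508 page, that covers all three operations and summarises who performed them; it assumes the Azure Activity log is forwarded to a Log Analytics workspace (the AzureActivity table), and the 14-day window and status filter are this example's choices.

```kql
// Added example, not part of the AZT508 page. Operations taken from the
// Logs and Queries tables above; the time window and status filter are
// assumptions of this example.
let policyOps = dynamic([
    "MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/WRITE",
    "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE",
    "MICROSOFT.AUTHORIZATION/POLICIES/DEPLOYIFNOTEXISTS/ACTION"
]);
AzureActivity
| where TimeGenerated > ago(14d)
// OperationNameValue is upper-cased in AzureActivity; in~ is case-insensitive
| where OperationNameValue in~ (policyOps)
// keep only operations that completed, not the "Start" records
| where ActivityStatusValue in~ ("Success", "Succeeded")
| project TimeGenerated, OperationNameValue, Caller, CallerIpAddress,
          SubscriptionId, ResourceGroup, _ResourceId
// one row per principal and operation, with first/last seen and a count,
// so a newly appearing caller writing assignments stands out
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(CallerIpAddress, 10),
            Resources = make_set(_ResourceId, 20)
          by Caller, OperationNameValue, SubscriptionId
| order by LastSeen desc
```

Remove the final `summarize` to see the individual events with their resource IDs when triaging a hit.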

Azure Monitor Alert

Deploy to Azure