Detections
- Home
- - Detections
- -DT117
- ID: DT117
- Created: 29th April 2025
- Updated: 29th April 2025
- Platform: Microsoft Azure
- Contributor: The ITM Team
Azure Unauthorized System or Service Modification
Monitor Azure Activity Logs and Azure Resource Graph for detection of unauthorized creation, modification, or deletion of resources in Azure subscriptions. Unapproved deployments may signal insider staging, misuse of compute, or persistence attempts.
Where to Configure/Access
- Azure Activity Logs (via Azure Portal): https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/activitylog
- Azure Resource Graph Explorer: https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.ResourceGraph/queries
Detection Methods
Monitor for critical resource operation event types:
Microsoft.Compute/virtualMachines/write
(VM creation)Microsoft.Storage/storageAccounts/write
(Storage)Microsoft.KeyVault/vaults/write
(Key Vaults)Microsoft.Authorization/roleAssignments/write
(Role Assignments)
Deploy Azure Monitor or Sentinel queries for operational drift and unauthorized resource creation.
Indicators
VMs or services deployed outside managed resource groups.
Use of non-standard SKU types (e.g., GPU-enabled VMs).
Resources missing mandatory tags such as cost center or compliance level.
Sections
ID | Name | Description |
---|---|---|
ME028 | Delegated Access via Managed Service Providers | An organization entrusts a Managed Service Provider (MSP) with administrative or operational access to its digital environment - typically for IT support, system maintenance, or development functions. This access is often persistent, privileged, and spans sensitive infrastructure or data environments.
The means is established when MSP personnel, including potential subjects, are permitted to authenticate into the client’s environment from systems or networks entirely outside the client's visibility or jurisdiction. These MSP endpoints may be unmanaged, unmonitored, or physically located in regions where customer organization's policies, incident response authority, or legal recourse do not apply.
This creates an unobservable access channel: the subject operates from infrastructure beyond the reach of the customer organization's logging, endpoint detection, or identity correlation. The organization is therefore unable to monitor or verify who accessed what, when, or from where—rendering all downstream actions unauditable by the customer organization's internal security teams, unless mirrored within the client-controlled environment.
The exposure can be compounded by the MSP’s internal controls (or lack thereof). Weak credential custody practices, shared administrative accounts, inadequate background checks, or poor workforce segmentation create conditions where privileged misuse or unauthorized access can occur without attribution or immediate detection. The subject does not require escalation—they begin with sanctioned access and operate under delegated trust, often without the constraints applied to internal staff.
This structural dependency - privileged access held externally, without enforceable oversight - creates the necessary conditions for an insider infringement to occur with low risk of interruption or accountability. |
IF009.006 | Installing Crypto Mining Software | The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks.
Characteristics
Example ScenarioA subject installs a customized |