New Owner Added to Azure Subscription [RULE-1162]

This rule detects when a user is added as an Owner on an Azure subscription. Owner is the highest-privilege built-in Azure RBAC role at subscription scope: it grants full control over every resource in the subscription and, unlike Contributor, the right to grant and revoke access for other principals (role assignment writes under Microsoft.Authorization).

Rationale

The Azure subscription Owner role is one of the most powerful roles in an Azure environment. A principal with this role can manage every resource in the subscription, assign and revoke roles for other users, groups and service principals, create and delete resources, and change security settings such as network rules, diagnostic settings and policy assignments. This makes the Owner role an attractive target for attackers.

When an attacker controls an account that is already allowed to write role assignments (for example an existing Owner or User Access Administrator), they can assign the Owner role to themselves or to another compromised account or service principal. This is privilege escalation and persistence through account manipulation (MITRE ATT&CK T1098 - Account Manipulation, sub-technique T1098.003 - Additional Cloud Roles). With these elevated privileges the attacker can take over everything in the subscription, exfiltrate data, create resources for cryptomining, or plant backdoors such as additional role assignments for future access.

It is therefore crucial to monitor and validate every new Owner assignment. Legitimate Owner assignments are rare and should always go through a controlled process, for example a change ticket or just-in-time elevation. For each alert, verify who made the assignment (the caller), which principal received it (user, group or service principal) and at which scope, and whether a matching change record exists. An unexpected assignment may indicate a security incident and requires immediate action.
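The following is an added example of the detection logic described above, written here for illustration and not the rule's own implementation. It scans Azure Activity Log entries for successful role-assignment writes whose role definition is the built-in Owner role (definition ID 8e3af657-a8ff-443c-a75c-2fe8c4bcb635, identical in every tenant) at subscription scope. It goes slightly beyond the rule text by also flagging Owner assignments at management group scope, because those are inherited by every subscription beneath the group. The event shape approximates the Activity Log JSON export; the sample events, GUIDs and caller names are constructed.

```python
"""Flag successful Azure RBAC writes that grant Owner at subscription or
management group scope. Added example, not the rule's production logic.
The event layout approximates an Azure Activity Log export; SAMPLE_EVENTS
below are constructed with made-up GUIDs."""
import json
import re

# Built-in Owner role definition ID; the same GUID in every Azure tenant.
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
ROLE_ASSIGNMENT_WRITE = "microsoft.authorization/roleassignments/write"

SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]{36}$", re.I)
MGMT_GROUP_SCOPE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)


def _value(field):
    """Activity Log exports carry some fields as {"value": ..., "localizedValue": ...};
    the Log Analytics AzureActivity table flattens them to strings. Accept both."""
    return field.get("value", "") if isinstance(field, dict) else (field or "")


def classify_scope(scope):
    """Return 'subscription', 'managementGroup' or None. Narrower scopes (a resource
    group or a single resource) are not subscription Owner and are left to other rules."""
    if SUBSCRIPTION_SCOPE.match(scope):
        return "subscription"
    if MGMT_GROUP_SCOPE.match(scope):
        return "managementGroup"
    return None


def owner_assignments(events):
    """Return one finding per event that actually granted Owner at a broad scope."""
    findings = []
    for ev in events:
        if _value(ev.get("operationName")).lower() != ROLE_ASSIGNMENT_WRITE:
            continue
        # Only a successful write grants anything; failed attempts deserve their own,
        # lower-severity rule rather than this one.
        if _value(ev.get("status")).lower() != "succeeded":
            continue
        body_raw = ev.get("properties", {}).get("requestbody")
        if not body_raw:
            continue
        try:
            props = json.loads(body_raw).get("Properties", {})
        except json.JSONDecodeError:
            continue
        # RoleDefinitionId is a full resource path; the GUID is its last segment.
        role_def = props.get("RoleDefinitionId", "")
        if role_def.rsplit("/", 1)[-1].lower() != OWNER_ROLE_ID:
            continue
        scope = props.get("Scope", "")
        scope_kind = classify_scope(scope)
        if scope_kind is None:
            continue
        findings.append({
            "time": ev.get("eventTimestamp"),
            "caller": ev.get("caller"),
            "principalId": props.get("PrincipalId"),
            "principalType": props.get("PrincipalType"),
            "scope": scope,
            "scopeKind": scope_kind,
        })
    return findings


def _event(op, status, role_id, scope, principal_type="User"):
    """Build a constructed Activity Log entry in the shape used above."""
    body = {"Properties": {
        "PrincipalId": "11111111-2222-3333-4444-555555555555",
        "PrincipalType": principal_type,
        "RoleDefinitionId": f"/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
        "Scope": scope}}
    return {"operationName": {"value": op}, "status": {"value": status},
            "caller": "admin@contoso.example", "eventTimestamp": "2024-05-01T10:00:00Z",
            "properties": {"requestbody": json.dumps(body)}}


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
SAMPLE_EVENTS = [  # constructed
    _event("Microsoft.Authorization/roleAssignments/write", "Succeeded", OWNER_ROLE_ID, SUB),
    _event("Microsoft.Authorization/roleAssignments/write", "Succeeded", CONTRIBUTOR_ROLE_ID, SUB),
    _event("Microsoft.Authorization/roleAssignments/write", "Succeeded", OWNER_ROLE_ID,
           SUB + "/resourceGroups/rg-app"),
    _event("Microsoft.Authorization/roleAssignments/write", "Failed", OWNER_ROLE_ID, SUB),
    _event("Microsoft.Authorization/roleAssignments/write", "Succeeded", OWNER_ROLE_ID,
           "/providers/Microsoft.Management/managementGroups/mg-prod", "ServicePrincipal"),
    _event("Microsoft.Compute/virtualMachines/write", "Succeeded", OWNER_ROLE_ID, SUB),
]

if __name__ == "__main__":
    for finding in owner_assignments(SAMPLE_EVENTS):
        print(finding)
```

Of the six constructed events only two produce findings: the Owner grant at subscription scope and the Owner grant to a service principal at management group scope. The Contributor grant, the resource-group-scoped Owner grant, the failed attempt and the unrelated VM write are all skipped, which is the false-positive filtering a production version of this rule needs before the caller and principal are handed to an analyst.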

More information