Skip to content
TheCloud.Events

Update Role Definition

CSP: Azure
Tactics:
Privilege Escalation Persistence
Techniques:
T1098
Tags:
Azure Authorization

Event

Modifies an existing custom Azure RBAC role definition, updating its allowed or denied actions.

Security Context

  • Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.

Log Source

Azure Activity Log

Sample Event

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.