Azure RBAC Owner Assignment
A principal holding Microsoft.Authorization/roleAssignments/write on a scope can grant itself Owner at that scope, whether subscription, resource group (RG) or individual resource.
§ Where this technique fits
C-AZ-RBAC-OWNER is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 4.7 on average.
§ Dossiers chaining this technique
- step 4 / 5: Compromised VM → Managed Identity → Subscription Owner
  A VM with an over-privileged system-assigned managed identity is compromised; query IMDS for an Azure AD token, then assign yourself Owner on the subscription.
- step 5 / 7: Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)
  Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin and get their MFA reset. Sign in, plant an attacker-controlled MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.
- step 5 / 6: Entra app consent phishing → Global Admin equivalent
  Phish a privileged user to consent to an OAuth app requesting Directory.ReadWrite.All + RoleManagement.ReadWrite.Directory — the app then grants itself Global Administrator.
§ What commonly comes next
- 01 Azure VM RunCommand (seen 1×) · C-AZ-RUNCOMMAND-VM · Lateral Movement
- 02 Entra Application Persistence (seen 1×) · C-AZ-APP-PERSIST · Persistence
- 03 Valid Accounts (seen 1×) · T1078 · Initial Access