Detect Additional Cloud Roles in IBM QRadar
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings, including the ability to reset the passwords of other admins. This account modification may immediately follow account creation or other malicious account activity. Adversaries may also modify existing valid accounts that they have compromised, potentially leading to privilege escalation and lateral movement to additional accounts. In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant, allowing external accounts to perform actions inside the victim tenant. Threat groups such as Scattered Spider, LAPSUS$, and Storm-0501 have used this technique to gain persistent administrative access to cloud environments.
MITRE ATT&CK
- Tactic
- Persistence, Privilege Escalation
- Technique
- T1098 Account Manipulation
- Sub-technique
- T1098.003 Additional Cloud Roles
- Canonical reference
- https://attack.mitre.org/techniques/T1098/003/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
LOGSOURCENAME(logsourceid) AS "Log Source",
LOGSOURCETYPENAME(devicetype) AS "Log Source Type",
username AS "Initiated By",
QIDNAME(qid) AS "Event Name",
sourceip AS "Source IP",
magnitude
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN (
'Microsoft Azure Active Directory',
'Microsoft Office 365',
'Microsoft Azure'
)
AND (
LOWER(QIDNAME(qid)) LIKE '%add member to role%'
OR LOWER(QIDNAME(qid)) LIKE '%role assignment%'
OR LOWER(QIDNAME(qid)) LIKE '%elevate access%'
OR LOWER(QIDNAME(qid)) LIKE '%assign directory role%'
OR LOWER(UTF8(payload)) LIKE '%roleassignments/write%'
OR LOWER(UTF8(payload)) LIKE '%elevateaccess/action%'
OR LOWER(UTF8(payload)) LIKE '%roledefinitions/write%'
)
AND devicetime > NOW() - 86400000
ORDER BY magnitude DESC, devicetime DESC

IBM QRadar AQL query detecting cloud role assignment events across Microsoft Azure Active Directory, Office 365, and Azure Activity log sources. It searches both the normalized QIDNAME event classifications and the raw UTF-8 payload for role assignment operations. Requires the Azure AD, O365, and Azure DSMs to be installed and configured with appropriate log source identifiers.
False Positives & Tuning
- Legitimate IT admin role assignments performed through approved IAM ticketing systems such as ServiceNow or Jira
- Automated Azure AD Governance access review campaigns that re-assign certified roles in bulk after review completion
- Service principal provisioning during enterprise application onboarding that generates roleAssignments/write events in Activity logs
- Break-glass emergency access account role grants during production incident response under change management approval
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Assign Global Administrator Role to User via Azure AD PowerShell
Expected signal: Azure AD AuditLogs: OperationName 'Add member to role' with TargetResources containing the target UPN and RoleName 'Global Administrator'. InitiatedBy will show the executing account's UPN and IP address. Event appears in AuditLogs within 5-15 minutes. Unified Audit Log: RecordType 8, Operation 'Add member to role.' with similar details.
- Test 2: Assign Azure Subscription Owner Role via Az PowerShell (RBAC Escalation)
Expected signal: AzureActivity log: OperationNameValue 'Microsoft.Authorization/roleAssignments/write' with ActivityStatusValue 'Success', Caller set to the executing account, ResourceId containing the subscription scope and roleAssignment GUID. Event appears in AzureActivity within 2-5 minutes.
- Test 3: Use elevateAccess API to Gain User Access Administrator at Root Scope
Expected signal: AzureActivity log: OperationNameValue 'Microsoft.Authorization/elevateAccess/action' with ActivityStatusValue 'Success', Caller set to the Global Admin account. A second event 'Microsoft.Authorization/roleAssignments/write' at scope '/' will also appear as the role is auto-assigned.
- Test 4: Add External Guest Account to Privileged Role via Microsoft Graph API
Expected signal: Azure AD AuditLogs: OperationName 'Add member to role' with TargetResources showing the guest account UPN (ending in #EXT# or external domain) and RoleName 'Security Administrator'. InitiatedBy shows the account that executed the Graph API call with its IP address. Graph API calls appear as 'Microsoft Graph' in the InitiatedBy.app field when authenticated via service principal.
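To make the query's matching and tuning logic concrete outside QRadar, here is an added Python example (not part of the original page or of any IBM tooling) that applies the same event-name and payload patterns to constructed events shaped like the expected signals above, suppresses matches from a hypothetical break-glass allow-list as suggested in the False Positives section, and orders the rest by magnitude.

```python
import re

# Patterns mirrored from the AQL WHERE clause: QIDNAME(qid) LIKE ... and
# UTF8(payload) LIKE ..., both compared case-insensitively.
NAME_RE = re.compile(
    r"add member to role|role assignment|elevate access|assign directory role")
PAYLOAD_RE = re.compile(
    r"roleassignments/write|elevateaccess/action|roledefinitions/write")
IN_SCOPE = {"Microsoft Azure Active Directory", "Microsoft Office 365",
            "Microsoft Azure"}
# Tuning allow-list (hypothetical account name): break-glass grants made
# under change-management approval are suppressed, everything else alerts.
BREAK_GLASS = {"breakglass-admin@example.com"}

def matches(ev):
    """True when a normalized event satisfies the query's WHERE conditions."""
    if ev["log_source_type"] not in IN_SCOPE:
        return False
    return bool(NAME_RE.search(ev["event_name"].lower())
                or PAYLOAD_RE.search(ev["payload"].lower()))

def triage(events):
    """Return (alerts sorted by magnitude DESC, events suppressed by tuning)."""
    alerts, suppressed = [], []
    for ev in filter(matches, events):
        (suppressed if ev["username"] in BREAK_GLASS else alerts).append(ev)
    alerts.sort(key=lambda e: e["magnitude"], reverse=True)
    return alerts, suppressed

# Constructed sample events shaped like the Testing Methodology signals; not
# real telemetry. Event names on the Azure Activity rows are placeholders.
SAMPLE_EVENTS = [
    {"log_source_type": "Microsoft Azure Active Directory", "magnitude": 6,
     "username": "attacker@example.com", "event_name": "Add member to role",
     "payload": '{"targetResources":[{"userPrincipalName":"guest_ext.com#EXT#@tenant.example.com"}],"roleName":"Security Administrator"}'},
    {"log_source_type": "Microsoft Azure", "magnitude": 9,
     "username": "attacker@example.com", "event_name": "Azure Activity Event",
     "payload": '{"operationName":"Microsoft.Authorization/elevateAccess/action","status":"Success"}'},
    {"log_source_type": "Microsoft Azure", "magnitude": 5,
     "username": "breakglass-admin@example.com", "event_name": "Azure Activity Event",
     "payload": '{"operationName":"Microsoft.Authorization/roleAssignments/write","status":"Success"}'},
    {"log_source_type": "Microsoft Azure Active Directory", "magnitude": 2,
     "username": "alice@example.com", "event_name": "Update user", "payload": '{}'},
    {"log_source_type": "Linux OS", "magnitude": 4,
     "username": "root", "event_name": "Add member to role", "payload": ""},
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for ev in alerts:
        print(f"ALERT mag={ev['magnitude']} {ev['username']}: {ev['event_name']}")
    print(f"{len(suppressed)} event(s) suppressed by break-glass allow-list")
```

The last two samples show the two ways an event is filtered out: an in-scope source with no matching name or payload, and a matching name from an out-of-scope log source type.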
References (14)
- https://attack.mitre.org/techniques/T1098/003/
- https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
- https://cloud.google.com/iam/docs/policies
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.microsoft.com/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- https://learn.microsoft.com/en-us/azure/active-directory/roles/security-planning
- https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
- https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance