Shadow Admins
A shadow admin is an identity that possesses permissions capable of escalating privileges to administrative level, without being explicitly designated as an administrator. These accounts pose significant security risks because they can gain full administrative control while flying under the radar of traditional admin monitoring.
Amazon Web Services (AWS)
Detection Logic
The AWS shadow admin detection queries entitlements for IAM-related services (iam, lambda, ec2, datapipeline, sts, cloudformation). The code identifies two categories of dangerous permissions:
- Simple privileges: individual permissions that alone grant privilege escalation capabilities
- Combined privileges: sets of permissions that enable privilege escalation only when held together
Privileges Table
| Permission | Risk Explanation |
|---|---|
| iam:CreateLoginProfile | Allows creating a password for any IAM user, enabling the attacker to log in as that user via the AWS console |
| iam:UpdateLoginProfile | Allows resetting any IAM user's password, enabling account takeover |
| iam:AttachUserPolicy | Can attach any existing managed policy (including AdministratorAccess) to any user |
| iam:AttachGroupPolicy | Can attach any managed policy to any group, escalating privileges for all group members |
| iam:AttachRolePolicy | Can attach any managed policy to any role, then assume that role for escalated access |
| iam:PutUserPolicy | Can create or modify inline policies on users with arbitrary permissions |
| iam:PutGroupPolicy | Can create or modify inline policies on groups, affecting all members |
| iam:PutRolePolicy | Can create or modify inline policies on roles with any permissions |
| iam:CreatePolicy | Can create new managed policies with arbitrary permissions to attach elsewhere |
| iam:AddUserToGroup | Can add any user to privileged groups (e.g., Admins), inheriting all group permissions |
| iam:UpdateAssumeRolePolicy | Can modify role trust policies to allow any principal to assume privileged roles |
| iam:CreatePolicyVersion | Can create new versions of managed policies with escalated permissions |
| iam:SetDefaultPolicyVersion | Can activate older/different policy versions that may have more permissive rules |
| lambda:UpdateFunctionCode | Can inject malicious code into Lambda functions that execute with the function's IAM role permissions |
Combined Privileges Table
| Permission Combination | Risk Explanation |
|---|---|
| iam:PassRole + iam:CreateInstanceProfile | Create an instance profile with a privileged role, then attach it to EC2 instances to access that role's permissions |
| iam:PassRole + iam:AddRoleToInstanceProfile | Add a privileged role to an existing instance profile, allowing EC2 instances to assume elevated permissions |
| iam:PassRole + ec2:RunInstances | Launch EC2 instances with privileged IAM roles attached, then access instance metadata to obtain role credentials |
| iam:PassRole + datapipeline:CreatePipeline + datapipeline:PutPipelineDefinition | Create data pipelines that execute with privileged roles, running arbitrary code with elevated permissions |
| iam:UpdateAssumeRolePolicy + sts:AssumeRole | Modify a privileged role's trust policy to allow self-assumption, then assume that role |
| iam:PassRole + lambda:CreateFunction + lambda:CreateEventSourceMapping | Create Lambda functions with privileged execution roles and trigger mechanisms to run malicious code |
| iam:PassRole + cloudformation:CreateStack | Create CloudFormation stacks that provision resources with privileged roles, enabling infrastructure-level privilege escalation |
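The following Python is an added example, not the product's own detection code, showing how the two tables above can be turned into a policy check: it evaluates IAM policy documents (Allow/Deny, Action/NotAction, `*` and `?` wildcards, case-insensitive action names) against the simple and combined privilege lists and reports which escalation paths a principal holds. The three policy documents are constructed samples, and the evaluation deliberately ignores Resource and Condition, so it over-approximates what is granted.

```python
import fnmatch
import json

# Single permissions that on their own allow privilege escalation (from the table above).
SIMPLE_PRIVILEGES = {
    "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "lambda:UpdateFunctionCode",
}

# Permission sets that escalate only when held together (from the combined table above).
COMBINED_PRIVILEGES = [
    {"iam:PassRole", "iam:CreateInstanceProfile"},
    {"iam:PassRole", "iam:AddRoleToInstanceProfile"},
    {"iam:PassRole", "ec2:RunInstances"},
    {"iam:PassRole", "datapipeline:CreatePipeline", "datapipeline:PutPipelineDefinition"},
    {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
    {"iam:PassRole", "lambda:CreateFunction", "lambda:CreateEventSourceMapping"},
    {"iam:PassRole", "cloudformation:CreateStack"},
]


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and may contain * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_actions(policy_docs, candidates):
    """Return the subset of `candidates` allowed by the given policy documents.

    Only Effect, Action and NotAction are evaluated; Resource and Condition are
    ignored, which over-approximates what is granted (the safe direction for a
    detection that must not miss shadow admins)."""
    allowed, denied = set(), set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            actions = _as_list(stmt.get("Action"))
            not_actions = _as_list(stmt.get("NotAction"))
            if not actions and not not_actions:
                continue
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            for cand in candidates:
                if actions:
                    hit = any(_matches(p, cand) for p in actions)
                else:  # NotAction: the statement covers everything except the listed patterns
                    hit = not any(_matches(p, cand) for p in not_actions)
                if hit:
                    bucket.add(cand)
    return allowed - denied  # an explicit Deny always wins over an Allow


def find_escalation_paths(policy_docs):
    """Return the simple privileges and the complete combined sets the policies grant."""
    candidates = SIMPLE_PRIVILEGES.union(*COMBINED_PRIVILEGES)
    held = effective_actions(policy_docs, candidates)
    return {
        "simple": sorted(held & SIMPLE_PRIVILEGES),
        "combined": sorted(sorted(combo) for combo in COMBINED_PRIVILEGES if combo <= held),
    }


# Constructed sample policies (not taken from any real account).
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:PassRole", "ec2:*"], "Resource": "*"},
]}
AUTOMATION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:AttachUserPolicy", "iam:Put*Policy"], "Resource": "*"},
]}
NOTACTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "sts:*"], "Resource": "*"},
]}

if __name__ == "__main__":
    for name, doc in (("developer", DEVELOPER_POLICY), ("automation", AUTOMATION_POLICY),
                      ("notaction", NOTACTION_POLICY)):
        print(name, json.dumps(find_escalation_paths([doc])))
```

The developer policy looks harmless on its own (read-only IAM plus `ec2:*`), yet the `iam:PassRole` + `ec2:RunInstances` pair is flagged because the check reasons about sets rather than individual actions; the NotAction policy shows why `NotAction` statements need their own branch, since a naive scan of `Action` values would report nothing.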
Google Cloud Platform (GCP)
Detection Logic
The GCP shadow admin detection searches for permissions granted at the top-level application or project scope that allow non-administrative users to gain higher privileges by updating the IAM model.
Privileges Table
| Permission | Risk Explanation |
|---|---|
| iam.roles.create | Create custom IAM roles with any combination of permissions, bypassing predefined role limitations |
| iam.roles.update | Modify existing custom roles to add administrative permissions |
| iam.roles.undelete | Restore deleted roles that may have had elevated permissions |
| iam.serviceAccounts.setIamPolicy | Grant any principal access to service accounts, enabling impersonation of privileged service identities |
| iam.serviceAccountKeys.create | Generate new keys for service accounts, providing persistent credential access to impersonate services |
| iam.serviceAccounts.getAccessToken | Directly obtain OAuth2 access tokens for service accounts without needing keys |
| iam.serviceAccounts.implicitDelegation | Allows delegation chains where one service account can act as another, enabling privilege chaining |
| iam.serviceAccounts.actAs | Act as a service account when creating resources, granting the new resource elevated permissions |
| iam.serviceAccounts.signBlob | Sign arbitrary data as the service account, enabling creation of custom authentication tokens |
| iam.serviceAccounts.signJwt | Sign JWTs as the service account, enabling authentication as that service |
| iam.serviceAccounts.getOpenIdToken | Obtain OIDC tokens for service accounts to authenticate to external systems |
| iam.serviceAccountUser | General ability to use service accounts, combining multiple impersonation capabilities |
| iam.serviceAccountTokenCreator | Create various types of tokens for service accounts, enabling broad impersonation |
| resourcemanager.projects.setIamPolicy | Modify IAM policy at the project level, granting any permissions to any principal |
| resourcemanager.folders.setIamPolicy | Modify IAM policy at the folder level, affecting all projects within the folder hierarchy |
| resourcemanager.organizations.setIamPolicy | Modify IAM policy at the organization level, the highest scope affecting all resources |
| managedidentities.domains.setIamPolicy | Control access to managed Active Directory domains in GCP |
| secretmanager.secrets.setIamPolicy | Grant access to secrets, potentially exposing credentials and sensitive data |
| secretmanager.secrets.create | Create new secrets with the ability to store arbitrary sensitive data for later retrieval |
| *.*.createTagBinding | Create tag bindings that can affect conditional IAM policies and resource organization |
| accesscontextmanager.accessPolicies.update | Modify access context policies that control VPC Service Controls and access levels |
| apigateway.projects.locations.apis.setIamPolicy | Control access to API Gateway configurations, potentially exposing or manipulating APIs |
Microsoft Azure
Detection Logic
The Azure shadow admin detection searches for accounts that have permissions to update permissions at the subscription level, without those users being administrators.
Privileges Table
| Permission | Risk Explanation |
|---|---|
| Microsoft.Authorization/elevateAccess/Action | Globally elevate access to User Access Administrator at root scope, gaining control over all Azure subscriptions in the tenant |
| Microsoft.Authorization/roleDefinitions/write | Create or modify custom role definitions to include any permissions |
| Microsoft.Authorization/roleAssignments/write | Assign any role (including Owner or Contributor) to any principal at any scope |
| Microsoft.Authorization/*/Write | Wildcard write access to all authorization resources, encompassing all the above capabilities |
| Microsoft.Directory/users/password/update | Reset any user's password in Azure AD/Entra ID, enabling account takeover |
| Microsoft.Directory/users/authenticationMethods/delete | Remove MFA and other authentication methods from user accounts, weakening account security for takeover |
| Microsoft.Directory/servicePrincipals/policies/update | Modify policies on service principals, potentially changing their authentication or authorization behavior |
| Microsoft.Directory/servicePrincipals/permissions/update | Grant additional API permissions to service principals/applications |
| Microsoft.Directory/servicePrincipals/enable | Re-enable disabled service principals that may have residual elevated permissions |
| Microsoft.Directory/groups/members/update | Add any user to any group, including privileged groups like Global Administrators |
| Microsoft.Directory/users/create | Create new users in the directory who could be assigned privileged roles |
| Microsoft.ManagedIdentity/userAssignedIdentities/write | Create or modify user-assigned managed identities that can be attached to resources for privileged access |
Microsoft Active Directory On-Premises
Detection Logic
We search for non-administrative users in AD that can escalate permissions.
The detection identifies accounts with dangerous permissions over:
- Administrator identities: users and groups that are already admins
- Domain resources: the AD domain itself
Privileges Table
| Permission | Risk Explanation |
|---|---|
| GENERIC_ALL | Full control over the target object, including read, write, delete, and modify permissions - equivalent to complete ownership |
| GENERIC_WRITE | Write all properties on the object, enabling modification of security-sensitive attributes like group membership or msDS-KeyCredentialLink for shadow credentials attacks |
| WRITE_OWNER | Change the owner of the object, allowing the attacker to take ownership and then grant themselves full control |
| WRITE_DACL | Modify the discretionary access control list, enabling the attacker to grant themselves or others any permission on the object |
| User-Force-Change-Password (GUID: 00299570-246d-11d0-a768-00aa006e0529) | Reset a user's password without knowing the current password, enabling direct account takeover of any targeted user including administrators |
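As an added example (not the product's own detection code), the following Python applies the table above to a set of DACLs: it decodes the access-mask bits for GENERIC_ALL, GENERIC_WRITE, WRITE_OWNER and WRITE_DACL, recognises the User-Force-Change-Password extended right by its GUID on ACEs carrying the control-access bit, expands group trustees to their member users, and reports only principals that are not already administrators. The ACEs, groups and distinguished names are constructed sample data; the mask constants are the standard Windows ACCESS_MASK values. Deny handling is simplified to "a Deny of the same named right for the same trustee cancels the Allow", which is coarser than the bit-level evaluation Windows performs.

```python
import uuid

# Access-mask bits as defined by Windows (ACCESS_MASK / ADS_RIGHTS_ENUM).
GENERIC_ALL       = 0x10000000
GENERIC_WRITE     = 0x40000000
WRITE_OWNER       = 0x00080000
WRITE_DACL        = 0x00040000
DS_CONTROL_ACCESS = 0x00000100   # "extended right"; the ACE's object type GUID names which one

# Extended right listed in the table; an absent or all-zero object type means every extended right.
FORCE_CHANGE_PASSWORD = uuid.UUID("00299570-246d-11d0-a768-00aa006e0529")
ALL_EXTENDED_RIGHTS = uuid.UUID(int=0)

DANGEROUS_MASK_BITS = {
    "GENERIC_ALL": GENERIC_ALL,
    "GENERIC_WRITE": GENERIC_WRITE,
    "WRITE_OWNER": WRITE_OWNER,
    "WRITE_DACL": WRITE_DACL,
}


def rights_in_ace(ace):
    """Return the names of dangerous rights this ACE grants (or, for a Deny ACE, denies)."""
    mask = ace["mask"]
    found = [name for name, bit in DANGEROUS_MASK_BITS.items() if mask & bit]
    if mask & DS_CONTROL_ACCESS:
        obj = ace.get("object_type")
        if obj is None or obj in (ALL_EXTENDED_RIGHTS, FORCE_CHANGE_PASSWORD):
            found.append("User-Force-Change-Password")
    return found


def expand_principal(principal, group_members, seen=None):
    """Resolve a group (recursively, cycle-safe) to its member users; a user resolves to itself."""
    if seen is None:
        seen = set()
    if principal in seen:
        return set()
    seen.add(principal)
    if principal not in group_members:
        return {principal}
    users = set()
    for member in group_members[principal]:
        users |= expand_principal(member, group_members, seen)
    return users


def find_shadow_admins(acls, admins, group_members):
    """acls maps a target DN to its ACE list; admins holds principals that are already admins.

    Returns sorted (user, target, right) triples for non-admin users holding a
    dangerous right over a target (admin identity or the domain object)."""
    admin_users = set()
    for admin in admins:
        admin_users |= expand_principal(admin, group_members)
    findings = set()
    for target, aces in acls.items():
        # Simplification: a Deny of the same named right for the same user cancels the Allow.
        denied = set()
        for ace in aces:
            if ace["type"] == "deny":
                for user in expand_principal(ace["trustee"], group_members):
                    for right in rights_in_ace(ace):
                        denied.add((user, right))
        for ace in aces:
            if ace["type"] != "allow":
                continue
            for user in expand_principal(ace["trustee"], group_members):
                if user in admin_users:
                    continue  # already an admin: not a shadow admin
                for right in rights_in_ace(ace):
                    if (user, right) not in denied:
                        findings.add((user, target, right))
    return sorted(findings)


# Constructed sample directory (hypothetical CORP domain, not real data).
GROUPS = {
    "CORP\\Domain Admins": {"CORP\\alice"},
    "CORP\\HelpDesk": {"CORP\\bob", "CORP\\Tier1"},   # nested group
    "CORP\\Tier1": {"CORP\\carol"},
}
ADMINS = {"CORP\\Domain Admins"}
UNRELATED_RIGHT = uuid.UUID("12345678-0000-0000-0000-000000000000")  # placeholder GUID
ACLS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example": [
        {"trustee": "CORP\\Domain Admins", "type": "allow", "mask": GENERIC_ALL},
        {"trustee": "CORP\\HelpDesk", "type": "allow", "mask": WRITE_DACL},
    ],
    "CN=alice,CN=Users,DC=corp,DC=example": [
        {"trustee": "CORP\\svc-backup", "type": "allow", "mask": DS_CONTROL_ACCESS,
         "object_type": FORCE_CHANGE_PASSWORD},
        {"trustee": "CORP\\svc-backup", "type": "allow", "mask": DS_CONTROL_ACCESS,
         "object_type": UNRELATED_RIGHT},
    ],
    "DC=corp,DC=example": [
        {"trustee": "CORP\\dave", "type": "allow", "mask": GENERIC_WRITE | WRITE_OWNER},
        {"trustee": "CORP\\dave", "type": "deny", "mask": WRITE_OWNER},
    ],
}

if __name__ == "__main__":
    for user, target, right in find_shadow_admins(ACLS, ADMINS, GROUPS):
        print(f"{user} has {right} over {target}")
```

The nested HelpDesk membership is the case worth testing: carol never appears in any ACE, but inherits WRITE_DACL over Domain Admins through Tier1, which is exactly the kind of indirect grant that escapes a review of direct trustees.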