Slack user privilege escalation
Description
AlphaSOC detected privilege escalation within Slack user permissions. This may indicate that an adversary has modified user access levels to gain elevated privileges within the Slack workspace. This detection specifically monitors the audit-log actions permissions_assigned, owner_transferred, role_change_to_admin, and role_change_to_owner.
Impact
Threat actors with elevated Slack privileges can access private channels, export sensitive conversations, modify workspace settings, and maintain persistent access to organizational communications. Elevated access enables data exfiltration, information gathering, and potential lateral movement into other connected services.
Severity
| Severity | Condition |
|---|---|
| Low | Slack user privilege escalation |
Investigation and Remediation
Review Slack audit logs to identify affected users and permission changes. Revert unauthorized privilege modifications and disable compromised accounts. Audit workspace settings, third-party app integrations, and user roles. Enable multi-factor authentication (MFA) for all users and enforce strict role-based access controls.
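To show how the four monitored actions from the Description can be picked out of an audit-log export and attributed to the actors and targets the Investigation step asks for, here is an added Python example (not AlphaSOC's detection code). It assumes newline-delimited JSON records shaped like Slack Audit Logs API entries (id, date_create, action, actor, entity, context); the sample entries are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# The four audit-log actions the detection above watches for.
PRIV_ESC_ACTIONS = {"permissions_assigned", "owner_transferred",
                    "role_change_to_admin", "role_change_to_owner"}

def _user_id(part):
    # User id inside an actor/entity block; tolerates missing keys.
    return ((part or {}).get("user") or {}).get("id", "?")

def find_privilege_escalations(ndjson):
    """One finding per matching entry: who changed whose role, from where, when."""
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("action") not in PRIV_ESC_ACTIONS:
            continue
        when = datetime.fromtimestamp(entry.get("date_create", 0), tz=timezone.utc)
        findings.append({
            "id": entry.get("id"), "action": entry["action"],
            "actor": _user_id(entry.get("actor")),
            "target": _user_id(entry.get("entity")),
            "ip": (entry.get("context") or {}).get("ip_address"),
            "time": when.isoformat(),
        })
    return findings

def actors_by_count(findings):
    """Actor id -> number of escalation events, most active first."""
    return dict(Counter(f["actor"] for f in findings).most_common())

# Constructed sample entries shaped like Slack Audit Logs API records
# (id, date_create, action, actor, entity, context); the layout is assumed.
def _entry(eid, ts, action, actor, target, ip):
    return json.dumps({"id": eid, "date_create": ts, "action": action,
                       "actor": {"type": "user", "user": {"id": actor}},
                       "entity": {"type": "user", "user": {"id": target}},
                       "context": {"ip_address": ip}})

SAMPLE_LOG = "\n".join([
    _entry("e1", 1700000000, "user_login", "W001", "W001", "203.0.113.10"),
    _entry("e2", 1700000060, "role_change_to_admin", "W001", "W002", "203.0.113.10"),
    _entry("e3", 1700000120, "owner_transferred", "W001", "W002", "203.0.113.10"),
    _entry("e4", 1700000180, "permissions_assigned", "W003", "W004", "198.51.100.7"),
])
```

Running find_privilege_escalations(SAMPLE_LOG) skips the benign login and returns the three role changes, and actors_by_count shows that W001 performed two of them, which is the per-actor view to start the audit-log review from.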