Query Details

ROPC Authentication Against Dormant Account

27 ROPC Dormant Account

Query

let LegitRopcApps = dynamic([
    "Microsoft Authentication Broker",
    "Microsoft Intune Company Portal",
    "Azure AD Connect",
    "Microsoft Office",
    "Microsoft Office Authentication Broker"
]);
let LegitRopcUsers = dynamic([]);
let Active =
    union isfuzzy=true
        (SigninLogs
            | where TimeGenerated between (ago(14d) .. ago(1h))),
        (AADNonInteractiveUserSignInLogs
            | where TimeGenerated between (ago(14d) .. ago(1h)))
    | where ResultType == 0
    | distinct Upn = tolower(UserPrincipalName);
// ROPC sign-ins surface in SigninLogs more than the non-interactive table; correlate both.
let RopcSignIns =
    union isfuzzy=true
        (SigninLogs
            | where TimeGenerated > ago(1h)
            | where AuthenticationProtocol =~ "ropc"
            | project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType),
        (AADNonInteractiveUserSignInLogs
            | where TimeGenerated > ago(1h)
            | where AuthenticationProtocol =~ "ropc"
            | project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType);
RopcSignIns
| invoke ExcludeAllowlistedIPs_AADNI()
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| extend Upn = tolower(UserPrincipalName)
| where Upn !in (LegitRopcUsers)
| where Upn !in (Active)
| summarize
    Count     = count(),
    IPs       = make_set(IPAddress),
    Countries = make_set(Location),
    Apps      = make_set(AppDisplayName),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
  by UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| order by Count desc

Explanation

This query is designed to detect suspicious activity involving dormant accounts in an Azure Active Directory environment. Here's a simplified breakdown:

  1. Purpose: The query identifies successful sign-ins using the Resource Owner Password Credentials (ROPC) method for accounts that haven't had any successful sign-ins (interactive or non-interactive) in the last 14 days. Dormant accounts are vulnerable to attacks like credential-stuffing and breach-replay, where attackers use leaked passwords to gain unauthorized access.

  2. Trigger: The detection is triggered by a successful ROPC sign-in (indicated by ResultType == 0) for an account that hasn't appeared in sign-in logs in the past 14 days.

  3. Tuning:

    • Known legitimate ROPC applications are excluded from triggering alerts.
    • Dormant service or sync accounts that are intentionally inactive can be allowlisted to prevent false positives.
  4. Severity and Techniques: The severity of this detection is marked as high, and it maps to MITRE ATT&CK techniques T1078 (Valid Accounts) and T1110 (Brute Force).

  5. Data Sources: The query uses data from Azure Active Directory's SigninLogs and AADNonInteractiveUserSignInLogs.

  6. Query Logic:

    • It first identifies accounts with successful sign-ins in the last 14 days to filter out active accounts.
    • It then checks for recent ROPC sign-ins within the last hour.
    • It excludes sign-ins from known legitimate applications and allowlisted users.
    • It identifies dormant accounts that have suddenly had a successful ROPC sign-in.
  7. Output: The query summarizes the findings by user, showing the number of sign-ins, associated IP addresses, countries, and applications involved. It orders results by the number of sign-ins, highlighting potentially compromised accounts.

  8. Alerting: If a dormant account is detected with a successful ROPC sign-in, an alert is generated with details about the account and the suspicious activity. This can trigger the creation of an incident for further investigation.

Overall, this query helps security teams identify and respond to potential unauthorized access attempts on dormant accounts, which could indicate a security breach.

Details

David Alonso profile picture

David Alonso

Released: July 16, 2026

Tables

SigninLogsAADNonInteractiveUserSignInLogs

Keywords

DevicesIntuneUserAccountIPAddressLocationAppDisplayNameTimeGeneratedPrincipalAuthenticationProtocolResultTypeSigninLogsAADNonInteractiveSignInMicrosoftBrokerCompanyPortalAzureADConnectOffice

Operators

letdynamicunionisfuzzywherebetweenagodistincttolowerprojectinvokeExcludeAllowlistedIPs_AADNIin~extendsummarizecountmake_setminmaxbytostringorder by

Severity

High

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: 1h

Period: 14d

Actions

GitHub