Query Details

Disabled soft- or hard match of Azure AD Connect sync

AAD Connect Changed Dir Sync Settings

Query

AuditLogs
| where OperationName has "Set DirSync feature"
| where Category has "DirectoryManagement"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[0].displayName == "DirSyncFeatures"
| extend NewValue = parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue))[0]
| extend OldValue = parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].oldValue))[0]
| extend UserPrincipalName =  parse_json(tostring(InitiatedBy.user)).userPrincipalName
| extend IPAddress =  parse_json(tostring(InitiatedBy.user)).ipAddress
| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName

Explanation

This query is designed to detect any changes made to the Azure AD Connect sync configuration that could potentially allow the takeover of cloud-only accounts from an on-premises server. It looks for specific audit logs related to the modification of the "DirSyncFeatures" property. The query extracts relevant information such as the new and old values of the property, the user's principal name, and the IP address from which the change was initiated. The query runs once a day and is focused on detecting persistence, credential access, privilege escalation, and initial access techniques. The results are mapped to the Account and IP entities for further analysis.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 23, 2023

Tables

AuditLogs

Keywords

Azure AD ConnectAAD synccloud-only accountsAADC serverAuditLogsSet DirSync featureDirectoryManagementDirSyncFeaturesInitiatedBy.userTimeGenerated

Operators

wherehasparse_jsontostringextend

Severity

Medium

Tactics

PersistenceCredentialAccessPrivilegeEscalationInitialAccess

MITRE Techniques

Frequency: 1d

Period: 1d

Actions

GitHub