Query Details
id: ea66d776-3936-48b5-8e10-cdc550e616d7
name: Disabled soft- or hard match of Azure AD Connect sync
description: |
  'Change of AAD sync configuration to overwrite and take-over (Azure AD) cloud-only accounts from AADC server (on-premises)'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - CredentialAccess
  - PrivilegeEscalation
  - InitialAccess
relevantTechniques:
  - T1136
  - T1098
  - T1078
query: |
  AuditLogs
  | where OperationName has "Set DirSync feature"
  | where Category has "DirectoryManagement"
  | where parse_json(tostring(TargetResources[0].modifiedProperties))[0].displayName == "DirSyncFeatures"
  | extend NewValue = parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue))[0]
  | extend OldValue = parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].oldValue))[0]
  | extend UserPrincipalName = parse_json(tostring(InitiatedBy.user)).userPrincipalName
  | extend IPAddress = parse_json(tostring(InitiatedBy.user)).ipAddress
  | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
version: 1.0.1
kind: Scheduled

This query is designed to detect changes to the Azure AD Connect sync configuration that could allow the takeover of cloud-only accounts from an on-premises server. It looks for the audit log events that record a modification of the "DirSyncFeatures" property. The query extracts the new and old values of the property, the principal name of the user who made the change, and the IP address from which the change was initiated. The query runs once a day and is focused on detecting persistence, credential access, privilege escalation, and initial access techniques. The results are mapped to the Account and IP entities for further analysis.

Thomas Naunheim
Released: August 23, 2023
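To test the rule's filtering and extraction logic offline, the following Python re-implements the KQL pipeline above over constructed AuditLogs records and adds a small triage helper that names the feature flags switched from true to false. This is an added example, not the rule's own code: the nested JSON-string layout follows what the KQL unwraps with parse_json(tostring(...)), but the shape of the DirSyncFeatures value (an object keyed by the Set-MsolDirSyncFeature feature names BlockSoftMatch and BlockCloudObjectTakeoverThroughHardMatch) is an assumption, and the has_term helper only approximates KQL's term-based `has` operator.

```python
import json
from typing import Any, Dict, List

# Constructed sample AuditLogs records (not real tenant data). The nesting
# mirrors what the KQL rule unwraps with nested parse_json(tostring(...)):
# TargetResources[0].modifiedProperties is a JSON string of an array, and each
# property's oldValue/newValue is itself a JSON string of a one-element array.
# ASSUMPTION: that element is an object of DirSync feature flags; the page does
# not show the real value format, so this shape is for illustration only.
SAMPLE_AUDIT_LOGS: List[Dict[str, Any]] = [
    {   # the event the rule should flag: soft-match blocking turned off
        "TimeGenerated": "2023-08-23T10:15:00Z",
        "OperationName": "Set DirSync feature",
        "Category": "DirectoryManagement",
        "TargetResources": [{"modifiedProperties": json.dumps([{
            "displayName": "DirSyncFeatures",
            "oldValue": json.dumps([{"BlockSoftMatch": True,
                                     "BlockCloudObjectTakeoverThroughHardMatch": True}]),
            "newValue": json.dumps([{"BlockSoftMatch": False,
                                     "BlockCloudObjectTakeoverThroughHardMatch": True}]),
        }])}],
        "InitiatedBy": {"user": {"userPrincipalName": "sync-admin@contoso.example",
                                 "ipAddress": "203.0.113.10"}},
    },
    {   # same operation but a different property: must NOT match
        "TimeGenerated": "2023-08-23T11:00:00Z",
        "OperationName": "Set DirSync feature",
        "Category": "DirectoryManagement",
        "TargetResources": [{"modifiedProperties": json.dumps([{
            "displayName": "SomeOtherProperty",
            "oldValue": json.dumps(["a"]), "newValue": json.dumps(["b"]),
        }])}],
        "InitiatedBy": {"user": {"userPrincipalName": "x@contoso.example",
                                 "ipAddress": "203.0.113.11"}},
    },
    {   # unrelated operation and category: must NOT match
        "TimeGenerated": "2023-08-23T12:00:00Z",
        "OperationName": "Update user",
        "Category": "UserManagement",
        "TargetResources": [{"modifiedProperties": json.dumps([])}],
        "InitiatedBy": {"user": {"userPrincipalName": "y@contoso.example",
                                 "ipAddress": "203.0.113.12"}},
    },
]


def parse_dynamic(value: Any) -> Any:
    """Mirror KQL parse_json(tostring(x)): already-parsed objects pass through,
    JSON strings are decoded, anything else becomes None."""
    if isinstance(value, (dict, list)):
        return value
    if isinstance(value, str):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            return None
    return None


def has_term(haystack: Any, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive containment check."""
    return isinstance(haystack, str) and term.lower() in haystack.lower()


def detect_dirsync_feature_changes(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the rule's where/extend pipeline and return one row per hit."""
    hits = []
    for rec in records:
        if not has_term(rec.get("OperationName"), "Set DirSync feature"):
            continue
        if not has_term(rec.get("Category"), "DirectoryManagement"):
            continue
        targets = rec.get("TargetResources") or []
        props = parse_dynamic(targets[0].get("modifiedProperties")) if targets else None
        if not props or props[0].get("displayName") != "DirSyncFeatures":
            continue
        new_list = parse_dynamic(props[0].get("newValue")) or [None]
        old_list = parse_dynamic(props[0].get("oldValue")) or [None]
        user = parse_dynamic(rec.get("InitiatedBy", {}).get("user")) or {}
        hits.append({
            "timestamp": rec.get("TimeGenerated"),
            "NewValue": new_list[0],
            "OldValue": old_list[0],
            "UserPrincipalName": user.get("userPrincipalName"),
            "IPAddress": user.get("ipAddress"),
        })
    return hits


def disabled_protections(old_value: Any, new_value: Any) -> List[str]:
    """Triage helper beyond the rule itself: flags that went true -> false."""
    if not isinstance(old_value, dict) or not isinstance(new_value, dict):
        return []
    return sorted(k for k, v in old_value.items()
                  if v is True and new_value.get(k) is False)


if __name__ == "__main__":
    for hit in detect_dirsync_feature_changes(SAMPLE_AUDIT_LOGS):
        print(hit["timestamp"], hit["UserPrincipalName"], hit["IPAddress"],
              "disabled:", disabled_protections(hit["OldValue"], hit["NewValue"]))
```

The rule itself alerts on any DirSyncFeatures change (triggerThreshold 0), so the old/new comparison is purely a triage aid: a true-to-false transition on a takeover-blocking flag is the case the rule name describes, while a false-to-true transition is hardening and can usually be closed quickly.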