Added temporary access pass or changed password of Azure AD connector account
AAD Connector Account Added TA Por Changed Password
Query
let AADConnectorAcc = (_GetWatchlist('ServiceAccounts')
| where ['Tags'] == "Azure AD Connect" | project AccountObjectId = ['Service AAD Object Id']);
AuditLogs
| extend TargetUpn = tolower(tostring(TargetResources[0].userPrincipalName))
| extend TargetId = tostring(TargetResources[0].id)
| where TargetId in (AADConnectorAcc)
| where (LoggedByService == "Authentication Methods" and ResultDescription == "Admin registered temporary access pass method for user") or OperationName == "Reset user password"
| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
| extend AccountCustomEntity = InitiatingUserOrAppExplanation
This query looks for events where a temporary access pass or password change has been added to an Azure AD connector account. It checks the AuditLogs for events where the account is identified by the IdentityInfo table and a specific name pattern. The query also includes information about the initiating user or application and their IP address. The query is scheduled to run daily and is relevant to techniques related to persistence, credential access, privilege escalation, and initial access. The query maps the account information to the "Account" entity with the "FullName" field. The severity of this query is medium.
Details

Thomas Naunheim
Released: August 23, 2023
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1d
Period: 1d