Query Details
id: a091a0c0-2397-4dd9-a3f0-ea8a3d2dded2
name: Added temporary access pass or changed password of Azure AD connector account
description: |
  'Added TAP security information or password change event on On-Premises Sync Account. This account will be identified by IdentityInfo table (assignment to "Directory Synchronization Accounts" role) and name pattern'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - CredentialAccess
  - PrivilegeEscalation
  - InitialAccess
relevantTechniques:
  - T1098
  - T1078
query: |
  let AADConnectorAcc = (_GetWatchlist('ServiceAccounts')
  | where ['Tags'] == "Azure AD Connect" | project AccountObjectId = ['Service AAD Object Id']);
  AuditLogs
  | extend TargetUpn = tolower(tostring(TargetResources[0].userPrincipalName))
  | extend TargetId = tostring(TargetResources[0].id)
  | where TargetId in (AADConnectorAcc)
  | where (LoggedByService == "Authentication Methods" and ResultDescription == "Admin registered temporary access pass method for user") or OperationName == "Reset user password"
  | extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
  | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
  | extend AccountCustomEntity = InitiatingUserOrApp
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled

This query looks for events where a temporary access pass has been registered for, or the password has been reset on, an Azure AD connector account. It checks AuditLogs for such events against accounts identified by the IdentityInfo table and a specific name pattern. The query also records the initiating user or application and their IP address. It is scheduled to run daily and is relevant to techniques related to persistence, credential access, privilege escalation, and initial access. The account information is mapped to the "Account" entity with the "FullName" field. The severity of this query is medium.
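
As an added example (not part of the rule or its author's code), the same detection logic rewritten in Python and run over constructed AuditLogs rows and a constructed 'ServiceAccounts' watchlist: the watchlist filter, the two event patterns, and the user-then-app fallback for the initiator. The object IDs, UPNs, app name and IP addresses are placeholders, not values from any tenant.

```python
# Constructed stand-in for the 'ServiceAccounts' watchlist; object IDs are placeholders.
SYNC_ID = "11111111-1111-1111-1111-111111111111"     # hypothetical AAD Connect sync account
OTHER_ID = "22222222-2222-2222-2222-222222222222"    # hypothetical unrelated service account
SERVICE_ACCOUNTS_WATCHLIST = [
    {"Tags": "Azure AD Connect", "Service AAD Object Id": SYNC_ID},
    {"Tags": "Break Glass", "Service AAD Object Id": OTHER_ID},
]

# Constructed AuditLogs rows carrying only the columns the rule reads (not real tenant data).
SAMPLE_AUDIT_LOGS = [
    {"LoggedByService": "Authentication Methods", "OperationName": "Admin registered security info",
     "ResultDescription": "Admin registered temporary access pass method for user",
     "TargetResources": [{"id": SYNC_ID, "userPrincipalName": "Sync_SRV01_abc123@contoso.example"}],
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "198.51.100.7"}}},
    {"LoggedByService": "Core Directory", "OperationName": "Reset user password",
     "TargetResources": [{"id": SYNC_ID, "userPrincipalName": "Sync_SRV01_abc123@contoso.example"}],
     "InitiatedBy": {"app": {"displayName": "Example Helpdesk App", "ipAddress": "203.0.113.10"}}},
    {"LoggedByService": "Core Directory", "OperationName": "Reset user password",
     "TargetResources": [{"id": OTHER_ID, "userPrincipalName": "breakglass@contoso.example"}],
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "198.51.100.7"}}},
]

def connector_account_ids(watchlist):
    """The 'let AADConnectorAcc' step: object IDs of watchlist rows tagged 'Azure AD Connect'."""
    return {r["Service AAD Object Id"] for r in watchlist if r.get("Tags") == "Azure AD Connect"}

def is_tap_or_password_reset(row):
    """The rule's two event patterns: an admin-registered TAP, or a password reset."""
    tap = (row.get("LoggedByService") == "Authentication Methods"
           and row.get("ResultDescription") == "Admin registered temporary access pass method for user")
    return tap or row.get("OperationName") == "Reset user password"

def initiator(row):
    """Prefer InitiatedBy.user.*, fall back to InitiatedBy.app.* (the rule's iff/isnotempty)."""
    by = row.get("InitiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return (user.get("userPrincipalName") or app.get("displayName") or "",
            user.get("ipAddress") or app.get("ipAddress") or "")

def detect(audit_logs, watchlist):
    """Return one alert dict per AuditLogs row the rule would surface."""
    ids, alerts = connector_account_ids(watchlist), []
    for row in audit_logs:
        target = (row.get("TargetResources") or [{}])[0]  # TargetResources[0]
        if target.get("id") not in ids or not is_tap_or_password_reset(row):
            continue
        who, ip = initiator(row)
        alerts.append({"TargetUpn": (target.get("userPrincipalName") or "").lower(),
                       "TargetId": target["id"], "OperationName": row.get("OperationName"),
                       "InitiatingUserOrApp": who, "InitiatingIpAddress": ip})
    return alerts
```

Running `detect(SAMPLE_AUDIT_LOGS, SERVICE_ACCOUNTS_WATCHLIST)` surfaces the two rows that target the sync account and drops the reset on the unrelated account, with the second alert attributed to the app because no user initiator is present.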

Thomas Naunheim
Released: August 23, 2023