Query Details
AAD Connector Account Outside Of Watch List
Query
id: 86e9ba6f-d1ed-48b8-a849-c26f77db8c1b
name: Detection of Microsoft Entra Connect accounts outside of WatchLists
version: 1.0.2
kind: Scheduled
description: List of objects with Directory role membership to "Directory Synchronization" or naming similar to Microsoft Entra Connect account which aren't stored in the WatchList was found. Indicator of creating AAD connector account as backdoor.
severity: Medium
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- PrivilegeEscalation
- InitialAccess
- DefenseEvasion
relevantTechniques:
- T1098
- T1078
query: |
// Query all users that habe the "Directory Synchronization Accounts" role assigned
let DirSyncRoleAssignedMembers = (IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where AssignedRoles has "Directory Synchronization Accounts"
| summarize by AccountObjectId);
// Query all users that have signed in to the AADSync API
let DirSyncNamedUsers = (union isfuzzy=true AADNonInteractiveUserSignInLogs, SigninLogs
| where TimeGenerated > ago(1d)
// AADC APIs: AADSync = "cb1056e2-e479-49de-ae31-7812af012ed8", AAD Connect v2 = 6eb59a73-39b2-4c23-a70f-e2e3ce8965b1
| where (UserPrincipalName startswith "sync_" and UserPrincipalName endswith "onmicrosoft.com")
or AppId == "cb1056e2-e479-49de-ae31-7812af012ed8"
or AppId == "6eb59a73-39b2-4c23-a70f-e2e3ce8965b1"
| summarize by AccountObjectId = UserId);
// Query all explicitly tagged Microsoft Entra Connect / Azure AD Connect account in the watchlist ServiceAccounts
let WatchList = _GetWatchlist('ServiceAccounts')
| where ['Tags'] has "Azure AD Connect"
| project AccountObjectId = ['Service AAD Object Id'];
// Combine the two lists and remove all known accounts
// All resulting accounts are not possibly not allowed to use this API or have the role assigned
union isfuzzy=true DirSyncRoleAssignedMembers, DirSyncNamedUsers
| summarize by AccountObjectId
| where AccountObjectId !in (WatchList)
| join kind=leftouter (IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
)
on AccountObjectId
| project-away *1, TimeGenerated
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: 5m
matchingMethod: AllEntities
groupByEntities: []
groupByAlertDetails:
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountUPN
- identifier: ObjectGuid
columnName: AccountObjectId
- identifier: DisplayName
columnName: AccountDisplayName
suppressionDuration: 1h
Explanation
This query is designed to detect Microsoft Entra Connect accounts that are not stored in the WatchList. It looks for objects with Directory role membership to "Directory Synchronization" or naming similar to Microsoft Entra Connect account. The query frequency is once a day and the query period is 14 days. The severity of this detection is medium. The query combines two lists of users and removes known accounts, resulting in a list of potentially unauthorized accounts. The query does not have suppression enabled and is configured to create an incident. The incident grouping configuration is disabled and the lookback duration is 5 minutes. The event grouping settings aggregate alerts into a single alert. The query maps certain fields to account entities and the suppression duration is 1 hour.
Details
Thomas Naunheim
Released: September 21, 2023
Tables
Keywords
Operators