Query Details

AR 006 Bulk Password Profile Updates

Query

id: f6071829-0006-4364-d456-ff0011223344
name: Bulk Password Profile Updates Across Multiple Users
description: |
  Detects five or more successful "Update PasswordProfile" or
  "Update StsRefreshTokenValidFrom Timestamp" events against different users
  within a one-hour window from the same actor. This bulk behavior is seen
  during Azure AD Connect sync exploitation (AADInternals), automated password
  resets by an attacker pivoting through multiple accounts, or an adversary
  revoking tokens to prevent defensive response teams from maintaining access.

  A single user performing multiple password profile updates in rapid succession
  is anomalous unless they are a privileged service account with a known
  management profile.

  Reference: AADInternals https://github.com/Gerenios/AADInternals
             MITRE T1098 – Account Manipulation
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Persistence
  - Impact
relevantTechniques:
  - T1098
  - T1531
  - T1070
query: |
  // --- Configurable ---
  let UpdateThreshold = 5;
  // --------------------
  AuditLogs
  | where TimeGenerated > ago(2h)
  | where ActivityDisplayName in (
      "Update PasswordProfile",
      "Update StsRefreshTokenValidFrom Timestamp",
      "Reset user password",
      "Change user password")
  | where Result == "success"
  | extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
  | extend Actor          = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
  | extend TargetUser     = tostring(TargetResources[0].displayName)
  | extend TargetUserUPN  = tostring(TargetResources[0].userPrincipalName)
  | summarize
      UpdateCount       = count(),
      DistinctTargets   = dcount(TargetUserUPN),
      TargetUsers       = make_set(TargetUserUPN, 20),
      Operations        = make_set(ActivityDisplayName),
      FirstEvent        = min(TimeGenerated),
      LastEvent         = max(TimeGenerated),
      CorrelationIds    = make_set(CorrelationId, 5)
      by Actor, InitiatedByUPN, bin(TimeGenerated, 1h)
  | where UpdateCount >= UpdateThreshold and DistinctTargets >= 3
  | extend DurationMinutes = datetime_diff('minute', LastEvent, FirstEvent)

entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: InitiatedByUPN

customDetails:
  UpdateCount: UpdateCount
  DistinctTargetsAffected: DistinctTargets
  TargetUsersAffected: TargetUsers

alertDetailsOverride:
  alertDisplayNameFormat: "Bulk password/token update: {{UpdateCount}} operations against {{DistinctTargets}} accounts by {{Actor}}"
  alertDescriptionFormat: "Actor {{Actor}} performed {{UpdateCount}} password profile or token revocation updates against {{DistinctTargets}} different user accounts in {{DurationMinutes}} minutes. This may indicate Azure AD Connect sync exploitation or attacker-driven account manipulation."

suppressionDuration: PT2H
suppressionEnabled: false
version: 1.0.0
kind: Scheduled

Explanation

This query is designed to detect suspicious activity related to bulk password or token updates in an Azure Active Directory environment. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies instances where a single user or application (referred to as "actor") successfully updates the password profile or token validity timestamp for five or more different user accounts within a one-hour period. This behavior can indicate potential security threats, such as exploitation of Azure AD Connect or unauthorized password resets by an attacker.

  2. Severity: The alert generated by this query is considered high severity because such actions can be indicative of malicious activity aimed at maintaining persistence or impacting the system.

  3. Data Source: It uses audit logs from Azure Active Directory to track these events.

  4. Detection Logic:

    • It looks for specific activities: "Update PasswordProfile", "Update StsRefreshTokenValidFrom Timestamp", "Reset user password", and "Change user password".
    • It filters for successful operations only.
    • It groups the data by the actor and counts the number of distinct user accounts affected.
    • If an actor updates five or more different accounts within an hour, it triggers an alert.

  5. Alert Details: The alert provides information about the number of operations, the distinct accounts affected, and the actor responsible. It also includes the time duration over which these updates occurred.

  6. Use Case: This query is useful for security teams to identify and respond to potential unauthorized access or manipulation of user accounts in a timely manner.

  7. Additional Information: The query references tools and techniques related to account manipulation, such as AADInternals and MITRE ATT&CK techniques T1098 (Account Manipulation), T1531, and T1070. Overall, this query helps in monitoring and detecting unusual patterns of account updates that could signify a security breach or misuse of administrative privileges.
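To check the rule's aggregation logic offline, here is an added Python example (not part of the original rule or its author's code) that re-implements the summarize and threshold step over constructed AuditLogs-shaped records; the field names follow the query, while the sample actors, UPNs and timestamps are assumptions. It also shows one edge of the fixed-hour bin(TimeGenerated, 1h): a burst that straddles the top of the hour is split across two bins and never reaches the threshold.

```python
# Added example (not from the original rule): re-implements its summarize/threshold
# logic over constructed AuditLogs-style records to check the 1h fixed-bin behaviour.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WATCHED_OPS = {"Update PasswordProfile", "Update StsRefreshTokenValidFrom Timestamp",
               "Reset user password", "Change user password"}
UPDATE_THRESHOLD = 5     # let UpdateThreshold = 5;
DISTINCT_THRESHOLD = 3   # ... and DistinctTargets >= 3

def actor_of(rec):
    """Actor = InitiatedBy.user.userPrincipalName, else InitiatedBy.app.displayName."""
    initiated = rec.get("InitiatedBy") or {}
    upn = (initiated.get("user") or {}).get("userPrincipalName")
    return upn or (initiated.get("app") or {}).get("displayName") or ""

def bulk_updates(records):
    """Return one alert row per (Actor, 1h bin) that meets both thresholds."""
    groups = defaultdict(list)
    for r in records:
        if r["ActivityDisplayName"] not in WATCHED_OPS or r["Result"] != "success":
            continue
        hour_bin = r["TimeGenerated"].replace(minute=0, second=0, microsecond=0)
        groups[(actor_of(r), hour_bin)].append(r)
    alerts = []
    for (actor, hour_bin), rows in groups.items():
        targets = {r["TargetResources"][0]["userPrincipalName"] for r in rows}
        if len(rows) >= UPDATE_THRESHOLD and len(targets) >= DISTINCT_THRESHOLD:
            first = min(r["TimeGenerated"] for r in rows)
            last = max(r["TimeGenerated"] for r in rows)
            alerts.append({"Actor": actor, "Bin": hour_bin, "UpdateCount": len(rows),
                           "DistinctTargets": len(targets),
                           "DurationMinutes": int((last - first).total_seconds() // 60)})
    return alerts

def make_event(target_upn, when, user_upn=None, app_name=None,
               op="Update PasswordProfile", result="success"):
    """Constructed AuditLogs-shaped record for testing (not a real log line)."""
    return {"ActivityDisplayName": op, "Result": result, "TimeGenerated": when,
            "InitiatedBy": {"user": {"userPrincipalName": user_upn} if user_upn else {},
                            "app": {"displayName": app_name} if app_name else {}},
            "TargetResources": [{"userPrincipalName": target_upn}]}

BASE = datetime(2026, 4, 6, 9, 0, tzinfo=timezone.utc)
# Five updates against five accounts inside the 09:00 bin: the rule fires.
BURST = [make_event(f"user{i}@example.test", BASE + timedelta(minutes=10 + i),
                    user_upn="admin@example.test") for i in range(5)]
# The same burst at 09:57-10:01 is split 3/2 across two fixed-hour bins: no alert.
STRADDLE = [make_event(f"user{i}@example.test", BASE + timedelta(minutes=57 + i),
                       user_upn="admin@example.test") for i in range(5)]
```

If the boundary case matters in your tenant, a sliding look-back per actor closes that gap at the cost of more summarize rows.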

Details

David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogs, AzureActiveDirectory, Account, User, Actor, TargetUser, TargetUserUPN, Operations, CorrelationIds, TimeGenerated, DurationMinutes

Operators

let, ago, in, iff, isnotempty, tostring, summarize, count, dcount, make_set, min, max, bin, datetime_diff