Query Details

Detect Privilege Escalation To The Most Dangerous Entra Admin Role Via Compromised Service Principal

Query

// Detect privilege escalation to The Most Dangerous Entra Admin Role via compromised service principal
// https://www.linkedin.com/posts/activity-7223370832763351040-TieO/

// Hourly Sentinel Analytics Rule:

let PTS = dynamic(['[email protected]', '[email protected]', '[email protected]']);
AuditLogs 
| where TimeGenerated > ago(1h)
| where Category == "RoleManagement"
| where ActivityDisplayName == "Add member to role"
| where TargetResources contains "Partner Tier2 Support"
| extend UPN = tostring(TargetResources[0].userPrincipalName)
| where not (UPN has_any(PTS))

// Custom DefenderXDR KQL (Exposure Management) detecting this dangerous role activation: 

let DangerousAdmin =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| extend AccountUPN = NodeProperties.rawData.accountUpn
| extend AdminRoles = NodeProperties.rawData.assignedRoles
| where AdminRoles contains "Partner Tier2 Support"
| project AccountUPN;
IdentityLogonEvents
| where AccountUpn has_any(DangerousAdmin)

Explanation

This query is designed to detect if a compromised service principal has been used to escalate privileges to a highly sensitive administrative role, specifically the "Partner Tier2 Support" role, within the last hour. Here's a simplified breakdown:

  1. Define Trusted Service Principals: A list of trusted service principals (PTS) is defined.
  2. Filter Audit Logs: The query looks at audit logs from the past hour, focusing on role management activities where a member was added to a role.
  3. Target Specific Role: It specifically checks whether the role added is "Partner Tier2 Support".
  4. Exclude Trusted Principals: It excludes events whose target account (TargetResources[0].userPrincipalName) is one of the trusted service principals listed earlier.
  5. Identify Dangerous Admins: The second query, for Defender XDR Exposure Management, identifies identity nodes that have been assigned the "Partner Tier2 Support" role.
  6. Logon Events: It then checks logon events to see whether any of these identified accounts have logged in.

In essence, the query aims to catch unauthorized privilege escalations to a critical admin role by excluding known trusted service principals and focusing on recent activities.
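The two detections above, re-implemented as an added Python example (not the author's KQL) over constructed sample records so the filtering and exclusion logic can be exercised offline. The Category, ActivityDisplayName, TargetResources, Categories and NodeProperties.rawData field names follow the queries; the UPNs, the add_event helper and the sample roles are constructed placeholders.

```python
import json

DANGEROUS_ROLE = "Partner Tier2 Support"
# Constructed allowlist standing in for the page's PTS list (placeholder identities, not real ones)
PTS = {"sp-pim-automation@contoso.example", "sp-backup@contoso.example"}

def add_event(upn, role, category="RoleManagement", activity="Add member to role"):
    """Build a constructed AuditLogs-shaped record; only the fields the KQL touches are included."""
    return {"Category": category, "ActivityDisplayName": activity,
            "TargetResources": [{"userPrincipalName": upn, "type": "ServicePrincipal"},
                                {"displayName": role, "type": "Role"}]}

AUDIT_LOGS = [
    add_event("sp-pim-automation@contoso.example", DANGEROUS_ROLE),   # allowlisted, must not alert
    add_event("svc-legacy-sync@contoso.example", DANGEROUS_ROLE),     # unexpected target, must alert
    add_event("helpdesk@contoso.example", "Helpdesk Administrator"),  # different role, ignored
    add_event("svc-legacy-sync@contoso.example", DANGEROUS_ROLE, activity="Remove member from role"),
]

def role_additions(logs, role=DANGEROUS_ROLE, allowlist=PTS):
    """Sentinel rule logic: RoleManagement + 'Add member to role' + role string in TargetResources, minus allowlisted targets."""
    allowed = {a.lower() for a in allowlist}  # KQL has_any is case-insensitive
    hits = []
    for rec in logs:
        if rec.get("Category") != "RoleManagement" or rec.get("ActivityDisplayName") != "Add member to role":
            continue
        # `TargetResources contains "<role>"` tests the serialized dynamic value; json.dumps stands in for that
        if role.lower() not in json.dumps(rec.get("TargetResources", [])).lower():
            continue
        upn = str(rec["TargetResources"][0].get("userPrincipalName", ""))  # tostring(TargetResources[0].userPrincipalName)
        if upn.lower() not in allowed:
            hits.append(upn)
    return hits

# Constructed ExposureGraphNodes / IdentityLogonEvents records for the second query
NODES = [
    {"Categories": ["identity"], "NodeProperties": {"rawData": {"accountUpn": "svc-legacy-sync@contoso.example", "assignedRoles": [DANGEROUS_ROLE]}}},
    {"Categories": ["identity"], "NodeProperties": {"rawData": {"accountUpn": "alice@contoso.example", "assignedRoles": ["Global Reader"]}}},
    {"Categories": ["device"], "NodeProperties": {"rawData": {"deviceName": "WS01"}}},
]
LOGONS = [{"AccountUpn": "svc-legacy-sync@contoso.example", "LogonType": "Interactive"},
          {"AccountUpn": "alice@contoso.example", "LogonType": "Interactive"}]

def logons_by_dangerous_admins(nodes, logons, role=DANGEROUS_ROLE):
    """XDR query logic: UPNs of identity nodes whose assignedRoles include the role, then their logon events."""
    admins = set()
    for n in nodes:
        raw = n["NodeProperties"]["rawData"]
        if "identity" in n["Categories"] and role in json.dumps(raw.get("assignedRoles", [])):
            admins.add(str(raw["accountUpn"]).lower())
    return [e for e in logons if e["AccountUpn"].lower() in admins]
```

Note that the Sentinel rule only reads TargetResources[0], so an event whose service principal is not the first target resource would be missed by both the KQL and this mirror.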

Details

Steven Lim

Released: August 2, 2024

Tables

AuditLogs, ExposureGraphNodes, IdentityLogonEvents

Keywords

AuditLogs, RoleManagement, ActivityDisplayName, TargetResources, UserPrincipalName, ExposureGraphNodes, Categories, AccountUpn, AssignedRoles, IdentityLogonEvents

Operators

let, dynamic, >, ago, |, where, ==, contains, extend, tostring, not, has_any, set_has_element, project