Query Details

Detect Privilege Escalation To The Most Dangerous Entra Admin Role Via Compromised Service Principal

Query

// Detect privilege escalation to The Most Dangerous Entra Admin Role via compromised service principal
// https://www.linkedin.com/posts/activity-7223370832763351040-TieO/

// Hourly Sentinel Analytics Rule:

let PTS = dynamic(['[email protected]', '[email protected]', '[email protected]']);
AuditLogs 
| where TimeGenerated > ago(1h)
| where Category == "RoleManagement"
| where ActivityDisplayName == "Add member to role"
| where TargetResources contains "Partner Tier2 Support"
| extend UPN = tostring(TargetResources[0].userPrincipalName)
| where not (UPN has_any(PTS))

// Custom DefenderXDR KQL (Exposure Management) detecting this dangerous role activation: 

let DangerousAdmin =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| extend AccountUPN = NodeProperties.rawData.accountUpn
| extend AdminRoles = NodeProperties.rawData.assignedRoles
| where AdminRoles contains "Partner Tier2 Support"
| project AccountUPN;
IdentityLogonEvents
| where AccountUpn has_any(DangerousAdmin)

// MITRE ATT&CK Mapping

// T1078 - Valid Accounts:
// Description: Adversaries may use valid accounts to gain access to and maintain persistence on systems.
// Relevance: The query detects the addition of members to a high-privilege role, which could indicate the use of valid accounts for privilege escalation.
// T1098 - Account Manipulation:
// Description: Adversaries may manipulate accounts to maintain access to credentials and permissions.
// Relevance: The detection of adding members to a role aligns with account manipulation activities.
// T1071 - Application Layer Protocol:
// Description: Adversaries may use application layer protocols to communicate with remote systems.
// Relevance: The logon events detection part of the query can help identify suspicious logon activities using valid accounts.
// T1110 - Brute Force:
// Description: Adversaries may use brute force techniques to attempt to gain access to accounts.
// Relevance: Although not directly related to brute force, monitoring logon events for high-privilege accounts can help detect potential brute force attempts.

Explanation

This query is designed to detect potential security threats related to privilege escalation in an organization's IT environment. Here's a simplified explanation:

  1. Purpose: The query aims to identify when a compromised service principal (a type of account used by applications or services) is used to escalate privileges by adding members to a highly sensitive admin role known as "Partner Tier2 Support."

  2. Process:

    • Audit Logs: The query checks audit logs from the past hour to find instances where someone added a member to a role within the "RoleManagement" category. It specifically looks for the "Add member to role" activity targeting the "Partner Tier2 Support" role.
    • Exclusion: It excludes known safe accounts (listed as PTS1, PTS2, PTS3) from triggering an alert.
  3. Detection of Dangerous Admin Role Activation:

    • It identifies accounts with the "Partner Tier2 Support" role from a dataset called ExposureGraphNodes.
    • It then checks logon events to see if any of these accounts have been used, indicating potential unauthorized access.
  4. Security Framework Mapping:

    • MITRE ATT&CK Techniques:
      • T1078 (Valid Accounts): The query helps detect if valid accounts are being used for unauthorized access.
      • T1098 (Account Manipulation): It aligns with detecting manipulation of accounts to gain or maintain access.
      • T1071 (Application Layer Protocol): It can identify suspicious logon activities, which might involve communication with remote systems.
      • T1110 (Brute Force): While not directly related, monitoring these logon events can help spot brute force attempts on high-privilege accounts.

In summary, this query is a security measure to detect and prevent unauthorized privilege escalation by monitoring specific role assignments and logon activities, ensuring that only legitimate users have access to sensitive roles.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

AuditLogsExposureGraphNodesIdentityLogonEvents

Keywords

AuditLogsRoleManagementActivityDisplayNameTargetResourcesUserPrincipalNameExposureGraphNodesCategoriesAccountUpnAdminRolesIdentityLogonEvents

Operators

letdynamic>ago==containsextendtostringnothas_anyset_has_elementproject

MITRE Techniques

Actions

GitHub