Query Details
id: aa1f0007-2007-4207-9207-aadprov-hunt07
name: HUNT-07 DirSync Feature Change History (180d)
description: |
  Long-window history (180 days) of DirSync feature configuration changes:
  BlockSoftMatch, BlockCloudObjectTakeoverThroughHardMatch, Password Hash Sync,
  Seamless SSO. Useful for retrospective audit of who changed what, when,
  from which IP - directly modelled on the Cloud-Architekt
  AADConnect-ChangedDirSyncSettings.kql query.
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
tactics:
  - DefenseEvasion
  - PrivilegeEscalation
relevantTechniques:
  - T1556
  - T1098
query: |
  AuditLogs
  | where TimeGenerated > ago(180d)
  | where Category =~ "DirectoryManagement"
      or OperationName has_any (
          "Set DirSyncEnabled flag",
          "Update directory feature",
          "Set Company Information",
          "Set Password Hash Sync",
          "Update OnPremisesDirectorySynchronization",
          "OnPremDirectorySynchronization"
      )
      or tostring(TargetResources) has_any (
          "BlockSoftMatch",
          "BlockCloudObjectTakeoverThroughHardMatch",
          "PasswordHashSync",
          "passwordHashSync",
          "SeamlessSSO",
          "synchronizationInterval"
      )
  | extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                            tostring(InitiatedBy.app.displayName))
  | extend SourceIP = tostring(InitiatedBy.user.ipAddress)
  | extend Feature = case(
      tostring(TargetResources) has "BlockCloudObjectTakeoverThroughHardMatch", "HardMatchBlock",
      tostring(TargetResources) has "BlockSoftMatch", "SoftMatchBlock",
      tostring(TargetResources) has_any ("PasswordHashSync", "passwordHashSync"), "PasswordHashSync",
      tostring(TargetResources) has "SeamlessSSO", "SeamlessSSO",
      "Other"
    )
  | project TimeGenerated, OperationName, Feature, Actor, SourceIP, Result,
            TargetResources
  | order by TimeGenerated desc
This query is designed to track changes in the configuration of certain DirSync features over the past 180 days. It focuses on auditing who made changes, when they were made, and from which IP address. The query specifically looks for changes related to features like BlockSoftMatch, BlockCloudObjectTakeoverThroughHardMatch, Password Hash Sync, and Seamless Single Sign-On (SSO).
Here's a simplified breakdown of the query:
Data Source: It uses data from Azure Active Directory's AuditLogs.
Time Frame: It examines logs from the last 180 days.
Filter Criteria: An event is kept if any one of three conditions holds: its Category is DirectoryManagement, its OperationName contains one of the listed DirSync-related operation names (Set DirSyncEnabled flag, Update directory feature, Set Company Information, Set Password Hash Sync, Update OnPremisesDirectorySynchronization, OnPremDirectorySynchronization), or its TargetResources mention one of the feature property names (BlockSoftMatch, BlockCloudObjectTakeoverThroughHardMatch, PasswordHashSync, SeamlessSSO, synchronizationInterval). Because the three conditions are joined with or, every DirectoryManagement event in the window is returned, so expect rows labelled Other alongside the DirSync-specific ones. Note also that has and has_any are case-insensitive, so listing both PasswordHashSync and passwordHashSync is harmless but redundant.
Data Extraction: It adds three columns: Actor (the initiating user's UPN, falling back to the initiating application's display name), SourceIP (the initiating user's IP address, which is empty for app-initiated events), and Feature, a label derived from which property name appears in TargetResources: HardMatchBlock, SoftMatchBlock, PasswordHashSync, SeamlessSSO, or Other when none of them appears.
Output: TimeGenerated, OperationName, Feature, Actor, SourceIP, Result and the raw TargetResources, newest first.
This query is useful for security and compliance purposes, as it helps identify unauthorized or suspicious changes to critical directory synchronization settings, which could indicate attempts at defense evasion or privilege escalation.
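To check how the filter and the Feature classification behave before relying on the query, the same logic can be replayed offline against a handful of audit records. The script below is an added example, not code from the query or its author; it mirrors the query's where, extend and order by stages in Python over constructed AuditLogs-shaped records (the timestamps, actors, IP addresses and application name are made up), and approximates KQL's term-based has/has_any with a case-insensitive whole-term regex.

```python
"""Offline replay of the HUNT-07 filter and Feature classification.

Added example (not the query's own code). Records below are constructed to
resemble the Azure AD AuditLogs schema; all values are fictional.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Same operation names and property markers as the KQL query.
OPERATION_NAMES = (
    "Set DirSyncEnabled flag",
    "Update directory feature",
    "Set Company Information",
    "Set Password Hash Sync",
    "Update OnPremisesDirectorySynchronization",
    "OnPremDirectorySynchronization",
)
TARGET_MARKERS = (
    "BlockSoftMatch",
    "BlockCloudObjectTakeoverThroughHardMatch",
    "PasswordHashSync",
    "SeamlessSSO",
    "synchronizationInterval",
)
# Mirrors the case() in the query: the first matching rule wins.
FEATURE_RULES = (
    ("BlockCloudObjectTakeoverThroughHardMatch", "HardMatchBlock"),
    ("BlockSoftMatch", "SoftMatchBlock"),
    ("PasswordHashSync", "PasswordHashSync"),
    ("SeamlessSSO", "SeamlessSSO"),
)


def has_term(text: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive whole-term match."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def has_any(text: str, terms) -> bool:
    return any(has_term(text, t) for t in terms)


def classify_feature(target_resources: str) -> str:
    """Feature label from the serialised TargetResources, as in the case()."""
    for marker, feature in FEATURE_RULES:
        if has_term(target_resources, marker):
            return feature
    return "Other"


def actor_of(initiated_by: dict) -> str:
    """coalesce(InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)."""
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or ""


def matches_filter(rec: dict) -> bool:
    """The query's where clause: category OR operation name OR target marker."""
    targets = json.dumps(rec.get("TargetResources", []))
    return (
        rec.get("Category", "").lower() == "directorymanagement"
        or has_any(rec.get("OperationName", ""), OPERATION_NAMES)
        or has_any(targets, TARGET_MARKERS)
    )


def hunt_dirsync_changes(records, now: datetime, window_days: int = 180):
    """Return projected rows for events inside the window, newest first."""
    cutoff = now - timedelta(days=window_days)
    rows = []
    for rec in records:
        if rec["TimeGenerated"] <= cutoff or not matches_filter(rec):
            continue
        targets = json.dumps(rec.get("TargetResources", []))
        initiated = rec.get("InitiatedBy") or {}
        rows.append({
            "TimeGenerated": rec["TimeGenerated"],
            "OperationName": rec.get("OperationName", ""),
            "Feature": classify_feature(targets),
            "Actor": actor_of(initiated),
            "SourceIP": (initiated.get("user") or {}).get("ipAddress") or "",
            "Result": rec.get("Result", ""),
        })
    rows.sort(key=lambda r: r["TimeGenerated"], reverse=True)
    return rows


# Constructed sample data: a fixed "now" and five fictional audit events.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
_ADMIN = {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.5"}}
_APP = {"app": {"displayName": "Sync Service (constructed)"}}
SAMPLE_RECORDS = [
    {"TimeGenerated": NOW - timedelta(days=3), "Category": "DirectoryManagement",
     "OperationName": "Update directory feature", "Result": "success", "InitiatedBy": _ADMIN,
     "TargetResources": [{"displayName": "Company", "modifiedProperties": [
         {"displayName": "BlockSoftMatch", "oldValue": "true", "newValue": "false"}]}]},
    {"TimeGenerated": NOW - timedelta(days=10), "Category": "DirectoryManagement",
     "OperationName": "Set Password Hash Sync", "Result": "success", "InitiatedBy": _APP,
     "TargetResources": [{"displayName": "Company", "modifiedProperties": [
         {"displayName": "PasswordHashSync", "oldValue": "false", "newValue": "true"}]}]},
    # Matched only by Category: shows up labelled "Other" because of the or-joined filter.
    {"TimeGenerated": NOW - timedelta(days=20), "Category": "DirectoryManagement",
     "OperationName": "Update domain", "Result": "success", "InitiatedBy": _ADMIN,
     "TargetResources": [{"displayName": "contoso.example"}]},
    {"TimeGenerated": NOW - timedelta(days=45), "Category": "UserManagement",
     "OperationName": "Add user", "Result": "success", "InitiatedBy": _ADMIN,
     "TargetResources": [{"displayName": "someone@contoso.example"}]},
    {"TimeGenerated": NOW - timedelta(days=200), "Category": "DirectoryManagement",
     "OperationName": "Set DirSyncEnabled flag", "Result": "success", "InitiatedBy": _ADMIN,
     "TargetResources": [{"displayName": "Company"}]},
]

if __name__ == "__main__":
    for row in hunt_dirsync_changes(SAMPLE_RECORDS, NOW):
        print(row["TimeGenerated"].date(), row["Feature"], row["Actor"], row["SourceIP"] or "-")
```

Running it prints three rows (SoftMatchBlock, PasswordHashSync, Other): the "Update domain" event passes purely on its Category, and the app-initiated Password Hash Sync change has an empty SourceIP because the query only reads InitiatedBy.user.ipAddress. Both are worth knowing when triaging the real query's output.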

David Alonso
Released: June 1, 2026