Query Details

Microsoft Dynamics 365 Privilege Escalation Via Role Or Team Modification

Query

# *Microsoft Dynamics 365 Privilege Escalation via Role or Team Modification*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1098 | Account Manipulation | https://attack.mitre.org/techniques/T1098 |
| T1078 | Valid Accounts | https://attack.mitre.org/techniques/T1078 |

#### Description

This rule detects suspicious activity in Microsoft Dynamics 365 where an account, from outside the corporate IP range, first performs inquiries about user privileges and then subsequently modifies or creates roles or teams within a short time frame. This could indicate an attempt to escalate privileges or gain unauthorized access.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### Possible false positives
- Legitimate administrative actions performed by users (for example, an administrator reviewing their own rights and then editing a team or role while connected from outside the configured corporate range, such as from home or a VPN egress that is not in the range)

## Defender XDR
```KQL
// Replace with your own egress range(s). ipv4_is_in_range() only understands IPv4: for IPv6 or
// malformed addresses it returns null, and not(null) is null, so those rows are dropped from both legs.
let CorporateIPRange = "147.86.0.0/16";
let ThreatWindow = 10m;
// Leg 1: privilege look-ups from outside the corporate range that are not flagged as admin operations
let SuspiciousInquiries = 
    CloudAppEvents
    | where Timestamp > ago(1d)   // advanced hunting exposes Timestamp; TimeGenerated is the Sentinel ingestion column
    | where Application == "Microsoft Dynamics 365"
    | where not(ipv4_is_in_range(IPAddress, CorporateIPRange))
    | where IsAdminOperation == false
    | where ActionType in ("RetrieveUserPrivileges", "RetrieveUserPrivilegeByPrivilegeName", "RetrievePrivilegeMaxDepthFromTeamRoles")
    | project InquiryTime = Timestamp, AccountId, InquiryIP = IPAddress, InquiryCorrelationId = tostring(parse_json(RawEventData).CorrelationId);
// Leg 2: creates/updates of roles, teams, or the user-role / team-role intersect entities
CloudAppEvents
| where Timestamp > ago(1d)
| where Application == "Microsoft Dynamics 365"
| where not(ipv4_is_in_range(IPAddress, CorporateIPRange))
| where ActionType has_any ("Update", "Create")
| where ObjectName has "role" or ObjectName has "team" or tostring(parse_json(RawEventData).EntityName) has_any ("role", "systemuserroles", "teamroles")
| project ModificationTime = Timestamp, AccountId, ActionType, ObjectName, ModificationIP = IPAddress, EntityName = tostring(parse_json(RawEventData).EntityName)
// Correlate on the account: one output row per inquiry/modification pair that falls inside the window
| join kind=inner SuspiciousInquiries on AccountId
| where ModificationTime between (InquiryTime .. (InquiryTime + ThreatWindow))
| project ModificationTime, AccountId, ActionType, ObjectName, EntityName, ModificationIP, InquiryTime, InquiryIP, InquiryCorrelationId
```

Explanation

This KQL query is designed to detect potentially suspicious activity in Microsoft Dynamics 365 that could indicate a privilege escalation attempt. Here's a simplified explanation:

  1. Objective: The query identifies instances where an account, accessing the system from outside the corporate IP range, first checks user privileges and then quickly modifies or creates roles or teams. This sequence (reconnaissance of one's own rights followed by a change to role or team membership) might suggest an attempt to gain unauthorized access or escalate privileges.

  2. Key Components:

    • Corporate IP Range: The query excludes activity from the corporate network (IP range 147.86.0.0/16 in the sample; replace it with your own egress ranges), focusing on external access. Note that ipv4_is_in_range() only understands IPv4: for IPv6 or malformed source addresses it returns null, and not(null) is also null, so those rows are silently dropped rather than treated as external. Add an explicit IPv6 check if your tenant sees IPv6 clients.
    • Threat Window: A short time frame (10 minutes) links a privilege inquiry with subsequent role or team changes by the same account.
    • Suspicious Inquiries: The first leg collects RetrieveUserPrivileges, RetrieveUserPrivilegeByPrivilegeName and RetrievePrivilegeMaxDepthFromTeamRoles calls that are not flagged as admin operations; a user enumerating what they are allowed to do is a plausible precursor to an unauthorized change.
    • Role/Team Modifications: The second leg collects Update and Create actions whose ObjectName contains "role" or "team", or whose RawEventData.EntityName is role, systemuserroles or teamroles (the intersect entities that record which roles a user or team holds). Dataverse records adding or removing a role from a user or team as an Associate/Disassociate operation on those intersect entities rather than as an Update, so verify the ActionType values in your own tenant and extend the has_any list if you want direct role assignments to be caught as well.
  3. Detection Logic:

    • Both legs are restricted to Microsoft Dynamics 365 events from outside the corporate network within the last day.
    • The legs are joined on AccountId, and a row is kept only when the modification falls between the inquiry time and the inquiry time plus 10 minutes.
    • The join emits one row per inquiry/modification pair, so an account that queried its privileges several times before one change will appear several times; aggregate on AccountId and ModificationTime if you want one alert per change.
  4. Potential False Positives: Legitimate administrative actions by users might trigger this detection (for example, an administrator working from a VPN or home address outside the configured range who reviews their rights and then updates a team), so further investigation is necessary to confirm any malicious intent.

Overall, this query helps security teams monitor and respond to potential privilege escalation attempts in Microsoft Dynamics 365 by identifying unusual patterns of behavior from external accounts.
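To make the sequence logic above testable offline, here is an added Python re-implementation of the same detection (it is not part of the original query page and not the author's code). It runs the two legs and the time-window correlation over a handful of constructed CloudAppEvents-like records, and it differs from the KQL in one deliberate place: IPv6 or unparsable source addresses are treated as external instead of being dropped, which the comments call out. The account names, IP addresses and timestamps are all made up for the example.

```python
"""Offline re-implementation of the Dynamics 365 privilege-inquiry -> role/team change detection.
Added example, not the original query page's code. All events below are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder range copied from the query; replace with your own egress ranges (IPv6 included).
CORPORATE_RANGES = [ipaddress.ip_network("147.86.0.0/16")]
THREAT_WINDOW = timedelta(minutes=10)
APPLICATION = "Microsoft Dynamics 365"
INQUIRY_ACTIONS = {"RetrieveUserPrivileges", "RetrieveUserPrivilegeByPrivilegeName",
                   "RetrievePrivilegeMaxDepthFromTeamRoles"}
CHANGE_ACTIONS = {"Update", "Create"}          # the query's has_any("Update", "Create")
ROLE_ENTITIES = {"role", "systemuserroles", "teamroles"}


@dataclass
class CloudAppEvent:
    """Subset of CloudAppEvents columns the detection needs (entity_name = RawEventData.EntityName)."""
    timestamp: datetime
    account_id: str
    ip_address: str
    action_type: str
    is_admin_operation: bool = False
    object_name: str = ""
    entity_name: str = ""
    application: str = APPLICATION


def is_external(ip: str) -> bool:
    """True when the source IP is outside every corporate range.
    KQL's not(ipv4_is_in_range(...)) yields null for IPv6 or malformed input and the row is
    silently dropped; here such rows are kept and treated as external so they are not lost."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    # IPv4Network.__contains__ is False for an IPv6 address, so IPv6 clients count as external.
    return not any(addr in net for net in CORPORATE_RANGES)


def is_privilege_inquiry(e: CloudAppEvent) -> bool:
    return (e.application == APPLICATION and not e.is_admin_operation
            and e.action_type in INQUIRY_ACTIONS and is_external(e.ip_address))


def is_role_or_team_change(e: CloudAppEvent) -> bool:
    touches_roles = ("role" in e.object_name.lower() or "team" in e.object_name.lower()
                     or e.entity_name.lower() in ROLE_ENTITIES)
    return (e.application == APPLICATION and e.action_type in CHANGE_ACTIONS
            and touches_roles and is_external(e.ip_address))


def detect(events):
    """One finding per role/team change preceded by a privilege inquiry from the same account
    within THREAT_WINDOW (the KQL join instead emits one row per inquiry/change pair)."""
    inquiries = [e for e in events if is_privilege_inquiry(e)]
    findings = []
    for change in (e for e in events if is_role_or_team_change(e)):
        matching = [q for q in inquiries
                    if q.account_id == change.account_id
                    and q.timestamp <= change.timestamp <= q.timestamp + THREAT_WINDOW]
        if matching:
            findings.append({
                "account_id": change.account_id,
                "ip_address": change.ip_address,
                "action_type": change.action_type,
                "entity_name": change.entity_name or change.object_name,
                "first_inquiry": min(q.timestamp for q in matching),
                "modification_time": change.timestamp,
                "inquiries_in_window": len(matching),
            })
    return findings


def sample_events():
    """Constructed events, not real tenant data."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    return [
        # A: external IPv4, inquiry then a systemuserroles update 4 minutes later -> finding
        CloudAppEvent(t0, "user-a", "203.0.113.10", "RetrieveUserPrivileges"),
        CloudAppEvent(m(4), "user-a", "203.0.113.10", "Update", entity_name="systemuserroles"),
        # B: same sequence from inside 147.86.0.0/16 -> excluded as corporate
        CloudAppEvent(t0, "user-b", "147.86.20.5", "RetrieveUserPrivileges"),
        CloudAppEvent(m(2), "user-b", "147.86.20.5", "Create", object_name="Team"),
        # C: external, but the team is created 15 minutes later -> outside the window
        CloudAppEvent(t0, "user-c", "198.51.100.7", "RetrieveUserPrivilegeByPrivilegeName"),
        CloudAppEvent(m(15), "user-c", "198.51.100.7", "Create", object_name="Team"),
        # D: external IPv6 client; the KQL version drops these rows, this version flags it
        CloudAppEvent(t0, "user-d", "2001:db8::1234", "RetrievePrivilegeMaxDepthFromTeamRoles"),
        CloudAppEvent(m(1), "user-d", "2001:db8::1234", "Update", entity_name="teamroles"),
        # E: the inquiry is an admin operation, so it is not a "suspicious inquiry"
        CloudAppEvent(t0, "user-e", "203.0.113.44", "RetrieveUserPrivileges", is_admin_operation=True),
        CloudAppEvent(m(3), "user-e", "203.0.113.44", "Update", entity_name="role"),
    ]


if __name__ == "__main__":
    for finding in detect(sample_events()):
        print(finding)
```

Running the module prints two findings, for user-a and user-d; user-b is excluded by the corporate range, user-c falls outside the 10-minute window, and user-e's inquiry is discarded because it is an admin operation. Swap the IPv6 branch in is_external() for a `return False` if you want to reproduce the KQL behaviour exactly.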

Details


Benjamin Zulliger

Released: June 24, 2026

Tables

CloudAppEvents

Keywords

Microsoft Dynamics 365, Account, Privileges, Roles, Teams, IPAddress, TimeGenerated, Application, ActionType, ObjectName, RawEventData

Operators

let, ago, where, not, ipv4_is_in_range, in, project, tostring, parse_json, has_any, join, between
