Query Details

Monitoring Restricted Management Administrative Units Abuse

Query

// Monitoring restricted management administrative units abuse
// https://securitylabs.datadoghq.com/articles/abusing-entra-id-administrative-units/

// Yesterday, I read an insightful article by Katie Knowles on the potential abuse of the new Entra Restricted Management Units (currently in preview) for sticky persistence if a global administrator or privileged role administrator is compromised. Although exploiting this feature requires a high-privileged role, it remains a significant risk for organizations that do not implement privileged role access management using PIM. The possibility of high-privileged roles being compromised through AiTM attacks, even with MFA enforced, makes this a critical issue.
// Therefore, it is crucial for SecOps to monitor the creation of restricted AUs to detect potential sticky persistence abuses. This is particularly important due to the lack of visibility of the members and the inability of regular privileged role admins to reset user credentials within these restricted AUs. In my SlimKQL GitHub repository, I have shared a Sentinel KQL rule to monitor the creation of Restricted AUs, enabling SecOps to take necessary mitigation actions.

// Hourly Sentinel Monitoring Rule

AuditLogs
// Look back one hour; the rule is scheduled hourly. ago(1h) is required here:
// comparing a datetime with a bare timespan does not compile in KQL.
| where TimeGenerated > ago(1h)
| where OperationName == "Add administrative unit"
// modifiedProperties[2] assumes IsMemberManagementRestricted is the third property
// in the creation event; the first filter guards against that position shifting.
| where parse_json(tostring(TargetResources[0].modifiedProperties))[2].displayName == "IsMemberManagementRestricted"
// newValue is a JSON-encoded string such as "[true]", hence the second parse_json.
| where parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[2].newValue))[0] == true
| extend RestrictedAUs = TargetResources[0].displayName
// Actor details are taken from InitiatedBy.user; an app/service-principal-initiated
// creation carries them under InitiatedBy.app instead and will show empty UPN/IP.
| extend UPN = parse_json(tostring(InitiatedBy.user)).userPrincipalName
| extend IPAddress = parse_json(tostring(InitiatedBy.user)).ipAddress
| project TimeGenerated, RestrictedAUs, UPN, IPAddress, AdditionalDetails

// MITRE ATT&CK Technique Mapping

// Tactic: Initial Access
// Technique: Valid Accounts (T1078)
// Sub-technique: Domain Accounts (T1078.002)
// Description: The query identifies actions performed by specific user accounts, which could indicate the use of valid accounts to gain initial access.

// Tactic: Persistence
// Technique: Account Manipulation (T1098)
// Sub-technique: Additional Cloud Credentials (T1098.001)
// Description: Adding administrative units and modifying properties can be a form of account manipulation to maintain persistence within the environment.

// Tactic: Privilege Escalation
// Technique: Abuse Elevation Control Mechanism (T1548)
// Sub-technique: Bypass User Account Control (T1548.002)
// Description: The operation of adding administrative units with restricted member management could be an attempt to escalate privileges.

Explanation

This query is designed to help security operations teams monitor and detect potential abuse of Entra Restricted Management Units (currently in preview) by high-privileged roles. Here's a simplified summary:

  1. Purpose: The query aims to identify the creation of Restricted Administrative Units (AUs) in an organization's environment. This is important because these units can be exploited for persistent access if a high-privileged account (like a global administrator) is compromised.

  2. Context: The concern arises from the potential for high-privileged roles to be compromised through attacks, even with multi-factor authentication (MFA) in place. Monitoring the creation of these restricted AUs helps in detecting and mitigating such abuses.

  3. Query Breakdown:

    • Data Source: The query uses the AuditLogs table.
    • Time Frame: It looks at logs generated in the last hour.
    • Operation Filter: It filters for the operation named "Add administrative unit".
    • Property Check: It checks if the property IsMemberManagementRestricted is set to true, indicating a restricted AU.
    • Details Extraction: It extracts and displays relevant details such as the name of the restricted AU, the user principal name (UPN) of the initiator, and their IP address.

  4. Output: The query projects (displays) the time the event was generated, the name of the restricted AU, the UPN, the IP address, and any additional details.

  5. Security Mapping:

    • Initial Access: Identifies actions by specific user accounts, potentially indicating the use of valid accounts to gain access.
    • Persistence: Detects account manipulation through the addition of administrative units, which can help maintain persistent access.
    • Privilege Escalation: Monitors for operations that could indicate an attempt to escalate privileges by adding restricted administrative units.

By running this query hourly, security teams can stay vigilant against potential abuses of high-privileged roles and take necessary actions to protect their environment.
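The same detection logic, as an added Python example that is not part of the original query or the SlimKQL repository, run over constructed AuditLogs-shaped records. It shows why the rule needs the double parse_json (newValue is a JSON-encoded string), matches the property by name instead of list position, and reads the actor from InitiatedBy.app as well as InitiatedBy.user; the sample events, names and addresses are all made up.

```python
import json

# Constructed sample AuditLogs records shaped like Entra ID "Add administrative
# unit" events (not real tenant data). Note that newValue is a JSON-encoded
# *string* inside the record, hence the double parse_json(tostring()) in KQL.
SAMPLE_EVENTS = [
    {"OperationName": "Add administrative unit",
     "InitiatedBy": {"user": {"userPrincipalName": "ga@contoso.example",
                              "ipAddress": "203.0.113.10"}},
     "TargetResources": [{"displayName": "Tier0-RMAU", "modifiedProperties": [
         {"displayName": "DisplayName", "newValue": "[\"Tier0-RMAU\"]"},
         {"displayName": "IsMemberManagementRestricted", "newValue": "[true]"}]}]},
    {"OperationName": "Add administrative unit",  # ordinary AU, flag is false
     "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example",
                              "ipAddress": "198.51.100.7"}},
     "TargetResources": [{"displayName": "Helpdesk-AU", "modifiedProperties": [
         {"displayName": "IsMemberManagementRestricted", "newValue": "[false]"},
         {"displayName": "DisplayName", "newValue": "[\"Helpdesk-AU\"]"}]}]},
    {"OperationName": "Add administrative unit",  # created by an app identity
     "InitiatedBy": {"app": {"displayName": "Automation-SP"}},
     "TargetResources": [{"displayName": "Hidden-RMAU", "modifiedProperties": [
         {"displayName": "IsMemberManagementRestricted", "newValue": "[true]"}]}]},
]


def modified_property(event, name):
    """Decoded newValue of the named modifiedProperty (None if absent). Matching
    by displayName, not a fixed list index, survives differing property order."""
    for prop in event["TargetResources"][0].get("modifiedProperties", []):
        if prop.get("displayName") == name:
            values = json.loads(prop.get("newValue") or "[]")
            return values[0] if values else None
    return None


def restricted_au_creations(events):
    """Rule logic: creations where IsMemberManagementRestricted is true. The
    actor is read from InitiatedBy.user *or* InitiatedBy.app, so a creation
    driven by a service principal is not lost for lacking a UPN."""
    hits = []
    for ev in events:
        if (ev.get("OperationName") != "Add administrative unit"
                or modified_property(ev, "IsMemberManagementRestricted") is not True):
            continue
        user = ev.get("InitiatedBy", {}).get("user")
        app = ev.get("InitiatedBy", {}).get("app", {})
        hits.append({"RestrictedAU": ev["TargetResources"][0]["displayName"],
                     "Actor": user["userPrincipalName"] if user else "app:" + app.get("displayName", "?"),
                     "IPAddress": user.get("ipAddress") if user else None})
    return hits
```

Against the three constructed events the function returns the two restricted creations (Tier0-RMAU by the user, Hidden-RMAU by the app identity) and drops the ordinary AU.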

Details

Steven Lim

Released: September 21, 2024

Tables

AuditLogs
