Query Details

None Passwordless Authentication From Privileged Identities

Query

id: 6235a7c6-953a-4603-a1b9-f9daee988e9a
name: Successfully sign-in from privileged user with password authentication (no password-less sign-in)
description: |
  'Using Sentinel Watchlist with all privileged accounts to search for Password-based and successful authentication (without FIDO2 or WHfB sign-in)'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
  - T1110
query: |
  // Privileged accounts come from the watchlist; the column name contains spaces,
  // so it must be referenced as ['Associated Privileged Account'] rather than as a
  // string literal (a literal would never match any UserPrincipalName in the join)
  _GetWatchlist('IdentityCorrelation')
  | extend UserPrincipalName = tostring(['Associated Privileged Account'])
  | join
  (
  // Interactive and non-interactive sign-ins that succeeded (ResultType 0) and
  // whose authentication chain includes a password step
  union AADNonInteractiveUserSignInLogs, SigninLogs
  | where AuthenticationDetails contains "Password" and ResultType == "0"
  ) on $left.UserPrincipalName == $right.UserPrincipalName
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.1.1
kind: Scheduled

Explanation

This rule searches for successful sign-ins by privileged users in which a password was used for authentication. The set of privileged accounts comes from the Sentinel watchlist IdentityCorrelation (column "Associated Privileged Account"), so the rule finds password-based, successful sign-ins for those accounts rather than FIDO2 or Windows Hello for Business (WHfB) sign-ins. It requires the AzureActiveDirectory data connector with the SigninLogs and AADNonInteractiveUserSignInLogs tables, unions those two tables, and keeps only events with ResultType 0 (success) whose AuthenticationDetails contains "Password". Note that the filter only tests for the presence of a password step: a sign-in that used a password together with an additional MFA method still matches. The rule runs once a day over the past day and triggers whenever more than 0 events match. It is mapped to the Initial Access and Credential Access tactics and to techniques T1078 and T1110. The watchlist rows are joined with the sign-in logs on UserPrincipalName, and the results are extended with a timestamp column and an AccountCustomEntity column; AccountCustomEntity is mapped to the FullName identifier of the Account entity.
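The detection logic of the rule, re-implemented over constructed in-memory rows as an added example (not part of the original page or the author's rule): the watchlist name, its "Associated Privileged Account" column and the sign-in columns are taken from the rule, while the accounts, timestamps and AuthenticationDetails values are made up for illustration.

```python
import json

# Constructed watchlist rows; the 'IdentityCorrelation' watchlist and its
# 'Associated Privileged Account' column are the names the rule uses.
WATCHLIST = [
    {"Associated Privileged Account": "adm-alice@contoso.example"},
    {"Associated Privileged Account": "adm-bob@contoso.example"},
]

def _auth(methods, ok=True):
    # AuthenticationDetails is a JSON array with one record per authentication step.
    return json.dumps([{"authenticationMethod": m, "succeeded": ok} for m in methods])

# Constructed events shaped like the union of SigninLogs and
# AADNonInteractiveUserSignInLogs (only the columns the rule touches).
SIGNIN_LOGS = [
    {"TimeGenerated": "2023-08-23T08:01:00Z", "UserPrincipalName": "adm-alice@contoso.example",
     "ResultType": "0", "AuthenticationDetails": _auth(["Password", "Mobile app notification"])},
    {"TimeGenerated": "2023-08-23T08:05:00Z", "UserPrincipalName": "adm-bob@contoso.example",
     "ResultType": "0", "AuthenticationDetails": _auth(["FIDO2 security key"])},
    {"TimeGenerated": "2023-08-23T08:09:00Z", "UserPrincipalName": "adm-alice@contoso.example",
     "ResultType": "50126", "AuthenticationDetails": _auth(["Password"], ok=False)},
    {"TimeGenerated": "2023-08-23T08:12:00Z", "UserPrincipalName": "jdoe@contoso.example",
     "ResultType": "0", "AuthenticationDetails": _auth(["Password"])},
]

def privileged_password_signins(watchlist, signins):
    """Mirror the rule's join and filters with KQL semantics: the join on
    UserPrincipalName is an exact, case-sensitive match like '==', and the
    'contains "Password"' test is case-insensitive like KQL 'contains'.
    Returns matching events extended with 'timestamp' and 'AccountCustomEntity'."""
    privileged = {row["Associated Privileged Account"] for row in watchlist}
    hits = []
    for ev in signins:
        if ev["UserPrincipalName"] not in privileged:
            continue  # not a privileged account from the watchlist
        if ev["ResultType"] != "0":
            continue  # only successful sign-ins
        if "password" not in ev["AuthenticationDetails"].lower():
            continue  # no password step in the authentication chain
        hits.append({**ev, "timestamp": ev["TimeGenerated"],
                     "AccountCustomEntity": ev["UserPrincipalName"]})
    return hits

if __name__ == "__main__":
    for hit in privileged_password_signins(WATCHLIST, SIGNIN_LOGS):
        print(hit["timestamp"], hit["AccountCustomEntity"])
```

Only the first constructed event matches: adm-bob used FIDO2, the third event failed, and jdoe is not on the watchlist. Because the test is only "contains Password", a password plus MFA sign-in is still reported, which is the rule's intended meaning of "not passwordless".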

Details

Thomas Naunheim

Released: August 23, 2023

Tables

AADNonInteractiveUserSignInLogs, SigninLogs

Keywords

Devices, Intune, User

Operators

id, name, description, severity, requiredDataConnectors, queryFrequency, queryPeriod, triggerOperator, triggerThreshold, tactics, relevantTechniques, query, entityMappings, version, kind, extend, join, union, where, contains, and, on, $left, $right