Reset of two-factor authentication credentials (password and MFA) of Azure AD account by admin
Reset MFA Auth Cred By Admin
Query
let timeFrame = 1h;
let resetDiff = 10m;
AuditLogs
| where TimeGenerated >= ago(timeFrame)
| where OperationName == "Reset password (by admin)"
| extend PasswordResetTime = TimeGenerated, UserPrincipalName = tostring(TargetResources[0].userPrincipalName), PasswordResetIP = tostring(InitiatedBy.user.ipAddress)
| join kind= inner (
AuditLogs
| where TimeGenerated >= ago(timeFrame)
| where TargetResources contains "StrongAuthenticationMethod"
| extend StrongAuthModifyTime = TimeGenerated, UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
// Audit Event contains no source IP, using OperationsName "Admin updated security info" is not covering reset of MFA
) on UserPrincipalName
| where abs(datetime_diff('minute', PasswordResetTime, StrongAuthModifyTime)) <= resetDiff/1min
| summarize PasswordResetTime = max(PasswordResetTime), StrongAuthModifyTime = max(StrongAuthModifyTime) by UserPrincipalName, PasswordResetIP
| extend timestamp = PasswordResetTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = PasswordResetIPExplanation
This query is used to detect when an admin resets the password and modifies the multi-factor authentication (MFA) credentials of an Azure AD account. It looks for events in the Azure Active Directory audit logs where the password is reset by an admin and the StrongAuthenticationMethod is modified. If both events occur within a certain timeframe, an alert is generated. The query runs every hour and looks at events from the past hour. The severity of this alert is medium. The relevant technique is T1078 and the tactics are Initial Access. The query also includes entity mappings to map the account and IP information.
Details

Thomas Naunheim
Released: August 23, 2023
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 1h
Period: 1h