Query Details

Reset MFA Auth Cred By Admin

Query

id: 667db47c-e169-46e0-9160-9c88a0074363
name: Reset of two-factor authentication credentials (password and MFA) of Azure AD account by admin
description: |
  'This query looks for Azure Active Directory audit events in which an admin reset a password and modified StrongAuthenticationMethods.
  An alert is generated if both authentication credentials were modified within a certain timeframe.'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  let timeFrame = 1h;
  let resetDiff = 10m;
  AuditLogs
  | where TimeGenerated >= ago(timeFrame)
  | where OperationName == "Reset password (by admin)"
  | extend PasswordResetTime = TimeGenerated, UserPrincipalName = tostring(TargetResources[0].userPrincipalName), PasswordResetIP = tostring(InitiatedBy.user.ipAddress)
  | join kind= inner (
      AuditLogs
      | where TimeGenerated >= ago(timeFrame)
      | where TargetResources contains "StrongAuthenticationMethod"
      | extend StrongAuthModifyTime = TimeGenerated, UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
    // The MFA audit event carries no source IP; filtering on OperationName "Admin updated security info" would not cover a reset of MFA, so the MFA side is matched on TargetResources instead
  ) on UserPrincipalName
  | where abs(datetime_diff('minute', PasswordResetTime, StrongAuthModifyTime)) <= resetDiff/1min
  | summarize PasswordResetTime = max(PasswordResetTime), StrongAuthModifyTime = max(StrongAuthModifyTime) by UserPrincipalName, PasswordResetIP
  | extend timestamp = PasswordResetTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = PasswordResetIP
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.2.1
kind: Scheduled

Explanation

This query detects an admin resetting both the password and the multi-factor authentication (MFA) credentials of the same Azure AD account. It takes Azure Active Directory audit log events with OperationName "Reset password (by admin)", joins them on UserPrincipalName with audit events whose TargetResources mention StrongAuthenticationMethod, and keeps only pairs whose timestamps are at most 10 minutes apart (resetDiff). The result is summarized to one row per account and resetting IP, carrying the latest password reset and MFA modification times. The source IP is taken from the password reset event only, because the MFA modification event carries no IP; the MFA side is matched on TargetResources rather than on OperationName, since "Admin updated security info" does not cover a reset of MFA. The query runs every hour over the past hour of events, so queryPeriod equals queryFrequency and a reset and an MFA change that fall on opposite sides of an hourly run boundary are never seen together; a longer queryPeriod closes that gap at the cost of re-raising the same pair on consecutive runs. The severity is medium; the technique is T1078 (Valid Accounts) under the Initial Access tactic. The entity mappings expose the account (AccountCustomEntity) and IP (IPCustomEntity) for incident correlation.
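To see the correlation behave on concrete events, including the cases it deliberately ignores and the hour-boundary gap, here is an added Python reimplementation of the rule's logic run over constructed AuditLogs rows. This is example code written for this page, not the rule author's or Microsoft Sentinel's code; the rows are invented, the "Update user" OperationName on the MFA rows is an assumption (the rule never filters on it), and minute_diff approximates KQL's calendrical datetime_diff by counting minute boundaries crossed.

```python
import json
from datetime import datetime, timedelta

# Constants taken from the rule: the admin-reset OperationName it filters on and
# the substring it searches for in TargetResources.
ADMIN_RESET_OP = "Reset password (by admin)"
MFA_MARKER = "StrongAuthenticationMethod"


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def minute_diff(a, b):
    """Approximate abs(datetime_diff('minute', a, b)): whole minute boundaries
    crossed between a and b, so 10:00:00 vs 10:04:30 gives 4, not 4.5."""
    a0 = a.replace(second=0, microsecond=0)
    b0 = b.replace(second=0, microsecond=0)
    return abs(int((a0 - b0).total_seconds())) // 60


def _upn(event):
    # tostring(TargetResources[0].userPrincipalName)
    return str(event["TargetResources"][0]["userPrincipalName"])


def _reset_ip(event):
    # tostring(InitiatedBy.user.ipAddress); a missing value becomes "" like KQL tostring(null)
    return str(event["InitiatedBy"].get("user", {}).get("ipAddress") or "")


def detect(events, now_iso, time_frame_hours=1, reset_diff_minutes=10):
    """Run the rule's correlation once, as if scheduled at now_iso.

    Mirrors the KQL: restrict to ago(timeFrame), split admin password resets
    from StrongAuthenticationMethod modifications, inner-join on UPN, keep
    pairs no more than resetDiff apart, summarize max times by UPN and reset IP.
    """
    now = parse_ts(now_iso)
    window_start = now - timedelta(hours=time_frame_hours)
    # Rows visible to this run: inside ago(timeFrame) and already ingested.
    rows = [e for e in events if window_start <= parse_ts(e["TimeGenerated"]) <= now]
    resets = [e for e in rows if e["OperationName"] == ADMIN_RESET_OP]
    # TargetResources contains "StrongAuthenticationMethod": a substring match
    # over the serialized dynamic column, regardless of OperationName.
    mfa_mods = [e for e in rows if MFA_MARKER in json.dumps(e["TargetResources"])]

    hits = {}
    for r in resets:
        for m in mfa_mods:
            if _upn(r) != _upn(m):          # join ... on UserPrincipalName
                continue
            rt, mt = parse_ts(r["TimeGenerated"]), parse_ts(m["TimeGenerated"])
            if minute_diff(rt, mt) > reset_diff_minutes:
                continue
            key = (_upn(r), _reset_ip(r))   # summarize ... by UserPrincipalName, PasswordResetIP
            prev = hits.get(key, (rt, mt))
            hits[key] = (max(prev[0], rt), max(prev[1], mt))
    return [
        {"UserPrincipalName": upn, "PasswordResetIP": ip,
         "PasswordResetTime": rt, "StrongAuthModifyTime": mt}
        for (upn, ip), (rt, mt) in sorted(hits.items())
    ]


def _row(ts, op, upn, ip=None, mfa=False):
    """Build a minimal constructed AuditLogs row with only the fields the rule reads."""
    target = {"userPrincipalName": upn}
    if mfa:
        target["modifiedProperties"] = [{"displayName": MFA_MARKER}]
    return {"TimeGenerated": ts, "OperationName": op,
            "InitiatedBy": {"user": {"ipAddress": ip} if ip else {}},
            "TargetResources": [target]}


# Constructed sample data (not real tenant events). "Update user" is an assumed
# OperationName for the MFA change; the rule does not filter on it anyway.
SAMPLE_AUDIT_LOGS = [
    _row("2023-08-23T10:00:00Z", ADMIN_RESET_OP, "alice@contoso.example", ip="203.0.113.10"),
    _row("2023-08-23T10:04:30Z", "Update user", "alice@contoso.example", mfa=True),
    _row("2023-08-23T10:07:00Z", "Update user", "alice@contoso.example", mfa=True),  # second MFA edit: summarize keeps the latest
    _row("2023-08-23T10:20:00Z", ADMIN_RESET_OP, "bob@contoso.example", ip="203.0.113.11"),
    _row("2023-08-23T10:45:00Z", "Update user", "bob@contoso.example", mfa=True),    # 25 min apart: outside resetDiff
    _row("2023-08-23T10:30:00Z", "Update user", "carol@contoso.example", mfa=True),  # MFA change with no admin reset
    _row("2023-08-23T10:50:00Z", ADMIN_RESET_OP, "dave@contoso.example", ip="203.0.113.12"),   # reset with no MFA change
    _row("2023-08-23T10:58:00Z", ADMIN_RESET_OP, "frank@contoso.example", ip="203.0.113.13"),  # pair straddling the 11:00 run
    _row("2023-08-23T11:03:00Z", "Update user", "frank@contoso.example", mfa=True),
]

if __name__ == "__main__":
    for run in ("2023-08-23T11:00:00Z", "2023-08-23T12:00:00Z"):
        print(run, detect(SAMPLE_AUDIT_LOGS, run))  # alice only, then nothing: frank's pair is split across runs
    print("2h lookback", detect(SAMPLE_AUDIT_LOGS, "2023-08-23T12:00:00Z", time_frame_hours=2))  # alice and frank
```

Running it shows why the 1h lookback matters: frank's reset at 10:58 and MFA change at 11:03 are each seen by one hourly run but never by the same one, while a 2-hour lookback at 12:00 pairs them.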

Details

Thomas Naunheim

Released: August 23, 2023

Tables

AuditLogs

Keywords

AzureActiveDirectory,Resetpassword,StrongAuthenticationMethod,AuditLogs,TimeGenerated,OperationName,PasswordResetTime,UserPrincipalName,PasswordResetIP,InitiatedBy.user.ipAddress,TargetResources,StrongAuthModifyTime,datetime_diff,summarize,timestamp,AccountCustomEntity,IPCustomEntity,FullName,Address

Operators

where,extend,join,on,abs,datetime_diff,summarize