Query Details

Unusual Sensitive Action Performed By Azure AD Connect Account

Query

id: 1919c832-b23f-46bb-a110-e275b546dc78
name: Unusual sensitive action performed by Azure AD Connect account
version: 1.0.0
kind: Scheduled
description: The Azure AD Connect account is performing sensitive actions that this account should never carry out. This is a sign of compromise of the account and should result in immediate action.
severity: High
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - LateralMovement
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1550
  - T0859
  - T1098
  - T1078
  - T0859
  - T1078
  - T0890
query: |-
  // Directory operations that the Azure AD Connect sync account should never perform
  let SensitiveActions = dynamic(["Update service principal","Add service principal credentials","Add owner to service principal","Add delegated permission grant"]);
  AuditLogs
  | extend InitiatedByUPN = parse_json(tostring(InitiatedBy.user)).userPrincipalName
  // Azure AD Connect sync accounts follow the naming convention Sync_<...>@<tenant>.onmicrosoft.com
  | where InitiatedByUPN startswith "Sync_" and InitiatedByUPN endswith "onmicrosoft.com"
  // in~ matches the operation name case-insensitively
  | where OperationName in~ (SensitiveActions)
  // One row per target resource; keep only service principal targets
  | mv-expand TargetResources
  | where TargetResources.type == "ServicePrincipal"
  | extend TargetResourcesname = TargetResources.name
  | extend TargetResourcesId = TargetResources.id
  | extend InitiatedByIpAddress = parse_json(tostring(InitiatedBy.user)).ipAddress
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    reopenClosedIncident: false
    groupByCustomDetails: []
    groupByEntities:
      - Account
    groupByAlertDetails: []
    lookbackDuration: 1h
    enabled: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  Activity: OperationName
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: InitiatedByUPN
        identifier: FullName
  - entityType: CloudApplication
    fieldMappings:
      - columnName: TargetResourcesId
        identifier: AppId
  - entityType: IP
    fieldMappings:
      - columnName: InitiatedByIpAddress
        identifier: Address
  - entityType: CloudApplication
    fieldMappings:
      - columnName: TargetResourcesname
        identifier: Name
suppressionEnabled: false

Explanation

This query is designed to detect unusual sensitive actions performed by an Azure AD Connect account. It looks for four specific operations: updating a service principal, adding service principal credentials, adding an owner to a service principal, and adding a delegated permission grant. The query keeps only actions initiated by an account whose user principal name starts with "Sync_" and ends with "onmicrosoft.com" (the naming convention of the Azure AD Connect sync account), expands the target resources of each event and checks that the target is a service principal. It also captures additional context such as the initiating user's IP address and the target service principal's name and id. If any of these actions are detected, an incident is created with high severity and immediate action is recommended. The query runs every 30 minutes and looks back at the past 30 minutes of audit logs. Incident grouping is based on the account involved in the action.
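The same filter logic, expressed in Python over records shaped like Sentinel AuditLogs rows, added here as an illustration and not part of the original rule; the sample UPN, IP addresses, app ids and event contents are constructed, and the Python mirrors the case-insensitive `in~` match and the per-target expansion of `mv-expand`:

```python
from typing import Any, Dict, List

# Operations the rule flags; lowercase because the query's in~ is case-insensitive.
SENSITIVE_ACTIONS = {
    "update service principal",
    "add service principal credentials",
    "add owner to service principal",
    "add delegated permission grant",
}

def is_sync_account(upn: str) -> bool:
    """Same test as the query: UPN starts with Sync_ and ends with onmicrosoft.com."""
    return upn.startswith("Sync_") and upn.endswith("onmicrosoft.com")

def evaluate(audit_logs: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Apply the rule's filters; one row per ServicePrincipal target, like mv-expand."""
    rows = []
    for event in audit_logs:
        user = (event.get("InitiatedBy") or {}).get("user") or {}
        upn = str(user.get("userPrincipalName", ""))
        if not is_sync_account(upn):
            continue
        if str(event.get("OperationName", "")).lower() not in SENSITIVE_ACTIONS:
            continue
        for target in event.get("TargetResources") or []:  # mv-expand TargetResources
            if target.get("type") != "ServicePrincipal":
                continue
            rows.append({
                "InitiatedByUPN": upn,
                "Activity": event["OperationName"],  # customDetails.Activity in the rule
                "TargetResourcesname": target.get("name", ""),
                "TargetResourcesId": target.get("id", ""),
                "InitiatedByIpAddress": user.get("ipAddress", ""),
            })
    return rows

# Constructed events in the shape of Sentinel AuditLogs rows; every value is made up.
SAMPLE_AUDIT_LOGS = [
    {"OperationName": "Add service principal credentials",  # sync account + SP target: alert
     "InitiatedBy": {"user": {"userPrincipalName": "Sync_SRV01_a1b2c3@contoso.onmicrosoft.com",
                              "ipAddress": "198.51.100.7"}},
     "TargetResources": [{"type": "ServicePrincipal", "id": "11111111-aaaa-4bbb-8ccc-000000000001",
                          "name": "Example App"}]},
    {"OperationName": "Add service principal credentials",  # regular admin: outside this rule's scope
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.com", "ipAddress": "203.0.113.9"}},
     "TargetResources": [{"type": "ServicePrincipal", "id": "11111111-aaaa-4bbb-8ccc-000000000001",
                          "name": "Example App"}]},
    {"OperationName": "Update user",  # normal sync activity against a user object: no alert
     "InitiatedBy": {"user": {"userPrincipalName": "Sync_SRV01_a1b2c3@contoso.onmicrosoft.com",
                              "ipAddress": "198.51.100.7"}},
     "TargetResources": [{"type": "User", "id": "22222222-bbbb-4ccc-8ddd-000000000002",
                          "name": "jane@contoso.com"}]},
]
```

Only the first sample event survives all filters, which is the row the rule would raise as an alert.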

Details

Fabian Bader

Released: July 23, 2023

Tables

AuditLogs

Keywords

AzureADConnect, SensitiveActions, Account, LateralMovement, Persistence, PrivilegeEscalation, T1550, T0859, T1098, T1078, T0890, Update service principal, Add service principal credentials, Add owner to service principal, Add delegated permission grant, InitiatedByUPN, Sync_, onmicrosoft.com, OperationName, TargetResources, ServicePrincipal, InitiatedByIpAddress.

Operators

| (pipe), extend, where, in~, mv-expand