Disabled soft- or hard match of Azure AD Connect sync
AAD Connect Changed Dir Sync Settings
Query
AuditLogs
| where OperationName has "Set DirSync feature"
| where Category has "DirectoryManagement"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[0].displayName == "DirSyncFeatures"
| extend NewValue = parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue))[0]
| extend OldValue = parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].oldValue))[0]
| extend UserPrincipalName = parse_json(tostring(InitiatedBy.user)).userPrincipalName
| extend IPAddress = parse_json(tostring(InitiatedBy.user)).ipAddress
| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalNameExplanation
This query is designed to detect any changes made to the Azure AD Connect sync configuration that could potentially allow the takeover of cloud-only accounts from an on-premises server. It looks for specific audit logs related to the modification of the "DirSyncFeatures" property. The query extracts relevant information such as the new and old values of the property, the user's principal name, and the IP address from which the change was initiated. The query runs once a day and is focused on detecting persistence, credential access, privilege escalation, and initial access techniques. The results are mapped to the Account and IP entities for further analysis.
Details

Thomas Naunheim
Released: August 23, 2023
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1d
Period: 1d