Query Details

Added temporary access pass or changed password of Azure AD connector account

AAD Connector Account Added TA Por Changed Password

Query

let AADConnectorAcc = (_GetWatchlist('ServiceAccounts')
    | where ['Tags'] == "Azure AD Connect" | project AccountObjectId = ['Service AAD Object Id']);
AuditLogs
  | extend TargetUpn = tolower(tostring(TargetResources[0].userPrincipalName))
  | extend TargetId = tostring(TargetResources[0].id)
  | where TargetId in (AADConnectorAcc)
  | where (LoggedByService == "Authentication Methods" and ResultDescription == "Admin registered temporary access pass method for user") or OperationName == "Reset user password"
  | extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
  | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
  | extend AccountCustomEntity = InitiatingUserOrApp

Explanation

This query looks for events where a temporary access pass or password change has been added to an Azure AD connector account. It checks the AuditLogs for events where the account is identified by the IdentityInfo table and a specific name pattern. The query also includes information about the initiating user or application and their IP address. The query is scheduled to run daily and is relevant to techniques related to persistence, credential access, privilege escalation, and initial access. The query maps the account information to the "Account" entity with the "FullName" field. The severity of this query is medium.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 23, 2023

Tables

AuditLogs

Keywords

AzureActiveDirectoryAuditLogsTargetResourcesAADConnectorAccLoggedByServiceResultDescriptionOperationNameInitiatedByInitiatingUserOrAppAccountCustomEntityFullName

Operators

letwhereextendtolowertostringiniffisnotemptyproject

Severity

Medium

Tactics

PersistenceCredentialAccessPrivilegeEscalationInitialAccess

MITRE Techniques

Frequency: 1d

Period: 1d

Actions

GitHub