Query Details

KQL To Check Privilege Admin Failing Microsoft CA MFA Enforcement

Query

// KQL to check Privilege Admin failing Microsoft CA MFA enforcement

let PrivilegeAdmin =
IdentityInfo
| where TimeGenerated > ago(14d)
| where AssignedRoles != "[]" and isnotnull(AssignedRoles)
| distinct AccountUPN;
SigninLogs
| where UserPrincipalName has_any(PrivilegeAdmin)
| where ResultType == "0"
| where ConditionalAccessPolicies != "[]"
| mv-expand ConditionalAccessPolicies
| extend CADisplayName = tostring(ConditionalAccessPolicies.displayName)
| extend CAResult = tostring(ConditionalAccessPolicies.result)
| where CADisplayName == "Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals"
| where CAResult == "reportOnlyFailure"

// MITRE ATT&CK Mapping

// The KQL query can be associated with the following MITRE ATT&CK techniques:

// T1078 - Valid Accounts:
// The query identifies privileged accounts and monitors their sign-in activities, which aligns with the use of valid accounts for persistence or privilege escalation1.
// T1078.003 - Valid Accounts: Cloud Accounts:
// Specifically focuses on cloud accounts, as it deals with Azure AD sign-in logs and conditional access policies1.
// T1110 - Brute Force:
// Monitoring failed conditional access policies can help detect brute force attempts where attackers try to bypass multi-factor authentication1.
// T1556 - Modify Authentication Process:
// The query checks for failures in multi-factor authentication policies, which could indicate attempts to modify or bypass the authentication process1.

Explanation

This KQL query is designed to identify privileged admin accounts that have failed to comply with a specific Microsoft Conditional Access policy requiring multi-factor authentication (MFA) for accessing Microsoft Admin Portals. Here's a simple breakdown of what the query does:

  1. Identify Privileged Admins:

    • It first looks at the IdentityInfo table to find accounts with assigned roles, indicating they have some level of privilege. It filters out any entries where the assigned roles are empty or null.
    • It collects the unique user principal names (UPNs) of these privileged accounts.
  2. Check Sign-in Logs:

    • It then examines the SigninLogs table for sign-in attempts by these privileged accounts.
    • It filters for successful sign-ins (ResultType == "0") where the conditional access policies are not empty.
  3. Evaluate Conditional Access Policies:

    • The query expands the conditional access policies to check if any of them are named "Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals".
    • It specifically looks for cases where the result of this policy is "reportOnlyFailure", indicating that the MFA requirement was not enforced successfully.
  4. Security Implications:

    • The query helps in identifying potential security risks by detecting when privileged accounts fail to meet MFA requirements, which could be a sign of attempted unauthorized access or a misconfiguration.
  5. MITRE ATT&CK Techniques:

    • The query is linked to several MITRE ATT&CK techniques, such as:
      • T1078 - Valid Accounts: Monitoring privileged accounts for potential misuse.
      • T1078.003 - Valid Accounts: Cloud Accounts: Focuses on cloud-based accounts.
      • T1110 - Brute Force: Detects potential brute force attempts to bypass MFA.
      • T1556 - Modify Authentication Process: Identifies attempts to bypass or modify the authentication process.

In summary, this query is a security measure to monitor and ensure that privileged accounts comply with MFA policies, helping to prevent unauthorized access to sensitive admin portals.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

IdentityInfoSigninLogs

Keywords

IdentityInfoAssignedRolesAccountUPNSigninLogsUserPrincipalNameResultTypeConditionalAccessPoliciesDisplayNameResultMicrosoftAdminPortalsAzureADSignInLogsConditionalAccessPolicies

Operators

let|where>ago!=andisnotnulldistincthas_any==mv-expandextendtostring

MITRE Techniques

Actions

GitHub