detection.wiki

Detection rules › Kusto

Authentication Methods Changed for Privileged Account

Status
available
Severity
high
Time window
14d
Group by
InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserPrincipalName, Result, TargetUserPrincipalName
Source
github.com/Azure/Azure-Sentinel

Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1098 Account Manipulation

Event coverage

ProviderEvent
Entra-AuditLogsAdmin deleted security info
Entra-AuditLogsAdmin registered security info
Entra-AuditLogsAdmin updated security info
Entra-AuditLogsUser changed default security info
Entra-AuditLogsUser deleted security info
Entra-AuditLogsUser registered security info
Entra-AuditLogsUser reviewed security info

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Rule body kusto

id: 694c91ee-d606-4ba9-928e-405a2dd0ff0f
name: Authentication Methods Changed for Privileged Account
description: |
  'Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.
  Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1'
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
  - connectorId: BehaviorAnalytics
    dataTypes:
      - IdentityInfo
queryFrequency: 2h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Persistence
relevantTechniques:
  - T1098
tags:
  - AADSecOpsGuide
query: |
  let queryperiod = 14d;
  let queryfrequency = 2h;
  let security_info_actions = dynamic(["User registered security info", "User changed default security info", "User deleted security info", "Admin updated security info", "User reviewed security info", "Admin deleted security info", "Admin registered security info"]);
  let VIPUsers = (
      IdentityInfo
      | where TimeGenerated > ago(queryperiod)
      | mv-expand AssignedRoles
      | where AssignedRoles contains 'Admin'
      | summarize by AccountUPN);
  AuditLogs
  | where TimeGenerated > ago(queryfrequency)
  | where Category =~ "UserManagement"
  | where ActivityDisplayName in (security_info_actions)
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
  | mv-apply TargetResource = TargetResources on 
    (
        where TargetResource.type =~ "User"
        | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)
    )
  | where TargetUserPrincipalName in~ (VIPUsers)
  // Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.
  //| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result
  // Comment out this line below, if line above is used.
  | summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by InitiatingAppName, InitiatingAppServicePrincipalId, 
  InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, TargetUserPrincipalName, Result
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1]), 
  TargetName = iff(tostring(TargetUserPrincipalName) has "[", "", tostring(split(TargetUserPrincipalName,'@',0)[0])), TargetUPNSuffix = iff(tostring(TargetUserPrincipalName) has "[", "", tostring(split(TargetUserPrincipalName,'@',1)[0]))
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: InitiatingAppName
      - identifier: AadUserId
        columnName: InitiatingAppServicePrincipalId
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: InitiatingUserPrincipalName
      - identifier: Name
        columnName: InitiatingAccountName
      - identifier: UPNSuffix
        columnName: InitiatingAccountUPNSuffix
  - entityType: Account
    fieldMappings:
      - identifier: AadUserId
        columnName: InitiatingAadUserId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: InitiatingIpAddress
version: 1.1.1
kind: Scheduled

Stages and Predicates

Parameters

let queryperiod = 14d;
let queryfrequency = 2h;

Let binding: security_info_actions

let security_info_actions = dynamic(["User registered security info", "User changed default security info", "User deleted security info", "Admin updated security info", "User reviewed security info", "Admin deleted security info", "Admin registered security info"]);

Let binding: VIPUsers

let VIPUsers = (
    IdentityInfo
    | where TimeGenerated > ago(queryperiod)
    | mv-expand AssignedRoles
    | where AssignedRoles contains 'Admin'
    | summarize by AccountUPN);

Derived from queryperiod.

Stage 1: source

AuditLogs

Stage 2: where

| where TimeGenerated > ago(queryfrequency)

Stage 3: where

| where Category =~ "UserManagement"

Stage 4: where

| where ActivityDisplayName in (security_info_actions)

References security_info_actions (defined above).

Stage 5: extend (5 consecutive steps)

| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))

Stage 6: kusto:mv-apply

| mv-apply TargetResource = TargetResources on 
  (
      where TargetResource.type =~ "User"
      | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)
  )

Stage 7: where

| where TargetUserPrincipalName in~ (VIPUsers)

References VIPUsers (defined above).

Stage 8: summarize

| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by InitiatingAppName, InitiatingAppServicePrincipalId, 
InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, TargetUserPrincipalName, Result

Stage 9: extend

| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1]), 
TargetName = iff(tostring(TargetUserPrincipalName) has "[", "", tostring(split(TargetUserPrincipalName,'@',0)[0])), TargetUPNSuffix = iff(tostring(TargetUserPrincipalName) has "[", "", tostring(split(TargetUserPrincipalName,'@',1)[0]))
TargetName =
ifTargetUserPrincipalName has "["""
elsetostring(split(TargetUserPrincipalName, '@', 0)[0])
TargetUPNSuffix =
ifTargetUserPrincipalName has "["""
elsetostring(split(TargetUserPrincipalName, '@', 1)[0])

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
ActivityDisplayNamein
  • Admin deleted security info transforms: cased
  • Admin registered security info transforms: cased
  • Admin updated security info transforms: cased
  • User changed default security info transforms: cased
  • User deleted security info transforms: cased
  • User registered security info transforms: cased
  • User reviewed security info transforms: cased
Categoryeq
  • UserManagement
TargetUserPrincipalNamein
  • VIPUsers
typeeq
  • User

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
Actionssummarize
Endsummarize
InitiatingAadUserIdsummarize
InitiatingAppNamesummarize
InitiatingAppServicePrincipalIdsummarize
InitiatingIpAddresssummarize
InitiatingUserPrincipalNamesummarize
Resultsummarize
Startsummarize
TargetUserPrincipalNamesummarize
InitiatingAccountNameextend
InitiatingAccountUPNSuffixextend
TargetNameextend
TargetUPNSuffixextend