/
Anomalous AAD Account Manipulation.yaml
58 lines (57 loc) · 3.92 KB
/
Anomalous AAD Account Manipulation.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
id: 8741deeb-332e-4061-8873-5086040920e3
name: Anomalous AAD Account Manipulation
description: |
'Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups.
Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an
output of all high Blast Radius users performing "Update user" (name change) to priveleged role, or where one or more features of the activitiy
deviates from the user, his peers or the tenant profile.'
requiredDataConnectors:
- connectorId: BehaviorAnalytics
dataTypes:
- BehaviorAnalytics
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
tactics:
- Persistence
relevantTechniques:
- T1098
query: |
//Critical Roles can impersonate any user or app, can update passwords for users or service principals (if the role can let a user update passwords for privileged users, if an attacker compromises this user then attacker can update passwords for privileged users hence gaining more privileges so users with this role are equally critical)
//High Roles are Administrators that can manage all aspects or permissions of important products but can't update credentials and impersonate another user/app
let critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10',
'd29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);
let high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070',
'7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45',
'7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);
AuditLogs
| where OperationName == "Update user"
| mv-expand AdditionalDetails
| mv-expand TargetResources
| where AdditionalDetails.key == "UserPrincipalName"
| mv-expand TargetResources
| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)
| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)
| where RoleId in (critical,high)
| where isnotempty(RoleId) or isnotempty(RoleName)
| extend TargetId = tostring(TargetResources.id)
| extend Target = iff(tostring(TargetResources.userPrincipalName) has "#EXT#",replace("_","@",tostring(split(TargetResources.userPrincipalName, "#")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)
| join kind=inner ( BehaviorAnalytics
) on $left._ItemId == $right.SourceRecordId
| where UsersInsights.BlastRadius == "High" or ActivityInsights has "True"
| extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName), UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["TargetUser"]=Target, RoleName, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserPrincipalName
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIPAddress
- entityType: AzureResource
fieldMappings:
- identifier: ResourceId
columnName: ResourceId