/
azure_ad_user_enabled_and_password_reset.yml
69 lines (69 loc) · 2.75 KB
/
azure_ad_user_enabled_and_password_reset.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
name: Azure AD User Enabled And Password Reset
id: 1347b9e8-2daa-4a6f-be73-b421d3d9e268
version: 2
date: '2023-12-20'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
description: The following analytic identifies an Azure AD user enabling a previously
disabled account and resetting its password within 2 minutes. This behavior could
represent an adversary who has obtained administrative access and is trying to establish
a backdoor identity within an Azure AD tenant.
data_source:
- Azure Active Directory Enable account
- Azure Active Directory Reset password (by admin)
- Azure Active Directory Update user
search: ' `azure_monitor_aad` (operationName="Enable account" OR operationName="Reset password (by admin)" OR operationName="Update user")
| transaction user startsWith=(operationName="Enable account") endsWith=(operationName="Reset password (by admin)") maxspan=2m
| rename properties.* as *
| rename initiatedBy.user.userPrincipalName as initiatedBy
| stats count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName values(initiatedBy) as initiatedBy by user, result
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_user_enabled_and_password_reset_filter`'
how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
You must be ingesting Azure Active Directory events into your Splunk environment.
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
known_false_positives: While not common, Administrators may enable accounts and reset
their passwords for legitimate reasons. Filter as needed.
references:
- https://attack.mitre.org/techniques/T1098/
tags:
analytic_story:
- Azure Active Directory Persistence
asset_type: Azure Active Directory
confidence: 90
impact: 50
message: A user account, $user$, was enabled and its password reset within
2 minutes by $initiatedBy$
mitre_attack_id:
- T1098
observable:
- name: user
type: User
role:
- Victim
- name: initiatedBy
type: User
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- operationName
- user
- properties.initiatedBy.user.userPrincipalName
- properties.result
risk_score: 45
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log
source: Azure AD
sourcetype: azure:monitor:aad
update_timestamp: true