Privileged accounts authenticating from unfamiliar locations, devices, or ASNs may indicate unauthorized access or lateral movement by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of privileged credentials and mitigate risk to critical assets.
KQL Query

```kusto
// Privileged principals: latest IdentityInfo row per UPN whose AssignedRoles contains "admin", lower-cased for matching
let admin_users = (IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin"
| summarize by tolower(AccountUPN));
// Baseline (7d..1d ago): every ASN any privileged account signed in from
let admin_asn = (SigninLogs
| where TimeGenerated between (ago(7d)..ago(1d))
| where tolower(UserPrincipalName) in (admin_users)
| summarize by AutonomousSystemNumber);
// Baseline: every location any privileged account signed in from
let admin_locations = (SigninLogs
| where TimeGenerated between (ago(7d)..ago(1d))
| where tolower(UserPrincipalName) in (admin_users)
| summarize by Location);
// Baseline: every registered device id any privileged account signed in from (empty ids are dropped)
let admin_devices = (SigninLogs
| where TimeGenerated between (ago(7d)..ago(1d))
| where tolower(UserPrincipalName) in (admin_users)
| extend deviceId = tostring(DeviceDetail.deviceId)
| where isnotempty(deviceId)
| summarize by deviceId);
// Last day: successful privileged sign-ins whose ASN, device and location are all outside the baseline
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where tolower(UserPrincipalName) in (admin_users)
| extend deviceId = tostring(DeviceDetail.deviceId)
| where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)
```
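To make the rule's set logic concrete, here is an added Python reimplementation of the same baseline-versus-last-day comparison run over a handful of constructed IdentityInfo and SigninLogs rows. It is not the rule's own code; the record shapes (Location as a country code, DeviceDetail as a dictionary with a deviceId key, an integer AutonomousSystemNumber) and every value in it are assumptions made for the example. It shows three properties of the query that matter when triaging its alerts: the baseline is pooled across all privileged accounts rather than per user, all three conditions (ASN, device and location) must be new for a row to fire, and a sign-in with no device id always passes the device test because empty ids are never in the baseline.

```python
"""Baseline-vs-deviation logic of the 'Authentications of Privileged Accounts
Outside of Expected Controls' rule, re-expressed in Python over constructed rows.
Added example, not the Sentinel rule's own code."""
from datetime import datetime, timedelta, timezone

# Constructed reference time; the rule itself uses ago() relative to query execution.
NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)


def _ago(days, hours=0):
    return NOW - timedelta(days=days, hours=hours)


# Constructed IdentityInfo rows. The rule keeps only the latest row per AccountUPN
# (arg_max) before testing AssignedRoles, so alice's stale role-less row must not win.
IDENTITY_INFO = [
    {"TimeGenerated": _ago(30), "AccountUPN": "alice@contoso.example", "AssignedRoles": []},
    {"TimeGenerated": _ago(2), "AccountUPN": "alice@contoso.example", "AssignedRoles": ["Global Administrator"]},
    {"TimeGenerated": _ago(2), "AccountUPN": "Bob@contoso.example", "AssignedRoles": ["Security Administrator"]},
    {"TimeGenerated": _ago(2), "AccountUPN": "carol@contoso.example", "AssignedRoles": ["User"]},
]

# Constructed SigninLogs rows. ResultType 0 is a successful sign-in; an empty
# DeviceDetail.deviceId stands for an unregistered device.
SIGNIN_LOGS = [
    # Baseline window (7d..1d ago)
    {"TimeGenerated": _ago(5), "UserPrincipalName": "alice@contoso.example", "ResultType": 0,
     "AutonomousSystemNumber": 8075, "Location": "US", "DeviceDetail": {"deviceId": "dev-alice-1"}},
    {"TimeGenerated": _ago(3), "UserPrincipalName": "bob@contoso.example", "ResultType": 0,
     "AutonomousSystemNumber": 3320, "Location": "DE", "DeviceDetail": {"deviceId": "dev-bob-1"}},
    # Last day: new ASN, new location, no device id -> fires
    {"TimeGenerated": _ago(0, 2), "UserPrincipalName": "alice@contoso.example", "ResultType": 0,
     "AutonomousSystemNumber": 9009, "Location": "NL", "DeviceDetail": {"deviceId": ""}},
    # Last day: bob from an ASN/location only alice used -> silent, baseline is pooled
    {"TimeGenerated": _ago(0, 3), "UserPrincipalName": "bob@contoso.example", "ResultType": 0,
     "AutonomousSystemNumber": 8075, "Location": "US", "DeviceDetail": {"deviceId": "dev-new"}},
    # Last day: new ASN and device but known location -> silent, all three must be new
    {"TimeGenerated": _ago(0, 4), "UserPrincipalName": "bob@contoso.example", "ResultType": 0,
     "AutonomousSystemNumber": 9009, "Location": "DE", "DeviceDetail": {"deviceId": "dev-new"}},
    # Last day: non-privileged account -> silent
    {"TimeGenerated": _ago(0, 5), "UserPrincipalName": "carol@contoso.example", "ResultType": 0,
     "AutonomousSystemNumber": 9009, "Location": "NL", "DeviceDetail": {"deviceId": ""}},
    # Last day: failed sign-in (non-zero ResultType) -> silent
    {"TimeGenerated": _ago(0, 6), "UserPrincipalName": "alice@contoso.example", "ResultType": 50126,
     "AutonomousSystemNumber": 9009, "Location": "NL", "DeviceDetail": {"deviceId": ""}},
]


def admin_users(identity_info):
    """Lower-cased UPNs whose latest IdentityInfo row has a role containing 'admin'
    (case-insensitive substring, mirroring KQL's `contains`)."""
    latest = {}
    for row in identity_info:
        upn = row["AccountUPN"]
        if upn not in latest or row["TimeGenerated"] > latest[upn]["TimeGenerated"]:
            latest[upn] = row
    return {upn.lower() for upn, row in latest.items()
            if any("admin" in role.lower() for role in row["AssignedRoles"])}


def build_baseline(signins, admins, now=NOW):
    """ASNs, locations and non-empty device ids seen for any privileged account
    between 7d and 1d ago. Pooled across admins and not limited to successes, as in the rule."""
    start, end = now - timedelta(days=7), now - timedelta(days=1)
    baseline = {"asn": set(), "location": set(), "device": set()}
    for s in signins:
        if not (start <= s["TimeGenerated"] <= end) or s["UserPrincipalName"].lower() not in admins:
            continue
        baseline["asn"].add(s["AutonomousSystemNumber"])
        baseline["location"].add(s["Location"])
        device = s["DeviceDetail"].get("deviceId", "")
        if device:
            baseline["device"].add(device)
    return baseline


def detect(signins, identity_info, now=NOW):
    """Successful privileged sign-ins in the last day whose ASN, device id and
    location are all absent from the baseline."""
    admins = admin_users(identity_info)
    baseline = build_baseline(signins, admins, now)
    flagged = []
    for s in signins:
        if s["TimeGenerated"] <= now - timedelta(days=1) or s["ResultType"] != 0:
            continue
        if s["UserPrincipalName"].lower() not in admins:
            continue
        device = s["DeviceDetail"].get("deviceId", "")
        # An empty device id is never in the baseline, so it always satisfies this test.
        if (s["AutonomousSystemNumber"] not in baseline["asn"]
                and device not in baseline["device"]
                and s["Location"] not in baseline["location"]):
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for hit in detect(SIGNIN_LOGS, IDENTITY_INFO):
        print(hit["UserPrincipalName"], hit["AutonomousSystemNumber"], hit["Location"])
```

Only alice's sign-in from ASN 9009 in NL fires. Bob's sign-in from the new ASN and new device is silent because DE is already in the pooled location baseline, which is the conservative side of the `and` in the final `where`: the rule trades sensitivity for a low false-positive rate, and a device id the tenant has never registered does nothing to suppress an alert.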
```yaml
id: af435ca1-fb70-4de1-92c1-7435c48482a9
name: Authentications of Privileged Accounts Outside of Expected Controls
description: |
  'Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.
  Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.
  Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: BehaviorAnalytics
    dataTypes:
      - BehaviorAnalytics
  - connectorId: BehaviorAnalytics
    dataTypes:
      - IdentityInfo
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1078.004
tags:
  - AADSecOpsGuide
query: |
  let admin_users = (IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  let admin_asn = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where tolower(UserPrincipalName) in (admin_users)
  | summarize by AutonomousSystemNumber);
  let admin_locations = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where tolower(UserPrincipalName) in (admin_users)
  | summarize by Location);
  let admin_devices = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where tolower(UserPrincipalName) in (admin_users)
  | extend deviceId = tostring(DeviceDetail.deviceId)
  | where isnotempty(deviceId)
  | summarize by deviceId);
  SigninLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admin_users)
  | extend deviceId = tostring(DeviceDetail.deviceId)
  | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
version: 1.0.2
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Pete Bryan
  support:
    tier: Community
  categories:
    domains: [ "Security - Others", "Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| IdentityInfo | Ensure this data connector is enabled |
| SigninLogs | Ensure this data connector is enabled |
- Scenario: A system administrator uses a privileged account to run a scheduled maintenance job from a remote location that hasn't been used in the past 7 days.
  Filter/Exclusion: `src_ip in (list of known remote management IPs) or job_name contains "scheduled_maintenance"`

- Scenario: A DBA authenticates using a privileged account to apply a critical security patch during a planned maintenance window from a device that is not typically used for such tasks.
  Filter/Exclusion: `user_agent contains "patching_tool" or event_type contains "security_patch"`

- Scenario: A network administrator uses a privileged account to configure a new firewall rule from a device that is not commonly used for network configuration tasks.
  Filter/Exclusion: `device_type contains "firewall_config_tool" or src_device contains "network_mgmt_console"`

- Scenario: A cloud administrator authenticates via a privileged account to deploy a new virtual machine from a cloud management console that is not typically used for such operations.
  Filter/Exclusion: `src_ip in (list of cloud_admin_ips) or action contains "vm_deployment"`

- Scenario: A security analyst uses a privileged account to perform a forensic investigation from a workstation that is not part of the regular admin access list.
  Filter/Exclusion: `user_role contains "security_analyst" or event_type contains "forensic_investigation"`