A potential SSH tunnel to an AAD Connect host indicates an adversary may be establishing covert access to exfiltrate data or pivot within the network. SOC teams should proactively hunt for this behavior to detect and mitigate unauthorized access to a critical identity service.
KQL Query
DeviceInfo
| where LoggedOnUsers has "MSOL_"
| summarize by DeviceName, PublicIP
| join kind=inner (_Im_NetworkSession
| where NetworkApplicationProtocol =~ "ssh") on $left.PublicIP == $right.DstIpAddr
id: 7f52bc1d-138e-4a02-af25-a04dbea85646
name: Potential SSH Tunnel to AAD Connect Host
description: |
  'Azure AD Connect (AAD Connect) is a critical service that handles connections between on-premises Active Directory and Azure AD.
  Due to the critical nature of AAD Connect, threat actors may attempt to compromise the service in order to access credentials.
  This query looks for SSH connections to hosts that appear to run AAD Connect. The results should be reviewed to determine if the
  SSH connection is legitimate.'
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceInfo
tactics:
  - Persistence
relevantTechniques:
  - T1133
query: |
  DeviceInfo
  | where LoggedOnUsers has "MSOL_"
  | summarize by DeviceName, PublicIP
  | join kind=inner (_Im_NetworkSession
      | where NetworkApplicationProtocol =~ "ssh") on $left.PublicIP == $right.DstIpAddr
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: PublicIP
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceName
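To make the join logic of the hunting query above concrete, the following is an added Python model of it run over constructed sample rows; it is not part of the Sentinel query file and not Microsoft code. It assumes DeviceInfo rows whose LoggedOnUsers column is a JSON array of {UserName, DomainName, Sid} objects and _Im_NetworkSession rows with SrcIpAddr, DstIpAddr, DstPortNumber and NetworkApplicationProtocol. The KQL `has "MSOL_"` term match is approximated as a case-insensitive prefix check on UserName (an assumption, not KQL's exact tokenizer), and the `allowed_src_networks` exclusion is a hypothetical parameter that stands in for the "known support IP range" tuning the false-positive notes describe.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample rows (not real telemetry) shaped like the Defender
# DeviceInfo table. Sids are placeholders.
DEVICE_INFO = [
    {"DeviceName": "aadc01.corp.example", "PublicIP": "203.0.113.10",
     "LoggedOnUsers": json.dumps([
         {"UserName": "MSOL_0123abcd4567", "DomainName": "CORP", "Sid": "S-1-5-21-PLACEHOLDER-1105"},
         {"UserName": "svc_backup", "DomainName": "CORP", "Sid": "S-1-5-21-PLACEHOLDER-1106"},
     ])},
    {"DeviceName": "fs01.corp.example", "PublicIP": "203.0.113.11",
     "LoggedOnUsers": json.dumps([
         {"UserName": "jdoe", "DomainName": "CORP", "Sid": "S-1-5-21-PLACEHOLDER-2001"},
     ])},
    # A second report from the same AAD Connect host; `summarize by` collapses it.
    {"DeviceName": "aadc01.corp.example", "PublicIP": "203.0.113.10",
     "LoggedOnUsers": json.dumps([
         {"UserName": "MSOL_0123abcd4567", "DomainName": "CORP", "Sid": "S-1-5-21-PLACEHOLDER-1105"},
     ])},
]

# Constructed rows shaped like the ASIM _Im_NetworkSession parser output.
NETWORK_SESSIONS = [
    {"SrcIpAddr": "198.51.100.7", "DstIpAddr": "203.0.113.10", "DstPortNumber": 22,  "NetworkApplicationProtocol": "SSH"},
    {"SrcIpAddr": "198.51.100.7", "DstIpAddr": "203.0.113.11", "DstPortNumber": 22,  "NetworkApplicationProtocol": "ssh"},
    {"SrcIpAddr": "192.0.2.44",   "DstIpAddr": "203.0.113.10", "DstPortNumber": 443, "NetworkApplicationProtocol": "HTTPS"},
    {"SrcIpAddr": "192.0.2.200",  "DstIpAddr": "203.0.113.10", "DstPortNumber": 22,  "NetworkApplicationProtocol": "ssh"},
]


def has_msol_account(logged_on_users_json):
    """Approximates `LoggedOnUsers has "MSOL_"`: true when any logged-on
    UserName starts with the AAD Connect sync-account prefix (case-insensitive).
    Malformed JSON is treated as no match rather than raising."""
    try:
        users = json.loads(logged_on_users_json)
    except (TypeError, json.JSONDecodeError):
        return False
    return any(str(u.get("UserName", "")).upper().startswith("MSOL_") for u in users)


def aad_connect_hosts(device_info):
    """`DeviceInfo | where ... | summarize by DeviceName, PublicIP` as a set of tuples."""
    return {(r["DeviceName"], r["PublicIP"]) for r in device_info if has_msol_account(r["LoggedOnUsers"])}


def ssh_sessions_to_aad_connect(device_info, sessions, allowed_src_networks=()):
    """Inner join: SSH sessions whose DstIpAddr equals an AAD Connect host's PublicIP.
    allowed_src_networks (hypothetical tuning input) drops sessions from known ranges."""
    by_ip = {}
    for name, ip in aad_connect_hosts(device_info):
        by_ip.setdefault(ip, []).append(name)
    allow = [ip_network(n) for n in allowed_src_networks]
    hits = []
    for s in sessions:
        # `=~` is a case-insensitive string equality in KQL.
        if s.get("NetworkApplicationProtocol", "").lower() != "ssh":
            continue
        dst = s.get("DstIpAddr")
        if dst not in by_ip:
            continue
        src = s.get("SrcIpAddr")
        if src and any(ip_address(src) in net for net in allow):
            continue
        for name in by_ip[dst]:
            hits.append({"DeviceName": name, "PublicIP": dst,
                         "SrcIpAddr": src, "DstPortNumber": s.get("DstPortNumber")})
    return hits


if __name__ == "__main__":
    for hit in ssh_sessions_to_aad_connect(DEVICE_INFO, NETWORK_SESSIONS, ["192.0.2.0/24"]):
        print(hit)
```

Two review points follow from running it. First, DeviceInfo.PublicIP is the egress address the device used to reach the Defender service, so every device behind the same NAT shares it; the join therefore flags SSH to that public address whether or not the AAD Connect host itself was the endpoint, and DeviceName in a result should be read as "a host that shares this egress IP with an MSOL_ host". Second, the query projects no account column, so the Account entity mapping to AccountCustomEntity in the YAML above has nothing to bind to; only the IP and Host mappings will resolve.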
Scenario: Scheduled Azure AD Connect Synchronization Job
Description: The Azure AD Connect synchronization job runs periodically and may generate SSH activity as part of its secure connection to Azure AD.
Filter/Exclusion: Exclude events where the source IP is the internal IP of the Azure AD Connect server or where the process name matches AzureADConnect.exe or MSOL-related processes.
Scenario: Admin Task to Reconfigure AAD Connect via SSH
Description: An administrator may use SSH to access the AAD Connect server to perform configuration changes or troubleshooting.
Filter/Exclusion: Exclude events where the user is a known admin account (e.g., Administrator, AADConnectAdmin) and the command line includes terms like configure, sync, or reconnect.
Scenario: SSH Access for Remote Support via AAD Connect Server
Description: A support technician may use SSH to access the AAD Connect server for remote troubleshooting or maintenance.
Filter/Exclusion: Exclude events where the source IP is from a known support IP range or where the user is a support account (e.g., SupportTech, HelpDesk).
Scenario: Legitimate SSH Tunnel for Network Monitoring Tools
Description: A network monitoring tool like SolarWinds or PRTG may establish an SSH tunnel through the AAD Connect server to monitor internal network traffic.
Filter/Exclusion: Exclude events where the process name includes SolarWinds, PRTG, or Nagios, or where the destination port is a known monitoring port (e.g., 514, 515).
Scenario: SSH Tunnel for Database Replication via AAD Connect
Description: A database replication tool like SQL Server Replication or MySQL Replication may use SSH tunneling