Adversaries may attempt to compromise privileged accounts by changing their passwords to maintain persistent access and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or long-term persistence tactics early.
KQL Query

```kql
let priority_threshold = 5;
let admins = (IdentityInfo
| where AssignedRoles contains "Admin" or GroupMembership has "Admin"
| summarize by tolower(AccountUPN));
AuditLogs
| where Category =~ "UserManagement"
| where OperationName has_any ("password", "security info")
| extend AccountUPN = tolower(tostring(TargetResources[0].userPrincipalName))
| where AccountUPN in (admins)
| join kind=inner (BehaviorAnalytics | where InvestigationPriority > priority_threshold | where isnotempty(UserPrincipalName) | summarize by UserPrincipalName | extend AccountUPN = tolower(UserPrincipalName)) on AccountUPN
| extend AccountCustomEntity = AccountUPN
```
```yaml
id: d9cccaf9-d15e-4731-a62a-06d76e9c5e67
name: Privileged Account Password Changes
description: |
  'Identifies where Privileged Accounts have updated passwords or security information. This is joined with UEBA alerts to filter to only those accounts with a high investigation priority.
  Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
  - connectorId: BehaviorAnalytics
    dataTypes:
      - IdentityInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1078.004
query: |
  let priority_threshold = 5;
  let admins = (IdentityInfo
  | where AssignedRoles contains "Admin" or GroupMembership has "Admin"
  | summarize by tolower(AccountUPN));
  AuditLogs
  | where Category =~ "UserManagement"
  | where OperationName has_any ("password", "security info")
  | extend AccountUPN = tolower(tostring(TargetResources[0].userPrincipalName))
  | where AccountUPN in (admins)
  | join kind=inner (BehaviorAnalytics | where InvestigationPriority > priority_threshold | where isnotempty(UserPrincipalName) | summarize by UserPrincipalName | extend AccountUPN = tolower(UserPrincipalName)) on AccountUPN
  | extend AccountCustomEntity = AccountUPN
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.1.0
```
| Sentinel Table | Notes |
|---|---|
| AuditLogs | Ensure this data connector is enabled |
| BehaviorAnalytics | Ensure this data connector is enabled |
| IdentityInfo | Ensure this data connector is enabled |
**Scenario:** Scheduled Password Rotation via Password Manager
**Description:** A privileged account's password is automatically updated by a password management tool like HashiCorp Vault or Microsoft Azure AD Password Protection as part of a scheduled rotation policy.
**Filter/Exclusion:** Check for tool_name = "HashiCorp Vault" or tool_name = "Azure AD Password Protection" in the event source, or filter by event_type = "scheduled_password_rotation".

**Scenario:** Admin Task to Reset Password for a Service Account
**Description:** An admin manually resets the password for a service account (e.g., SQL Server Service Account) using Active Directory Users and Computers (ADUC) or PowerShell.
**Filter/Exclusion:** Include user_role = "Domain Admin" or task_type = "service_account_password_reset", and exclude events where the account is not flagged as a privileged account.

**Scenario:** Automated Password Sync via Identity Provider (IdP)
**Description:** A privileged account's password is synchronized via an identity provider like Microsoft Entra ID or Okta during a sync process, such as after a password change in a local system.
**Filter/Exclusion:** Filter by source_system = "Microsoft Entra ID" or source_system = "Okta", and exclude events where the password change was initiated by the IdP itself.

**Scenario:** Password Change via Remote Desktop (RDP) for Maintenance
**Description:** An admin changes the password of a privileged account using Remote Desktop Protocol (RDP) as part of routine maintenance or troubleshooting.
**Filter/Exclusion:** Include client_ip = "internal_network" or session_type = "maintenance", and exclude events where the account is not marked as a privileged account.

**Scenario:** Password Reset via Self-Service
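The following is an added example, not code from the Sentinel rule or from Microsoft: an offline Python re-implementation of the rule's logic (the `admins` lookup, the `UserManagement` and `has_any` filters, the case-insensitive UPN match and the UEBA priority join) over constructed `IdentityInfo`, `AuditLogs` and `BehaviorAnalytics` rows, so the filtering and join semantics can be checked without a workspace. It also shows one Sentinel-native way to express the scheduled-rotation exclusion from the scenarios above: the scenario filters name generic fields such as `tool_name`, but in `AuditLogs` an automated change carries the initiating service principal under `InitiatedBy.app.displayName`, so the example allow-lists known rotation apps by that name. All account names, the app name `Contoso-PasswordRotation-SP`, and the rows are constructed; the `kql_has` and `kql_contains` helpers approximate KQL's term-based `has` and substring `contains` and are not the Kusto engine.

```python
"""Offline re-implementation of the 'Privileged Account Password Changes' rule logic.

Added example: mirrors the KQL over constructed rows; not the Sentinel rule itself.
"""
import json
import re

PRIORITY_THRESHOLD = 5  # mirrors `let priority_threshold = 5;` in the rule

_TERM = re.compile(r"[A-Za-z0-9]+")


def _terms(value):
    """Lower-cased alphanumeric terms of a string or a serialized dynamic value."""
    text = value if isinstance(value, str) else json.dumps(value)
    return _TERM.findall(text.lower())


def kql_has(value, phrase):
    """Approximates KQL `has`: the phrase's terms must appear as whole, consecutive
    terms, so "Helpdesk Admins" does NOT satisfy `has "Admin"`."""
    hay, needle = _terms(value), _terms(phrase)
    n = len(needle)
    return any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))


def kql_contains(value, fragment):
    """Approximates KQL `contains`: case-insensitive substring match."""
    text = value if isinstance(value, str) else json.dumps(value)
    return fragment.lower() in text.lower()


def privileged_upns(identity_rows):
    """`let admins = ...`: lower-cased UPNs whose roles contain "Admin" or whose groups have the term "Admin"."""
    return {
        row["AccountUPN"].lower()
        for row in identity_rows
        if kql_contains(row["AssignedRoles"], "Admin") or kql_has(row["GroupMembership"], "Admin")
    }


def high_priority_upns(behavior_rows, threshold=PRIORITY_THRESHOLD):
    """Right side of the join: non-empty UPNs with InvestigationPriority strictly above the threshold."""
    return {
        row["UserPrincipalName"].lower()
        for row in behavior_rows
        if row.get("UserPrincipalName") and row["InvestigationPriority"] > threshold
    }


def run_rule(audit_rows, identity_rows, behavior_rows, allowed_initiator_apps=()):
    """Returns the AuditLogs rows the rule would alert on, with AccountUPN/AccountCustomEntity added."""
    admins = privileged_upns(identity_rows)
    risky = high_priority_upns(behavior_rows)
    hits = []
    for row in audit_rows:
        if row["Category"].lower() != "usermanagement":  # `Category =~ "UserManagement"`
            continue
        if not any(kql_has(row["OperationName"], p) for p in ("password", "security info")):
            continue
        upn = str(row["TargetResources"][0].get("userPrincipalName", "")).lower()
        if upn not in admins or upn not in risky:  # `in (admins)` and the inner join
            continue
        # Added tuning, not in the rule: skip changes made by allow-listed rotation apps
        app = row.get("InitiatedBy", {}).get("app", {}).get("displayName")
        if app in allowed_initiator_apps:
            continue
        hits.append({**row, "AccountUPN": upn, "AccountCustomEntity": upn})
    return hits


# Constructed sample rows (hypothetical tenant contoso.example)
IDENTITY_INFO = [
    {"AccountUPN": "Alice.Admin@contoso.example", "AssignedRoles": ["Global Administrator"], "GroupMembership": []},
    {"AccountUPN": "dave.admin@contoso.example", "AssignedRoles": ["Privileged Role Administrator"], "GroupMembership": []},
    {"AccountUPN": "erin.admin@contoso.example", "AssignedRoles": [], "GroupMembership": ["Tier0 Admin"]},
    {"AccountUPN": "bob@contoso.example", "AssignedRoles": [], "GroupMembership": ["Helpdesk Admins"]},  # not matched by `has "Admin"`
    {"AccountUPN": "carol@contoso.example", "AssignedRoles": ["User"], "GroupMembership": ["Sales"]},
]
AUDIT_LOGS = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "Category": "UserManagement", "OperationName": "Reset password (by admin)",
     "TargetResources": [{"userPrincipalName": "Alice.Admin@contoso.example"}],
     "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}}},
    {"TimeGenerated": "2024-05-01T08:05:00Z", "Category": "UserManagement", "OperationName": "Update user",
     "TargetResources": [{"userPrincipalName": "alice.admin@contoso.example"}],
     "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}}},
    {"TimeGenerated": "2024-05-01T09:00:00Z", "Category": "UserManagement", "OperationName": "Change user password",
     "TargetResources": [{"userPrincipalName": "dave.admin@contoso.example"}],
     "InitiatedBy": {"user": {"userPrincipalName": "dave.admin@contoso.example"}}},
    {"TimeGenerated": "2024-05-01T09:30:00Z", "Category": "UserManagement", "OperationName": "Admin updated security info",
     "TargetResources": [{"userPrincipalName": "erin.admin@contoso.example"}],
     "InitiatedBy": {"app": {"displayName": "Contoso-PasswordRotation-SP"}}},  # hypothetical rotation app
    {"TimeGenerated": "2024-05-01T10:00:00Z", "Category": "UserManagement", "OperationName": "Reset password (by admin)",
     "TargetResources": [{"userPrincipalName": "bob@contoso.example"}],
     "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}}},
]
BEHAVIOR_ANALYTICS = [
    {"UserPrincipalName": "alice.admin@contoso.example", "InvestigationPriority": 7},
    {"UserPrincipalName": "dave.admin@contoso.example", "InvestigationPriority": 5},  # equal to threshold: excluded by `>`
    {"UserPrincipalName": "erin.admin@contoso.example", "InvestigationPriority": 8},
    {"UserPrincipalName": "bob@contoso.example", "InvestigationPriority": 9},
    {"UserPrincipalName": "", "InvestigationPriority": 10},  # dropped by isnotempty()
]

if __name__ == "__main__":
    for hit in run_rule(AUDIT_LOGS, IDENTITY_INFO, BEHAVIOR_ANALYTICS, allowed_initiator_apps=("Contoso-PasswordRotation-SP",)):
        print(hit["TimeGenerated"], hit["OperationName"], hit["AccountUPN"])
```

Against these rows the untuned logic alerts on Alice and Erin only: Dave's priority of exactly 5 fails the strict `>` comparison, Bob's "Helpdesk Admins" group is not a whole-term match for `has "Admin"`, and the "Update user" event matches neither `has_any` term. Adding the rotation app to the allow-list drops Erin's automated security-info update, which is the scheduled-rotation scenario expressed with a field `AuditLogs` actually carries.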